Access NC via local IP with overwrite.cli.url

Nextcloud version (eg, 20.0.5): 20.0.4
Operating system and version (eg, Ubuntu 20.04): Raspberry Pi OS 11
Apache or nginx version (eg, Apache 2.4.25): 2.4.54
PHP version (eg, 7.4): 8.0.22

The issue you are facing:

I am running Nextcloud on a docker swarm behind a nginx reverse proxy protected by Cloudflare. In theory, everything is working fine. One issue I’m facing is that when I want to access my server with the desktop app, I cannot use https://nextcloud.mydomain.com because of the following error:

The polling URL does not start with HTTPS despite the login URL started with HTTPS. Login will not be possible because this might be a security issue. Please contact your administrator

I fixed this by changing the following:

From

'overwrite.cli.url' => 'localip:port',

to

'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
'overwriteprotocol' => 'https',

By doing so, I cannot access my server via localip:port anymore. I get the following error:

ERR_TOO_MANY_REDIRECTS

When I try to access it in a private browser window (no cookies etc) I get to the login page, but then the loading thing in the “signing in”-button just turns, but nothing happens.

Under Admin > Logging it doesn’t show anything related, the last entry is from a few days ago, even though I just tried to access it and all options are ticked. The log in portainer shows the following:

10.0.0.2 - - [29/Aug/2022:16:05:02 +0000] "GET /login?redirect_url=/apps/files/ HTTP/1.1" 200 8424 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
10.0.0.2 - - [29/Aug/2022:16:05:07 +0000] "POST /login HTTP/1.1" 303 1504 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocmnyk01f68r',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => '192.168.178.36:8086',
    1 => 'nextcloud.mydomain.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '24.0.4.1',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'loglevel' => 2,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'xxx',
  'mail_domain' => 'mail.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'xxx',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'xxx',
  'mail_smtppassword' => 'xxx',
);

The output of your Apache/nginx/system log in /var/log/____:

"apache2/access.log" is a device file

In such a case the most useful logging would be the browser dev console (F12) - you will see which resources your browser looks for and which redirects it follows - try to understand and adapt to the right values…

Please review Reverse proxy config as well. I’m missing overwritehost and trusted_proxies in your config.php

My new config.php:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' => [
       'host' => 'redis',
       'port' => 6379,
  ],
  'memcache.locking' => '\OC\Memcache\Redis',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocmnyk01f68r',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' =>
  array (
    0 => '192.168.178.36:8086',
    1 => 'nextcloud.domain.com',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.178.36',
  ),
  'overwritehost' => 'nextcloud.domain.com',
  'overwrite.cli.url' => 'https://nextcloud.domain.com',
  'overwriteprotocol' => 'https',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '24.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'loglevel' => 2,
);

My swarm has 4 nodes and all my services are accessible via all IPs of every node. I use 192.168.178.36:Port to access all my services.

In the console, this is what I get when I go to 192.168.178.36:8086/apps/files and it redirects me to http://192.168.178.36:8086/login?redirect_url=/apps/files/ and I try to log in:

Under “Headers” → “Response Headers” it says “Location: https://nextcloud.domain.com/apps/files”. So it seems that when I go directly to 192.168.178.36:8086/apps/files while logged off, it redirects me to the login page, which it should, and then wants to redirect me to https://nextcloud.domain.com/apps/files.

When I go to 192.168.178.36:8086 (without /apps/files/), it automatically redirects to https://nextcloud.domain.com. Basically, only using the local IP does not work, probably due to the overwrites?

You have talked about the same issue in this thread as well. My train of thought is that I want my PC, since it’s stationary, to access my server through the local network as traffic is much faster rather than go through the internet to access it. For my laptop and phone, I don’t really care and they may use the public address. Does that make any sense?
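The redirect to https://nextcloud.domain.com/apps/files seen above follows directly from the overwrite* settings. The following Python block is an added example written for this thread, not Nextcloud's own code: it is a simplified model of how `overwritehost` and `overwriteprotocol` are applied (unconditionally when `overwritecondaddr` is empty, otherwise only to client addresses matching that regex, and `X-Forwarded-*` headers only from `trusted_proxies`). The client address 192.168.178.20 and the request dictionaries are constructed; `overwritecondaddr` is a real Nextcloud config option that is not in the thread's config.php.

```python
"""Simplified model of Nextcloud's overwritehost / overwriteprotocol /
overwritecondaddr / trusted_proxies handling. Written for this thread as an
illustration, not Nextcloud's implementation."""
import ipaddress
import re

# Constructed config mirroring the thread's config.php (only the keys used here).
THREAD_CONFIG = {
    "trusted_proxies": ["192.168.178.36"],
    "overwritehost": "nextcloud.domain.com",
    "overwriteprotocol": "https",
}

# Same config plus overwritecondaddr (a real Nextcloud option): the overwrites
# then apply only to requests whose client address matches the regex, here the
# reverse proxy, so direct LAN access keeps its own host and scheme.
CONDITIONAL_CONFIG = dict(THREAD_CONFIG, overwritecondaddr=r"^192\.168\.178\.36$")


def from_trusted_proxy(remote_addr, config):
    """True when remote_addr is listed in trusted_proxies (plain IP or CIDR)."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(p, strict=False)
               for p in config.get("trusted_proxies", []))


def overwrite_applies(remote_addr, config):
    """Overwrites apply when overwritecondaddr is empty (the thread's case)
    or matches the client address."""
    cond = config.get("overwritecondaddr", "")
    return cond == "" or re.match(cond, remote_addr) is not None


def effective_host(request, config):
    """Host Nextcloud would write into generated URLs for this request."""
    if config.get("overwritehost") and overwrite_applies(request["remote_addr"], config):
        return config["overwritehost"]
    fwd = request["headers"].get("X-Forwarded-Host")
    if fwd and from_trusted_proxy(request["remote_addr"], config):
        return fwd
    return request["host"]


def effective_protocol(request, config):
    """Scheme Nextcloud would write into generated URLs for this request."""
    if config.get("overwriteprotocol") and overwrite_applies(request["remote_addr"], config):
        return config["overwriteprotocol"]
    fwd = request["headers"].get("X-Forwarded-Proto")
    if fwd and from_trusted_proxy(request["remote_addr"], config):
        return fwd
    return "https" if request["https"] else "http"


def redirect_target(request, config, path="/apps/files"):
    """URL the server would put in the Location header after login."""
    return f"{effective_protocol(request, config)}://{effective_host(request, config)}{path}"


# Constructed requests: a LAN PC (192.168.178.20, hypothetical) opening the node
# IP directly, and the same page arriving through the reverse proxy on .36.
DIRECT = {"remote_addr": "192.168.178.20", "host": "192.168.178.36:8086",
          "https": False, "headers": {}}
PROXIED = {"remote_addr": "192.168.178.36", "host": "nextcloud.domain.com",
           "https": False,
           "headers": {"X-Forwarded-Proto": "https",
                       "X-Forwarded-Host": "nextcloud.domain.com"}}

if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG),
                      ("with overwritecondaddr", CONDITIONAL_CONFIG)):
        print(f"{name}: direct -> {redirect_target(DIRECT, cfg)}; "
              f"proxied -> {redirect_target(PROXIED, cfg)}")
```

With the thread's config the direct request is sent to https://nextcloud.domain.com/apps/files, exactly the Location header reported above; with `overwritecondaddr` restricted to the proxy it stays at http://192.168.178.36:8086/apps/files. One caveat for this deployment: the access log earlier in the thread shows the client as 10.0.0.2, the swarm ingress address, so if proxied and direct requests both arrive from that address the regex cannot tell them apart and the split-horizon DNS approach is the more robust fix.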

The solution is what is called split-brain DNS or split-horizon DNS - in short, you point exactly the same hostname to different IP addresses - on the internet it points to your public IP and within the LAN to your internal IP (ideally both point to your external reverse proxy). This makes all the clients access the system in the same way (only the very low level details differ).

See similar discussions (most of the topics have multiple references as well):


So what I understood is:

  • I set up nextcloud.domain.com in my reverse proxy to point to the local IP of my nextcloud instance, e.g. 192.168.178.36:8086 (which I did anyway)

  • in my local DNS (Adguard) I add a DNS record (DNS rewrite) pointing nextcloud.domain.com to my reverse proxy, e.g. 192.168.178.36.

From here on, my reverse proxy should redirect the traffic to 192.168.178.36:8086.

The two internal IPs are the same as all my containers (nextcloud, nginx proxy manager, etc.) run on a docker swarm, so 192.168.178.36 is pointing to the swarm’s internal load balancer, which then redirects the requests to the proper docker internal IP.

Is this concept correct?

So far it isn’t working. NPM is using ports 80 and 443, port 81 for the GUI. When I do “ping nextcloud.domain.com”, it says “pinging ip.block.dt.de (46.29.100.42) - ping timeout”

I should mention that I don’t have a proper internet connection atm because I’m switching providers today. But since all of that should be happening internally, this shouldn’t matter, right?

In my FritzBox, I have set up Adguard as my local DNS. I also changed the public DNS server to Adguard and 8.8.8.8.

I also rebooted my PC to reset all network settings and cache, even though I haven’t changed anything on my PC.

Edit: now it says “the DNS address of nextcloud.domain.com could not be found”, which is weird because the entry does exist in Adguard. When I go to 192.168.178.36, I get the congratulations page of NPM, so that’s working as well.

Edit2: funny, I get the error with every domain. I wonder if it’s because I don’t have any internet atm. The log in Adguard even states that it received the request for nextcloud.domain.com and rewrote it to 192.168.178.36 with no errors, but it still doesn’t work. It should work even without an internet connection, right? All my devices can communicate since the local network is still up.

Edit3: I removed the adguard entry in my fritzbox to use adguard globally, as then only my router is shown in adguard as client. I added nextcloud.domain.com to the DNS-rebind-protection exceptions of my FritzBox, and I needed to change the DNS of the PC to adguard manually; setting it up in the router only wasn’t enough. This was the missing piece of the puzzle!


It’s so strange! It all worked, I changed back the DNS settings of my PC to default to see if it’s necessary to point to adguard and apparently it was, so I changed it back to point to adguard and now it’s not working. It doesn’t try to redirect to my reverse proxy.

When it worked, I had the appropriate log entries in adguard. Now, nothing shows up there, meaning that my fritzbox does not direct the URL nextcloud.domain.com to adguard.

To summarize what I did:

  • add nextcloud.domain.com to my reverse proxy (NPM) to point to 192.168.178.36:8086

  • add a DNS rewrite to adguard from nextcloud.domain.com to my reverse proxy, 192.168.178.36

  • add adguard as my local DNS in my fritzbox for IPv4

  • change my PC’s DNS to adguard

  • add nextcloud.domain.com as exception to the DNS-Rebind-Protection in my router

This should point nextcloud.domain.com internally to Adguard (192.168.178.54), which rewrites that URL to my reverse proxy (192.168.178.36), which points to nextcloud (192.168.178.36:8086). In theory it should work, and it did, but now it isn’t working :roll_eyes: I rebooted everything multiple times. Any ideas?


Hi
I haven’t had the chance to properly look into this, but now I did and tried a few things:

  • In AdGuard, I added a DNS rewrite from nextcloud.mydomain.com to 192.168.178.36 (one node of my RPI docker swarm that runs nextcloud)
  • on the same node, I installed nginx proxy manager, created nextcloud.mydomain.com and pointed it to my nextcloud instance (192.168.178.36:8086)
  • I requested an SSL certificate in NPM for that host using a DNS challenge
  • in my router, I added an exception for nextcloud.mydomain.com in the DNS-rebind-protection settings

When I go to 192.168.178.36:8086 in Chrome private mode or Edge, it redirects me to nextcloud.mydomain.com. I haven’t figured out yet why it doesn’t work on a regular Chrome window. I already deleted all the cookies and restarted the browser.

In private mode and Edge, I can normally login. I would assume that I’m using the route through my local network, not through the internet since I’m DNS rewriting the URL to my local IP. Upon downloading a larger file, I noticed that it maxes out at 4 MB/s, which is roughly equal to my 40 MBit/s upload speed. Internally, I’m running a GBit-network, so the speed should be much higher (more like ~125 MB/s).

So it seems I’m not going through my local network. What am I doing wrong here?

My setup has slightly changed. I’m using a Cloudflare tunnel now to access Nextcloud, rather than opening ports and using a reverse proxy. The reverse proxy is only running so that I can access Nextcloud internally via HTTPS, since all URLs are rewritten to HTTPS.

Here the relevant snippet of my config:

  'trusted_domains' =>
  array (
    0 => '192.168.178.36:8086',
    1 => 'nextcloud.mydomain.com',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.178.36',
  ),
  'overwritehost' => 'nextcloud.mydomain.com',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',

When I ping nextcloud.mydomain.com, I get a Cloudflare IP as response. When I go to the URL, it seems to load somewhat faster (hint to it not going through the internet?) and I get an entry in Adguard’s query log that nextcloud.mydomain.com has been rewritten to 192.168.178.36.

Basically, I cannot login from 192.168.178.36:8086, and when it “redirects” the URL to the internal IP, it’s still going through the internet instead of staying local.

You don’t need to guess which connection you are using - F12 (developer tools) is your friend - you can see the destination IP of each request…

I can’t say why your browser prefers the external path, everything you write sounds reasonable (except the fact that ping to nextcloud.mydomain.com goes to the external IP). Maybe you need to double check the DNS servers of the client, maybe clear the cache, review if IPv6 is used (often it’s preferred I think).

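The suggestion above to check the client's resolver and IPv6 can be turned into a quick test. The Python block below is an added diagnostic written for this thread, not an AdGuard or Nextcloud tool: it resolves a hostname through the client's configured resolver (A and AAAA), classifies every answer as LAN or internet, and reports "mixed" when a DNS rewrite covers the A record but the AAAA answer still points outside, the situation in which a dual-stack client generally prefers the IPv6 answer and takes the internet path. The LAN ranges are RFC 1918, IPv6 ULA and link-local; the address 46.29.100.42 comes from the ping output earlier in the thread, and 2001:db8::1 is a documentation-prefix placeholder standing in for a public AAAA answer.

```python
"""Split-horizon DNS check from the client's point of view.
Added diagnostic for this thread (not a project tool). Assumption: the
split-horizon setup only works if every answer the client gets, A and AAAA,
points inside the LAN."""
import ipaddress
import socket
import sys

# Ranges treated as "inside the LAN": RFC 1918, IPv6 unique-local, link-local.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "fc00::/7", "fe80::/10")]


def is_lan_address(addr):
    """True for addresses inside LAN_NETWORKS; strips an IPv6 zone id (%eth0)."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    return any(ip in net for net in LAN_NETWORKS)


def classify_answers(answers):
    """Split resolver answers into LAN and internet addresses."""
    return {"lan": [a for a in answers if is_lan_address(a)],
            "internet": [a for a in answers if not is_lan_address(a)]}


def split_horizon_verdict(answers):
    """'lan' when all answers are internal, 'internet' when none are,
    'mixed' when both kinds are present (typically: A rewritten to the LAN,
    AAAA still from the public zone), 'unresolved' for no answer at all."""
    groups = classify_answers(answers)
    if not answers:
        return "unresolved"
    if not groups["internet"]:
        return "lan"
    if not groups["lan"]:
        return "internet"
    return "mixed"


def resolve(hostname):
    """Live A+AAAA lookup through this client's configured resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Usage: python3 split_horizon_check.py nextcloud.mydomain.com
    host = sys.argv[1] if len(sys.argv) > 1 else "nextcloud.mydomain.com"
    answers = resolve(host)
    print(host, "->", answers, "=>", split_horizon_verdict(answers))
```

Run it on the PC that shows the slow path: "lan" means the rewrite is in effect for every family, "internet" means the client is not asking the local resolver (or caches an old answer), and "mixed" means an AAAA record is leaking past the IPv4 rewrite, which is what disabling IPv6 on the client works around.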

I think disabling IPv6 did the trick!!

I still can’t login when accessing it via the local IP directly, but I think it has something to do with the overwritecli or something. Doesn’t matter though, as the URL now points to the local IP, so it behaves as I was accessing via the local IP!

Thanks for your help!