Access NC via local IP with overwrite.cli.url

Nextcloud version (eg, 20.0.5): 20.0.4
Operating system and version (eg, Ubuntu 20.04): Raspberry Pi OS 11
Apache or nginx version (eg, Apache 2.4.25): 2.4.54
PHP version (eg, 7.4): 8.0.22

The issue you are facing:

I am running Nextcloud on a docker swarm behind an nginx reverse proxy protected by Cloudflare. In theory, everything is working fine. One issue I’m facing is that when I want to access my server with the desktop app, I cannot use https://nextcloud.mydomain.com because of the following error:

The polling URL does not start with HTTPS despite the login URL started with HTTPS. Login will not be possible because this might be a security issue. Please contact your administrator

I fixed this by changing the following:

From
'overwrite.cli.url' => 'localip:port',
to
'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
'overwriteprotocol' => 'https',

By doing so, I cannot access my server via localip:port anymore. I get the following error:

ERR_TOO_MANY_REDIRECTS

When I try to access it in a private browser window (no cookies etc) I get to the login page, but then the loading thing in the “signing in”-button just turns, but nothing happens.

Under Admin > Logging it doesn’t show anything related, the last entry is from a few days ago, even though I just tried to access it and all options are ticked. The log in portainer shows the following:

10.0.0.2 - - [29/Aug/2022:16:05:02 +0000] "GET /login?redirect_url=/apps/files/ HTTP/1.1" 200 8424 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
10.0.0.2 - - [29/Aug/2022:16:05:07 +0000] "POST /login HTTP/1.1" 303 1504 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocmnyk01f68r',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => '192.168.178.36:8086',
    1 => 'nextcloud.mydomain.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '24.0.4.1',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'loglevel' => 2,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'xxx',
  'mail_domain' => 'mail.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'xxx',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'xxx',
  'mail_smtppassword' => 'xxx',
);

The output of your Apache/nginx/system log in /var/log/____:

"apache2/access.log" is a device file

In such a case the most useful logging would be the browser dev console (F12): you will see which resources your browser looks for and which redirects it follows. Try to understand and adapt to the right values…

Please review the reverse proxy config as well. I’m missing overwritehost and trusted_proxies in your config.php.

My new config.php:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\OC\Memcache\Redis',
  'redis' => [
       'host' => 'redis',
       'port' => 6379,
  ],
  'memcache.locking' => '\OC\Memcache\Redis',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocmnyk01f68r',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' =>
  array (
    0 => '192.168.178.36:8086',
    1 => 'nextcloud.domain.com',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.178.36',
  ),
  'overwritehost' => 'nextcloud.domain.com',
  'overwrite.cli.url' => 'https://nextcloud.domain.com',
  'overwriteprotocol' => 'https',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '24.0.4.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'loglevel' => 2,
);

My swarm has 4 nodes and all my services are accessible via all IPs of every node. I use 192.168.178.36:Port to access all my services.

In the console, this is what I get when I go to 192.168.178.36:8086/apps/files and it redirects me to http://192.168.178.36:8086/login?redirect_url=/apps/files/ and I try to log in:

Under “Headers” → “Response Headers” it says “Location: https://nextcloud.domain.com/apps/files”. So it seems that when I go directly to 192.168.178.36:8086/apps/files while logged off, it redirects me to the login page, which it should, and then wants to redirect me to https://nextcloud.domain.com/apps/files.

When I go to 192.168.178.36:8086 (without /apps/files/), it automatically redirects to https://nextcloud.domain.com. Basically, only using the local IP does not work, probably due to the overwrites?

You have talked about the same issue in this thread as well. My train of thought is that I want my PC, since it’s stationary, to access my server through the local network as traffic is much faster rather than go through the internet to access it. For my laptop and phone, I don’t really care and they may use the public address. Does that make any sense?

The solution is what is called split-brain DNS or split-horizon DNS: in short, you point exactly the same hostname to different IP addresses. On the internet it points to your public IP and within the LAN to your internal IP (ideally both point to your external reverse proxy). This makes all the clients access the system in the same way (only the very low-level details differ).

See similar discussions (most of the topics have multiple references as well):

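To illustrate why the direct LAN request to 192.168.178.36:8086 gets a Location header pointing at https://nextcloud.domain.com while a proxied request does not, here is a simplified model of how overwritehost/overwriteprotocol (together with trusted_proxies and the related overwritecondaddr option, which limits the overwrites to matching client addresses) pick the host and scheme used in redirect URLs. This is an added example, not Nextcloud’s code; the client address 192.168.178.20 and the request fields are constructed.

```python
# Added illustration (not Nextcloud's code): a simplified model of how the
# overwritehost / overwriteprotocol / overwritecondaddr / trusted_proxies
# settings decide which host and scheme end up in a redirect Location header.
import re

def effective_base_url(config: dict, request: dict) -> str:
    """Return scheme://host that a Nextcloud-like server would put into
    absolute redirect URLs, given config.php values and the incoming request."""
    remote = request["remote_addr"]
    # X-Forwarded-* headers are only honoured when the direct peer is a trusted proxy.
    from_proxy = remote in config.get("trusted_proxies", [])
    host = request["host"]
    proto = request.get("proto", "http")
    if from_proxy:
        host = request.get("x_forwarded_host", host)
        proto = request.get("x_forwarded_proto", proto)
    # overwrite* apply when overwritecondaddr is unset, or its regex matches REMOTE_ADDR.
    cond = config.get("overwritecondaddr", "")
    overwrite = cond == "" or re.search(cond, remote) is not None
    if overwrite and config.get("overwritehost"):
        host = config["overwritehost"]
    if overwrite and config.get("overwriteprotocol"):
        proto = config["overwriteprotocol"]
    return f"{proto}://{host}"

# Constructed sample: the poster's settings (hosts/IPs as they appear in the thread).
CONFIG = {
    "trusted_proxies": ["192.168.178.36"],
    "overwritehost": "nextcloud.domain.com",
    "overwriteprotocol": "https",
}

def lan_direct():
    """PC on the LAN (constructed address) hitting the container port directly."""
    return effective_base_url(CONFIG, {"remote_addr": "192.168.178.20",
                                       "host": "192.168.178.36:8086"})

def via_proxy():
    """Same PC after split-horizon DNS: the request arrives through the reverse proxy."""
    return effective_base_url(CONFIG, {"remote_addr": "192.168.178.36",
                                       "host": "nextcloud.domain.com",
                                       "x_forwarded_proto": "https"})

def lan_direct_with_condaddr():
    """Alternative: restrict the overwrites to requests that came via the proxy."""
    cfg = dict(CONFIG, overwritecondaddr=r"^192\.168\.178\.36$")
    return effective_base_url(cfg, {"remote_addr": "192.168.178.20",
                                    "host": "192.168.178.36:8086"})

if __name__ == "__main__":
    print(lan_direct(), via_proxy(), lan_direct_with_condaddr())
```

Note that in the access log above the peer address is 10.0.0.2 (the swarm ingress), so whatever address the container actually sees is what trusted_proxies and overwritecondaddr must match, not the LAN address of the node.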

So what I understood is:

  • I set up nextcloud.domain.com in my reverse proxy to point to the local IP of my nextcloud instance, e.g. 192.168.178.36:8086 (which I did anyway)

  • in my local DNS (Adguard) I add a DNS record (DNS rewrite) pointing nextcloud.domain.com to my reverse proxy, e.g. 192.168.178.36.

From here on, my reverse proxy should redirect the traffic to 192.168.178.36:8086.

The two internal IPs are the same as all my containers (nextcloud, nginx proxy manager, etc.) run on a docker swarm, so 192.168.178.36 is pointing to the swarm’s internal load balancer, which then redirects the requests to the proper docker internal IP.

Is this concept correct?

So far it isn’t working. NPM is using ports 80 and 443, port 81 for the GUI. When I do “ping nextcloud.domain.com”, it says “pinging ip.block.dt.de (46.29.100.42) - ping timeout”

I should mention that I don’t have a proper internet connection atm because I’m switching providers today. But since all of that should be happening internally, this shouldn’t matter, right?

In my FritzBox, I have set up Adguard as my local DNS. I also changed the public DNS server to Adguard and 8.8.8.8.

I also rebooted my PC to reset all network settings and cache, even though I haven’t changed anything on my PC.

Edit: now it says “the DNS address of nextcloud.domain.com could not be found”, which is weird because the entry does exist in Adguard. When I go to 192.168.178.36, I get the congratulations page of NPM, so that’s working as well.

Edit2: funny, I get the error with every domain. I wonder if it’s because I don’t have any internet atm. The log in Adguard even states that it received the request for nextcloud.domain.com and rewrote it to 192.168.178.36 with no errors, but it still doesn’t work. It should work even without an internet connection, right? All my devices can communicate since the local network is still up.

Edit3: I removed the adguard entry in my fritzbox to use adguard globally as then only my router is shown in adguard as client. I added nextcloud.domain.com into the dns-rebind-protection-exceptions of my FritzBox and I needed to change the DNS of the PC to adguard manually, setting it up in the router only wasn’t enough. This was the missing piece of the puzzle!


It’s so strange! It all worked, I changed back the DNS settings of my PC to default to see if it’s necessary to point to adguard and apparently it was, so I changed it back to point to adguard and now it’s not working. It doesn’t try to redirect to my reverse proxy.

When it worked, I had the appropriate log entries in adguard. Now, nothing shows up there, meaning that my fritzbox does not direct the URL nextcloud.domain.com to adguard.

To summarize what I did:

  • add nextcloud.domain.com to my reverse proxy (NPM) to point to 192.168.178.36:8086

  • add a DNS rewrite to adguard from nextcloud.domain.com to my reverse proxy, 192.168.178.36

  • add adguard as my local DNS in my fritzbox for IPv4

  • change my PC’s DNS to adguard

  • add nextcloud.domain.com as exception to the DNS-Rebind-Protection in my router

This should point nextcloud.domain.com internally to Adguard (192.168.178.54), which rewrites that URL to my reverse proxy (192.168.178.36), which points to nextcloud (192.168.178.36:8086). In theory it should work, and it did, but now it isn’t working :roll_eyes: I rebooted everything multiple times. Any ideas?
