After I started using Nextcloud, the Nginx reverse proxy throws Error 502

Hi,

I installed a new Nextcloud (which was working for days) and was checking something (I didn’t change anything!) and all of a sudden I get an Error 502 from my reverse proxy. Within the LAN Nextcloud still works, so it must be an error at the reverse proxy. I use the same config file which I have used for many years (just changed the IP and the domain). It is secured with certbot.

What can I do?

Edit: I think the problem is that every damn tutorial for installing Nextcloud uses some certificates. But I’m using a reverse proxy which already handles the certificates, so this f*cked up everything.

I tried to comment out the ssl part in the nginx config of the Nextcloud server:

server_name cloud.mydomain.de;
#listen 443 ssl http2 default_server;
#listen [::]:443 ssl http2 default_server;
#server_name cloud;
#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
#ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
#ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
#ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
#ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:50m;
#ssl_session_tickets off;
#ssl_protocols TLSv1.3 TLSv1.2;
#ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
#ssl_ecdh_curve X448:secp521r1:secp384r1;
#ssl_prefer_server_ciphers on;
#ssl_stapling on;
#ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
fastcgi_read_timeout 3600;
fastcgi_send_timeout 3600;
fastcgi_connect_timeout 3600;
root /var/www/nextcloud;
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
location = /.well-known/carddav {
    return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
    return 301 $scheme://$host:$server_port/remote.php/dav;
}
client_max_body_size 10240M;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
*snip

But still no luck.

These are the errors from the reverse proxy:

2021/02/16 14:40:25 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:40:25 [error] 466#466: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:40:26 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:40:28 [error] 466#466: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/09/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/09/", host: "cloud.mydomain.de"
2021/02/16 14:40:30 [error] 466#466: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "POST /index.php/apps/phonetrack/logPost/207a04a3b3cc73fc074f2b552bfd012f/XZ2 HTTP/1.1", upstream: "https://192.168.100.156:443/index.php/apps/phonetrack/logPost/207a04a3b3cc73fc074f2b552bfd012f/XZ2", host: "cloud.mydomain.de"
2021/02/16 14:40:33 [error] 466#466: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/08/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/08/", host: "cloud.mydomain.de"
2021/02/16 14:40:36 [error] 466#466: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/12/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/12/", host: "cloud.mydomain.de"
2021/02/16 14:40:43 [error] 466#466: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/09/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/09/", host: "cloud.mydomain.de"
2021/02/16 14:40:43 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:40:56 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:40:57 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:41:13 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:41:20 [error] 466#466: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/07/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/07/", host: "cloud.mydomain.de"
2021/02/16 14:41:26 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:41:27 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:41:43 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:41:57 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:41:58 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:42:13 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:42:27 [error] 466#466: *58 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/03/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/03/", host: "cloud.mydomain.de"
2021/02/16 14:42:28 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:42:29 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:42:43 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:42:45 [error] 466#466: *58 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/07/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/07/", host: "cloud.mydomain.de"
2021/02/16 14:42:59 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:42:59 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:43:09 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v2.php/apps/notifications/api/v2/notifications?format=json", host: "cloud.mydomain.de"
2021/02/16 14:43:13 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:43:30 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:43:31 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:43:39 [error] 466#466: *58 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2019/10/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2019/10/", host: "cloud.mydomain.de"
2021/02/16 14:43:43 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:44:01 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:44:02 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:44:13 [error] 466#466: r3.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/letsencrypt/live/mydomain-0001/fullchain.pem"
2021/02/16 14:44:13 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:44:16 [error] 466#466: *90 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET / HTTP/1.1", upstream: "https://192.168.100.156:443/", host: "cloud.mydomain.de"
2021/02/16 14:44:18 [error] 466#466: *93 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET / HTTP/1.1", upstream: "https://192.168.100.156:443/", host: "cloud.mydomain.de"
2021/02/16 14:44:32 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:44:33 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:44:43 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:44:48 [error] 466#466: *102 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/01/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/01/", host: "cloud.mydomain.de"
2021/02/16 14:44:55 [error] 466#466: *112 connect() failed (113: No route to host) while connecting to upstream, client: 93.158.66.20, server: office.mydomain.de, request: "HEAD /.git/config HTTP/1.1", upstream: "https://192.168.100.210:443/.git/config", host: "office.mydomain.de"
2021/02/16 14:45:03 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:45:04 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:45:13 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:45:19 [error] 466#466: *144 connect() failed (113: No route to host) while connecting to upstream, client: 93.158.66.20, server: eln.mydomain.de, request: "HEAD /.git/config HTTP/1.1", upstream: "http://192.168.100.210:80/.git/config", host: "eln.mydomain.de"
2021/02/16 14:45:19 [error] 466#466: *146 connect() failed (113: No route to host) while connecting to upstream, client: 93.158.66.20, server: office.mydomain.de, request: "HEAD /.env HTTP/1.1", upstream: "https://192.168.100.210:443/.env", host: "office.mydomain.de"
2021/02/16 14:45:34 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:45:35 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:45:43 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"
2021/02/16 14:45:47 [error] 466#466: *102 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2020/12/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2020/12/", host: "cloud.mydomain.de"
2021/02/16 14:45:47 [error] 466#466: *187 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "POST /index.php/apps/phonetrack/logPost/207a04a3b3cc73fc074f2b552bfd012f/XZ2 HTTP/1.1", upstream: "https://192.168.100.156:443/index.php/apps/phonetrack/logPost/207a04a3b3cc73fc074f2b552bfd012f/XZ2", host: "cloud.mydomain.de"
2021/02/16 14:45:51 [error] 466#466: *102 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "HEAD /remote.php/webdav/SofortUpload/2019/11/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/webdav/SofortUpload/2019/11/", host: "cloud.mydomain.de"
2021/02/16 14:46:05 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", upstream: "https://192.168.100.156:443/ocs/v1.php/cloud/user?format=json", host: "cloud.mydomain.de"
2021/02/16 14:46:06 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /remote.php/dav/avatars/user/128.png HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/avatars/user/128.png", host: "cloud.mydomain.de"
2021/02/16 14:46:13 [error] 466#466: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "PROPFIND /remote.php/dav/files/user/ HTTP/1.1", upstream: "https://192.168.100.156:443/remote.php/dav/files/user/", host: "cloud.mydomain.de"

and these are the errors (many similar ones) from nginx on the Nextcloud host:

2021/02/16 14:10:33 [warn] 592#592: *15227 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/4/52/0000000524 while reading upstream, client: 192.168.100.110, server: homecloud
2021/02/16 14:10:33 [warn] 592#592: *15229 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/5/52/0000000525 while reading upstream, client: 192.168.100.110, server: homecloud
2021/02/16 14:10:34 [warn] 589#589: *15253 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/6/52/0000000526 while reading upstream, client: 192.168.100.110, server: homecloud
2021/02/16 14:10:34 [warn] 592#592: *15283 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/7/52/0000000527 while reading upstream, client: 192.168.100.110, server: homecloud
2021/02/16 14:10:34 [warn] 592#592: *15285 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/8/52/0000000528 while reading upstream, client: 192.168.100.110, server: homecloud
2021/02/16 14:10:35 [warn] 592#592: *15313 an upstream response is buffered to a temporary file /var/cache/nginx/fastcgi_temp/9/52/0000000529 while reading upstream, client: 192.168.100.110, server: homecloud
2021/02/16 14:25:44 [warn] 1786#1786: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"
2021/02/16 14:26:24 [warn] 186#186: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"
2021/02/16 14:28:09 [warn] 582#582: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"

The reverse proxy has this IP: 192.168.100.110

What’s notable: here the server is called “homecloud”. But I changed the hostname to “cloud” (and it did work for some hours).

Hey,
Is it working on port 80 (unsecured)?

I think I found the problem:
I used this installation script: Nextcloud 23 (Nextcloud Hub II) Installationsskript - Carsten Rieger IT-Services

This script installs some certs. Since I’m using an Nginx reverse proxy with certbot, this f*cks up my config.
How can I remove these certs?

This is my nginx-config from nextcloud:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name cloud.mydomain.de;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
    ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
    ssl_ecdh_curve X448:secp521r1:secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    fastcgi_hide_header X-Powered-By;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_connect_timeout 3600;
    root /var/www/nextcloud;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    client_max_body_size 10240M;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-f
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ^~ /apps/rainloop/app/data {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}

I think the simplest way is to back up your configuration, take the official config for nginx from https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html , remove the ssl lines (ssl_certificate and ssl_certificate_key) and finally launch certbot to renew your certificate (if certbot says that there is already a certificate, choose to renew the certificate anyway).

There are two nginx configs; choose the right one.
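As an added example (not the original poster's config, not the Carsten Rieger script's, and not the Nextcloud manual's own), here is the pair of configs that the first post and the advice above imply once TLS is terminated only at the reverse proxy: the proxy at 192.168.100.110 terminates HTTPS with the certbot certificate and forwards plain HTTP to the Nextcloud host at 192.168.100.156 on port 80, which is the port the manual's server block listens on. The "connect() failed (111: Connection refused)" lines in the proxy log are what you get while the proxy still dials https://192.168.100.156:443 after the backend's 443 listener has been commented out. The upstream name nextcloud_backend and the file path in the first comment are assumptions; the certificate lineage path is taken from the OCSP line in the proxy's error log, the ACME webroot from the commented-out http.conf, and the addresses and names from the thread. The proxy block also drops the /.git/config and /.env probes that an outside address (93.158.66.20) is sending to the other vhosts in the same log.

```nginx
# --- Reverse proxy host 192.168.100.110: /etc/nginx/conf.d/cloud.conf (assumed path) ---

upstream nextcloud_backend {
    # Assumed name. The port must be one the Nextcloud host really listens on;
    # "connect() failed (111: Connection refused)" means it was not.
    server 192.168.100.156:80;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.mydomain.de;

    # Answer ACME HTTP-01 challenges here (webroot as in the posted http.conf);
    # everything else is sent to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.mydomain.de;

    # Lineage name taken from the OCSP line in the proxy's error log.
    ssl_certificate     /etc/letsencrypt/live/mydomain-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain-0001/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS belongs on the host that terminates TLS. The other X-* headers are
    # already sent by the Nextcloud host's config and pass through unchanged.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    # Desktop/mobile clients upload large files and keep WebDAV requests open.
    client_max_body_size 10240M;
    proxy_request_buffering off;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;

    # Refuse dotfile probes such as /.git/config and /.env at the edge, but keep
    # /.well-known reachable so the CalDAV/CardDAV redirects still work.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    location / {
        proxy_pass http://nextcloud_backend;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  $host;
    }
}

# --- Nextcloud host 192.168.100.156: http {} block of /etc/nginx/nginx.conf ---

# Trust X-Forwarded-For only when it arrives from the proxy. With 127.0.0.1
# here the header is ignored and every client appears as 192.168.100.110.
set_real_ip_from 192.168.100.110;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

# The server block stays the manual's plain-HTTP one
#     listen 80; listen [::]:80; server_name cloud.mydomain.de;
# with no ssl_* directives. "fastcgi_param HTTPS on;" may stay, but the public
# scheme, host and the proxy address should be pinned in config/config.php so
# generated URLs and logged client IPs are right:
#   'trusted_domains'   => ['cloud.mydomain.de'],
#   'trusted_proxies'   => ['192.168.100.110'],
#   'overwriteprotocol' => 'https',
#   'overwritehost'     => 'cloud.mydomain.de',
#   'overwrite.cli.url' => 'https://cloud.mydomain.de',
```

Two checks before reloading: run nginx -t on both hosts, and on the Nextcloud host confirm that something listens on port 80 (ss -ltn) so the proxy stops getting ECONNREFUSED. The set_real_ip_from value matters: with 127.0.0.1, as in the nginx.conf posted later in this thread, the X-Forwarded-For header from 192.168.100.110 is never honoured and Nextcloud's brute-force protection and logs see the proxy address for every client. The plain-HTTP hop is only acceptable if the 192.168.100.0/24 segment is trusted; otherwise keep TLS between proxy and backend (proxy_pass https://..., proxy_ssl_verify on with proxy_ssl_trusted_certificate pointing at the backend's CA) and point the upstream at port 443 again.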

This gives me errors as well.
It tells me: "nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf.d/nextcloud.conf:77"

You can’t comment out php-handler; it is necessary.

It was a duplicate in /etc/nginx/conf.d/http.conf.

But the error on line 77 remains.
This is line 77 and onward:
location = / {
    if ( $http_user_agent ~ ^DavClnt ) {
        return 302 /remote.php/webdav/$is_args$args;
    }
}

This is my general nginx.conf :

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

Try to format your code before sending it

Well, the good question is what happens before line 77 that does not allow the location directive to be used there…? Maybe a ; is missing? :wink:

Thanks for sharing. Could you show me your /etc/nginx/nginx.conf as well?

I copy-pasted it from the manual and commented out the SSL part.

Actually, it is my nginx.conf. I have no http.conf in the conf.d directory.

You don’t have a /etc/nginx/conf.d/nextcloud.conf?

No… And it’s very strange to put your nextcloud.conf under the conf.d directory. There is a main nginx configuration in /etc/nginx/nginx.conf. Your nextcloud.conf should be written to /etc/nginx/sites-available and you should make a symbolic link in /etc/nginx/sites-enabled.

Edit:
Ironically, the article that I myself quoted contradicts me. I installed nginx with apt and you have certainly installed nginx from the official Nginx repository.
So your nginx.conf is probably your http.conf, and my nextcloud.conf is in another directory.

We can’t compare our configuration files. Can you show all your config files (except nextcloud.conf) and the directory tree?

Hmm, very strange.

I have these files:
/etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}
http {
    server_names_hash_bucket_size 64;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    set_real_ip_from 127.0.0.1;
    #set_real_ip_from 192.168.2.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    send_timeout 3600;
    tcp_nopush on;
    tcp_nodelay on;
    open_file_cache max=500 inactive=10m;
    open_file_cache_errors on;
    keepalive_timeout 65;
    reset_timedout_connection on;
    server_tokens off;
    resolver 127.0.0.53 valid=30s;
    resolver_timeout 5s;
    include /etc/nginx/conf.d/*.conf;
}

Then I have /etc/nginx/conf.d/http.conf.
Here I needed to comment out everything, otherwise it would tell me that there is a duplicate of the upstream php-handler:

#upstream php-handler {
#    server unix:/run/php/php7.4-fpm.sock;
#}
#server {
#    listen 80 default_server;
#    listen [::]:80 default_server;
#    server_name cloud.mydomain.de;
#    root /var/www;
#    location ^~ /.well-known/acme-challenge {
#        default_type text/plain;
#        root /var/www/letsencrypt;
#    }
#    location / {
#        return 301 https://$host$request_uri;
#    }
#}

And then I have this last file: /etc/nginx/conf.d/nextcloud.conf

upstream php-handler {
    server 127.0.0.1:9000;
    server unix:/var/run/php/php7.4-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.mydomain.de;


    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application$

    fastcgi_hide_header X-Powered-By;
    root /var/www/nextcloud;

    index index.php index.html /index.php$request_uri;

    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ^~ /.well-known {
        # The following 6 rules are borrowed from `.htaccess`

        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }

        try_files $uri $uri/ =404;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ \.(?:css|js|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

But still the same error (502 Bad Gateway).

What I noticed: if I try to open the IP of the nextcloud via https it tells me “no connection”, but when I try to open it with http everything works. But not with the domain name over the reverse proxy.

A curl from the reverse proxy to nextcloud gives me this error:
curl cloud.mydomain.de
curl: (7) Failed to connect to cloud.mydomain.de port 80: Connection timed out

I uninstalled nginx and I'm trying my best with apache2 now. I copied the config file from my other nextcloud.

At least I can now curl the IP of the nextcloud instance:

curl 192.168.100.156
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://192.168.100.156/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.100.156 Port 80</address>
</body></html>

but curl with the domain doesn't work. And I can't access it via Firefox either.

I deactivated a rewrite rule within the apache2 config and now I can access the nextcloud via the internal IP with Firefox, but curl from the reverse proxy doesn't work anymore for the IP.
This is the error log of the reverse proxy:

2021/02/17 10:48:53 [error] 1077#1077: *359 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:49:25 [error] 1077#1077: *364 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:49:57 [error] 1077#1077: *371 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:50:29 [error] 1077#1077: *386 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:51:01 [error] 1077#1077: *391 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:51:33 [error] 1077#1077: *398 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:52:05 [error] 1077#1077: *407 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:52:16 [error] 1077#1077: *410 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.97, server: cloud.mydomain.de, request: "GET /index.php/204 HTTP/1.1", upstream: "https://192.168.100.156:443/index.php/204", host: "cloud.mydomain.de"
2021/02/17 10:52:36 [error] 1077#1077: *419 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:52:38 [error] 1077#1077: *423 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET / HTTP/1.1", upstream: "https://192.168.100.156:443/", host: "cloud.mydomain.de"
2021/02/17 10:53:06 [error] 1077#1077: *428 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:53:38 [error] 1077#1077: *447 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:54:10 [error] 1077#1077: *454 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"

EDIT:
IT WORKS!!!

I changed the proxy_pass in the reverse proxy from https://192.168.100.156:443; to http://192.168.100.156:80;

This is the reverse proxy config file now:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  server_name cloud.mydomain.de;
  return 301 https://$host$request_uri;
}

# SSL configuration
server {
  listen 443 ssl;
  server_name cloud.mydomain.de;
  ssl_certificate      /etc/letsencrypt/live/cloud.mydomain.de/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/cloud.mydomain.de/privkey.pem;

  # Improve HTTPS performance with session resumption
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Enable server-side protection against BEAST attacks
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

  # Disable SSLv3
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # Diffie-Hellman parameter for DHE ciphersuites
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

  # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/cloud.mydomain.de/fullchain.pem;
  resolver 192.168.100.13 192.168.100.1 valid=600s;
  resolver_timeout 15s;

  location / {
    proxy_pass http://192.168.100.156:80;
    proxy_set_header Host $host;
    proxy_redirect http:// $scheme://;  #https://;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Connection $connection_upgrade;
    proxy_read_timeout 300;
    client_max_body_size 16400M;
    proxy_connect_timeout       600;
    proxy_send_timeout          600;
    send_timeout                600;
    proxy_max_temp_file_size           0;
  }
}

The webserver is now running apache2. What should I check if I forgot something to install/change/optimize?

Edit2: hmm, Firefox tells me that the connection isn't secure for some parts like figures. How can I solve this?
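The three failure kinds in the proxy's error_log above (no route to host, the "wrong version number" TLS handshake against a plain-HTTP port, and later connection refused) can be told apart mechanically. This is an added example, not code from the thread: it parses nginx upstream error lines, reads the upstream scheme and port, and maps each failure to what it usually means for the backend; the sample lines are constructed in the same format as the log quoted above.

```python
import re

# Constructed sample lines in the same format as the error_log quoted in the
# thread (addresses and hostnames reused from it); one line per failure kind.
SAMPLE_LOG = """\
2021/02/17 10:48:53 [error] 1077#1077: *359 connect() failed (113: No route to host) while connecting to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/17 10:52:36 [error] 1077#1077: *419 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 192.168.50.100, server: cloud.mydomain.de, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.100.156:443/status.php", host: "cloud.mydomain.de"
2021/02/19 17:52:35 [error] 1104#1104: *33694 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.217, server: cloud.mydomain.de, request: "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", upstream: "http://192.168.100.156:80/ocs/v2.php/apps/notifications/api/v2/notifications", host: "cloud.mydomain.de"
"""
# Parser for an nginx upstream error line: timestamp, failure message, client, upstream URL.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] .*?: \*\d+ (?P<msg>.+?) while '
    r'(?:connecting|SSL handshaking) to upstream, client: (?P<client>[^,]+), '
    r'.*?upstream: "(?P<upstream>[^"]+)"'
)
UPSTREAM_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^:/]+):(?P<port>\d+)')
# Substring of the failure message -> (kind, what it usually means for the backend).
DIAGNOSES = [
    ("wrong version number", "tls-to-plaintext",
     "proxy_pass uses https:// but the backend port answers plain HTTP"),
    ("113: No route to host", "unreachable",
     "no network path to the backend host (routing, firewall, host down)"),
    ("111: Connection refused", "refused",
     "host reachable but nothing accepts on that port (service down or proxy IP banned)"),
]

def classify(line):
    """Parse one error_log line; return None for lines that are not HTTP upstream failures."""
    m = LINE_RE.search(line)
    up = UPSTREAM_RE.match(m["upstream"]) if m else None
    if not up:
        return None
    kind, meaning = "unknown", "check the backend's own logs"
    for needle, k, why in DIAGNOSES:
        if needle in m["msg"]:
            kind, meaning = k, why
            break
    return {"ts": m["ts"], "client": m["client"], "kind": kind, "meaning": meaning,
            "scheme": up["scheme"], "host": up["host"], "port": int(up["port"])}

def summarise(log_text):
    """Count failures per (upstream scheme://host:port, kind) so the pattern stands out."""
    counts = {}
    for line in log_text.splitlines():
        d = classify(line)
        if d:
            key = (f'{d["scheme"]}://{d["host"]}:{d["port"]}', d["kind"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Against a real file, `summarise(open("/var/log/nginx/error.log").read())` shows at a glance whether the failures cluster on an https:// upstream (scheme mismatch) or on refused connections (service down or a ban).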

Okay, now after 2 days it stopped working again…

This is the error within the nginx-reverse proxy:

2021/02/19 17:52:35 [error] 1104#1104: *33694 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.0.217, server: cloud.mydomain.de, request: "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1", upstream: "http://192.168.100.156:80/ocs/v2.php/apps/notifications/api/v2/notifications", host: "cloud.mydomain.de"

I can’t see any errors within apache2 of the nextcloud server.

Edit: Ah okay, I see the error. This time it was fail2ban on the nextcloud server. Someone tried to log in to my server, but fail2ban identified the IP of the reverse proxy as the attacker (192.168.100.110). How can I pass through the external IPs of the attackers?
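The proxy config above already sends X-Forwarded-For and X-Real-IP, and the earlier nginx.conf used set_real_ip_from with real_ip_recursive for the same purpose; the backend only attributes the right address if it applies the same trust rule. This added example (not from the thread) shows that rule in Python: the forwarded header is honoured only when the TCP peer is a trusted proxy, and the chain is walked right to left past trusted hops, so a direct client cannot spoof the header. The trusted proxy address 192.168.100.110 is taken from the post; the sample client addresses are constructed.

```python
import ipaddress

# The reverse proxy from the thread (192.168.100.110) is the only peer whose
# X-Forwarded-For header may be believed. Constructed example list.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.100.110/32")]

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)

def real_client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES, recursive=True):
    """Address a request should be attributed to (e.g. by a ban filter).

    Mirrors nginx's set_real_ip_from / real_ip_recursive semantics: start at the
    TCP peer and step leftwards through X-Forwarded-For only across trusted
    proxies; the first untrusted hop is the client. A header sent by an
    untrusted peer is ignored entirely.
    """
    if not x_forwarded_for or not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]          # non-recursive mode: trust only the last entry
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                # malformed hop: keep the last valid address
        candidate = hop
        if not is_trusted(hop, trusted):
            break                # first untrusted address is the real client
    return candidate

def attribute_for_ban(log_entry, trusted=TRUSTED_PROXIES):
    """What a fail2ban-style filter on the backend should key on, not the peer address."""
    return real_client_ip(log_entry["remote_addr"], log_entry.get("x_forwarded_for"), trusted)
```

Nextcloud applies the same rule through the trusted_proxies and forwarded_for_headers keys in config.php, and Apache needs mod_remoteip so its own access log (which fail2ban reads) records the forwarded address.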

Sorry, but I have never really used Nginx as a real reverse proxy, for various reasons. I have created new subdomains if I needed them (new services). So I can't help you.

I did as well, but since I only have one IP I need a reverse proxy.

I have one IP address too. You can have many subdomains for one IP address.