Another case of help with NC behind a reverse proxy

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.5
  • Operating system and version (e.g., Ubuntu 24.04):
    • FreeBSD 13.3-RELEASE
  • Web server and version (e.g, Apache 2.4.25):
    • Apache 2.4
  • Reverse proxy and version _(e.g. nginx 1.27.2)
    • HAProxy 2.8.13
  • PHP version (e.g, 8.3):
    • 8.13.12
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • from installation
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • on a FreeBSD jail (like a container) and downloaded from download.nextcloud.com/server/releases
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • Not that I'm aware of

Summary of the issue you are facing:

First of all, thank you for providing NC for free. I am eager to get it running correctly. Do not let the FreeBSD part put you off from trying to help. I'm fine dealing with that part. My ask for help is more about NC settings.
I have set NC up and it works fine in general; there is one main problem I have been trying to solve for some time.

  1. The iOS client app is unable to sign in.

Steps to replicate it (hint: details matter!):

  1. Take my iOS phone off Wifi and use Cellular data. iOS version 18.3.1
  2. Open NC app (version 6.2.5)
  3. Enter cloud.mypublicdomain.com sends me to sign in on safari browser. Enter a valid username and password
  4. I am prompted to “Connect to your account”. Please log in before granting Nextcloud/6.2.5 (it.tsweb.Nextcloud;build:1;iOS 18.3.1) Alamofire/5.10.2 access to your Nextcloud account.
    Security warning. If you are not trying to setu …
    Log in → I click on Log in
  5. Currently logged in as “username” (username)
    You are about to grant …
    Grant access → Click on grant access
  6. This is as far as it goes. It just spins the animation for ever and never completes.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

There is no entry in /var/log/nextcloud/nextcloud.log.
Of course it means that it is not hitting Nextcloud, but I see no reason why. The hit in the Apache fronting NC can be seen:
@nextcloud:~ # cat /var/log/httpd-access.log | grep 82.132.246.13
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /login/v2/flow/NeCPjETqaZ6ZBnKq7eRhSzWCtL1pP0trbsVnlu8Xb3GlZ8lDY3kgwV3gJkxGsR0nkoD4m3MuqJxG5vFdIDFPdivSmJGxAKUEkDLYaWSst7Pe7HelGsDApmexXWooaUxA HTTP/1.1" 303 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /login/v2/flow?user=&direct=0 HTTP/1.1" 200 6783 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/css/default.css?v=edff4fe3-0 HTTP/1.1" 200 4971 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/css/login/authpicker.css?v=cfcd2084-0 HTTP/1.1" 200 538 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-files_client.js?v=93e829c5-0 HTTP/1.1" 200 12280 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/css/guest.css?v=cfcd2084-0 HTTP/1.1" 200 15771 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-files_fileinfo.js?v=93e829c5-0 HTTP/1.1" 200 861 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/js/login/authpicker.js?v=93e829c5-0 HTTP/1.1" 200 580 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/js/theming.js?v=93e829c5-0 HTTP/1.1" 200 188 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/css/server.css?v=cfcd2084-0 HTTP/1.1" 200 131678 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/files_sharing-main.js?v=93e829c5-0 HTTP/1.1" 200 351 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/manifest?v=a857b83b HTTP/1.1" 200 246 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/default.css?plain=1&v=c00ac2af HTTP/1.1" 200 3738 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /js/core/merged-template-prepend.js?v=93e829c5-0 HTTP/1.1" 200 2811 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/dark.css?plain=1&v=c00ac2af HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/light.css?plain=0&v=c00ac2af HTTP/1.1" 200 3936 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=c00ac2af HTTP/1.1" 200 4158 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=c00ac2af HTTP/1.1" 200 614 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/dark.css?plain=0&v=c00ac2af HTTP/1.1" 200 3900 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=c00ac2af HTTP/1.1" 200 4227 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-main.js?v=93e829c5-0 HTTP/1.1" 200 955014 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.1" 200 14637 "https:" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:59 +0000] "GET /dist/icons.css HTTP/1.1" 200 291055 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-common.js?v=93e829c5-0 HTTP/1.1" 200 5066546 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:06 +0000] "GET /apps/theming/theme/light.css?plain=1&v=c00ac2af HTTP/1.1" 200 3738 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:06 +0000] "GET /core/img/logo/logo.svg HTTP/1.1" 200 815 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:06 +0000] "GET /apps/theming/img/background/jenna-kim-the-globe-dark.webp HTTP/1.1" 200 180762 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:12 +0000] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=c00ac2af HTTP/1.1" 200 3783 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:14 +0000] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=c00ac2af HTTP/1.1" 200 3835 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:56 +0000] "GET /login/v2/grant?user=&direct=0&stateToken=dCMWd9jGsGFL3v2YJjn3hX66GJeWiZLb7fMgNcxHDqLidf5QgG7uCIoe8KYBgpOM HTTP/1.1" 200 6463 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:57 +0000] "GET /core/js/login/grant.js?v=93e829c5-0 HTTP/1.1" 200 564 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:57 +0000] "GET /apps/theming/manifest?v=a857b83b HTTP/1.1" 200 246 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:57 +0000] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.1" 200 14637 "https:" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:06:47 +0000] "GET /core/img/loading-small-dark.gif HTTP/1.1" 200 1816 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:07:34 +0000] "GET /apps/theming/img/background/jenna-kim-the-globe.webp HTTP/1.1" 200 98876 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:09:05 +0000] "GET /apps/theming/img/background/jenna-kim-the-globe.webp HTTP/1.1" 200 98876 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"

And I can also see the hit in the reverse proxy of course.

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "1": "cloud.mypublicdomain.com",
            "3": "192.168.5.158",
            "4": "192.168.5.1"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.5.1",
        "overwrite.cli.url": "http:\/\/192.168.5.158",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/London",
        "default_phone_region": "GB",
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "logrotate_size": "104847600",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "htaccess.RewriteBase": "\/",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 5,
      

Apps

The output of occ app:list (if possible).
occ app:list
Enabled:

  • activity: 3.0.0
  • app_api: 4.0.5
  • bruteforcesettings: 3.0.0
  • circles: 30.0.0
  • cloud_federation_api: 1.13.0
  • comments: 1.20.1
  • contactsinteraction: 1.11.0
  • dashboard: 7.10.0
  • dav: 1.31.1
  • federatedfilesharing: 1.20.0
  • federation: 1.20.0
  • files: 2.2.0
  • files_downloadlimit: 3.0.0
  • files_pdfviewer: 3.0.0
  • files_reminders: 1.3.0
  • files_sharing: 1.22.0
  • files_trashbin: 1.20.1
  • files_versions: 1.23.0
  • firstrunwizard: 3.0.0
  • logreader: 3.0.0
  • lookup_server_connector: 1.18.0
  • nextcloud_announcements: 2.0.0
  • notifications: 3.0.0
  • oauth2: 1.18.1
  • onlyoffice: 9.5.0
  • password_policy: 2.0.0
  • photos: 3.0.2
  • privacy: 2.0.0
  • provisioning_api: 1.20.0
  • recommendations: 3.0.0
  • related_resources: 1.5.0
  • serverinfo: 2.0.0
  • settings: 1.13.0
  • sharebymail: 1.20.0
  • support: 2.0.0
  • survey_client: 2.0.0
  • systemtags: 1.20.0
  • text: 4.1.0
  • theming: 2.5.0
  • twofactor_backupcodes: 1.19.0
  • updatenotification: 1.20.0
  • user_status: 1.10.0
  • viewer: 3.0.0
  • weather_status: 1.10.0
  • webhook_listeners: 1.1.0-dev
  • workflowengine: 2.12.0

Disabled:

  • admin_audit: 1.20.0
  • encryption: 2.18.0
  • files_external: 1.22.0
  • suspicious_login: 8.0.0
  • twofactor_nextcloud_notification: 4.0.0
  • twofactor_totp: 12.0.0-dev
  • user_ldap: 1.21.0

Additional information.

  • If I use the safari browser to sign in, it is successful.
  • My intention is to get native apps working so that I can have my family and a small group of writers to share and collaborate with their writing work. It is not commercial, they are in a writing group helping each other. Currently using dropbox but the main “admin” is leaving the group. They are mostly Android and iOS users. We are at home a mix of MS Windows, Ubuntu linux desktop and macOS.
  • I have of course read reddit, this forum posts, web resources, the available documentation and I have focused on a misconfiguration of NC to work correctly with my reverse proxy.
  • I am unwilling to open NC to the open internet. It must be behind a reverse proxy, which terminates the TLS/SSL connections. There are a number of protections there because it sits on a Next Generation Firewall which hosts haproxy. Therefore the flow is Internet > haproxy TLS → NC server (http)
  • There is a DNS split brain setup but not in use. I am having of course to use http://nc-ip-address:80 because there are no certificates for NC.

Thank you for your help.

You are viewing a log of successful requests. Perhaps httpd-error.log will have more useful information for you.

I failed to mention that, I have checked there too.
The only entries there are of normal operation, see latest tail:

[Tue Feb 11 23:13:44.345667 2025] [core:notice] [pid 22226] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Wed Feb 12 11:47:36.096177 2025] [mpm_prefork:notice] [pid 22226] AH00169: caught SIGTERM, shutting down
[Wed Feb 12 11:47:36.140917 2025] [mpm_prefork:notice] [pid 73007] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Wed Feb 12 11:47:36.140982 2025] [core:notice] [pid 73007] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Wed Feb 12 12:04:29.594402 2025] [mpm_prefork:notice] [pid 73007] AH00169: caught SIGTERM, shutting down
[Wed Feb 12 12:04:29.637652 2025] [mpm_prefork:notice] [pid 76313] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Wed Feb 12 12:04:29.637711 2025] [core:notice] [pid 76313] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Wed Feb 12 12:24:41.094759 2025] [mpm_prefork:notice] [pid 76313] AH00169: caught SIGTERM, shutting down
[Wed Feb 12 12:24:41.141369 2025] [mpm_prefork:notice] [pid 80349] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Wed Feb 12 12:24:41.141423 2025] [core:notice] [pid 80349] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

Have you tested if it works with another nc server? Just to rule out any bug with the app…

If everything is working in the browser it's very weird it does not on the app. However the sequence is a bit weird: did you have to log in twice? You mentioned in step 3 you entered user/pass, but in step 4 you're asked to log in again?

Could you share your haproxy config? Just remember to change personal details!

Edit:
I just looked closer at your config.php and found a potential culprit: your overwrite.cli.url should not be the IP, but the domain you use to connect to nc with (for example 'https://cloud.mypublicdomain.com/'). That string is used when links are generated by nc, so I'd guess for example sharing does not work now. More info: here
I also needed to add 'overwriteprotocol' => 'https', to the config (since you are accessing with https, but with http between proxy and nc). I dunno if that was necessary because I forgot forwarded headers or something, but it does not hurt anyway…

Thank you for looking at this with me Rinkana.
Strangely, the overwrite.cli.url was part of the testing I've been doing. It was commented out with a leading # when the config was "exported" with occ.
And I have also been testing with overwrite.protocol on and off. When I say off, I mean I comment it out and then restart php_fpm and Apache.
Regarding the sequence, that is how it moves along: open app, get sent to log in in the browser, stays there.
I did a network packet capture and spent some time yesterday looking for clues. Nothing I can spot, but I might have missed something relevant.
What I'll do is start a fresh round of testing and add the overwrite.protocol. You see, this is what I've found very hard: to understand the correct values for my scenario.
Example, according to docs and many online posts on this forum:
docs

Overwrite parameters

The automatic hostname, protocol or webroot detection of Nextcloud can fail in certain reverse proxy situations. This configuration allows the automatic detection to be manually overridden. If Nextcloud fails to automatically detect the hostname, protocol or webroot you can use the overwrite parameters inside the config/config.php.

  • overwritehost set the hostname of the proxy. You can also specify a port.
  • overwriteprotocol set the protocol of the proxy. You can choose between the two options http and https.
  • overwritewebroot set the absolute web path of the proxy to the Nextcloud folder.
  • overwritecondaddr overwrite the values dependent on the remote address. The value must be a regular expression of the IP addresses of the proxy. This is useful when you use a reverse SSL proxy only for https access and you want to use the automatic detection for http access.
  • overwrite.cli.url the base URL for any URLs which are generated within Nextcloud using any kind of command line tools. For example, the value set here will be used by the notifications area.

So it does not tell me what I should use in my case for overwriteprotocol. Is it referring to the protocol of the proxy facing out or facing in to the Nextcloud server?
The same for each parameter. The documentation basically tells you that they exist but not a lot more. Not enough to understand them nor to figure out how to use them in your particular case.
So I find your post helpful. You explicitly tell me that in my proxy scenario, which to be honest will be the most common, I need to add it.
I'm going to do another test with your suggestions. Thanks.

Yeah, the documentation about it can be confusing because proxy stuff is difficult, especially when reading community discussions about it (as people are confused).

The example you linked in the docs (at the bottom of the page) is for multiple SSL domains, or in other words if you access your nc through the reverse proxy at cloud.mypublicdomain.com but the proxy is not on the same network as your Nextcloud installation, and you wish to encrypt communication between the two, the proxy might be accessing the Nextcloud through (for example) nc.myprivatedomain.com, and in that case that complex example config is required. You however don't have multiple domains (few do).

The part in the documentation where overwrite.cli.url is explained is pretty clear that you should use your public domain, but yeah, it's easy to miss and it also suggests it can be autocompleted with magic in some scenarios which to me are unclear.

Debugging proxying is a real pain, I'd say at the level of DNS problems :sweat_smile:, luckily if it works, it works xD

To be clear, I suspect your config.php should contain this:

'overwrite.cli.url' => 'https://cloud.mydomain.com/',
'overwriteprotocol' => 'https',
'trusted_proxies'   => ['192.168.5.XX'],

And none of the other overwritehost, overwritecondaddr and whatnot

And your haproxy at least with:

backend your-nc-backend
    option forwardfor
    ...

You have no idea how grateful I am.
I applied your suggestions and I was finally able to make the iOS app connect. I’ve been trying the permutations and failing.
I know now that the decision to finally come to ask for help was the right one, and lucky that you decided to help me.
Thank you very much. Have a great day.

Oh. Internally in the LAN where the Nextcloud server sits, I have been accessing it with http on its ip address i.e. http://192.168.5.158/
Now with the changes that have allowed the app to function from the external network, internally I am unable to access it.
It would make sense if the requests are “upgraded” to https and https is terminated from the outside by the reverse proxy.
On the inside there is no ssl available. Apache is only set to http on port 80.
Any suggestions whilst I hunt around a solution?

To http://192.168.5.158

The page isn’t redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.

Watching with developer tools (Firefox) I can see a list of 302 hits, i.e. redirects to Location: /apps/dashboard/, eventually erroring with:
NS_ERROR_REDIRECT_LOOP

To https://192.168.5.158
Knowing it would not succeed but looking for clues, the error is:
NS_ERROR_CONNECTION_REFUSED
As I said, this is for completeness in diagnostics.

I must add. My internal DNS server has an override for the host. Trying both http and https to the cloud.mydomain.com results in the same results as above of course.

So the question is how do we reach NC internally when we have made those changes that are for the reverse proxy?

A little update.
I have added (without understanding it completely):
'overwritecondaddr' => '^192\.168\.5\.1$',
which is the ip address (192.168.5.1) of the reverse proxy and that has allowed me to reach NC from a computer client on the lan. I also disabled https on the web browser settings, which I think is not necessary but was the first change I made in the attempts.
All good except the client app on the mobile phone works OK on the external network (mobile network, not WiFi) but when WiFi is enabled, putting it in the LAN again, it fails. It shouldn't, because it is in the same network as the PC client.
I am investigating this now. It seems it is the last hurdle.

Anyone can share their thoughts on how to go about it?

Someone please? This is to help a group of 20 people who are amateur writers. They are losing patience and they will soon lose access to their dropbox documents. Many can not afford a subscription service.
To clarify what the pending question is: what settings must I use in the Nextcloud configuration to have a successful HTTP connection on the LAN side (split DNS is already set, resolving to the local IP in the RFC1918 range) in a setup where NC is behind a reverse proxy (haproxy)?

Which IP? The IP of Nextcloud or the IP of the reverse proxy?

I recommend pointing it to the RFC1918 address of the reverse proxy and also using the reverse proxy on the LAN.

Of course, all devices must be configured to actually use your local DNS resolver. Ideally, you would assign the DNS server to the devices via DHCP.

If some devices are still unable to connect, make sure that DNS over HTTPS or DNS over TLS is not enabled anywhere on the devices (browsers, network settings, etc…).

Which IP? The IP of Nextcloud or the IP of the reverse proxy?

The ip of nextcloud i.e. 192.168.x.x so the idea of course is that devices in the same network will not have to go out to the internet and back in through the reverse proxy, staying local. So your suggestion of using the reverse proxy also on the LAN is not viable unless I misunderstand your suggestion.

Of course, all devices must be configured to actually use your local DNS resolver. Ideally, you would assign the DNS server to the devices via DHCP.

If some devices are still unable to connect, make sure that DNS over HTTPS or DNS over TLS is not enabled anywhere on the devices (browsers, network settings, etc…).

It is a bit of a longish thread now but the problem is not all devices on LAN. It is only the iOS app on the iphones when in the LAN. The app is accessed fine from the outside of LAN, using a fqdn with a public DNS entry pointing to the reverse proxy. All good. When the device is on the LAN, the split DNS will send it to the local LAN ip of nextcloud server. That is my problem and hence the question. So thank you for your suggestion but it seems to be about more of the basics, those aren’t a problem.
Is that a better description of the situation?

No, traffic won’t go out to the internet unless HAProxy is running directly with a public IP address. In that case, you could either assign it another frontend with a local address or change its current address to a local one and set up port forwarding in your router.

But you might want to share a few more details here about your network setup and how and where you have your HA proxy running.

Yes, from what I’ve heard (not using any iOS devices myself) they don’t like plain HTTP or self-signed certificates, which is why I suggested using the reverse proxy internally as well.

Also, to avoid connection failures, all devices should always use the same HTTPS certificate and not have to switch back and forth between HTTP/HTTPS or signed and self-signed certificates. This is particularly important if the same domain name is used in each of these situations, which is obviously preferable, otherwise you’d have to reconfigure the client apps every time you leave your local network, and the share links you created on your LAN wouldn’t match your public domain.

Another possible way to achieve this would be to copy Let’s Encrypt certificates from the HAproxy to the Nextcloud server, either manually or via some script, but this makes the setup more complicated and introduces additional potential sources of error.

Just saw in some of your previous posts that HA proxy is running on 192.168.5.1, which is a local address. What happens if you point your local DNS record to that address? And no, traffic won’t leave your LAN if you do so.

If that doesn’t work or your routers web interface is showing up at that address (pfSense? OPNsense? :wink: ), you could do the following…

Create a VIP (Virtual IP) on your LAN port e.g. 192.168.5.2 and assign that to your HAproxy frontend instead of the WAN address. Then change the Redirect Target IP of the NAT port forwarding from 127.0.0.1 to 192.168.5.2, and also change the corresponding firewall rule accordingly. Last but not least, point the local DNS for Nextcloud to 192.168.5.2.

So if I haven’t forgotten anything, Nextcloud should then still be accessible from the Internet, same as before, but now also internally via HA proxy at 192.168.5.2.

Hope that helps. :slight_smile:

I hope this explains it better than my prose

Yes, OPN as router/firewall with haproxy terminating the TLS for external clients. That client (iOS) is working fine from outside using the FQDN cloud.mydomain.com. Once it moves to the LAN, the same one where Nextcloud is, then of course what I want is to make the connection succeed with only the local IP of Nextcloud.
Please bear in mind, networking-wise, it all works fine. For instance I can connect via that local ip from a laptop, as I can tell the browser to ignore the lack of tls/no certificate.
The iOS app is the problem, it will only accept a fqdn. But it seems there are settings in nextcloud (as above before to get it to accept both ip and fqdn), that will allow the iOS app to behave in the same way.
A bit clearer?

That is an interesting take. I can try that.
Edit: tried, hasn't worked, but it makes sense that it doesn't. Unbound redirects to its local LAN IP where haproxy is listening. Oh wait, I just have an idea. Let me try it.
Edit 2: No, that idea didn't work. That was to point the local DNS override to the local IP where haproxy is bound (taking your thinking). Thinking about it a bit, it fails because that local IP is bound to a TLS listener; there's no dedicated HTTP listener, it is the same IP with a http-request redirect scheme https code 301. That is a 192.168.5.100 VIP.
Back to re-reading your suggestions now.

You seem to have a good grasp of where I’m trying to get this going. Perhaps this helps you to help me (and thank you by the way). This is the cut-down version of the haproxy config so as you can see it is already bound to a VIP of 192.168.5.100. I say cut-down because there are other front and backends that work fine but aren’t necessary for this thread.
So on OPN at the WAN/LAN boundary, the SNI frontend is there to bind to 0.0.0.0:443 so we can direct by SNI (tcp for services on tcp). Then those directed are sent to https_frontend for “normal” https services which uses a map file to map request to service by header. So cloud.mydomain.com will be directed to a backend and anotherservice.mydomain.com could be sent to another. I’ve left other bits so it looks more complete. Does that provide you means for your idea perhaps?

# Frontend: 0_SNI_frontend 
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    default_backend SSL_backend

# Frontend: 1_HTTP_frontend 
frontend 1_HTTP_frontend
    bind 192.168.5.100:80 name 192.168.5.100:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_Condition
    acl acl_619439805021f2.97978352 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_619439805021f2.97978352

# Frontend: 1_HTTPS_frontend
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.5.100:443 name 192.168.5.100:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/648b26ac6f5421.99835538.certlist 
    mode http
    option http-keep-alive

    # logging options
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)] 
    # WARNING: pass through options below this line
    stick-table type ip size 10k expire 30m # declare a stick table to cache captcha verifications
    http-request lua.crowdsec_allow # action to identify crowdsec remediation
    http-request track-sc0 src if { var(req.remediation) -m str "captcha-allow" } # cache captcha allow decision 
    http-request redirect location %[var(req.redirect_uri)] if { var(req.remediation) -m str "captcha-allow" } # redirect to initial url
    http-request use-service lua.reply_captcha if { var(req.remediation) -m str "captcha" } # serve captcha template if remediation is captcha
    http-request use-service lua.reply_ban if { var(req.remediation) -m str "ban" } # serve ban template if remediation is ban
    

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server SSL_server 192.168.5.100 send-proxy-v2 check-send-proxy

# Backend: nextcloud_backend (nextcloud_backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # WARNING: pass through options below this line
    #acl url_discovery path /.well-known/caldav /.well-known/carddav
    #http-request redirect location /remote.php/dav/ code 301 if url_discovery
    
    acl caldav-endpoint path_beg /.well-known/caldav                                                   
    http-request set-path /remote.php/dav if caldav-endpoint
    
    acl carddav-endpoint path_beg /.well-known/carddav      
    http-request set-path /remote.php/dav if carddav-endpoint
    http-reuse safe
    option forwardfor
    server nextcloud 192.168.5.158:80 

# Backend: crowdsec (crowdsec backend needed for lua)
backend crowdsec
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server crowdsec 192.168.5.1:8081 

# Backend: captcha_verifier (captcha_verifier)
backend captcha_verifier
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server turnstile_verifier challenges.cloudflare.com:443
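
To make the routing chain in the config above concrete, here is an added example (not part of the thread and not HAProxy code) that emulates the `req.hdr(host),lower,map_dom(...)` backend selection of `1_HTTPS_frontend` and the `.well-known` path rewrites of `nextcloud_backend`. The map file contents are constructed stand-ins for the real `/tmp/haproxy/mapfiles/...txt`, and hosts are assumed to carry no port suffix.

```python
"""Emulate the Host-header routing and path rewrite of the posted HAProxy config.

Added example, not taken from the thread or from HAProxy. The map file below is
constructed; the map_dom semantics follow HAProxy's dot-delimited domain match.
"""
from typing import Dict, Optional, Tuple

# Constructed map file: "<domain key> <backend name>" per line, standing in for
# the file referenced by use_backend in 1_HTTPS_frontend.
MAP_FILE = """\
cloud.mydomain.com   nextcloud_backend
other.mydomain.com   other_backend
"""

# Backend-side rules from nextcloud_backend: path_beg on the discovery URLs,
# after which set-path replaces the whole path with /remote.php/dav.
DAV_DISCOVERY_PREFIXES = ("/.well-known/caldav", "/.well-known/carddav")


def parse_map(text: str) -> Dict[str, str]:
    """Parse an HAProxy map file (key, value pairs; '#' starts a comment)."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, backend = line.split(None, 1)
            entries[key.lower()] = backend.strip()
    return entries


def map_dom(sample: str, entries: Dict[str, str]) -> Optional[str]:
    """HAProxy map_dom: a key matches when it occurs in the sample delimited by
    dots or the string boundaries (key mydomain.com matches cloud.mydomain.com,
    but key cloud.mydomain.com does not match notcloud.mydomain.com)."""
    s = sample.lower()
    for key, backend in entries.items():
        start = s.find(key)
        while start != -1:
            end = start + len(key)
            if (start == 0 or s[start - 1] == ".") and (end == len(s) or s[end] == "."):
                return backend
            start = s.find(key, start + 1)
    return None


def route(host: str, path: str) -> Tuple[Optional[str], str]:
    """Return (backend, path as the backend server sees it).
    None as backend means no map hit: 1_HTTPS_frontend has no default_backend."""
    backend = map_dom(host, parse_map(MAP_FILE))
    if backend == "nextcloud_backend" and path.startswith(DAV_DISCOVERY_PREFIXES):
        path = "/remote.php/dav"
    return backend, path
```

Run `route("cloud.mydomain.com", "/.well-known/caldav")` to see the rewrite, and an unmapped host to see the case where no backend is chosen.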

I have to say that I don’t use OPNsense myself, and am also not an HA proxy expert.

I only know HA proxy from pfSense and only use it for a few local services, so the procedure I described is related to pfSense’s webUI and should be understood as “I think it should work like this” rather than “I tested it and it works”. So there may be more to it than I wrote. :wink:

Nextcloud is the only locally hosted application I expose to the Internet, and it runs in a VM in a separate “DMZ” vlan, so I’m forwarding ports 80/443 directly to that VM, i.e. I don’t have a reverse proxy in front of Nextcloud.

Unfortunately, I don’t think I can help you with further details on how to configure HAproxy on OPNsense for this scenario. But I am sure it is possible, and I think you are already close to the finish line :slight_smile:

In case you don’t get any more answers here, and since this is no longer Nextcloud-specific at this point, I would recommend posting your question also in the OPNsense forums.

Good luck :slight_smile:

No no, these are definitely NC and not OPN ones, hence I am here.
The reverse proxy is doing exactly what it needs to do. Unbound too.
The NC iOS app isn’t.
All other services work fine this way, albeit they don’t have their own app.
Thanks for trying though.
Additionally, I do not want to expose NC nor any other service with a port forward. This is why I use a reverse proxy.
It is so hard to understand why this setup seems so difficult for NC when it is a pretty standard one.