Another case of help with NC behind a reverse proxy

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.5
  • Operating system and version (e.g., Ubuntu 24.04):
    • freeBSD 13.3-RELEASE
  • Web server and version (e.g, Apache 2.4.25):
    • Apache 2.4
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • HAProxy 2.8.13
  • PHP version (e.g, 8.3):
    • 8.13.12
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • from installation
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • on a freeBSD jail (like a container) and downloaded from download.nextcloud.com/server/releases
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • Not that I'm aware of

Summary of the issue you are facing:

First of all, thank you for providing NC for free. I am eager to get it running correctly. Do not let the freeBSD part put you off from trying to help. I’m fine dealing with that part. My ask for help is more about NC settings.
I have set NC up and it works fine in general, but there is one main problem I have been trying to solve for some time.

  1. The iOS client app is unable to sign in.

Steps to replicate it (hint: details matter!):

  1. Take my iOS phone off Wifi and use Cellular data. iOS version 18.3.1
  2. Open NC app (version 6.2.5)
  3. Enter cloud.mypublicdomain.com sends me to sign in on safari browser. Enter a valid username and password
  4. I am prompted to “Connect to your account”. Please log in before granting Nextcloud/6.2.5 (it.tsweb.Nextcloud;build:1;iOS 18.3.1) Alamofire/5.10.2 access to your Nextcloud account.
    Security warning. If you are not trying to setu …
    Log in → I click on Log in
  5. Currently logged in as “username” (username)
    You are about to grant …
    Grant access → Click on grant access
  6. This is as far as it goes. It just spins the animation for ever and never completes.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

There is no entry in the /var/log/nextcloud/nextcloud.log
Of course it means that it is not hitting nextcloud but I see no reason why. The hit in apache fronting NC can be seen:
@nextcloud:~ # cat /var/log/httpd-access.log | grep 82.132.246.13
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /login/v2/flow/NeCPjETqaZ6ZBnKq7eRhSzWCtL1pP0trbsVnlu8Xb3GlZ8lDY3kgwV3gJkxGsR0nkoD4m3MuqJxG5vFdIDFPdivSmJGxAKUEkDLYaWSst7Pe7HelGsDApmexXWooaUxA HTTP/1.1" 303 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /login/v2/flow?user=&direct=0 HTTP/1.1" 200 6783 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/css/default.css?v=edff4fe3-0 HTTP/1.1" 200 4971 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/css/login/authpicker.css?v=cfcd2084-0 HTTP/1.1" 200 538 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-files_client.js?v=93e829c5-0 HTTP/1.1" 200 12280 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/css/guest.css?v=cfcd2084-0 HTTP/1.1" 200 15771 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-files_fileinfo.js?v=93e829c5-0 HTTP/1.1" 200 861 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/js/login/authpicker.js?v=93e829c5-0 HTTP/1.1" 200 580 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/js/theming.js?v=93e829c5-0 HTTP/1.1" 200 188 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /core/css/server.css?v=cfcd2084-0 HTTP/1.1" 200 131678 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/files_sharing-main.js?v=93e829c5-0 HTTP/1.1" 200 351 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/manifest?v=a857b83b HTTP/1.1" 200 246 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/default.css?plain=1&v=c00ac2af HTTP/1.1" 200 3738 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /js/core/merged-template-prepend.js?v=93e829c5-0 HTTP/1.1" 200 2811 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/dark.css?plain=1&v=c00ac2af HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/light.css?plain=0&v=c00ac2af HTTP/1.1" 200 3936 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/light-highcontrast.css?plain=0&v=c00ac2af HTTP/1.1" 200 4158 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/opendyslexic.css?plain=0&v=c00ac2af HTTP/1.1" 200 614 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/dark.css?plain=0&v=c00ac2af HTTP/1.1" 200 3900 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /apps/theming/theme/dark-highcontrast.css?plain=0&v=c00ac2af HTTP/1.1" 200 4227 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-main.js?v=93e829c5-0 HTTP/1.1" 200 955014 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.1" 200 14637 "https:" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:59 +0000] "GET /dist/icons.css HTTP/1.1" 200 291055 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:03:58 +0000] "GET /dist/core-common.js?v=93e829c5-0 HTTP/1.1" 200 5066546 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:06 +0000] "GET /apps/theming/theme/light.css?plain=1&v=c00ac2af HTTP/1.1" 200 3738 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:06 +0000] "GET /core/img/logo/logo.svg HTTP/1.1" 200 815 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:06 +0000] "GET /apps/theming/img/background/jenna-kim-the-globe-dark.webp HTTP/1.1" 200 180762 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:12 +0000] "GET /apps/theming/theme/light-highcontrast.css?plain=1&v=c00ac2af HTTP/1.1" 200 3783 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:04:14 +0000] "GET /apps/theming/theme/dark-highcontrast.css?plain=1&v=c00ac2af HTTP/1.1" 200 3835 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:56 +0000] "GET /login/v2/grant?user=&direct=0&stateToken=dCMWd9jGsGFL3v2YJjn3hX66GJeWiZLb7fMgNcxHDqLidf5QgG7uCIoe8KYBgpOM HTTP/1.1" 200 6463 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:57 +0000] "GET /core/js/login/grant.js?v=93e829c5-0 HTTP/1.1" 200 564 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:57 +0000] "GET /apps/theming/manifest?v=a857b83b HTTP/1.1" 200 246 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:05:57 +0000] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.1" 200 14637 "https:" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:06:47 +0000] "GET /core/img/loading-small-dark.gif HTTP/1.1" 200 1816 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:07:34 +0000] "GET /apps/theming/img/background/jenna-kim-the-globe.webp HTTP/1.1" 200 98876 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"
82.132.246.13 - - [12/Feb/2025:21:09:05 +0000] "GET /apps/theming/img/background/jenna-kim-the-globe.webp HTTP/1.1" 200 98876 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1"

And I can also see the hit in the reverse proxy of course.

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "1": "cloud.mypublicdomain.com",
            "3": "192.168.5.158",
            "4": "192.168.5.1"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.5.1",
        "overwrite.cli.url": "http:\/\/192.168.5.158",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/London",
        "default_phone_region": "GB",
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "logrotate_size": "104847600",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "htaccess.RewriteBase": "\/",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 5,
      

Apps

The output of occ app:list (if possible).
occ app:list
Enabled:

  • activity: 3.0.0
  • app_api: 4.0.5
  • bruteforcesettings: 3.0.0
  • circles: 30.0.0
  • cloud_federation_api: 1.13.0
  • comments: 1.20.1
  • contactsinteraction: 1.11.0
  • dashboard: 7.10.0
  • dav: 1.31.1
  • federatedfilesharing: 1.20.0
  • federation: 1.20.0
  • files: 2.2.0
  • files_downloadlimit: 3.0.0
  • files_pdfviewer: 3.0.0
  • files_reminders: 1.3.0
  • files_sharing: 1.22.0
  • files_trashbin: 1.20.1
  • files_versions: 1.23.0
  • firstrunwizard: 3.0.0
  • logreader: 3.0.0
  • lookup_server_connector: 1.18.0
  • nextcloud_announcements: 2.0.0
  • notifications: 3.0.0
  • oauth2: 1.18.1
  • onlyoffice: 9.5.0
  • password_policy: 2.0.0
  • photos: 3.0.2
  • privacy: 2.0.0
  • provisioning_api: 1.20.0
  • recommendations: 3.0.0
  • related_resources: 1.5.0
  • serverinfo: 2.0.0
  • settings: 1.13.0
  • sharebymail: 1.20.0
  • support: 2.0.0
  • survey_client: 2.0.0
  • systemtags: 1.20.0
  • text: 4.1.0
  • theming: 2.5.0
  • twofactor_backupcodes: 1.19.0
  • updatenotification: 1.20.0
  • user_status: 1.10.0
  • viewer: 3.0.0
  • weather_status: 1.10.0
  • webhook_listeners: 1.1.0-dev
  • workflowengine: 2.12.0

Disabled:

  • admin_audit: 1.20.0
  • encryption: 2.18.0
  • files_external: 1.22.0
  • suspicious_login: 8.0.0
  • twofactor_nextcloud_notification: 4.0.0
  • twofactor_totp: 12.0.0-dev
  • user_ldap: 1.21.0

Additional information.

  • If I use the safari browser to sign in, it is successful.
  • My intention is to get native apps working so that I can have my family and a small group of writers to share and collaborate with their writing work. It is not commercial, they are in a writing group helping each other. Currently using dropbox but the main “admin” is leaving the group. They are mostly Android and iOS users. We are at home a mix of MS Windows, Ubuntu linux desktop and macOS.
  • I have of course read reddit, this forum posts, web resources, the available documentation and I have focused on a misconfiguration of NC to work correctly with my reverse proxy.
  • I am unwilling to open NC to the open internet. It must be behind a reverse proxy, which terminates the TLS/SSL connections. There are a number of protections there because it sits on a Next Generation Firewall which hosts haproxy. Therefore the flow is Internet > haproxy TLS → NC server (http)
  • There is a DNS split brain setup but not in use. I am having of course to use http://nc-ip-address:80 because there are no certificates for NC.

Thank you for your help.

You are viewing a log of successful requests. Perhaps httpd-error.log will have more useful information for you.

I failed to mention that, I have checked there too.
The only entries there are of normal operation, see latest tail:

[Tue Feb 11 23:13:44.345667 2025] [core:notice] [pid 22226] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Wed Feb 12 11:47:36.096177 2025] [mpm_prefork:notice] [pid 22226] AH00169: caught SIGTERM, shutting down
[Wed Feb 12 11:47:36.140917 2025] [mpm_prefork:notice] [pid 73007] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Wed Feb 12 11:47:36.140982 2025] [core:notice] [pid 73007] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Wed Feb 12 12:04:29.594402 2025] [mpm_prefork:notice] [pid 73007] AH00169: caught SIGTERM, shutting down
[Wed Feb 12 12:04:29.637652 2025] [mpm_prefork:notice] [pid 76313] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Wed Feb 12 12:04:29.637711 2025] [core:notice] [pid 76313] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Wed Feb 12 12:24:41.094759 2025] [mpm_prefork:notice] [pid 76313] AH00169: caught SIGTERM, shutting down
[Wed Feb 12 12:24:41.141369 2025] [mpm_prefork:notice] [pid 80349] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Wed Feb 12 12:24:41.141423 2025] [core:notice] [pid 80349] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

Have you tested if it works with another nc server? Just to rule out any bug with the app…

If everything is working in the browser it’s very weird it does not on the app. However the sequence is a bit weird, did you have to log in twice? You mentioned in step 3 you entered user pass but in step 4 you’re asked to login again?

Could you share your haproxy config? Just remember to change personal details!

Edit:
I just looked closer at your config.php and found a potential culprit: your overwrite.cli.url should not be the IP, but the domain you use to connect to nc with (for example ‘https://cloud.mypublicdomain.com/’). That string is used when links are generated by nc, so I’d guess for example sharing does not work now. More info: here
I also needed to add 'overwriteprotocol' => 'https', to the config (since you are accessing with https, but with http between proxy and nc). I dunno if that was necessary because I forgot forwarded headers or something but it does not hurt anyway…

thank you for looking at this with me Rinkana.
Strangely the overwrite.cli.url was part of the testing I’ve been doing. It was commented out with a leading # when the config was “exported” with occ.
And I have been also testing with overwrite.protocol on and off. When I say off, I mean I comment it out and then restart php_fpm and apache.
Regarding the sequence, that is how it moves along: open app, send to log in in browser, stays there.
I did a network packet capture and spent some time yesterday looking for clues. Nothing I can spot but I might have missed something relevant.
What I’ll do is start a fresh round of testing and add the overwrite.protocol. You see, this is what I’ve found very hard: to understand the correct values for my scenario.
Example, according to docs and many online posts on this forum:
docs

Overwrite parameters

The automatic hostname, protocol or webroot detection of Nextcloud can fail in certain reverse proxy situations. This configuration allows the automatic detection to be manually overridden. If Nextcloud fails to automatically detect the hostname, protocol or webroot you can use the overwrite parameters inside the config/config.php.

  • overwritehost set the hostname of the proxy. You can also specify a port.
  • overwriteprotocol set the protocol of the proxy. You can choose between the two options http and https.
  • overwritewebroot set the absolute web path of the proxy to the Nextcloud folder.
  • overwritecondaddr overwrite the values dependent on the remote address. The value must be a regular expression of the IP addresses of the proxy. This is useful when you use a reverse SSL proxy only for https access and you want to use the automatic detection for http access.
  • overwrite.cli.url the base URL for any URLs which are generated within Nextcloud using any kind of command line tools. For example, the value set here will be used by the notifications area.

So it does not tell me what I should use in my case for overwriteprotocol. Is it referring to the protocol of the proxy facing out or facing into the nextcloud server?
The same for each parameter. Documentation basically tells you that they exist but not a lot more. Not enough to understand them nor to figure out how to use them in your particular case.
So your post I find it helpful. You explicitly tell me in my proxy scenario, which to be honest will be the most common, I need to add it.
I’m going to do another test with your suggestions. Thanks.

Yeah the documentation about it can be confusing because proxy stuff is difficult, especially when reading community discussions about it (as people are confused).

The example you linked in the docs link (at the bottom of the page) is for multiple ssl domains, or in other words if you access your nc through the reverse proxy at cloud.mypublicdomain.com but the proxy is not on the same network as your nextcloud installation, and you wish to encrypt communication between the two, the proxy might be accessing the nextcloud through (for example) nc.myprivatedomain.com, and in that case that complex example config is required. You however don’t have multiple domains (few do).

The part in the documentation where overwrite.cli.url is explained is pretty clear you should use your public domain, but yeah it’s easy to miss and it also suggests it can be autocompleted with magic in some scenarios which to me are unclear.

Debugging proxying is a real pain, I’d say at the level of dns problems :sweat_smile:, luckily if it works, it works xD

To be clear, I suspect your config.php should contain this:

'overwrite.cli.url' => 'https://cloud.mydomain.com/',
'overwriteprotocol' => 'https',
'trusted_proxies'   => ['192.168.5.XX'],

And none of the other overwritehost, overwritecondaddr and whatnot

And your haproxy at least with:

backend your-nc-backend
    option forwardfor
    ...

You have no idea how grateful I am.
I applied your suggestions and I was finally able to make the iOS app connect. I’ve been trying the permutations and failing.
I know now that the decision to finally come to ask for help was the right one, and lucky that you decided to help me.
Thank you very much. Have a great day.

Oh. Internally in the LAN where the Nextcloud server sits, I have been accessing it with http on its ip address i.e. http://192.168.5.158/
Now with the changes that have allowed the app to function from the external network, internally I am unable to access it.
It would make sense if the requests are “upgraded” to https and https is terminated from the outside by the reverse proxy.
On the inside there is no ssl available. Apache is only set to http on port 80.
Any suggestions whilst I hunt around a solution?

To http://192.168.5.158

The page isn’t redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.

Watching with developer tools (Firefox) I can see a list of 302 hits i.e redirect to Location : /apps/dashboard/ and eventually erroring with:
NS_ERROR_REDIRECT_LOOP

To https://192.168.5.158
Knowing it would not succeed but looking for clues, the error is:
NS_ERROR_CONNECTION_REFUSED
As I said, this is for completeness in diagnostics.

I must add. My internal DNS server has an override for the host. Trying both http and https to the cloud.mydomain.com results in the same results as above of course.

So the question is how do we reach NC internally when we have made those changes that are for the reverse proxy?

A little update.
I have added (without understanding it completely):
'overwritecondaddr' => '^192\.168\.5\.1$',
which is the ip address (192.168.5.1) of the reverse proxy and that has allowed me to reach NC from a computer client on the lan. I also disabled https on the web browser settings, which I think is not necessary but was the first change I made in the attempts.
All good except the client app on the mobile phone works OK on the external network (mobile network, not WiFi) but when WiFi is enabled, putting it in the LAN again, it fails. It shouldn’t because it is in the same network as the pc client.
I am investigating this now. It seems it is the last hurdle.
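
How trusted_proxies, overwriteprotocol and overwritecondaddr interact in the three configurations tried in this thread, as an added example that is not part of any post and is not Nextcloud's code. It is a simplified Python model whose precedence is an assumption (overwrite first, then X-Forwarded-Proto from a trusted proxy, then the backend's own scheme); the function names are hypothetical, and every address except the proxy's 192.168.5.1 is constructed.

```python
import ipaddress
import re

PROXY = "192.168.5.1"    # HAProxy address given in the thread
LAN_PC = "192.168.5.50"  # constructed LAN client address


def from_trusted_proxy(cfg, peer):
    """True when the TCP peer is listed in trusted_proxies (IP or CIDR)."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(p, strict=False)
               for p in cfg.get("trusted_proxies", []))


def overwrite_applies(cfg, peer):
    """overwritecondaddr is a regex on the peer address; unset means always.
    The model searches rather than full-matches, so the pattern needs ^ and $."""
    pattern = cfg.get("overwritecondaddr", "")
    return pattern == "" or re.search(pattern, peer) is not None


def effective_protocol(cfg, peer, headers, backend_tls=False):
    """Scheme the backend would put into the URLs it generates."""
    forced = cfg.get("overwriteprotocol", "")
    if forced and overwrite_applies(cfg, peer):
        return forced
    proto = headers.get("X-Forwarded-Proto", "")
    if proto and from_trusted_proxy(cfg, peer):
        return proto.split(",")[0].strip().lower()
    return "https" if backend_tls else "http"


def client_ip(cfg, peer, headers):
    """Rightmost X-Forwarded-For hop that is not a trusted proxy, honoured
    only when the peer itself is trusted; otherwise the header is ignored."""
    if not from_trusted_proxy(cfg, peer):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the TCP peer
        if not from_trusted_proxy(cfg, hop):
            return hop
    return peer


def scenarios():
    """The three configurations from the thread, seen from proxy and LAN."""
    before = {"trusted_proxies": [PROXY]}
    forced = dict(before, overwriteprotocol="https")
    scoped = dict(forced, overwritecondaddr=r"^192\.168\.5\.1$")
    # HAProxy's `option forwardfor` adds X-Forwarded-For only, no scheme header.
    via_proxy = {"X-Forwarded-For": "203.0.113.7"}  # constructed client
    return {
        "before/proxy": effective_protocol(before, PROXY, via_proxy),
        "forced/proxy": effective_protocol(forced, PROXY, via_proxy),
        "forced/lan": effective_protocol(forced, LAN_PC, {}),
        "scoped/proxy": effective_protocol(scoped, PROXY, via_proxy),
        "scoped/lan": effective_protocol(scoped, LAN_PC, {}),
    }


if __name__ == "__main__":
    for name, scheme in scenarios().items():
        print(f"{name:13} -> {scheme}")
```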