Apache Reverse Proxy on same machine as Nextcloud

Hi all. I would like to run Nextcloud behind an Apache web server set up as a reverse proxy. Both Nextcloud and Apache will be running on the same computer, accessible on the web via its IP address since I’m just practicing for now. My configuration is a VPS running Ubuntu 20.04 LTS and Nextcloud installed via SNAP, version 19.0.1.1. Let’s say the IP address of the VPS is x.x.x.x and when I type that in, I’m greeted with the Nextcloud login screen.

Next I set Nextcloud to listen on port 444 and enabled https with a self signed certificate. I can still access Nextcloud with a few warnings. Now I want to set it up to be behind the Apache reverse proxy. I’ve tried various combinations of settings learning what I could from other posts but thought it might be time to ask some questions, specifically about what needs to be done in Nextcloud’s config.php.

Should I add localhost to trusted_domains and trusted_proxies?

    'trusted_domains' =>
    array (
      0 => 'x.x.x.x',
      1 => '127.0.0.1',
    ),
    'trusted_proxies' =>
    array (
      0 => '127.0.0.1',
    ),

And for the parameters found in the documentation (with questions after the parameters):

'overwritehost' => 'x.x.x.x', (Should this be the IP address as seen from a browser? I don’t have a DNS record for this machine.)
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
'overwritecondaddr' => '^x.x.x.x$', (This represents the address that the browser used to reach the Apache proxy, correct?)
'overwrite.cli.url' => 'http://x.x.x.x', (Is this even needed with the latest version of Nextcloud? If so, is this correct?)

The Apache virtual hosts file:

/etc/apache2/sites-available/000-default.conf

<VirtualHost *:443>

    ProxyPreserveHost On
    
    ProxyPass               /       https://localhost:444/
    ProxyPassReverse        /       https://localhost:444/

I know more has to be done with the virtual host, for WebDAV and CalDAV, but shouldn’t this get me to a login screen? Or instead of localhost:444 should I be using x.x.x.x:444/ ?

I’d appreciate any feedback you may have. Thank you.

Is your reverse proxy on the same host as Nextcloud?

I have an example Apache config here. It was written for Docker but should work similarly for snap.

https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430

What are you getting when you hit the proxy?

Yes, I’m trying to do this on one machine without any virtual machines, so that means the same host, correct?

By the way, if you don’t have a DNS name for the server, you have the cart before the horse. Doing it backward to get to the fun part first will cause you trouble later.

What Apache mods have you enabled?

My “production” version of Nextcloud has a DNS name. I figured I’d get this working before messing with that. However, if I can get past this step, I’ll probably try to set up a record for this server.

For the Apache instance I enabled:

proxy
proxy_http
ssl

What error are you getting when you load the page through the proxy? Just a timeout or something else?

One thing I did notice is you’re proxying to HTTPS but not disabling the certificate check. That’s a possible sticking point. You can disable the reverse proxy certificate check, or proxy to HTTP on the backend since that leg of the connection isn’t even leaving the box.

  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

KarlF12, that is a very nice write up you did! I really appreciate the time you took to do that and will definitely be studying it. Thank you.

I added the lines you suggested and the behavior is the same. From a browser, I navigate to https://x.x.x.x and get the following message:

Secure Connection Failed

An error occurred during a connection to x.x.x.x. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

You mention in your tutorial, and here as well that I should have a FQDN for the server. For a testing server, can’t I just type in the ip address? When I moved my Nextcloud from one server to another, I just accessed it via IP address while waiting for the DNS’s to pick up the ip change, and it worked fine. Or does the reverse proxy need that text string? Just wondering.

Thanks again.
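
An added example, not part of the thread: SSL_ERROR_RX_RECORD_TOO_LONG is what a browser reports when the first bytes it receives on a TLS port do not parse as a TLS record, typically because the server answered in plain HTTP. The sketch below reads the 5-byte record header the way a TLS client does to show why, and the hypothetical `probe` helper applies the same check to a live host and port; the sample bytes are constructed.

```python
import socket
import ssl
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext record carries at most 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def classify_first_bytes(data: bytes) -> dict:
    """Read the first 5 bytes of a server reply as a TLS record header."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if data[:5] == b"HTTP/":
        verdict = "plaintext_http"  # the port is answering without TLS
    elif ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        verdict = "tls_record"
    else:
        verdict = "not_tls"
    return {"verdict": verdict, "content_type": ctype, "length": length,
            "record_too_long": length > MAX_RECORD_LEN}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Hypothetical helper: send a real ClientHello, classify the first reply bytes."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()  # no network I/O here; this only fills `outgoing`
    except ssl.SSLWantReadError:
        pass
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(outgoing.read())
        return classify_first_bytes(sock.recv(5, socket.MSG_WAITALL))


# Constructed samples: a plain-HTTP error reply and a TLS 1.2 handshake record header.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x03, 0x00, 0x5A]) + b"\x02"

if __name__ == "__main__":
    # "HTTP/" read as a header: type 0x48, version 0x54 0x54, length 0x502f
    print(classify_first_bytes(SAMPLE_HTTP))
    print(classify_first_bytes(SAMPLE_TLS))
```

A `plaintext_http` verdict from `probe("x.x.x.x", 443)` would mean the listener on that port is not terminating TLS at all, which is a separate question from how the proxy verifies the backend on port 444.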