Can someone share their config files for a working reverse proxy with SSL

I’ve wasted quite a few hours trying to get an Nginx reverse proxy with SSL working properly. Would someone be willing to share their config files? Specifically,

  1. Nextcloud config.php
  2. Nginx config file
  3. Apache virtualhost config file

Thanks!

1 Like

For point 3. Check this out:

Nextcloud Config you can find under “Config report”:

2 Likes

I have several Nextcloud servers running on Ubuntu Server 20.04 VMs behind an NGINX reverse proxy. It’s not fun to set up so here you go:

  1. Nextcloud config.php

```php
<?php
$CONFIG = array (
  'instanceid' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  // Hostnames/IPs Nextcloud will answer for: the VM's LAN address and the public name served by the proxy
  'trusted_domains' => 
  array (
    0 => '192.168.###.###',
    1 => 'nextcloud.DOMAIN.com',
  ),
  'datadirectory' => '/var/www/DATAFILES',
  'dbtype' => 'mysql',
  'version' => '22.1.1.2',
  // The proxy terminates TLS, so generated URLs must use https
  'overwrite.cli.url' => 'https://nextcloud.DOMAIN.com/nextcloud',
  'overwriteprotocol' => 'https',
  'dbname' => 'DATABASENAME',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'DATABASEUSER',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'trashbin_retention_obligation' => 'auto, 30',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'logfilemode' => 416,
  'loglevel' => '0',
  'logdateformat' => 'F d, Y H:i:s',
  'default_phone_region' => 'US',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'maintenance' => false,
  'theme' => '',
);
```
  2. NGINX conf file:

```nginx
server {

    server_name nextcloud.DOMAIN.com;

    location / {
        proxy_pass http://192.168.###.###/;
        proxy_buffering off;

        # Enable HSTS (HTTP Strict Transport Security)
        add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";

        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        proxy_redirect off;
        proxy_max_temp_file_size 0;
    }

    location /.well-known {
        location = /.well-known/carddav   { return 301 /nextcloud/remote.php/dav/; }
        location = /.well-known/caldav    { return 301 /nextcloud/remote.php/dav/; }

        # according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
        location = /.well-known/webfinger { return 301 /nextcloud/index.php$uri; }
        location = /.well-known/nodeinfo  { return 301 /nextcloud/index.php$uri; }

        # anything else is dynamically handled by Nextcloud
        location ^~ /.well-known          { return 301 /nextcloud/index.php$uri; }

        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.DOMAIN.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.DOMAIN.com-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

# Redirect plain HTTP to HTTPS
server {
    if ($host = nextcloud.DOMAIN.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name nextcloud.DOMAIN.com;
    return 404; # managed by Certbot

}
```
  3. Apache virtualhost config file

I run Nextcloud on standalone Ubuntu Server 20.04 VMs so here is a copy of an Apache conf file found at /etc/apache2/sites-available/nextcloud.conf:

```apache
Alias /nextcloud "/var/www/nextcloud/"
<Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
</Directory>
```

Hope that helps to point you in the right direction.

4 Likes

Thank you! I won’t be able to check it until this weekend, but I see a couple of things that are different than what I had. Hopefully that will be the solution…

After I incorporated some changes to match what you have, the login page comes up, but without a login box. Also, if I access it on a browser where I was already logged in, there are no Apps showing across the top and it acts like the page is still trying to load. Really have no idea what the problem is at this point.

There might be some conflict with my config settings and your site specific settings that should not be copied over.

When using a reverse proxy you are dealing with multiple systems so you need to eliminate the issues in a systematic way. Do you still have your unaltered Nextcloud config.php file? If so I’d revert to the original file version and confirm the VM is reachable at the local IP. If it’s fully functioning then you can build a stripped down NGINX conf file using only proxy pass to ensure that works and you can connect without issue using http over the web. If all of that works without issue then you know your VM, basic NGINX conf and original Apache virtualhost config file are all working.

At that point you should request an SSL certificate using Certbot and then make the suggested changes to your NGINX conf. If all of that is working you can then make the changes to the Nextcloud config.php file to accept the https overwrite.

You will likely run into issues so it’s important you take backups prior to making changes to your configuration files. I know my configuration works for my three Ubuntu Server Nextcloud VMs behind a reverse proxy so your configs should be very close or the same to connect.
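
A static cross-check of the two files that have to agree in this setup, as an added example that is not part of any post in this thread or of Nextcloud itself: it compares the public name, TLS termination and forwarded headers in the NGINX server block with `trusted_domains`, `overwriteprotocol` and `trusted_proxies` in config.php. The function names (`php_scalar`, `php_list`, `audit`), the hostname and the IP addresses are constructed for illustration, and the regex parsing assumes the flat, single-quoted layout Nextcloud writes.

```python
import re

# Constructed samples modelled on the configs in this thread (placeholder host and IPs).
CONFIG_PHP = """<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => '192.168.1.20',
    1 => 'nextcloud.example.com',
  ),
  'overwriteprotocol' => 'https',
);
"""
NGINX_CONF = """server {
    server_name nextcloud.example.com;
    location / {
        proxy_pass http://192.168.1.20/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 443 ssl;
}
"""

def php_scalar(text, key):  # value of a single-quoted scalar entry, or None
    m = re.search(r"'%s'\s*=>\s*'([^']*)'" % re.escape(key), text)
    return m.group(1) if m else None

def php_list(text, key):  # values of a flat array entry; [] if absent or empty
    m = re.search(r"'%s'\s*=>\s*array\s*\((.*?)\)" % re.escape(key), text, re.S)
    return re.findall(r"=>\s*'([^']*)'", m.group(1)) if m else []

def audit(config_php, nginx_conf):
    """Return findings where the proxy and Nextcloud settings disagree."""
    conf = re.sub(r"#.*", "", nginx_conf)  # ignore nginx comments
    hosts = {h for n in re.findall(r"^\s*server_name\s+([^;]+);", conf, re.M) for h in n.split()}
    tls = bool(re.search(r"^\s*listen\s+[^;]*\bssl\b", conf, re.M))
    sent = {h.lower() for h in re.findall(r"proxy_set_header\s+(\S+)", conf)}
    findings = [f"trusted_domains lacks server_name {h}"
                for h in sorted(hosts - set(php_list(config_php, "trusted_domains")))]
    if tls and php_scalar(config_php, "overwriteprotocol") != "https":
        findings.append("proxy terminates TLS but overwriteprotocol is not 'https'")
    findings += [f"proxy does not send {h}" for h in ("host", "x-forwarded-for", "x-forwarded-proto") if h not in sent]
    if "x-forwarded-for" in sent and not php_list(config_php, "trusted_proxies"):
        findings.append("trusted_proxies unset: X-Forwarded-For is ignored, so logs and "
                        "brute-force throttling see the proxy address")
    return findings

if __name__ == "__main__": print("\n".join(audit(CONFIG_PHP, NGINX_CONF)) or "no findings")
```

On the constructed sample the only finding is the missing `trusted_proxies` entry; listing the proxy's address there clears it.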