Cannot get nextcloud to work remotely with nginx and cloudflared

Hello,

I have proxmox running nextcloud lxc and nginx lxc. I use cloudflared to tunnel to my nginx proxy manager and have my nginx proxy manager (NPM) handle the access through reverse proxy. I have home assistant which works fine like this accessing it remotely through home.123.xyz. Heck, even NPM can be accessed remotely through proxy.123.xyz. But with the same settings, somehow nextcloud is the only instance I have trouble with, and every time I try to access it through cloud.123.xyz, I get “the page isn’t redirecting properly”, so somewhere I assume there is an infinite loop with http and https? Not sure why that’s only the case with nextcloud.

I have the config.php set correctly with trusted domain and trusted proxies, NPM setting ok and matches the settings for the rest of the instances which I can access without problem.

Why both NPM and cloudflared? I want to skip port forwarding and at the same time have NPM do reverse proxy. Not sure if I’m thinking correctly though.

What could be the issue? Thankful for advice!

In my opinion, what you’ve built is unnecessarily complicated. You’re stacking cloudflared and Nginx Proxy Manager, so basically two reverse proxies on top of each other. There’s no reason to do it like that, and Nextcloud is exactly the kind of app that tends to break in this setup (redirect loops, SSL re-termination issues, wrong headers).

If you want to use a tunnel, then tunnel directly to Nextcloud. If you want a reverse proxy, just let NPM handle it. You don’t need both. In my view, the simplest and most reliable setup is having a public IP and routing everything straight through NPM without cloudflared. That works stable even with large files and you won’t run into these redirect problems.

3 Likes
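The redirect loop mentioned in the posts above can be reproduced in a small model. This is an added example, not part of any post in the thread: it assumes TLS ends at the tunnel's edge, the tunnel reaches the inner proxy over plain HTTP, and the inner proxy forces HTTPS; the thread does not confirm which hop causes the loop. `make_chain` and `trace_redirects` are hypothetical names, and `fetch` can be swapped for a real HTTP client to trace a live chain.

```python
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def make_chain(origin_scheme, honour_forwarded_proto):
    """Constructed model of edge -> tunnel -> inner proxy (assumption, see lead-in).

    origin_scheme: scheme the tunnel uses towards the inner proxy.
    honour_forwarded_proto: whether the inner proxy trusts X-Forwarded-Proto.
    """
    def fetch(url):
        parts = urlsplit(url)
        headers = {"X-Forwarded-Proto": parts.scheme}  # what the client really used
        seen = headers["X-Forwarded-Proto"] if honour_forwarded_proto else origin_scheme
        if seen != "https":  # inner proxy forces HTTPS
            return 301, "https://" + parts.netloc + (parts.path or "/")
        return 200, None
    return fetch

def trace_redirects(start_url, fetch, limit=20):
    """Follow redirects; report 'loop' as soon as a URL is requested twice."""
    visited, chain, url = set(), [], start_url
    while len(chain) < limit:
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            return "ok", chain
        visited.add(url)
        url = urljoin(url, location)
        if url in visited:
            return "loop", chain
    return "too_many_redirects", chain

if __name__ == "__main__":
    start = "https://cloud.123.xyz/"  # hostname taken from the question
    for honour in (False, True):
        verdict, chain = trace_redirects(start, make_chain("http", honour))
        print("honour X-Forwarded-Proto:", honour, "->", verdict, chain)
```
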

Having a public IP and routing everything to npm, doesn’t it require port forwarding?

Yes, if you don’t use a tunnel, you need to forward ports from your router – 80 and 443 for NPM, and if you want Nextcloud Talk to work properly, also 3478. That’s it.

This is the setup I use myself with a public IP. In my experience it’s the simplest and most reliable solution – no double reverse proxy, no extra tunnel layer, just direct access through NPM. Less complexity means fewer things that can break, and Nextcloud runs stable like this.

Also, keep in mind that Cloudflare often causes issues with large file uploads in Nextcloud – you can find several threads on the forum about that. With NPM this is not a problem. You can check my post from June where I tested large file synchronization behind NPM.

It does, but the real question is: why do you want to prevent port forwarding? Port forwarding itself isn’t dangerous. The question is where the ports are forwarded to, and how secure that target is.

At the end of the day, Cloudflare is also just a proxy. Cloudflared creates a tunnel from your local network to Cloudflare, and they then make the services you expose through that tunnel publicly accessible via their proxies. That alone doesn’t make your Nextcloud inherently more secure. It’s still directly reachable from the internet, and any vulnerabilities could still be exploited.

The reason why exposing services through Cloudflare might be more secure than plain port forwarding isn’t because port forwarding itself is insecure, but because Cloudflare adds extra layers (WAF, DDoS protection, bot filtering, IP reputation checks, etc.) that a vanilla NGINX proxy doesn’t provide out of the box. The downside is that these same features often cause issues with services like Nextcloud, which then usually leads to dialing them back or disabling them entirely—in which case it ends up being “not that much more secure” than port forwarding directly to NGINX. :wink:

And of course, you have to trust Cloudflare, since they could theoretically inspect your traffic.

2 Likes

Hmm, thank you both for your perspectives. I also bookmarked both your discussion in the thread you linked to, as I foresee large uploads (family videos and photos from the past, along with auto uploads from all family members’ mobile phone galleries).

I am actually a beginner in all this and if you are right about security and the benefit of having a more stable and faster nextcloud (for large uploads), I am in.

Could you recommend a beginner friendly guide for the setup? I have nextcloud LXC and adguard LXC and my own domain, just need to take it from there.

I’m personally not a fan of running Nextcloud in an LXC container. I’ve already mentioned this a few times on the forum. My approach is to make use of all the features and apps Nextcloud provides, and for me the most straightforward way to do this in Proxmox is exactly what I described in my post:

  • not LXC, but a dedicated VM, formatted with XFS (especially important when dealing with large multimedia files),
  • running Nextcloud AIO, so I don’t have to tweak or interconnect anything manually. If I don’t need a specific module, I simply disable it.

For a beginner-friendly guide, my thread already contains the relevant setup – including the docker-compose.yml for Nextcloud AIO and screenshots of the Nginx Proxy Manager configuration. That’s basically all you need to get it running.

If you want to stick with LXC, there are other users here on the forum who are using it successfully and can guide you through that path.
As we say in my country – 100 people, 100 tastes.

Yeah, I’m gonna stick with LXC for now as I just want nextcloud to be a place for all photos and videos and no need for any modules from AIO. Appreciate your perspectives though!

1 Like
