Docker install behind Nginx Reverse Proxy

I have installed Nextcloud using docker following this example:

I have an existing instance of Nginx I am already using reverse proxy other applications. I am trying to set it to reverse proxy the docker Nextcloud install. When I check the “Security & setup warnings” I have the following:

• The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
• The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
• The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

I have tried a few things but I can’t seem to resolve them, any suggestions? Also, I am still just testing the installation of Nextcloud, so I am fine blowing it away and staring again.

Thank you,

Here is my Nginx config:

server {
    server_name                        domain.tld;

    client_max_body_size               10G;
    
    # security headers
    add_header X-Frame-Options        SAMEORIGIN;
    add_header X-XSS-Protection        "1; mode=block" always;
    add_header X-Content-Type-Options  nosniff;
    add_header Referrer-Policy         "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }
    
    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # gzip
    gzip            on;
    gzip_vary       on;
    gzip_proxied    any;
    gzip_comp_level 6;
    gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

    # reverse proxies
    
    location / {
        proxy_pass                         http://192.168.0.16:8080;
        proxy_http_version                 1.1;
        proxy_cache_bypass                 $http_upgrade;
        proxy_request_buffering            off;
        
        # Proxy headers
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Proxy timeouts
        proxy_connect_timeout              60s;
        proxy_send_timeout                 60s;
        proxy_read_timeout                 60s;
    }
    
location /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}
    

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

} 
server {
if ($host = domain.tld) {
    return 301 https://$host$request_uri;
} # managed by Certbot


    listen                             80;
    server_name                        domain.tld;
return 404; # managed by Certbot
}

And my config.php:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocm5bdhufslw',
  'passwordsalt' => 'J2tzB1IyXYQNzPTAQ/lg0ZO6hEPQCH',
  'secret' => 'hSxQkuBFSgPT/H4zlV3MOFlEyQMUG4lYAlhpzpOdoqwr9EbC',
  'trusted_domains' =>
  array (
    0 => '192.168.0.16:8080',
    1 => 'domain.tld',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '20.0.2.2',
  'overwrite.cli.url' => 'http://192.168.0.16:8080',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xUDAPByJaR6ajP4D',
  'installed' => true,
);

I’m not a nginx user, but I believe those settings are detailed in the Nextcloud documentation:

Thank you for sharing
Unless I am missing something, this documentation looks to be for using Nginx to serve the Nextcloud application. This is not what I am trying to do.

I have Nextcloud installed using Docker. The docker imaged I used has Apache serving the Nextcloud application. I am trying to use Nginx as a revise proxy to the docker Nextcloud install. This way I can use Nginx to add SSL and have more than one application use port 80, i.e. virtual hosts.

I have reading through the following documentation and tried a few things.

Thank you,

I also run the Docker version but I reverse proxy with another instance of Apache and run certbot there as well. So basically the same, minus nginx. Maybe someone who knows nginx can chime in.

The only header I have to modify on Apache reverse proxy is for HSTS. If you’d be interested in trying it this way instead or maybe just want to compare notes, I wrote a guide for it.

did you try to add this to your nginx proxy config?

i use traefik as the proxy and add these headers to it.

same problem here with nextcloud 21 als docker container (using apache) behind nginx reverse proxy. i still get these warnings …

Got the same issue here. I added the relevant rules to nginx in both the server and location directives, and I’m still getting warnings. Nginx isn’t the easiest thing to use, so I’m sure I must be making a mistake. But I’ve no idea what.

Does anyone have a working nginx config for docker without warnings?

First. i’m sorry for my bad english.
I use nginx as reverse proxy and nextcloud in docker.
I’m using nginx conf like this:

    listen 80;
    server_name mycompanydomain.ru;
    return 301 https://$host$request_uri;

11022×201 10.3 KB

21026×543 30.2 KB

and i’m don’t get any warnings from nextcloud server. Maybe it will help someone.

You have no trusted proxies configured in your nextcloud config for starters.

I have the trusted_proxies directive in my config.php
aren’t trusted proxies configured in it?
maybe I’m wrong.

No that is correct. I just could not see it in the posted config by the thread starter. My answer was to thread starter - who should also next time remove all secrets, salt and security related information from such before posting it.

First of all: No https proxying setup in your NGINX. You even have a redirect to HTTPS if incoming is not HTTPS.

Second you do not have any added trusted proxies configured in your config.php

I’ve looked over and copied what @Gruby provided, and it turns out that add_header can add headers, but does not replace them. When using proxy_pass this becomes an issue, apparently. I’ve replaced add_header with proxy_set_header, and I now have a proper rating as well! Thanks

The example in the nextcloud documentation is therefore inaccurate when using docker, and likely in other cases as well.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.