Docker install behind Nginx Reverse Proxy

I have installed Nextcloud using docker following this example:

I have an existing instance of Nginx I am already using reverse proxy other applications. I am trying to set it to reverse proxy the docker Nextcloud install. When I check the “Security & setup warnings” I have the following:

• The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
• The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
• The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

I have tried a few things but I can’t seem to resolve them, any suggestions? Also, I am still just testing the installation of Nextcloud, so I am fine blowing it away and staring again.

Thank you,

Here is my Nginx config:

server {
    server_name                        domain.tld;

    client_max_body_size               10G;
    
    # security headers
    add_header X-Frame-Options        SAMEORIGIN;
    add_header X-XSS-Protection        "1; mode=block" always;
    add_header X-Content-Type-Options  nosniff;
    add_header Referrer-Policy         "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }
    
    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # gzip
    gzip            on;
    gzip_vary       on;
    gzip_proxied    any;
    gzip_comp_level 6;
    gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

    # reverse proxies
    
    location / {
        proxy_pass                         http://192.168.0.16:8080;
        proxy_http_version                 1.1;
        proxy_cache_bypass                 $http_upgrade;
        proxy_request_buffering            off;
        
        # Proxy headers
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Proxy timeouts
        proxy_connect_timeout              60s;
        proxy_send_timeout                 60s;
        proxy_read_timeout                 60s;
    }
    
location /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}
    

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

} 
server {
if ($host = domain.tld) {
    return 301 https://$host$request_uri;
} # managed by Certbot


    listen                             80;
    server_name                        domain.tld;
return 404; # managed by Certbot
}

And my config.php:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocm5bdhufslw',
  'passwordsalt' => 'J2tzB1IyXYQNzPTAQ/lg0ZO6hEPQCH',
  'secret' => 'hSxQkuBFSgPT/H4zlV3MOFlEyQMUG4lYAlhpzpOdoqwr9EbC',
  'trusted_domains' =>
  array (
    0 => '192.168.0.16:8080',
    1 => 'domain.tld',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '20.0.2.2',
  'overwrite.cli.url' => 'http://192.168.0.16:8080',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xUDAPByJaR6ajP4D',
  'installed' => true,
);

I’m not a nginx user, but I believe those settings are detailed in the Nextcloud documentation:

Thank you for sharing
Unless I am missing something, this documentation looks to be for using Nginx to serve the Nextcloud application. This is not what I am trying to do.

I have Nextcloud installed using Docker. The docker imaged I used has Apache serving the Nextcloud application. I am trying to use Nginx as a revise proxy to the docker Nextcloud install. This way I can use Nginx to add SSL and have more than one application use port 80, i.e. virtual hosts.

I have reading through the following documentation and tried a few things.


However, I don’t seem to be smart enough to get it working.

Thank you,

I also run the Docker version but I reverse proxy with another instance of Apache and run certbot there as well. So basically the same, minus nginx. Maybe someone who knows nginx can chime in.

The only header I have to modify on Apache reverse proxy is for HSTS. If you’d be interested in trying it this way instead or maybe just want to compare notes, I wrote a guide for it.

did you try to add this to your nginx proxy config?

grafik

i use traefik as the proxy and add these headers to it.

same problem here with nextcloud 21 als docker container (using apache) behind nginx reverse proxy. i still get these warnings …

Got the same issue here. I added the relevant rules to nginx in both the server and location directives, and I’m still getting warnings. Nginx isn’t the easiest thing to use, so I’m sure I must be making a mistake. But I’ve no idea what.

Does anyone have a working nginx config for docker without warnings?

First. i’m sorry for my bad english.
I use nginx as reverse proxy and nextcloud in docker.
I’m using nginx conf like this:

Спойлер

server
{
listen 443 ssl;
server_name mycompanydomain.ru;
ssl on;
error_log /var/log/nginx/nginx.log;
server_tokens off;
client_max_body_size 1024M;
###Set headers###
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;

proxy_set_header Accept-Encoding “”;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Content-Type-Options “nosniff”;
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains” always;
add_header Front-End-Https on;
proxy_redirect off;

location / {
proxy_pass http://172.48.48.127:8080;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
}
location /.well-known/carddav
{
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
ssl_certificate /etc/letsencrypt/live/mycompanydomain.ru/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mycompanydomain.ru/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {

    listen 80;
    server_name mycompanydomain.ru;
    return 301 https://$host$request_uri;

}


and i’m don’t get any warnings from nextcloud server. Maybe it will help someone.

You have no trusted proxies configured in your nextcloud config for starters.

I have the trusted_proxies directive in my config.php
aren’t trusted proxies configured in it?
maybe I’m wrong.
2

No that is correct. I just could not see it in the posted config by the thread starter. My answer was to thread starter - who should also next time remove all secrets, salt and security related information from such before posting it.

First of all: No https proxying setup in your NGINX. You even have a redirect to HTTPS if incoming is not HTTPS.

Second you do not have any added trusted proxies configured in your config.php

I’ve looked over and copied what @Gruby provided, and it turns out that add_header can add headers, but does not replace them. When using proxy_pass this becomes an issue, apparently. I’ve replaced add_header with proxy_set_header, and I now have a proper rating as well! Thanks :grin:

The example in the nextcloud documentation is therefore inaccurate when using docker, and likely in other cases as well.