Dynamic DNS issue

danraymond · May 2, 2020, 8:12am

I have Nextcloud setup on a local linux server. Its works fine across the internal intranet with"trusted sites" including ‘localhost’ and also the ip address of the server ‘192.168.1.5’

I am trying to acces via external dynu ddns site as I have a changing IP. I know I have the routing fine as I get the “from untrusted domain” notice on the ip domain names when I try to access that way.
I have all my dynu URL’s in the config file. However, the only way it gives access is if I put my actual current public IP address in the config file. All my domains direct to whatever my periodic updates public ip address is (as all dyn dns do).

How can I overcome this so the URL domain names work (since they point to my current public IP) and not have to keep changing it manually in the config file. Kind of defeats the point of having dynamic dns?

Thanks for any suggestions

tflidd · May 2, 2020, 8:12am

In the config file, you add the hostname, not the URL! Check the trusted domain settings here:
https://docs.nextcloud.com/server/10.0/admin_manual/configuration_server/config_sample_php_parameters.html#default-parameters

danraymond · May 2, 2020, 11:28pm

Hi tflidd,

My bad. I do have it set up as domain names. I mistakenly said URLs in the post.

Here is that part of my config:

=== if I do this:

0 => ‘localhost’,
‘192.168.1.200’,
‘daxxxxxnd.us’,
‘drive.daxxxxxnd.us’,
‘daxxxxxnd.us:81/nextcloud’,
‘drive.daxxxxxnd.us:81’,
),

==== I get the “untusted domain” message====

But if I do this:

0 => ‘localhost’,
‘192.168.1.200’,
‘daxxxxxnd.us’,
‘drive.daxxxxxnd.us’,
‘daxxxxxnd.us:81/nextcloud’,
‘drive.daxxxxxnd.us:81’,

‘220.XXX.135.YY:81’,
),

Everthing works, because all those domains of course resolve to that IP.

Any thoughts. Could it be something to do with how DYNU sends the data?

As my ISP blocks ports 80 and 443 I have to do a port forward to get around that, hence the 81. But I figure that the routing is okay as I do get the "untrusted domain’ message in the first case and the correct site if I include the current IP.

Thank you

Dan

KarlF12 · May 3, 2020, 4:03am

The proper solution is to use split-horizon DNS and only use the FQDN to access it.

Split-horizon DNS is where you run a local DNS server that resolves the name to the local IP while on your local network. If you use a reverse proxy, the local copy of the DNS zone should point to it.

danraymond · May 3, 2020, 5:21am

KarlF12,

Thank you. I am not sure how this, helps as the issue is I can’t access nextcloud by the FQDN from outside. I can easy from inside using the 192.xxx.xxx.xxx IP.

Are you suggesting from outside would come into my internal DNS split-horizon server via the FQDN and then that server would resolve it to the local IP. Sorry, I am a bit new to some of this.
Thank you for helping.
Dan

tflidd · May 3, 2020, 9:13am

The syntax is not right, try it like this:

array(
0 => 'localhost',
1 => '192.168.1.200',
2 => 'daxxxxxnd.us',
3 => 'drive.daxxxxxnd.us',
4 => 'drive.daxxxxxnd.us:81',
5 => '220.XXX.135.YY:81',
),

Either run nextcloud in a subfolder or directly in the main directory. I would run it always in the main directory and in case you want to run other services, use a different subdomain. Either way, you wouldn’t put the folder here at all. To define the primarily used name (for notification mails, mails for sharing, …), use the overwrite.cli.url parameter and the overwritewebroot parameter for subfolders (if you don’t use a subfolder, it’s just ‘/’)

danraymond · May 3, 2020, 8:26am

Thank you,

re did as you suggested. No change, still have proper access on intranet and localhost but not from outside (still the untrusted domain error).

nextcloud is in a subfolder and works great on the intranet.

Any other thoughts?

Dan

tflidd · May 3, 2020, 9:04am

So you have:

'overwrite.cli.url' => 'https://drive.daxxxxxnd.us/nextcloud',
'overwritewebroot' => '/nextcloud',
'htaccess.RewriteBase' => '/nextcloud',

And the ssl-certificates don’t show warnings (it’s an indicator if the setup with hostnames is right)? You have a certificate for drive.daxxxxxnd.us and daxxxxxnd.us (or a wildcard)?

tflidd · May 3, 2020, 9:16am

And why are you using the default port and also 81?

I just corrected my earlier post, so I only use straight quotes ', not the curly ones ´`

danraymond · May 3, 2020, 11:22pm

Hi,

As my ISP blocks 80 and 443 so I take the port 80 on the dynu DNS site port forward to 81. Then my router forwards 81 to 80 on my server.

As I was not sure what nextcloud sees, I also included the FQND and one with the changed port. Maybe I don’t need to do that.

Thank you

Dan

danraymond · May 3, 2020, 11:23pm

Hi,

I have a wildcard certificate.

Thank

Dan

tflidd · May 4, 2020, 11:43am

If you change the port during forwarding, Nextcloud has to take this into account, check out the additional proxy settings here:

github.com

nextcloud/server/blob/master/config/config.sample.php

<?php

/**
 * This configuration file is only provided to document the different
 * configuration options and their usage.
 *
 * DO NOT COMPLETELY BASE YOUR CONFIGURATION FILE ON THIS SAMPLE. THIS MAY BREAK
 * YOUR INSTANCE. Instead, manually copy configuration switches that you
 * consider important for your instance to your working ``config.php``, and
 * apply configuration options that are pertinent for your instance.
 *
 * This file is used to generate the configuration documentation.
 * Please consider following requirements of the current parser:
 *  * all comments need to start with `/**` and end with ` *\/` - each on their
 *    own line
 *  * add a `@see CONFIG_INDEX` to copy a previously described config option
 *    also to this line
 *  * everything between the ` *\/` and the next `/**` will be treated as the
 *    config option
 *  * use RST syntax

This file has been truncated. show original

port 80 and 443 are really blocked all the time, you can’t unblock them if you want to use them? The problem with non-default ports is that they might be blocked in some networks (e.g. free hotel wifi)

devnull · May 4, 2020, 12:07pm

Change your ISP.
It is only kidding people.

KarlF12 · May 4, 2020, 1:48pm

The only thing I’ve found my ISP to block is port 25, so I can do whatever I want except host my own email. I’ve been tempted to run a cheap VPS mail relay.

Are you sure about that? You’re saying your DDNS provider is relaying traffic for you through their system and NATing the port for you…? I would suggest checking your web server logs or running tcpdump to verify outside traffic is reaching the system at all.

Ok, let me try to explain. When you run split-horizon DNS, this means that you have public DNS records that are used by everything that isn’t on your local network, and these point to your external IP address.

But then you also have a DNS server on your local network, used only by computers on your local network, running a different copy of your DNS zone, which has the private IPs in the records.

So let’s say you have Nextcloud on your phone. When you are away from your LAN, the DNS records will point your phone to the external IP. But when your phone gets on your WiFi and used your private DNS server, now DNS resolves the same name to the LAN IP.

In this setup, you never use 192.xxx.xxx.xxx to access the server. You always use the same name, regardless of where you are.

danraymond · May 4, 2020, 11:07pm

Hi,

Yes. ISP is iinet in Australia. There is an on going major issue with them re port blocking when they shouldn’t be on Fibre to the building nbn. It may become a class action as so many complaints.

I use dynu DNS. It’s great and yes I can access my web server from anywhere. Dynu port forwards 80 to 81, my router picks up the 81 and port forwards to 80 on the internal server. All works for website and other things. It’s only when I setup nextcloud that I have issues with nextcloud and the untrusted domain thing.

My phone seems to happily swap between internal IP and external when I come into my network.

I have decided to start from scratch with nextcloud and use a docker container.

Will see how that goes. Would really like to get it going as I having a Dropbox alternative would complete my endeavor to have all my needed functions not reliant on third-party solutions.

Thank you for all your help.

Dan

ccurley · May 4, 2020, 11:10pm

I suggest you use ssl for email, which would be on port 443. If your ISP isn’t also blocking that.

ccurley · May 4, 2020, 11:16pm

Instead of putting your local IP address in, put your DYNU domain name in the array. E.g. I have something like:

...
   4 => 'myDomainName.ddns.info',
...

KarlF12 · May 4, 2020, 11:36pm

Email doesn’t use port 443… it uses:

25 for SMTP (client or server)
465 for SMTP/SSL (client only)
587 for SMTP/TLS (client only)

If it says access from untrusted domain, that means the domain in the browser address bar isn’t among those in the config as trusted domains, or that a reverse proxy needs additional setup.

I wrote a guide for doing a Docker setup. Take a look.

https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430