Help with Nginx Proxy / Reverse Proxy for Nextcloud

Nextcloud version _(eg, 21.0.3)
Operating system and version _(eg, Ubuntu 20.04)
Nginx reverse proxy.

I have ports 80/443 forwarded to nginx reverse proxy VM
I have nginx proxy_pass to nextcloud VM IP
I have subdomain A record setup and points to nextcloud.mysite.com etc.

No SSL or anything just Ubuntu snap install

Android app can get to login screen, allows me to login, and then stuck at GRANT ACCESS screen.

Android then sort of times out and the android displays the following error message.

" webpage not available" page at http://192.x.x.x/index.php.login could not be loaded because net:ERR_ADDRESS_UNREACHABLE

So I read all the documents about trusted_domains and trusted_proxy and massive amounts of things on the web that I also tried. No effect for Android.

I know it’s related to the proxy.
If I point the router to the nextcloud VM directly, then turn off the proxy and reinstall the nextcloud snap directly, I can login with my domain and everything works with a single VM setup and router only. It’s when I introduce the nginx reverse proxy, and point the router to the proxy instead, that I get the Android problem.

All works on Android with a direct nextcloud install and nothing more than port forwards to the nextcloud VM. Everything just works without SSL or port 443 or anything.

When logging in from Android with that simple install, it just asks me to trust and I click yes and move on to the login and grant access etc. Comes right up as it should.

However, with port forward to the proxy and the nextcloud snap reinstalled on the VM, Android doesn’t like it nor my subdomain and I get the error listed above.

Please advise
Thanks for any help and/or knowledge about this subject.

Please post both your NGINX Nextcloud conf file and Nextcloud config file. The answer is buried in there.

Thanks.

Nginx simple setup for now

server {
    listen 80;
    server_name racetv.xyz www.racetv.xyz;

    location / {
        proxy_pass http://192.168.1.164:8080;
    }
}

server {
    listen 80;
    server_name nextcloud.racetv.xyz www.nextcloud.racetv.xyz;

    location / {
        proxy_pass http://192.168.1.190;
    }
}

<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/snap/nextcloud/current/htdocs/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/snap/nextcloud/current/nextcloud/extra-apps',
      'url' => '/extra-apps',
      'writable' => true,
    ),
  ),
  'supportedDatabases' =>
  array (
    0 => 'mysql',
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/tmp/sockets/redis.sock',
    'port' => 0,
  ),
  'log_type' => 'file',
  'logfile' => '/var/snap/nextcloud/current/logs/nextcloud.log',
  'logfilemode' => 416,
  'instanceid' => 'oc37eirn9fhc',
  'passwordsalt' => 'Eyf4Uxk4EXmWJztAEJmsE6kzBMcdb1',
  'secret' => 'mJ/1PD333kpWYQ9+RI9hIgUhTGP8zl4/ll3KnJWU+Em+E4Pn',
  'trusted_domains' =>
  array (
    0 => '192.168.1.190',
    1 => '192.168.1.199',
    2 => 'racetv.xyz',
    3 => 'nextcloud.racetv.xyz',
  ),
  'trusted_proxies' => '192.168.1.199',
  'overwriteprotocol' => 'http',
  'datadirectory' => '/var/snap/nextcloud/common/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '21.0.3.1',
  'overwrite.cli.url' => 'http://192.168.1.190',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/sockets/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'yBW4N90ls1MV-mmJmGraRbFSv82Vyo4tkM1JjIHQTuTHMyIFee09LYjKON2qhbRz',
  'installed' => true,
  'maintenance' => false,
);

Thanks

I didn’t notice you were using the snap installation. I only install by command line so I can’t dig too far into the snap aspect of things.

Below is a snippet from my Nextcloud conf file. It handles all of the Nextcloud security warnings as well as the redirect issues when the VM sits behind an NGINX reverse proxy.

server {

    server_name nextcloud.abcserver.ca;

    location / {
        proxy_pass http://192.168.XXX.XXX/;
        proxy_buffering off;

        # Enable HSTS (HTTP Strict Transport Security)
        add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        proxy_redirect off;
        proxy_max_temp_file_size 0;
    }

    location /.well-known {
        location = /.well-known/carddav   { return 301 /nextcloud/remote.php/dav/; }
        location = /.well-known/caldav    { return 301 /nextcloud/remote.php/dav/; }

        # according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
        location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
        location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }

        # anything else is dynamically handled by Nextcloud
        location ^~ /.well-known          { return 301 /nextcloud/index.php$uri; }

        try_files $uri $uri/ =404;
    }


This properly hands off the HTTP traffic to the proxied server but again, I have zero experience working with the snap Nextcloud install.

Hope that helps.

Paul

My Nextcloud config file looks like (truncated and marked):

<?php
$CONFIG = array (
  'instanceid' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'trusted_domains' => 
  array (
    0 => '192.168.XXX.XXX',
    1 => 'nextcloud.abcserver.ca',
  ),
  'datadirectory' => '/var/www/data',
  'dbtype' => 'mysql',
  'version' => '22.1.1.2',
  'overwrite.cli.url' => 'https://nextcloud.abcserver.ca/nextcloud',
  'overwriteprotocol' => 'https',
  'dbname' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'trashbin_retention_obligation' => 'auto, 30',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud.log',
  'logfilemode' => 416,
  'loglevel' => '0',
  'logdateformat' => 'F d, Y H:i:s',
  'default_phone_region' => 'CA',
  'maintenance' => false,
  'theme' => '',
);

The one difference I see is that I use the actual URL versus the local IP. I had problems reaching the server originally when using the local IP.

I also changed the ‘overwrite.cli.url’ and ‘overwriteprotocol’ to https after installing Let’s Encrypt on the NGINX VM so you should stick with http until you get SSL set up.

I have three Nextcloud servers running with the same configuration behind an NGINX reverse proxy without issue.

Hope that helps.

Paul

Yeah I think the snap is exactly the same with the exception of symlinks and creating certificates with Let’s Encrypt. The certificate is in a different location, and so is the .conf for nextcloud, but other than that everything is supposed to be the same and function exactly the same.

There should be no reason that I can tell that the android won’t work.

My android cannot get to the link using the browser either so I have issues with proxy for sure.

So you have no trusted_proxies in your code whatsoever ? and only trusted_domains ?

I forgot to ask about your multiple installed nextclouds behind nginx reverse proxy.

Do your mobile devices log in from WAN to your nextclouds?

Please confirm thanks.

I noticed you have no listen port either ? Is it not required ?
Thanks

No trusted proxies and only trusted devices.

I never use Nextcloud on my Android phone but I just loaded the app and am able to access the files without issue.

Sorry, I cut off the listen ports on my last cut paste. Let’s Encrypt moves them to the bottom of the conf file and after being modified they look like:

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.abcserver.ca-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.abcserver.ca-0001/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}
server {
    if ($host = nextcloud.abcserver.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    
    server_name nextcloud.abcserver.ca;
    return 404; # managed by Certbot


}

My original conf file had the following listen section before being automatically modified by Certbot:

server {
    listen 80;
    listen [::]:80;
    
    server_name nextcloud.abcserver.com;

    location / {
       proxy_pass http://192.168.XXX.XXX/;
       proxy_buffering off;
       proxy_set_header X-Real-IP $remote_addr;
    }
}

Paul

ok thanks.

Seems like this simple version with listen 80; that you posted above should work. And mine is similar and works on PC.
Android does not and I don’t know why.

It actually partially works. It will login and get to grant access screen then times out or errors showing the local IP weird.

Did you include all of the following in your NGINX Nextcloud conf file?

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

That should clear up the issue you’re having with the local IP on the app. The rest of my conf file eliminates the various Nextcloud well-known errors.
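An added example, not code from anyone in this thread: a small Python check that reads an nginx config and reports, for each proxied location, which of the four headers above are missing and which Host value the backend receives. When `proxy_set_header Host` is absent nginx sends `$proxy_host` (the address from `proxy_pass`), so a backend that builds links from the Host header hands clients its LAN address. The parser is deliberately simplified, the function names are hypothetical, and the two sample configs are constructed from the server block posted earlier.

```python
import re

# The four headers listed in the reply above.
REQUIRED = ("Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto")

def proxied_locations(conf):
    """Yield (server_name, proxy_pass target, {header: value}) per proxied location.
    Simplified parser: one level of nesting, no braces inside quoted strings."""
    for server in re.finditer(r"\bserver\s*\{((?:[^{}]|\{[^{}]*\})*)\}", conf):
        body = server.group(1)
        names = re.search(r"server_name\s+([^;]+);", body)
        first_name = names.group(1).split()[0] if names else "_"
        for loc in re.finditer(r"location\s+[^{]*\{([^{}]*)\}", body):
            target = re.search(r"proxy_pass\s+([^;\s]+)\s*;", loc.group(1))
            if target:
                hdrs = dict(re.findall(r"proxy_set_header\s+(\S+)\s+([^;]+);", loc.group(1)))
                yield first_name, target.group(1), hdrs

def audit(conf):
    """Report missing headers and the Host value the backend will receive."""
    report = []
    for name, target, hdrs in proxied_locations(conf):
        if hdrs.get("Host") in ("$host", "$http_host"):
            seen = name  # client's requested name (approximated by first server_name)
        elif "Host" in hdrs:
            seen = hdrs["Host"]
        else:
            # nginx default: Host is $proxy_host, the host[:port] taken from proxy_pass
            seen = re.sub(r"^https?://", "", target).split("/")[0]
        report.append({"server": name, "backend_sees_host": seen,
                       "missing": [h for h in REQUIRED if h not in hdrs]})
    return report

# Constructed inputs: the thread's first nextcloud server block, and the same
# block with the four headers added.
BEFORE = """server { listen 80; server_name nextcloud.racetv.xyz www.nextcloud.racetv.xyz;
  location / { proxy_pass http://192.168.1.190; } }"""
AFTER = """server { listen 80; server_name nextcloud.racetv.xyz www.nextcloud.racetv.xyz;
  location / {
    proxy_pass http://192.168.1.190;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  } }"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```
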

Yep, that did fix it. I wonder which one of these was not allowing the grant access to work correctly.

There are reasons for a lot of things but I wish I just knew the base line for both port 80 and 443 so that I had a working model to work from and to know exactly which basic setup is workable. Then to add more layers of security and other things after I understand the basics.

I’ll research each of these lines to know what they do and move to SSL from there.

Thanks.

So I have these lines that I commented after using lets encrypt. I wanted to get http access working and tested correctly first. Now that this is working what about encryption.

Question: Does the server{} with listen port 443 ssl have to be before port 80 in the .conf file? Or does it matter? I commented all this out while I was working on port 80 but this is what it looked like prior to commenting this out.
???
Thanks

#}
#
#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#
#}

#server {
#server_name nextcloud.mydomain.com www.nextcloud.mydomain.com;


#location /.well-known/carddav {
#    return 301 $scheme://$host/remote.php/dav;
#}

#location /.well-known/caldav {
#    return 301 $scheme://$host/remote.php/dav;
#}

Certbot will have configured everything automatically so if you uncomment the Certbot commands you should connect via https. Be sure to restart the NGINX reverse proxy (sudo systemctl restart nginx) after you’ve made changes to the conf file.

FYI - you should obscure your domain when posting.

Thanks,
Ok so should I disallow http at this point forward ? http access still seems to be working.

I may have put this line into the nextcloud config.php and wonder if I need to change this ?
'overwrite.cli.url' => 'http://192.xxx.x.xxx',

Would this cause the nextcloud to continue to allow http? Or is this my Nginx config doing that? Thanks

I’ll post the full Nginx config but I’m having trouble copying and pasting atm for some reason.
I’ll try again later. thanks

I needed to include the following in my nextcloud config.php file:

'overwrite.cli.url' => 'https://nextcloud.DOMAIN.com/nextcloud',
'overwriteprotocol' => 'https',

Be sure to clear your cache before trying to reconnect to Nextcloud or try another browser (or firejail). I found my browser still wanted to connect through http even after making the config.php changes.

So is this literal ? or do you mean ‘https://mysubdomain.domain.com’, ?
Just wondering if the /nextcloud is literally a thing or if this is for your specific setup ?

Thanks

It’s specific to my setup and not required for you based on your URL.
