Help with Nginix Proxy / Reverse Proxy for nextcloud

Captain86 · September 24, 2021, 1:45pm

Help me tidy this up please

 'trusted_domains' =>
  array (
    0 => '192.xxx.x.xxx', #mynextcloud VM IP
    1 => '192.xxx.x.xxx', #my Nginix reverse-proxy IP
    2 => 'mydomain.com',  #should this base domain be removed ? 
    3 => 'www.mydomain.com', # should this be removed ? 
    4 => 'nextcloud.mydomain.com',  #I'm guessing I still need this one
    5 => 'www.nextcloud.mydomain.com',  # and this one ? 

#and this line - should this be replaced with the ones suggested for https ? 
  'overwrite.cli.url' => 'http://192.xxx.x.xxx',   #this is nextcloud VM IP

So it seems Nginx with letsencrypt is ok as far as I can tell.

Sorry about the massive questioning on this. I think that once I know what is required and not required, then I can understand the documentation on this a little better.

Thanks.

mainland · September 24, 2021, 2:18pm

This is what I have for all three of my Nextcloud VMs:

  'trusted_domains' => 
  array (
    0 => '192.168.###.###',    #mynextcloud VM IP
    1 => 'nextcloud.DOMAIN.com',

And your overwrite should read:

 'overwrite.cli.url' => 'https://nextcloud.DOMAIN.com',
 'overwriteprotocol' => 'https',

Your letsencryupt is working so you just need to sort out the http redirect from NGINX to https on the VM in your overwrite.

Captain86 · September 27, 2021, 8:51pm

Thanks

So I made those changes, and I still have http:// access to unsecure site.
Probably Nginix reverse proxy needs a change or something. Am I to turn of listening to port 80 completely or how to proceed to secure the site from http access ?

Captain86 · September 27, 2021, 9:03pm

So I can login to https or http from desktop but android gets stuck at Grant access screen for https atm.

mainland · September 27, 2021, 9:07pm

Letsencrypt should have asked whether to redirect all traffic to https when issuing the SSL certificates. Did you choose yes? If not you can issue new SSL certificates and request the redirect and that should do it for you.

Captain86 · September 30, 2021, 12:34am

Thanks,

I’m sure I did not ask for redirect all because I didn’t really have http access working for starters.

I actually forgot to ask this and I don’t know what I did at the time.

Am I suppose to encrypt the proxy domain address only ? Or the subdomain or both ?
I do not recall what I did and if I create another certificate I’m not sure what happens to the existing Nginix config will the process know how to handle things if there is already line items there ?

Captain86 · September 30, 2021, 1:13am

So I made another ssl and it didn’t ask to redirect all traffic. It just asked me to select numbers 1-5 separated by commas. So I selected the one for nextcloud.mydomain.com. If I select 2 of them it gives error about not passing checks or something.

Here is what Nginix config looks like now.

server {
    if ($host = nextcloud.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        server_name nextcloud.mydomain.com www.nextcloud.mydomain.com;

        location / {
        proxy_pass http://192.xxx.x.xxx/; #my nextcloud VM
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100M;
        }


}


server {
server_name nextcloud.mydomain.com www.nextcloud.mydomain.com;


location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
}

location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
}

location / {

proxy_pass http://192.xxx.x.xxx;  #my nextcloud VM

}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}


server {
    if ($host = racetv.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



listen 80;
server_name mydomain.com www.mydomain.com;
    return 404; # managed by Certbot


}

server {
    if ($host = nextcloud.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



listen 80;
server_name nextcloud.mydomain.com www.nextcloud.mydomain.com;
    return 404; # managed by Certbot


}

Still stuck at Grant Access for android

I think my section for "listen port 443 needs help to match what I have for listen port 80 ?
The only thing I have for listen port 443 is certificate.
No redirect IP or anything.

I suspect I have to fix this ups to mimic more of what I have for listen port 80 ?

I think it’s getting corrupt since I created new SSL and looks like certbot is adding lines for both mydomain.com and the nextcloud.mydomain which I just created.

So I probably should pick one and get rid of the other if their not needed.
I really don’t know.

If I were encrypting on the nextcloud VM only then it seems that’s simple enough, but with a reverse-proxy I would have thought that I should only encrypt the domain going to the reverse proxy and not creating certificates for the subdomains. But I don’t really know how it’s suppose to work when the certbot asks me which address etc.

Please advise thanks.

Captain86 · October 4, 2021, 7:28pm

I broke something, android is back to being able to login but stuck at grant access screen. Likely because I have to fix some ngnix lines.

However, now images are not uploading either and failing so I guess I broke something.

Back to the drawingboard I guess.

Captain86 · October 4, 2021, 10:12pm

Soo… I removed symlink to my sites-enabled and then created a new config with symlink.

server {
    
    server_name nextcloud.mydomain.com, www.nextcloud.mydomain.com;

    location / {
       proxy_pass http://192.168.XXX.XXX/;
       proxy_buffering off;
       proxy_set_header X-Real-IP $remote_addr;

#	Enable HSTS (HTTP Strict Transport Security)
        add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;

        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        proxy_redirect off;
        proxy_max_temp_file_size 0;
    }

        location /.well-known {       
            location = /.well-known/carddav   { return 301 /nextcloud/remote.php/dav/; }
            location = /.well-known/caldav    { return 301 /nextcloud/remote.php/dav/; }
            
            # according to the documentation these two lines are not necessary, but version 21.0.0 will produce warnings in the overview setup check
            location = /.well-known/webfinger   { return 301 /nextcloud/index.php$uri; }
            location = /.well-known/nodeinfo   { return 301 /nextcloud/index.php$uri; }
            
            # anything else is dynamically handled by Nextcloud
            location ^~ /.well-known          { return 301 /nextcloud/index.php$uri; }
    
            try_files $uri $uri/ =404;
        }

  listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
    if ($host = nextcloud.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    
    server_name nextcloud.mydomain.com;
    return 404; # managed by Certbot
}

Site and subdomain is working for desktop but not on android.
Also existing account on android still has http access for some reason.

When I add new account on android it takes me to the login, then I get the pop under text message that says “strict no http access” but existing account with http access still working

It continues to try to login and there is the swirling thinking nextcloud circle that never logs or does anything else. Just stuck there.

However, I can add new http access account on android http://nextcloud.mydomain

Please advise thanks

Captain86 · October 5, 2021, 2:17pm

Additionally now the http access on android also fails image uploads.

I turned off the auto upload and it keeps trying and telling me failed.
I can’t seem to turn that feature off at all now. All day it keeps attempting to upload something from the camera even though that feature in nextcloud on android is turned off.

I’m sure it’s nginix related since this was not doing this prior, but the fact that I can’t turn it off is also strange.

Please advise thanks

I do appreciate all the help and I think I have the server secure atm based on those settings above.

I just need to fix the android https access and somehow avoid http access for android. I don’t know how or why android would still allow http access with the ngnix config above.

I removed all accounts from nextcloud android for now and maybe that will stop it.

Thanks

Captain86 · October 17, 2021, 3:15pm

Curious ? If I login on android with http://mydomain.com it will login and grant access fine and actually says that it’s secure ?

However, selecting the default https:// access I get a popup that says no http access allowed which is sort of strange considering that I am actually using https to login.

Is this intended to just use the http and it redirects to https by default without the popup message ?

Just wondering why I get the security message for https but not http and to add confusion http works as “secure” access.

Confused about this for sure.

indiana · December 27, 2022, 12:34pm

Hi folks, this thread seem to fit my problem, but I can’t get it to work for me.
I have to admit, my experience witrh webservers, reverse proxy and so on is not that much. So I hope you can give me some hints that I’m able to understand it.

First of all, only public access for Android / iOS Apps is not working as this shall be done via port forwarding.
Local / VPN Network with subdomain (Local Pi-hole with DNS pointing to the same reverse proxy) seems to work perfectly (Web and Apps).
The target is not to expose a whole container / VM, I want to keep it small and therefore just port forwarding with reverse proxy in the local network. Actually this is working fine for some other services / ports I use.

So lets get a bit more detailed into my setup.

My Fritz!Box synchronizes a DDNS and does also the TCP Port (9880) forwarding to the Docker LXC and therefore to the Reverse Proxy (“Nginx Proxy Manger” as Docker Container (LXC installation failed in my case) 192.168.10.199).
The NPM listens at the forwarded port (9880)
For this container the internal port 443, 80 is open so it can communicate with any other VM / LXC locally.
The automatically generated configuration from NPM (The part between ... listen 9880 ... location / { ... was manually entered as shown in the screenshot below):

server {
  set $forward_scheme https;
  set $server         "192.168.10.200";
  set $port           443;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name my.ddns-service.tld:9880;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-5/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-5/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

    # Force SSL
    include conf.d/include/force-ssl.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /data/logs/proxy-host-28_access.log proxy;
  error_log /data/logs/proxy-host-28_error.log warn;

listen 9880 ssl;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

  location / {

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;
    
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

The Nextcloud container (LXC not Docker) is being created with a turnkey template.
config.php (trusted domain, proxy and some other changes):

<?php
$CONFIG = array (
  'passwordsalt' => 'salty',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'my.ddns-service.tld',
    2 => 'nextcloud.my.ddns-service.tld',
    3 => '192.168.10.200',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.10.199',
  ),
  'datadirectory' => '/var/www/nextcloud-data',
  'dbtype' => 'mysql',
  'version' => '25.0.2.3',
  'overwrite.cli.url' => 'https://my.ddns-service.tld:9880/',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'password',
  'installed' => true,
  'instanceid' => 'instance',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'default_language' => 'de',
  'default_locale' => 'de_DE',
  'default_phone_region' => 'de',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'updater.secret' => 'secret',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

nextcloud.conf (only changes for caldav / carddav):

ServerName localhost

<VirtualHost *:80>
    UseCanonicalName Off
    ServerAdmin webmaster@localhost

    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/nextcloud/

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule ^/\.well-known/carddav /remote.php/dav [R=301,L]
        RewriteRule ^/\.well-known/caldav /remote.php/dav [R=301,L]
    </IfModule>
</VirtualHost>

<Directory /var/www/nextcloud/>
    Options +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

The SSL Certificate is done on the NPM.

The weird thing is when I connect my Android to the local subdomain of the nextcloud. The Pi-Hole DNS returns the Docker IP-Address. With this Address and Subdomain the NPM has another setup listening on port 443 and does more or less the same forwarding. This is working, so where is the problem between the Fritz!Box and the port forwarding?

So hope someone has the right hint for me, I’ll appreciate any help.

indiana · December 28, 2022, 4:11pm

Some update for my problem and more weird behavior maybe that’s helpfull for diagnose.

Actually the webpage from nextcloud opens with the port forwarding but tells me that this domain is not trusted.

I did some trial and error , commented the trusted_proxies lines and also removed the additional proxy_set_header settings from Nginx and changed the listen 9880 ssl; to listen 9880 ssl http2; like the other automatic generated. At least I changed the 1 = > 'my.ddns-service.tld', in the config.php to 1 = > 'my.ddns-service.tld:9880', and uncommented the trusted_proxies again.
I really don’t get it why it works now the half way and I’ve absolutely no idea why it says now it’s not a trusted domain.

Is there any log where I can see which domain is being transfered?

I was not able to see any other domain in FireFox with F12. Only a mime type conflict: Die Ressource von "https://my.ddns-service.tld:9880/index.php/js/core/merged-template-prepend.js?v=12345678-0" wurde wegen eines MIME-Typ-Konfliktes ("text/html") blockiert (X-Content-Type-Options: nosniff). index.php and session haertbeat failed.

indiana · December 29, 2022, 10:15am

And next update hopefully getting closer for anyone to help me.

I’ve got the log from nextcloud and increased log level from 2 to 0 in the config.php. Result seems to miss the port while loading the page details
Log entry (replaced public IP with 1.2.3.4):
{"reqId":"123456789101112","level":1,"time":"2022-12-29T09:43:18+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"GET","url":"/index.php","message":"Trusted domain error. \"1.2.3.4\" tried to access using \"my.ddns-service.tld\" as host.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0","version":"25.0.2.3","data":{"app":"core"}}
Not sure if this is only a variable for the log which does not have the port or if its really missing.

Still hope someone has the right hint for me