Help with reverse proxy NGINX

I have installed Nextcloud on a seperated VM and I did follow this guide:

What I want to do is to install NGINX as a reverse proxy in it’s own VM so I can have multi services on port 80 for a example so I can use different domain’s for different services etc.

I’m a little confused regarding this, I guess that it’s pretty easy?

I have done it before but for Seafile and wordpress and that was not a issue, but the NExtcloud setup has more settings in config files etc.


We would need to see your current nginx config files (the server blocks) where you tried to configure the proxy.

Could you also describe what exactly doesn’t work for Nextcloud? Are there any error messages in the web server or in the system logs?

My NGINX configuration are exatcly like in this guide:

I have installed a ubuntu dist with latest stable nginx now.
And my Nextcloud have as the internal IP I guess that I need that to route from the proxy.

Also I guess that I need to change on the Nextcloud VM so it has a selfsigned cert insted of let’s encrypt cert?
And place the Let’s encrypt cert on the NGINX proxy?

you don’t need a reverse proxy for that. nginx can listen on different fqdns. just put the conf file of your other services in /etc/nginx/conf.d and they will will included during startup.

note that carsten put a “default server” term in the nextcloud.conf file. i think that term can’t be used twice.

Hi everyone,
OK so now I have done some work and I have everything working perfect I think.
What do you think about my configuration files?


user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/;
events {
worker_connections 1024;
multi_accept on;
use epoll;
http {
server_names_hash_bucket_size 64;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
include /etc/nginx/optimization.conf;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$host" sn="$server_name" '
'rt=$request_time '
'ua="$upstream_addr" us="$upstream_status" '
'ut="$upstream_response_time" ul="$upstream_response_length" '
'cs=$upstream_cache_status' ;
access_log /var/log/nginx/access.log main;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver_timeout 10s;
include /etc/nginx/conf.d/*.conf;


fastcgi_read_timeout 14400;
fastcgi_buffers 64 64K;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 3840K;
fastcgi_cache_key $http_cookie$request_method$host$request_uri;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+j$
gzip_disable "MSIE [1-6]\.";

And here is the file that sends everything to my internal server that runs Nextcloud.


server {
        listen 80;
        server_name xxxx;
        rewrite ^ https://$http_host$request_uri? permanent;
        server_tokens off;
server {
        listen 443 ssl http2;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/xxxx/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xxxx/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/xxxx/fullchain.pem;
#       ssl_certificate /etc/ssl/private/cacert.pem;
#       ssl_certificate_key /etc/ssl/private/privkey.pem;
#       ssl_trusted_certificate /etc/ssl/private/cacert.pem;
        server_name xxxx;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2;

        ssl_dhparam /etc/ssl/certs/dhparam_nextcloud.pem;


        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        proxy_set_header X-Forwarded-For $remote_addr;
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "same-origin" always;
        server_tokens off;
        location = /robots.txt {
               allow all;
               log_not_found off;
               access_log off;
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_set_header X-Forwarded-Proto https;
                proxy_request_buffering off;
                access_log /var/log/nginx/nextcloud.access.log;
                error_log /var/log/nginx/nextcloud.error.log;
                proxy_read_timeout 1200s;
                client_max_body_size 0;
        location '/.well-known/acme-challenge' {
                default_type "text/plain";
                root /mnt/certbot-webroot;