How to Configure NGINX Reverse Proxy Server for NextcloudPi?

I have an existing Nextcloud installation (courtesy of NextcloudPi) that’s been up and running on my RasPi for well over a year now. It has the full LetsEncrypt/SSL setup installed and all works great. Now I want to add another pi-based website to the mix, using a 3rd Pi as an NGINX-based reverse proxy server. My question is how do I handle the HTTPS stuff for the NCP installation? Connecting it directly to the reverse proxy server using a simple proxy_pass didn’t work – do I need to set up a new LetsEncrypt certificate for the RP server, and if so, will that be compatible with the existing NCP certificate? I’m a bit of a noob at proxying, and am not quite sure how to proceed. Any insight would be appreciated.

Many thanks in advance!

– DL

NextCloudPi version v1.17.0
NextCloudPi image NextCloudPi_10-10-17
distribution Raspbian GNU/Linux 9 \n \l
automount yes
USB devices sda sdb
datadir /media/NC-data/nc-data
data in SD no
data filesystem btrfs
data disk usage 23G/58G
rootfs usage 5.1G/30G
swapfile /var/swap
dbdir /var/lib/mysql
Nextcloud check ok
Nextcloud version
HTTPD service up
PHP service up
MariaDB service up
Redis service up
Postfix service up
internet check ok
port check 80 open
port check 443 open
interface eth0
NAT loopback no
uptime 28days

You have to add your certificate / create a new certificate to your reverse proxy. With a reverse proxy, client connections always end there and the proxy makes a new connection to your cloud server.

You should also point port 80 to your reverse proxy and let this proxy redirect to port 443.

Thank you so much for this info – your clear and concise answer is extremely helpful. Will I need to make any modifications to the NC installation, especially regarding the current HTTPS setup, or will it be sufficient to just install the certificate on the RP server? In other words, does the NC server need any modifications to accommodate the RP server?

No, your Nextcloud server does not need any modifications. You just need to install your RP and certbot for it.

Many thanks for the reply – it’s really helpful. I’m still struggling to get the HTTPS stuff working on the proxy, and this helps eliminate a lot of possible causes.

I know this thread is very old but did you manage to get it running? I want to do the same now and there is still no manual for this…

well. the answer of @dst21 might be a bit misleading.

i don’t know nextcloudpi too well. but if it redirects http access automatically to https you have to turn this off. or you have to provide a correct certificate for the internal nextcloudpi server name.

yes. your reverse proxy is now the ssl endpoint. and a valid certificate is needed for the url.

no. yes. what do you mean? simply speaking the certificate is the proof that your server is the correct server for the given url. so if your reverse proxy's dns name is nextcloud.exampledomain.tld your certificate validates this string. if you move this fqdn to your reverse proxy you can move the certificate as well. if your reverse proxy is now proxy.exampledomain.tld you need new certificates.

having said this, it should be clear that if you rename your nextcloudpi server you need new certificates for the new name as well.

because normally your new name is an internal name e.g. nextcloud.home.router you won’t get signed certificates for this name. so you have to configure your reverse proxy to accept self-signed certificates.
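The setup described in the replies above, written out as an NGINX configuration. This is an added example, not a configuration posted by anyone in the thread: the proxy holds the public certificate, redirects port 80 to 443, and re-encrypts to the NextcloudPi box while pinning its self-signed certificate instead of accepting any certificate. Assumptions: the public name is nextcloud.exampledomain.tld and the internal name is nextcloud.home.router (both taken from the reply above), the backend's self-signed certificate was issued for that internal name and copied to the hypothetical path /etc/nginx/backend/nextcloudpi.crt, and certbot uses the hypothetical webroot /var/www/letsencrypt.

```nginx
# Added example; hostnames and file paths are assumptions, see the lead-in.

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name nextcloud.exampledomain.tld;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;          # hypothetical certbot webroot
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the proxy is the TLS endpoint that clients see.
server {
    listen 443 ssl;
    server_name nextcloud.exampledomain.tld;

    # Certificate issued to the proxy for the public name (certbot layout).
    ssl_certificate     /etc/letsencrypt/live/nextcloud.exampledomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.exampledomain.tld/privkey.pem;

    location / {
        # Second TLS connection, from the proxy to the NextcloudPi server.
        proxy_pass https://nextcloud.home.router;

        # Weak setting: "proxy_ssl_verify off" (the NGINX default) accepts
        # ANY backend certificate, so the proxy cannot tell the real server
        # from an impostor on the LAN.
        # Corrected: trust only the backend's own self-signed certificate
        # and require that it matches the internal name.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/backend/nextcloudpi.crt;
        proxy_ssl_name                nextcloud.home.router;
        proxy_ssl_server_name         on;   # send that name as SNI

        # Pass the original host, client address and scheme to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading; a name mismatch or wrong pinned certificate shows up as a 502 with an upstream SSL verification error in the proxy's error log.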

My apologies for neglecting this thread. I have not yet managed to get this all running to my satisfaction. My understanding from @dst21 was that once I got all the certificate stuff properly installed on my proxy server, I shouldn’t need to make any changes to the existing target (which will keep its current name). To install the Letsencrypt stuff on the proxy server, I just ran the certbot program according to the instructions on the Letsencrypt website. It sorta worked; queries to the proxy server seemed to properly redirect to the target website, but eventually I start getting odd errors and the links on the target website start breaking.

Unfortunately, due to some lingering family health crises, I simply haven’t had the time to pursue this in depth, or even to dedicate enough attention to documenting the problems fully and returning here for proper follow-up. I absolutely intend to crack this nut, but I don’t expect to have much time to devote to it until January. Many thanks to @Reiner_Nippes for his comments as well; I will address all the comments when I get the chance, but it will likely be weeks rather than days before I can get back to it in earnest.