I have a pretty simple setup: Nextcloud 19.0.2 on Debian 10, apache2, Let's Encrypt. Works well for me. Also I have a Zentyal 6.2 server doing DHCP, DNS, LDAP, mail.
This works, but Zentyal is using a self-signed certificate which I believe is causing me a bit of a headache.
If I use a mail client like Thunderbird, I can tell it to make an exception for the certificate, and all is fine.
I tried to make some Apache2 reverse proxy conf… but I can't get my head around how that's supposed to work.
I tried adding the mail app to the Nextcloud install, but when it tries to access the IMAP server, an error occurs, and I am pretty sure it's to do with the certificate on Zentyal being self-signed. Where do I find the logs for the mail app? Because it also fails when I try to manually configure IMAP & SMTP without STARTTLS or SSL.
Things I don't get… If I had the reverse proxy working, Let's Encrypt just works the same on the Nextcloud/apache2 server. Do I have to make that somehow trust the self-signed certificate/connection of the Zentyal apache2 server it's being a proxy for?
Could I get around that by having 2 domains? Because I have a second domain, but only used an MX record to get mail to the Zentyal server; obviously I can't direct 443/80 to both.
Whichever server is actually listening on 80:443 (the server you forwarded 80:443 to in your modem) is your reverse proxy for the other server that has no ports routed in your modem.
Thanks, your example certainly gives me some clues that what I'm trying can be done, and how to go about it.
I have made modifications to my Nextcloud site conf(s). However, when I use SSLProxyCheckPeerName Off
So my configuration is obviously pretty close, much closer than ever before. By adding the /sogo as the proxy to the IP of the other server, now when I go to https://nc.jansen.computer/SOGo I get the content of the login page, but it's text & code rather than the right graphics layout.
I haven't added any Let's Encrypt certificate stuff to the Zentyal server. Maybe it's not required, as the URL seems to be trusted as is.
You can let the last hop be unencrypted (HTTPS from client to proxy, HTTP from proxy to server). Or you can configure Apache to not check the backend server’s cert.
The reverse proxy can fix that because it can serve a different site based on the SNI, even on the same IP and port. You may find it easier to use different subdomains (e.g. mail.jansen.computer) that point to the same IP (or one can be a CNAME of the other). This is done by setting the ServerName in your Apache sites. Then it can tell which one the client wanted.
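To make the two options above concrete, here is an added Apache 2.4 configuration (example config written for this thread, not something posted by the original poster or shipped by Nextcloud or Zentyal). It assumes the Let's Encrypt certificate paths under /etc/letsencrypt/live/, a backend hostname zentyal.lan resolving to 10.0.55.2 (the backend address seen in the thread), and a copy of the Zentyal self-signed certificate exported to /etc/apache2/ssl/zentyal-selfsigned.crt; all three are assumptions. It shows two name-based HTTPS vhosts on the same IP and port, selected by ServerName/SNI, with the second one proxying the whole mail subdomain to the backend so that SOGo's static assets are proxied along with the login page (a prefix-only ProxyPass for /SOGo leaves the stylesheet and script paths unproxied, which is what an unstyled login page looks like).

```apache
# Added example config (not from the thread). Requires:
#   a2enmod ssl proxy proxy_http headers
# Assumed: certificate paths, the hostname zentyal.lan (resolving to 10.0.55.2,
# e.g. via /etc/hosts on the proxy) and the exported self-signed cert path.

# First site: Nextcloud itself, selected when the client sends SNI nc.jansen.computer
<VirtualHost *:443>
    ServerName nc.jansen.computer
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/nc.jansen.computer/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nc.jansen.computer/privkey.pem
    DocumentRoot /var/www/nextcloud
</VirtualHost>

# Second site: same IP and port, different ServerName, proxied to the Zentyal/SOGo box
<VirtualHost *:443>
    ServerName mail.jansen.computer
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mail.jansen.computer/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.jansen.computer/privkey.pem

    # Option A (preferred): keep the proxy-to-backend hop encrypted and verify the
    # backend against its own self-signed certificate, which you export from Zentyal
    # and place at the path below. A self-signed cert is its own trust anchor, so no
    # separate CA is needed. The peer-name check compares the hostname in the
    # ProxyPass URL (zentyal.lan) against the cert's SAN/CN, so that name must match
    # what Zentyal put in its certificate.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/apache2/ssl/zentyal-selfsigned.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Option B (what SSLProxyCheckPeerName Off does): skip backend certificate
    # checks entirely. The hop is still encrypted but the proxy will accept any
    # certificate the backend presents. Uncomment these and drop the three
    # verification lines above only if you accept that.
    # SSLProxyVerify none
    # SSLProxyCheckPeerCN off
    # SSLProxyCheckPeerName off

    # Option C: unencrypted last hop (HTTPS client->proxy, HTTP proxy->backend).
    # Replace the https:// targets below with http://zentyal.lan/ and drop the
    # SSLProxy* lines; only reasonable on a trusted LAN segment.

    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"

    # Proxy the whole subdomain rather than only /SOGo, so the login page's
    # stylesheets, scripts and images are fetched through the proxy as well.
    ProxyPass        / https://zentyal.lan/
    ProxyPassReverse / https://zentyal.lan/
</VirtualHost>
```

After saving this, run `apachectl configtest` before reloading; a mistyped certificate path or a missing module shows up there rather than as a "Service unavailable" page. If Option A fails with a peer-name error in /var/log/apache2/error.log, compare the backend URL's hostname with the certificate's subject (`openssl x509 -in /etc/apache2/ssl/zentyal-selfsigned.crt -noout -subject -ext subjectAltName`) before falling back to Option B.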
After rebooting both the Nextcloud and Zentyal servers, I'm getting a "Service unavailable" error message via the proxy. Both Nextcloud and Zen are working directly. On Nextcloud, in /var/log/apache2/error.log, I see
AH00957: HTTP: attempt to connect to 10.0.55.2:80 (10.0.55.2) failed
[Mon Sep 07 17:37:20.614405 2020] [proxy_http:error] [pid 1215] [client 2406:1e00:9b10:10:3d77:5ab0:5e00:7ad0:2673] AH01114: HTTP: failed to make connection to backend: 10.0.55.2
Is IPv6 complicating it? If I try to ping 2406:1e00:9b10:10:3d77:5ab0:5e00:7ad0:2673 it doesn't resolve, and neither server lists that as an IP they have… I might disable IPv6 on the network for now.