https/SSL in local network for nextcloud


I have nextcloud running on Raspberry Pi 4 in localnetwork.
I can access it using either the local IP address or host name (which is http://nextcloud).

How do I get https working for local network?
I would like to generate and install SSL certificate on nextcloud so http is redirected to https.

I will also be accessing nextcloud remotely, for which there is separate certificate.


Just FYI generating a certificate and redirecting to HTTPS are two completely separate processes.

Why use a separate certificate?

Hi @KarlF12
Thanks for your reply!

I am beginner when it comes to this setup. But to help understand my setup looks like image here-

I will be accessing using WAN IP of Vultr VPS (B). Might use DynamicDNS to this IP.
Then nginx running on Vultr VPS should forward through tinc tunnel to RPI4 nextcloud (A) at tinc VPN address.

Also, when I am in home network, I want to access (A) directly using LAN IP preferably over https.

Hope that clarifies a bit more about my setup.

Right now I also have a problem with nginx-
If I open Firefox in VNC running on Vultr VPS (B) and type I can see Nextcloud login.
( is in trusted domain).
But when I forwarded using nginx proxy_pass :80 to and then try to open WAN_IP:80 from any browswer, it just keeps loading and finally fails. WAN_IP:80 is changed to in browser.

Any help highly appreciated!
Thank you.

Okay, I think I see where you’re going with that. The main thing you need to decide is how you want to access it on your LAN. You could access it by LAN IP or by another hostname that resolves to it using a self-signed certificate trusted by the client(s). You can generate the cert yourself using OpenSSL or by going to a site like Whichever you choose will have to be added as a trusted hostname in Nextcloud.

One of the pitfalls with doing it this way is you’ll have to change the server address you use based on where you are. That may not be a big deal just accessing via browser, but if you start using the sync client and WebDAV maps it will quickly become a pain.

Another option would be to use split horizon DNS (this is what I do on mine), and then use the same FQDN (and certificate) to access it on your LAN. The cert used on the VPS will be valid on your LAN this way too as long as the FQDN matches.

I also have a current setup with Nextcloud running in Docker behind a reverse proxy. I had it setup to be accessed behind the proxy directly on local network only on http. As it turns out some functions didnt seem to work for me that way. For example running Nextcloud Talk.

Is there an easy way to make that available or would you rather suggest going that self signed https way within trusted local network?

I don’t recommend a self signed cert.

If Talk isn’t working, it’s most likely due to a firewall or DNS issue.

Not 100% sure what the issue was. But it was solved after i edited the config.php from nextcloud with redirect to https and set proxies ect. Problem now is i cannot access locally because it wants to access it via https where no certificate is set.

Now it seems to be working fine…

Is there a way to configure in that config file to use a specific local ip only in http an not force https redirect?

The thing to do there is set up split horizon DNS and have the local DNS point to the LAN IP and still go through the proxy with same LE cert.

can i then just use the same certificate? or does it need to be configured? Besides dns…

Interesting. So I’ve set in my local dns the same domain name for the moment without ssl. When I enter it in the network I get redirected to ssl in public. Guess it’s still the redirect set in config.php in Nextcloud. When I will use ssl now in my nginx config will it stay locally?

Okay so to clear things up. I have a local dns pointing my domain toward a local nginx Server which redirects to local Nextcloud container. Included a copy of the ssl certificate and since it’s the same domain name it should work just fine right?

When I Access that domain locally it still gets a redirect to the public ip. Is that just not possible to get it working that way? Or am I doing something wrong?

Best regards