Lighttpd as Reverse Proxy going to Raspberry Pi running NGINX

I used to run Nextcloud behind Lighttpd on Raspberry Pi on a dedicated port (port forwarding from the router) with https. I have now switched up the configuration so that Nextcloud runs behind NGINX on the same server but with HTTP.

I am now terminating the connection (SSL) to Nextcloud with lighttpd 1.4 as a Reverse Proxy (on another server) and forwarding the request to the Nextcloud instance running with the NGINX server.

For the most part, the configuration is working.

In the Administration->Overview->Security & Setup Warnings I am getting the following warnings:

Your web server is not properly set up to resolve “/.well-known/webfinger”.
Your web server is not properly set up to resolve “/.well-known/nodeinfo”.
Your web server is not properly set up to resolve “/.well-known/caldav”.
Your web server is not properly set up to resolve “/.well-known/carddav”.

If I am reading the documentation correctly, it sounds like this needs to be handled at the reverse proxy level. As lighttpd is not officially supported, documentation on how this should be handled does not appear to exist.

I am reaching out to the community to see if there are any ideas to remove those warnings. I have used Lighttpd on the upstream server for many years and have too many things depending on that configuration to switch it up to NGINX at this time.

Below is the lighttpd configuration I am trying to use:

$HTTP["host"] == "nextcloud.my.domain" {
    proxy.server = ( "" => ( ( "host" => "1.2.3.4", "port" => "80" ) ) )
    proxy.header = (
        "map-urlpath" => (
            "/.well-known/caldav" => "/remote.php/dav",
            "/.well-known/carddav" => "/remote.php/dav",
            "/.well-known/webfinger" => "/index.php/.well-known/webfinger",
            "/.well-known/nodeinfo" => "/index.php/.well-known/nodeinfo",
        ),
        "upgrade" => "enable",
        "connect" => "enable"
    )
    ssl.ec-curve = "secp384r1"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=15552000"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.pemfile = "/etc/pki/lighttpd/private/nextcloud.my.domain.pem"
}

Besides the proxy.server and ssl.pemfile directives, I don’t know if any of the other stuff works or is necessary. I have removed everything else and I get the same results so I have kept the other stuff in case it has benefits.

If anyone has suggestions, I would appreciate the help.

Thank You.

Are these tests called from the server? Or the client? I’d check and use wget/curl etc. from some outside server to verify the redirections.

I am not sure what the appropriate curl test would be. I also do not know how Nextcloud tests this feature from its internal administration page.

I tried 'curl -Is https://nc.tld.suf/.well-known/webfinger' and got a 404 error. I don’t know if that is the correct URL, or if authentication is necessary before that URL would be valid.

I used to have something like the following in the old configuration when lighttpd was serving up the pages:

url.redirect += (
    "^/.well-known/caldav" => "/remote.php/dav",
    "^/.well-known/carddav" => "/remote.php/dav",
    "^/.well-known/webfinger" => "/.well-known/webfinger",
    "^/.well-known/nodeinfo" => "/.well-known/nodeinfo"
)

Depending on the version of Nextcloud that was running, this redirection would work.

The Nextcloud documentation reads like this needs to be handled at the proxy level if using reverse proxy. I am using the NGINX configuration from the Nextcloud documentation where NGINX is running, but do not know for sure if all those options are necessary when used behind a reverse proxy.

Thank You.


If I run the same thing, I get a 301 message (permanent redirect).
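
An added example, not part of any post in this thread: a small shell check that classifies what a client sees in the `curl -Is` output for each /.well-known path, so a 404 and a 301 can be compared across all four paths from an outside host. The expected targets are the map-urlpath values from the first post (treating them as the correct redirect targets is an assumption), and cloud.example.org and the sample responses are constructed.

```shell
#!/bin/sh
# Added example. Expected targets are the map-urlpath values from the first
# post; treating them as the correct redirect targets is an assumption.
TARGETS='/.well-known/caldav=/remote.php/dav
/.well-known/carddav=/remote.php/dav
/.well-known/webfinger=/index.php/.well-known/webfinger
/.well-known/nodeinfo=/index.php/.well-known/nodeinfo'

# classify EXPECTED_PATH < header block as printed by "curl -Is"
classify() {
    # Strip CRs, take the status code from line 1 and the first Location
    # header (case-insensitive, so HTTP/2 lowercase headers also match).
    tr -d '\r' | awk -v want="$1" '
        NR == 1 { code = $2 }
        tolower($1) == "location:" && loc == "" { loc = $2 }
        END {
            if (code ~ /^30[1278]$/) {
                path = loc
                sub("^https?://[^/]*", "", path)  # absolute URL -> path only
                sub("/$", "", path)               # ignore a trailing slash
                if (path == want) { print "redirect-ok" } else { print "redirect-wrong-target" }
            } else if (code == "404") {
                print "not-found"
            } else {
                print "status-" code
            }
        }'
}

# probe BASE_URL: live check of all four paths (needs network access;
# run it from a host outside the LAN so the request crosses the proxy).
probe() {
    printf '%s\n' "$TARGETS" | while IFS='=' read -r path want; do
        printf '%-26s ' "$path"
        curl -Is --max-time 10 "$1$path" </dev/null | classify "$want"
    done
}

# Constructed sample responses (not captured from a real server).
SAMPLE_301='HTTP/1.1 301 Moved Permanently\r\nLocation: https://cloud.example.org/remote.php/dav/\r\n\r\n'
SAMPLE_404='HTTP/2 404\r\ncontent-type: text/html\r\n\r\n'
printf '%b' "$SAMPLE_301" | classify /remote.php/dav
printf '%b' "$SAMPLE_404" | classify /index.php/.well-known/webfinger
# Live use: probe https://cloud.example.org
```

A path rewritten inside the proxy produces no Location header at the client, so it shows up here as a plain status line rather than as a redirect.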