Lost access from inside LAN

Nextcloud version (eg, 20.0.5): 23
Operating system and version (eg, Ubuntu 20.04): unraid
Apache or nginx version (eg, Apache 2.4.25): nginx reverse proxy v2.9.12
PHP version (eg, 7.4): replace me

The issue you are facing:
Can access from outside but not from LAN

Is this the first time you’ve seen this error? Y

Steps to replicate it:

  1. Install mariadb docker
  2. Install nextcloud docker
  3. Config nextcloud to point to mariadb and create admin user
  4. All works (only inside LAN)
  5. Modify config.php so it can use nginx reverse proxy
  6. From WAN works OK, from LAN stops working. Inside LAN it redirects to mynextcloud.duckdns.org but nothing or error on browser.

The output of your Nextcloud log in Admin > Logging:

PASTE HERE

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXXXXXXXXX',
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXXX',
  'trusted_domains' => 
  array (
    0 => '192.168.1.20',
    1 => 'mynextcloud.duckdns.org',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.2.2',
  ),
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'https://mynextcloud.duckdns.org',
  'overwritehost' => 'mynextcloud.duckdns.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.2.10:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXXXXXXXXXX',
  'installed' => true,
);

The output of your Apache/nginx/system log in /var/log/____:

Can't find it on my unraid server

If it never worked you can search Hairpinning and NAT Loopback.
Perhaps it is a configuration problem on your router.

Was working before, just tried to restore 2 backups from docker and was not able to make it work.
Decided to perform a fresh install of mariadb and nextcloud

problem sounds like rebind protection of the router (prevents access to local resources using external FQDN)

Deleted nginx reverse proxy and installed swag from unraid. No error apparently in the swag log, so the certificate is correct with duckdns.org
Now getting "PR_CONNECT_RESET_ERROR" after some time, with https://mynextcloud.duckdns.org/login in the address bar of the browser.
I'm using a pfsense.
Using the guide from spaceinvaderone on youtube from some days ago

Makes no sense and frustrating…

I’m sorry your posts are completely nonsense… I have no idea what you tried to achieve but this sounds clueless… maybe it makes sense for you but throwing buzzwords doesn’t move you closer to the solution. If you look for support please take the time to describe the problem, collect the logs and config, list your previous troubleshooting steps with results (improvement/regression/no change) so experienced users could help you to solve the issue…

do you seriously expect other users in this forum to spend their free time and search for another “Nextcloud in 5 Minutes” tutorial and guess what you might have done wrong?

Sorry if my posts are completely nonsense.

  1. I performed a full install of mariadb and nextcloud about 3 times, always with no errors or issues. It always worked perfectly up to the situation where it works normally from inside the network.
  2. The problem comes when trying to expose it to the internet through a reverse proxy.
  3. The problem is it works PERFECT from outside, adding these lines to config.php:
    'trusted_domains' =>
    array (
    0 => '192.168.1.20:444',
    1 => 'myurl',
    ),
    'trusted_proxies' => ['swag'],
    'overwrite.cli.url' => 'https://myurl',
    'overwritehost' => 'myurl',
    'overwriteprotocol' => 'https',
    BUT stops working from inside.
  4. After not seeing issues on nginx reverse proxy, switched to swag reverse proxy.
  5. The problem persists. Access from Internet is perfect, access from inside LAN ends with a "PR_CONNECT_RESET_ERROR" on the browser.

What error logs are needed?

nginx access.log
192.168.1.130 - - [21/Dec/2021:20:20:13 +0100] "GET / HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
192.168.2.4 - - [21/Dec/2021:20:20:56 +0100] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0"
192.168.2.4 - - [21/Dec/2021:20:20:57 +0100] "GET /login HTTP/1.1" 200 11839 "-" "Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0"
192.168.1.130 - - [21/Dec/2021:20:21:22 +0100] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
192.168.1.130 - - [21/Dec/2021:20:21:35 +0100] "GET / HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0"
192.168.2.4 - - [21/Dec/2021:20:22:17 +0100] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
192.168.2.4 - - [21/Dec/2021:20:22:18 +0100] "GET /login HTTP/1.1" 200 11839 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"
192.168.2.4 - - [21/Dec/2021:20:22:34 +0100] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.26.0"
192.168.2.4 - - [21/Dec/2021:20:22:34 +0100] "GET /login HTTP/1.1" 200 4358 "-" "python-requests/2.26.0"
192.168.2.4 - - [21/Dec/2021:20:25:37 +0100] "GET / HTTP/1.1" 302 5 "-" "python-requests/2.26.0"

nginx error.log
empty

php error.log
[21-Dec-2021 19:17:14] NOTICE: fpm is running, pid 404
[21-Dec-2021 19:17:14] NOTICE: ready to handle connections
[21-Dec-2021 19:22:09] NOTICE: Terminating …
[21-Dec-2021 19:22:09] NOTICE: exiting, bye-bye!
[21-Dec-2021 19:22:28] NOTICE: fpm is running, pid 404
[21-Dec-2021 19:22:28] NOTICE: ready to handle connections
[21-Dec-2021 20:19:14] NOTICE: Terminating …
[21-Dec-2021 20:19:14] NOTICE: exiting, bye-bye!
[21-Dec-2021 20:19:34] NOTICE: fpm is running, pid 404
[21-Dec-2021 20:19:34] NOTICE: ready to handle connections

Seems to be a kind of rebind protection as you mentioned.

  1. Stopped using adguardhome as DNS server
  2. Changed DNS server to pfsense.
  3. The "PR_CONNECT_RESET_ERROR" disappeared.
  4. NOW I get a browser error (not in English so not sure about the translation): "error happened trying to connect to mynextcloudurl".
  5. Tried to disable the DNS rebind check on system->advanced but it makes no difference.
  6. Access from internet keeps working perfectly despite all changes
  7. Internal access is still broken

After some trial and error got it working but not correctly…

  1. Removing overwritehost and overwriteprotocol from config.php, it works from internet perfectly as always and from inside LAN/WIFI I was able to access https://lanip:444.
  2. On pfSense added a Host override to redirect requests for "mynextcloudurl" to "lan_Unraid_IP".
  3. Now from LAN https://mynextcloudurl:444 works!!!
  4. The problem is that from outside it is :443 because of the reverse proxy and from inside :444, so when I configure the iPhone app with :444 using WIFI it WORKS!! but when disconnecting from WIFI and using 4G it stops working.
  5. From LAN works https://mynextcloudurl:444
  6. From internet works https://mynextcloudurl

WORKING 100% for the moment

History:

  1. Using Unraid dockers
  2. Install Mariadb on 3306 with X.X.X.25
  3. Install Nextcloud on 443 with X.X.X.26
  4. Configure for the first time the admin user and mariaDB connection of nextcloud
  5. Able to login and work.
  6. Install SWAG reverse proxy with X.X.X.24 on 443 and 80. Create NAT rule on pfSense to redirect traffic from WAN any on 80 and 443 to X.X.X.24 on 80 and 443. Also firewall WAN rule
  7. Create on pfSense a Host override for mynextcloudurl to X.X.X.26. I needed it to resolve mynextcloudurl internally to the nextcloud LAN IP X.X.X.26
  8. Modify config.php so trusted domains are X.X.X.26 and mynextcloudurl. Modify overwrite.cli.url to https://mynextcloudurl.
  9. Modify SWAG nextcloud.subdomain.conf so "server_name yournextcloudsubdomain.*", "set $upstream_app X.X.X.26;"
  10. Start the 3 dockers and make sure there is no error in the unraid log of each

very glad you fixed the issue.

for reference and as the problem comes up from time to time I decided to make an image (matching your IPs) so hopefully it helps others in the future:


The main concept is called "split-brain DNS" (split-horizon, split DNS): basically you always access the service using a hostname but resolve the FQDN myurl differently, depending on location:

  • from the internet: to your public IP (12.13.14.15)
  • from your internal network: to the local IP (192.168.1.24)

in case you use a reverse proxy (Apache, nginx, traefik, HAproxy, SWAG, f5) point the internal DNS to this address. In this case you can use an external TLS certificate (letsencrypt) for valid https:// connections on port 443 and in turn there is no need to have different access points like port 444 you used in the previous post…

the internal "shortcut" sometimes fails due to a security mechanism called rebind protection (AVM Fritzbox), so you need to allow access to the internal resource (IP address 192.168.1.24) using the public FQDN myurl in the router

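The two behaviours argued about in this thread (why a LAN client hitting the container directly gets bounced to the external FQDN while 'overwritehost' is set, and what the LAN resolver must return for the split-DNS shortcut to work) can be reasoned through with a small model. This is an added example, not code from the thread or from Nextcloud; it models the documented rules for 'overwritehost', 'overwritecondaddr' and 'trusted_proxies' in simplified form, and the IPs are constructed placeholders taken from the posts above.

```python
import re
from ipaddress import ip_address

# Constructed sample values modelled on the thread (placeholders, not real hosts).
FQDN = "mynextcloud.duckdns.org"
PUBLIC_IP = "12.13.14.15"        # public IP used in the split-DNS post
PROXY_IP = "192.168.1.24"        # reverse proxy (SWAG) on the LAN
NC_IP = "192.168.1.20"           # Nextcloud container, exposed directly on :444


def server_host(config, remote_addr, host_header, x_forwarded_host=None):
    """Hostname Nextcloud will put into redirects / absolute URLs (simplified model).

    Rules modelled (assumption, mirrors the config.php documentation):
    - 'overwritehost' wins whenever set, unless 'overwritecondaddr' is a regex
      that does not match REMOTE_ADDR;
    - X-Forwarded-Host is only honoured when REMOTE_ADDR is in 'trusted_proxies';
    - otherwise the client's Host header is used.
    """
    overwrite = config.get("overwritehost", "")
    cond = config.get("overwritecondaddr", "")
    if overwrite and (cond == "" or re.search(cond, remote_addr)):
        return overwrite
    if remote_addr in config.get("trusted_proxies", []) and x_forwarded_host:
        return x_forwarded_host
    return host_header


def classify_lan_answer(answer_ip):
    """What a LAN client can do with the address its resolver returned for FQDN."""
    if answer_ip is None:
        return "blocked: resolver refused or filtered the private answer (rebind protection)"
    if answer_ip == PUBLIC_IP:
        return "hairpin: only works if the router does NAT loopback / reflection"
    if ip_address(answer_ip).is_private and answer_ip == PROXY_IP:
        return "split-dns: LAN client reaches the proxy with the same TLS cert as outside"
    return "unexpected: answer points elsewhere, check the host override"


# The thread's original config: overwritehost applies to every request, so a LAN
# browser opening https://192.168.1.20:444 is redirected to the external FQDN.
CONFIG_ORIGINAL = {"overwritehost": FQDN, "trusted_proxies": [PROXY_IP]}
# Alternative to dropping overwritehost: restrict it to requests arriving via the proxy.
CONFIG_CONDITIONAL = {"overwritehost": FQDN, "trusted_proxies": [PROXY_IP],
                      "overwritecondaddr": r"^192\.168\.1\.24$"}
```

With CONFIG_ORIGINAL the direct LAN request is rewritten to the FQDN, which then has to resolve to the proxy (split DNS) or hairpin through the router; with CONFIG_CONDITIONAL only requests coming from the proxy are rewritten, which is the behaviour the poster obtained by removing 'overwritehost'.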

Thank you.

Actually it's like your image BUT internally I point to nextcloud directly with a host override on pfsense.

The rebind problem I think persists but is bypassed for the moment. Have to investigate it. Tomorrow will try to point directly to the reverse proxy.

it's definitely possible; in my docker setup I don't expose the application container at all (because I don't want to care about TLS certificates in multiple places), so I try to make external and internal traffic flow almost the same…

my setup is more like this:

I see some advantages in such setup:

  • all clients follow the same path (logging, monitoring)
  • all clients see the same TLS cert
  • no need to expose NC container even to internal clients (valid TLS cert, security headers, maybe reverse proxy adds some security measures)

there might be disadvantages as well but I don’t see any at the moment


Today I changed the Host override on the pfSense DNS resolver so my host1,2,3…duckdns.org point to the reverse proxy directly. Works OK!

Will investigate how to replicate the host overrides on the pi-hole docker. Will use 2, one dockered and the other on a Raspberry Pi.

Sure my setup could be better, but for a home user it is enough and safe I think.
