Making NextCloud VM accessible over the web

Hi. Please do bear with me. I’m a coder mainly, who is trying to get nextcloud set up on his home server. I’m afraid my networking knowledge is scrappy - so may be grating to those who know their onions!

I’m running Windows Server 2016 + IIS. This server has a static Lan IP address of, let’s say 192.168.1.25. I successfully serve IIS websites, SVN repos, FTP servers etc from it via a number of registered domain names.

I also have a static IP through my ISP.

I have successfully installed the Hansson IT Nextcloud VM via VirtualBox and can access this fine via the LAN address. I skipped the https setup - more on that later. The network adapter is set to Bridged and NextCloud appears as its own LAN IP on my router (let’s say 192.168.1.75). I’ve locked the MAC to that LAN IP address.

Ultimately, I’d like to be able to access my nextcloud server over the web via a domain. Ideally, I’d like to use the domain name that I use for all my personal applications (let’s say me.org.uk). However, this domain also maps to other servers on my server such as the ftp, svn and file servers (that is IIS maps me.org.uk to 192.1.168.25 - the server’s static IP). Thus, I realise this may not be possible. If not, then would make do with using another domain solely dedicated to the nextcloud server (or not sure if I could set up some kind of sub domain - more research needed).

Now this is where I get lost. I followed the guide here: https://docs.hanssonit.se/s/W6fMouPiqQz3_Mog/virtual-machines-vm/d/W6-83ePiqQz3_MrT/publish-your-server-online

The issue is that I can’t map ports 80 and 443 to the nextcloud IP (192.168.1.75) because these are already mapped to my server and its services (192.168.1.25).

The other issue is the https certification. I use WinAcme to auto generate free https certificates for domains on my server. Thus, me.org.uk has its own certificate managed through this. I’m not sure how I would tie this into a https connection to the nextcloud server.

Again, apologies if this is really newb, but networking stuff is a blindspot for me. I’m also VERY new to VMWare + that extra layer of abstraction blows my small head.

I’m really excited to cut the cord (and avoid being stung 2 years down the line by unscrupulous companies!), but struggling at this last step. I’d be looking to purchase the larger Hansson VM packages as I do a lot of work with large numbers of media files on the move, so lots of storage is a must.

I do hope someone can help and thanks in advance if you do.

Hi @stigzler

This is not a detailed guide but it might help you to steer in the right direction…

The easiest way is to use a subdomain. For example, cloud.yourdomain.tld. However, this does not solve the problem that port 80 and 443 are already forwarded to another internal IP…

Reverse proxy is the keyword you are looking for. But I must say that I am not an expert on this topic and therefore cannot give you detailed instructions. Especially when it comes to configuring the reverse proxy for the services, that are running on your Windows server.

Very simply explained, you put another web server in front of all your web services, that acts as a proxy and then forwards the requests to the actual servers. (IIS, Nextcloud etc…). based on the domain name / sub-domain that is requested. Popular choices are nginx or HAProxy. But also Apache can be operated in a reverse proxy configuration…
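The host-name-based forwarding described in the reply above, sketched as an nginx configuration. This is an added example, not part of the original thread and not a tested setup for this poster's network: the subdomain `cloud.me.org.uk` and the certificate paths are assumed placeholders, and the LAN addresses are the ones quoted in the first post.

```nginx
# Added illustration; belongs inside the http { } context of nginx.conf.
# cloud.me.org.uk and the certificate paths are assumed placeholders.

# Port 80 serves no content in clear text, only a redirect to HTTPS.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

# A TLS handshake whose server name matches no block below is refused,
# so requests to the bare public IP never reach a backend.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Existing web sites on the Windows/IIS machine.
server {
    listen 443 ssl;
    server_name me.org.uk;
    ssl_certificate     /etc/nginx/certs/me.org.uk/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/me.org.uk/privkey.pem;    # placeholder

    location / {
        proxy_pass http://192.168.1.25:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Nextcloud VM, reached through its own subdomain.
server {
    listen 443 ssl;
    server_name cloud.me.org.uk;
    ssl_certificate     /etc/nginx/certs/cloud.me.org.uk/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/cloud.me.org.uk/privkey.pem;    # placeholder
    client_max_body_size 0;  # leave upload size limits to Nextcloud

    location / {
        # The scheme has to match the backend port: http:// for 80, https:// for 443.
        proxy_pass http://192.168.1.75:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With a layout like this the router forwards ports 80 and 443 only to the proxy machine. On the Nextcloud side, the public host name goes into `trusted_domains` and the proxy's address into `trusted_proxies` in `config.php`.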

Thanks @bb77 - that got me started. I’ve had some success, but have come to a stand still.

I followed the guide here to set up reverse proxy on IIS: Setup IIS with URL Rewrite as a reverse proxy for real world apps - Microsoft Tech Community

I tried it first using 192.168.1.75:10000 as the server name on the inbound rules. I also put that and me.org.uk in the outbound server rules. This worked and I could access the Webmin over my domain name.

EDIT: Unfortunately this only works for me.org.uk on my LAN as this gets resolved to 192.168.1.75:10000. It gets resolved to that on the WAN, which obviously doesn’t work.

However, I couldn’t get it to work for accessing the normal nextcloud webapp. I can do this on my lan by typing the ip directly (192.168.1.75). However, if I set up the inbound and outbound rules using this alone (i.e. remove the port 10000 from the setup above), I get an error:

500 - Internal Server Error

I’ve also tried setting it up with the port as 443, but get:

# Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Finally tried port 80, but get:

500 - Internal Server Error

How frustrating! I just need a leg up over the final hurdle. Hope someone can help.

I am not familiar with IIS and have no idea whether you can use it as a reverse proxy for Nextcloud. But I think that conceptually and probably also security-wise it would be better to put a reverse proxy in front of all services, from which you then access your Nextcloud and the services that run via IIS. But perhaps other users here have experience with a similar set-up and can give you more detailed tips what best practices are in this case…

Thanks again @bb77. I’m assuming that IIS can be used given that the Webmin interface loads OK. Let’s hope there’s someone around who knows a little about IIS reverse proxies…

EDIT - OK - so the Webmin interface only works via domain name on the LAN, not WAN. :frowning: See two posts up for the EDIT

is this from your iis or nextcloud?

what about turning things around. that is to say configure the apache web server on your nextcloud vm to reverse proxy your iis? or putting a dedicated reverse proxy in front of both?

Thanks for the reply, @Reiner_Nippes. I’m afraid you’re assuming more capability than I have!

No idea - how would I find this out?

Again, I would have no idea how to do this. As stated in the OP, I’m a bit of a newb to this, but always happy to learn, but do need online guides/articles - preferably step by step.

nextcloud still working from LAN?

you’ll find a lot of tutorials: https://www.google.com/search?q=apache+reverse+proxy

you can start with a simple setup and advance step by step.

btw: are you sure that you want to expose your setup to the internet? with that little knowledge? :wink: isn’t a iis win2016 a bit outdated?

p.s.: i would setup different fqdns for each service you want to reach from the internet. so

instead of

imho a bit easier for newbies.

@Reiner_Nippes

Yes - as outlined in my OP.

I’d like to get this working via IIS if possible. Hopefully someone can give me some direction.

It’s on the most recent version of IIS (V10)

Thanks for your efforts, though.

it seems that it is possible: https://www.google.com/search?q=iis+reverse+proxy+nextcloud there are some older postings here in the forum dealing with iis as reverse proxy.

@stigzler You have got an email. :slight_smile:

This guy goes through step-by-step. I did the steps myself and it works GREAT! I suggest watching it through first, then follow along. Start to finish, with some debugging, it took me around 3-ish hours.

One open port on the router, SSL Wildcard certificates, zero dollars. If you have multiple VMs and want to access them from anywhere, this is the way. I’m not affiliated at all, but I saw this just after it was posted June 2021 and it is slick.

Yes, this is a beautiful presentation. Except that he sets up Cloudflare as a Man in the Middle (MITM).

Thanks for this - it does look very relevant. However, I went with a different solution in the end (I would really worry about breaking stuff with this approach!)

UPDATE: In the end I just went with the built-in option of the VM to set up a free dedyn.io access route. The VM script automatically sets everything up including https certificates etc. Whilst having to use the dedyn.io domain wasn’t ideal, it beat the fun and games I was having with reverse proxies, etc. In the end, I did get it so I could access it from my own domain, but I’d have to supply a port number on any url and then I hit installing the http certificate. In the end, gave up and went for the easy option! Just hope dedyn don’t pull the trick that every other bugger seems to pull (of roping you in, getting you dependent and then starting to charge you).

Glad it all worked out in the end. :rocket:

I’m pretty sure deSEC will be free forever.