Migrate to reverse proxy setup

Nextcloud version: 19.0.2
Operating system and version: Debian 10
Apache or nginx version: Apache/2.4.38
PHP version: PHP 7.3.19-1

The issue you are facing:

I have a fully functional Nextcloud setup, Let's Encrypt cert and all. First, I want to thank Nextcloud and the community for a great set of packages and a relatively smooth setup. Y’all are doing great work here and I hope, at some point, to extend use of this to my production environments rather than just my home lab.

I would like to move to a reverse-proxy setup so that I can host other sites from a single IP. The nginx config seems relatively straightforward. The question I have is: what does the process look like for undoing the Let's Encrypt setup on Nextcloud? If it’s behind a proxy, I’ll probably let the proxy handle the publicly visible certs and set up a private CA and certs to handle the inter-server communication.

This can also be handled by standard web servers by using server name indication (SNI). Therefore you just need to set up additional document roots (virtual servers) in your web server configuration. You can have multiple certificates issued by Let’s Encrypt. A single certificate can also be extended to handle alternative domain names.

I think you already know the answer ;)

Nextcloud does not handle the web communication; it’s done by the web server, like Apache or Nginx, so there is nothing to do in the Nextcloud config. You have to update your web server config files with your own certs.

If the communication proxy -> services is on a local machine and the network is isolated, like it is done by Docker container environments, usually there is no internal encryption in common setups.

Example for a shared network (I think this is how you want it to be!?):

          Proxy                                       isolated systems                                         
+-------------------------+                         +-------------------+                                     
|https://hub.example.com  |                         |   Nextcloud.local |                                     
|https://blog.example.com |     shared network      |-------------------|                                     
|//something.example.com  |                         |   Wordpress.local |                                     
|                         |-------------------------|-------------------|                                     
|    Proxy certs          | encrypted communication |   Analytics.local |                                     
| Signed by Let's Encrypt | with self signed certs  |-------------------|                                     
|                         | by own local CA         |   etc.            |                                     
|                         |                         |                   |                                     
+-------------------------+                         +-------------------+

I finally got around to spending time on this and have a separate nginx reverse proxy set up. Currently the reverse proxy is set up with its own cert and then redirecting to the backend https://nextcloudserver.

While I like the idea of maintaining SSL all the way through to Nextcloud, I suspect this will be less than ideal for the automated certbot renewals, so I think I need to disable SSL on the Nextcloud server so the reverse proxy redirects to http://nextcloudserver.

I know this is an Apache-related question, but I was hoping to get some guidance on disabling SSL on my Nextcloud deployment without breaking everything.
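
The private-CA layout from the diagram above, sketched as an nginx server block. This is an added example, not configuration posted by anyone in this thread; the backend name `nextcloud.local`, the CA file path and the choice of `hub.example.com` as the Nextcloud hostname are assumptions. It shows that certbot renewals stay entirely on the proxy while the backend keeps a long-lived internal certificate, and that the internal certificate is only checked if verification is switched on.

```nginx
# Added example. Hostnames and file paths are assumptions, not values from the thread.
server {
    listen 443 ssl;
    server_name hub.example.com;   # public name, as in the diagram

    # Public certificate: issued by Let's Encrypt, renewed by certbot on the proxy only.
    ssl_certificate     /etc/letsencrypt/live/hub.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hub.example.com/privkey.pem;

    location / {
        # Weak form: the hop is encrypted, but nginx accepts ANY backend
        # certificate, because proxy_ssl_verify defaults to off:
        #   proxy_pass https://nextcloud.local;

        # Verified form: the backend must present a certificate that chains to
        # the private CA and is valid for the name nextcloud.local.
        proxy_pass                    https://nextcloud.local;
        proxy_ssl_trusted_certificate /etc/nginx/private-ca/ca.pem;  # hypothetical path
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_name                nextcloud.local;
        proxy_ssl_server_name         on;   # send SNI so Apache can pick the vhost

        # Pass the original request details to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Nextcloud only honours the forwarded headers from proxy addresses listed under `trusted_proxies` in its `config.php`; if the backend is switched to plain HTTP instead, `overwriteprotocol` set to `https` keeps its generated links on HTTPS.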