Moving from behind IIS proxy


Nextcloud version (eg, 20.0.5): 22.2.0.2
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.3 LTS
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.41
PHP version (eg, 7.4): 7.4.3

The issue you are facing:
We no longer have an IIS proxy, and so I am moving Nextcloud beyond it. We are now unable to open the site on an external ISP. It opens fine internally.

Is this the first time you’ve seen this error? (Y/N):
Yes

Steps to replicate it:

  1. Shut down IIS proxy
  2. Remove all overwrite* directives, trusted_proxies, and forwarded_for_headers directives in config file
  3. Restart Apache
  4. Ensure network firewall routes traffic to Nextcloud instead of IIS proxy
  5. Attempt to view site from an external ISP

The output of your Nextcloud log in Admin > Logging:

N/A

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '[redacted]',
  'secret' => '[redacted]',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '10.100.200.10',
    2 => 'cloud.domain.com',
  ),
  'datadirectory' => '/var/ncdata',
  'allow_user_to_change_display_name' => false,
  'tempdirectory' => '/tmp',
  'dbtype' => 'pgsql',
  'version' => '22.2.0.2',
  'dbname' => 'nextcloud_db',
  'dbhost' => '127.0.0.1',
  'dbport' => '',
  'dbtableprefix' => 'abc_',
  'dbuser' => '[redacted]',
  'dbpassword' => '[redacted]',
  'defaultapp' => 'apporder',
  'installed' => true,
  'instanceid' => '[redacted]',
  'maintenance' => false,
  'ldapUserCleanupInterval' => 15,
  'log_rotate_size' => '10485760',
  'htaccess.RewriteBase' => '/',
  'sort_groups_by_name' => 'true',
  'loglevel' => '2',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'logtimezone' => 'America/Chicago',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_from_address' => 'cloud',
  'mail_domain' => 'domain.com',
  'mail_smtphost' => 'smtp-relay.gmail.com',
  'mail_smtpport' => '587',
  'mail_smtpmode' => 'false',
  'mail_smtpsecure' => 'tls',
  'trashbin_retention_obligation' => 'auto, 60',
  'remember_login_cookie_lifetime' => '1800',
  'versions_retention_obligation' => 'auto, 180',
  'simpleSignUpLink.shown' => false,
  'mail_sendmailmode' => 'smtp',
  'encryption.key_storage_migrated' => false,
  'default_phone_region' => 'us',
  'activity_expire_days' => '120',
  'upgrade.disable-web' => true,
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.5,
    'dbindex' => 0,
    'password' => '[redacted]',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

[Tue Nov 02 09:55:09.553367 2021] [mpm_event:notice] [pid 1139:tid 140161095965760] AH00491: caught SIGTERM, shutting down
[Tue Nov 02 09:55:09.686691 2021] [mpm_event:notice] [pid 2570:tid 140125909171264] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operati>
[Tue Nov 02 09:55:09.686830 2021] [core:notice] [pid 2570:tid 140125909171264] AH00094: Command line: '/usr/sbin/apache2'
[Tue Nov 02 10:02:56.831206 2021] [mpm_event:notice] [pid 2570:tid 140125909171264] AH00491: caught SIGTERM, shutting down
[Tue Nov 02 10:02:56.952885 2021] [mpm_event:notice] [pid 2960:tid 139857122950208] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operati>
[Tue Nov 02 10:02:56.953035 2021] [core:notice] [pid 2960:tid 139857122950208] AH00094: Command line: '/usr/sbin/apache2'

Did IIS do anything more? Like SSL offloading or something like that? Is it working using the URL or only via IP? Which ports are routed to the Nextcloud server?

EDIT: It did not perform SSL offloading, and didn’t change ports or anything like that. I had some other rules:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules>
                <rule name="Replace Server Header" enabled="true">
                      <match serverVariable="RESPONSE_Server" pattern=".+" />
                      <action type="Rewrite" value="The Tornado Belt" />
                </rule>
                <rule name="Replace X-Powered-By Header" enabled="true">
                      <match serverVariable="RESPONSE_X_Powered_By" pattern=".+" />
                      <action type="Rewrite" value="Powered by Tornados" />
                </rule>
                <rule name="Outbound Rewrite HTTPS Already" preCondition="ResponseIsHtml1" enabled="true" stopProcessing="true">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^https://10.100.200.10/(.*)" />
                    <action type="Rewrite" value="https://cloud.domain.com/{HtmlEncode:{R:1}}" />
                </rule>
                <rule name="Outbound Rewrite HTTP to HTTPS" preCondition="ResponseIsHtml1" enabled="true">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http://10.100.200.10/(.*)" />
                    <action type="Rewrite" value="https://cloud.domain.com/{HtmlEncode:{R:1}}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
            <rules>
                <rule name="Forward Remote IP Address" enabled="true">
                    <match url="(.*)" />
                    <serverVariables>
                        <set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />
                    </serverVariables>
                    <action type="None" />
                </rule>
                <rule name="Let's Encrypt Challenge" enabled="true" stopProcessing="true">
                    <match url="/.well-known/acme-challenge/.*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                </rule>
                <rule name="HTTP to HTTPS Redirect" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                </rule>
                <rule name="SSL Passthrough" enabled="true" stopProcessing="true">
                        <match url="(.*)" />
                        <conditions>
                            <add input="{CACHE_URL}" pattern="^(https?)://" />
                        </conditions>
                        <action type="Rewrite" url="https://10.100.200.10/{HtmlEncode:{R:1}}" />
                        <serverVariables>
                            <set name="HTTP_ACCEPT_ENCODING" value="" />
                        </serverVariables>
                </rule>
            </rules>
        </rewrite>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
        <urlCompression doStaticCompression="false" doDynamicCompression="false" />
    </system.webServer>
</configuration>

More than anything it was a simple forward to Nextcloud.
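An inventory of what the IIS rules above did for each request, so every duty can be moved to Apache or consciously dropped once the proxy is gone. This is an added example, not part of the original thread: the function name `proxy_duties` and its duty labels are made up here, the sample is abridged from the posted web.config, and `<set>` names are assumed to carry the `HTTP_` prefix.

```python
import xml.etree.ElementTree as ET

# Constructed sample: four rules abridged from the web.config quoted in the thread.
SAMPLE = """<configuration><system.webServer><rewrite>
<outboundRules>
  <rule name="Replace Server Header" enabled="true">
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="The Tornado Belt" />
  </rule>
</outboundRules>
<rules>
  <rule name="Forward Remote IP Address" enabled="true">
    <match url="(.*)" />
    <serverVariables><set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" /></serverVariables>
    <action type="None" />
  </rule>
  <rule name="HTTP to HTTPS Redirect" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
  <rule name="SSL Passthrough" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="https://10.100.200.10/{HtmlEncode:{R:1}}" />
  </rule>
</rules>
</rewrite></system.webServer></configuration>"""


def proxy_duties(web_config_xml):
    """Return (rule name, duty) pairs for each enabled URL Rewrite rule."""
    duties = []
    for rule in ET.fromstring(web_config_xml).iter("rule"):
        if rule.get("enabled", "true").lower() != "true":
            continue  # a disabled rule did nothing, so nothing is lost
        name, match, action = rule.get("name", ""), rule.find("match"), rule.find("action")
        var = match.get("serverVariable", "") if match is not None else ""
        if var.startswith("RESPONSE_"):  # outbound rule acting on a response header
            duties.append((name, "rewrote response header " + var[9:].replace("_", "-")))
        elif match is not None and match.get("filterByTags"):
            duties.append((name, "rewrote URLs inside HTML responses"))
        for s in rule.iter("set"):  # HTTP_* server variables map to request headers
            duties.append((name, "set request header " + s.get("name", "")[5:].replace("_", "-")))
        kind = action.get("type") if action is not None else None
        if kind == "Redirect":
            duties.append((name, "redirected clients to " + action.get("url", "")))
        elif kind == "Rewrite" and action.get("url"):
            duties.append((name, "forwarded requests to " + action.get("url")))
    return duties
```

Run against the full posted file, the same function also lists the X-Powered-By replacement and the two outbound link-rewriting rules, none of which run once traffic goes straight to Apache.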

@swindhab
Thanks for your help.

Turns out I had accidentally incremented an IP address by one on the firewall. Well, that was easy enough to fix.
