Moving Nextcloud behind reverse proxy

LogicalUnit · May 23, 2019, 10:38am

Hi everyone, I have Nextcloud running on a Debian 9 server at my home. I have a static IP from my ISP, and I have pointed a domain to it. My router forwards ports 443 and 80 to my server. Everything is working well, and I can access Nextcloud at https://mydomain.com

I would like to put my Nextcloud behind a secure reverse proxy at https://nextcloud.mydomain.com.

I have created the CNAME record, and my SSL certificates are ready to go. I just need to know which Apache2 mods to enable, and what to put in the config. Here is my current Apache config for Nextcloud:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    #SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateFile /home/john/ssl/certificate.crt
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCertificateKeyFile /home/john/ssl/private.key
    <IfModule mod_rewrite.c>
      RewriteEngine On
      #RewriteBase /
      RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
      RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    </IfModule>
  </VirtualHost>
  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
</IfModule>

Any help appreciated.

ralfi · May 23, 2019, 1:45pm

Hi LogicalUnit,

what tells your your browser if you try your site from outside via internet?
What the error message in your apache log?
Why do you not set the apache log level to debug?
What is the message from your browser if you try from inside your nc instance?

Please beware here are not magician with glass sphere.

LogicalUnit · May 23, 2019, 11:26pm

Hi ralfi,

There are no errors. Nextcloud is up and running. I am looking for help to configure Apache2 as a reverse proxy.

ralfi · May 24, 2019, 1:33pm

My working home config is the nearly the same.

I am using a free Dyn-DNS provider with ACME support and Letsencrypt Certs. Its only differs in the nextcloud instance, at me this works as docker container with user volume. Works like a charme from everywhere. Further informations also here:

https://www.c-rieger.de/

The apache config for my nextcloud sub domain and the nextcloud docker container at port 81:

IfModule mod_ssl.c
VirtualHost *:443

ServerName nextcloud."my-DynDNS-Name".de:443

ProxyAddHeaders Off

SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=155520000; includeSubDomains"
</IfModule>

ProxyPassMatch (.*)(\/websocket)$ "ws://nextcloud."my-DynDNS-Name".de:81/$1$2"
ProxyPass / "http://nextcloud."my-DynDNS-Name".de:81/"
ProxyPassReverse / "http://nextcloud."my-DynDNS-Name".de:81/"

LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log
CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/nextcloud.“my-DynDNS-Name”.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.“my-DynDNS-Name”.de/privkey.pem

/VirtualHost
/IfModule

As you can see i use TLS only for access to the apache server, internal LAN traffic to the docker container is unencrypted. Helps to detect anomalies and something like this with IDS. Hope this helps.

Regards, ralfi