NC Port 80 + 443, can access from lan but not outside

wolke · August 4, 2017, 12:22pm

Hi,
I installed NC 12 on nginx. No external access first for testing purposes. So Installation is on 192.168.x.x. So far so good.
Now, making it accessible from outside, I open up the mentioned ports but can not access from outside. From lan it always redirects me to the internal 192.168.x.x -ip and then works fine as if I would have directly open up via internal ip. From an external devices (e.g. phone) there won’t work that redirection (where ever it came from), so no access.
In config, I added the external domain as trusted domain and commented “overwrite.cli.url => 192.168.x.x”, also tried without commenting and changing internal ip to external dyndns-address. Won’t work.
It somehow feels to me that there somewhere is a setup of the redirection but I can not find it, but there are no more 192-lines in config.php.

Hollerauer · August 4, 2017, 1:09pm

What address are you trying to reach from outside and how were the ports (80+443) opened?

This Information is necessary to assist you.

Schmu · August 4, 2017, 3:13pm

Hi,

Did you determine your WAN IP from a website and try to enter your WAN IP in your smartphone browser?
Don’t know if you come from Germany too or if it’s different in your country, but many ISPs switch to Dual Stack which means that the IPv4 address that you have is also used by many other users. You only have your own IPv6 address.

IPv6: 1901:faae:40b::0321 (your personal address)
IPv4: 83.123.321.14 (shared address)

If that is the case for your, then you either need to enter your IPv6 in your smartphone browser and configure IPv6 portforwarding on your router or you need to request a static IPv4 address from your ISP (costs about 5,- € per month additionally in Germany).

As a hint: there are some ISP that don’t allow IPv6 portforwarding on the routers the provided to you. I have that problem for example.

Yeah, need some more info to help you more specifically.

wolke · August 4, 2017, 4:42pm

Ports were open in the WAN-Router (FritzBox) as I did for other pages too - portforwarding as usual. 80+443. If I try to access from lan, it redirects to 192.x.x.x. I have the feeling it also tries redirecting when accessed from outside(WAN), which of course does not work.
I do not really want to publish the NC-address, sorry. I hope you are not mad about me?

Ja, Ger (O2). Zero probs so far, I have to confess.
I have 4 other sites on the “raspi” and they all can be accessed smooth via ipv4. I also had Seafile on the server and could be accessed from outside just fine. It is offline for a while now, but for testing purposes, I just reactivated Seafile shortly and works fine - also https.
I assumed it might be a prob with nginx “server_name” in the 1st place, but…well, deactivated server_name and the prob is still the same. It must be something with NC.

Schmu · August 4, 2017, 5:59pm

no, not mad at all.

Can you find something in the logfiles? So, do you see your attempt to connect to the server from the Internet with your smartphone in the access.log of nginx and do you find any error messages in the error.log (nginx) and nextcloud.log file?

With some error messages we could probably request the right config files to have a look at them.

wolke · August 5, 2017, 3:17pm

I’m sorry, I can not provide any error in nginx-log, simply because there non. I tried both, from inside and outside lan.
I looked up access.log. Nothing informative from outside but from within lan:

192.168.x.x - - [05/Aug/2017:00:00:00 +0200] “GET /core/js/oc.js?v=i3j3d HTTP/1.1” 200 3250 “https://192.168.x.x/login” “Mozilla/5.0 (X11; Linux x86_64; rv:38.9) Gecko/20100101 Goanna/2.1 Firefox/38.9 PaleMoon/26.3.3”

I did cut a bit, where I wrote it. At least a hint to the internal ip.

It’s not really telling me anything from outside:

x.x.x.x - - [05/Aug/2017:00:03:12 +0200] “GET / HTTP/1.1” 301 184 “-” “Mozilla/5.0 (Linux; U; Android 2.3.7; de-de; MB525 Build/GWK74; CyanogenMod) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1”

desperate…

JasonBayton · August 6, 2017, 9:12am

Please output your Nextcloud config file, making sure to remove private info. Your overwrite URL is internal and I suspect there may be other issues.

wolke · August 6, 2017, 10:12am

cat config.php <?php
$CONFIG = array (
‘instanceid’ => ‘oc–cut–qlo’,
‘passwordsalt’ => ‘QJ–cut–WX’,
‘secret’ => ‘Kd–cut–YA’,
‘trusted_domains’ =>
array (
0 => ‘blahh.dns.de’,
#1 => ‘blahh.dns.de:(anotherportas80)’,
1 => ‘192.168.x.x’,
),
‘datadirectory’ => ‘/mnt/usb3/nextcloud/data’,
#‘overwrite.cli.url’ => ‘192.168.x.x’,
‘overwrite.cli.url’ => ‘https://www.blahh.dns.de’,
‘dbtype’ => ‘mysql’,
‘version’ => ‘12.0.0.29’,
‘dbname’ => ‘’,
‘dbhost’ => ‘localhost’,
‘dbport’ => ‘’,
‘dbtableprefix’ => ‘oc_’,
‘dbuser’ => ‘’,
‘dbpassword’ => ‘’,
‘installed’ => true,
#‘memcache.local’ => ‘\OC\Memcache\APCu’,
‘mail_smtpmode’ => ‘php’,
‘mail_smtpauthtype’ => ‘PLAIN’,
‘mail_smtpsecure’ => ‘ssl’,
‘mail_smtpauth’ => 1,
‘mail_smtphost’ => ‘’,
‘mail_smtpname’ => ‘’,
‘mail_smtppassword’ => ‘’,
‘mail_from_address’ => ‘’,
‘mail_domain’ => ‘’,
‘loglevel’ => 2,
‘maintenance’ => false,
);

I’d also post my nginx-file, but the editor here has issues with the format and hashkeys and other non-regular characters. But its pretty much the suggestion from the board here.
I remember that for Seafile, I did not even needed to open port 443, but I’m not sure if this is relevant on this case.
I hope, the config.php may help.
thx

wolke · August 11, 2017, 11:18am

further investigation… As far as I see

Nginx Configuration — Nextcloud 12 Server Administration Manual 12 documentation

“return 301”
actually is “some sort” of redirection? My conf:

upstream php-handler {
#server 127.0.0.1:9000;
server unix:/var/run/php5-fpm.sock;
}

server {
listen 80;
#server_name ~^(.+)$;
server_name mydyndns.com;
# enforce https
return 301 https://$server_name$request_uri;
}

server {
listen 443 ssl; #http2;
server_name mydyndns.com:443;

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
#add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
#add_header Strict-Transport-Security max-age=31536000;

# Path to the root of your installation
root /var/www/nextcloud/;

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;

location = /.well-known/carddav {
  return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
  return 301 $scheme://$host/remote.php/dav;
}

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

location / {
    rewrite ^ /index.php$uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param HTTPS on;
    #Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    # fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js|woff|svg|gif)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into
    # this topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    #  includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;
}

location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
    try_files $uri /index.php$uri$is_args$args;
    # Optional: Don't log access to other assets
    access_log off;
}

}