Need https , Nextcloud 17, ispconfig 3, nginx, ubuntu 18.04

Good afternoon everybody,

nextcloud 17, ispconfig 3.1, php 7.2, ubuntu 18.04 , certbot.

I installed Nextcloud under a website in ISPConfig (cloud.mydomain.com).
I selected SSL and Let's Encrypt, my port 443 is open, but I can't get it to connect over https://.
I've tried to modify my vhost file with no luck at all.

Can anybody please give it a look and let me know what I need to add to it? I can use the app on my phone if it's not https.

# ISPConfig-generated vhost for cloud.mydomain.com with the Nextcloud sample
# locations appended. NOTE(review): the only listener is plain HTTP on
# 192.168.1.138:80; there is no "listen 443 ssl" and no ssl_certificate*
# directive anywhere in this block, so nothing here can answer https://.
server {
listen 192.168.1.138:80;

    server_name cloud.mydomain.com;

    root   /var/www/cloud.mydomain.com/web/nextcloud;



    index index.html index.htm index.php index.cgi index.pl index.xhtml;



    # ISPConfig default error pages; "internal" stops them from being
    # requested directly by clients.
    error_page 400 /error/400.html;
    error_page 401 /error/401.html;
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 405 /error/405.html;
    error_page 500 /error/500.html;
    error_page 502 /error/502.html;
    error_page 503 /error/503.html;
    recursive_error_pages on;
    location = /error/400.html {

        internal;
    }
    location = /error/401.html {

        internal;
    }
    location = /error/403.html {

        internal;
    }
    location = /error/404.html {

        internal;
    }
    location = /error/405.html {

        internal;
    }
    location = /error/500.html {

        internal;
    }
    location = /error/502.html {

        internal;
    }
    location = /error/503.html {

        internal;
    }

    error_log /var/log/ispconfig/httpd/cloud.mydomain.com/error.log;
    access_log /var/log/ispconfig/httpd/cloud.mydomain.com/access.log combined;

    # Deny any path that contains a dot-prefixed segment (.htaccess, .git, ...).
    # Regex locations are skipped for prefixes claimed with "^~", which is how
    # the acme-challenge block below stays reachable despite this rule.
    location ~ /\. {
		deny all;
    }

    # Let's Encrypt HTTP-01 challenges are served from ISPConfig's shared acme
    # directory rather than from the site root.
    location ^~ /.well-known/acme-challenge/ {
		access_log off;
		log_not_found off;
		auth_basic off;
		root /usr/local/ispconfig/interface/acme/;
		autoindex off;
		index index.html;
		try_files $uri $uri/ =404;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
        expires max;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
    }

    # ISPConfig web statistics, protected by HTTP basic auth.
    location /stats/ {

        index index.html index.php;
        auth_basic "Members Only";
        auth_basic_user_file /var/www/clients/client0/web6/web//stats/.htpasswd_stats;
    }

    location ^~ /awstats-icon {
        alias /usr/share/awstats/icon;
    }

    # ISPConfig PHP handler: unless the (presumably non-existent) .htm file
    # exists, every URI ending in .php is handed to @php2.
    location ~ \.php$ {
                try_files /b615814d8f2c19dbcb25b1fbae07ce38.htm @php2;
    }

    # No try_files in this file names @php (the block above uses @php2), so
    # this location appears to be unused.
    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/lib/php7.2-fpm/web6.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }




    # --- Nextcloud sample configuration from here on ---
    # NOTE(review): HSTS only has meaning over TLS; browsers ignore it when it
    # arrives over plain HTTP. "preload" and "includeSubDomains" commit the
    # whole domain (see hstspreload.org), so leave this out until https works.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
    location = /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
    }
    # Empty prefix location. For the challenge files the "^~" block above is
    # the longer prefix and wins; this one only catches the bare path.
    location /.well-known/acme-challenge {

    }
        client_max_body_size 20G;
        fastcgi_buffers 64 4K;
        gzip off;
        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;
    location / {
            rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
            return 404;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            return 404;
    }
    # NOTE(review): nginx uses the first matching regex location in file
    # order. This generic PHP block precedes the Nextcloud front-controller
    # block further down, so /index.php/... style URIs appear to be served
    # here (without front_controller_active) rather than there — confirm
    # that is intended. try_files on $1 ensures the script itself exists.
    location ~ ^(.+?\.php)(/.*)?$ {
                            try_files $1 =404;
                            include fastcgi_params;
                            fastcgi_param SCRIPT_FILENAME $document_root$1;
                            fastcgi_param PATH_INFO $2;
                            fastcgi_param HTTPS $https;
                            fastcgi_pass unix:/var/lib/php7.2-fpm/web6.sock;
                            fastcgi_intercept_errors on;
                            fastcgi_index index.php;
                            fastcgi_buffers 64 64K;
                            fastcgi_buffer_size 256k;
                            fastcgi_param modHeadersAvailable true;
                            fastcgi_read_timeout 7200;
    }
    # Target of the "\.php$" location above. There is no try_files here, so
    # whether the script exists on disk is left to PHP-FPM to decide.
    location @php2 {
                            fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
                            include fastcgi_params;
                            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                            fastcgi_param PATH_INFO $fastcgi_path_info;
                            fastcgi_param HTTPS $https;
                            fastcgi_pass unix:/var/lib/php7.2-fpm/web6.sock;
                            fastcgi_intercept_errors on;
                            fastcgi_index index.php;
                            fastcgi_buffers 64 64K;
                            fastcgi_buffer_size 256k;
                            fastcgi_param modHeadersAvailable true;
                            fastcgi_read_timeout 7200;
    }
    # Nextcloud front-controller block. See the note on the generic PHP
    # block: the earlier regex locations catch most of these URIs first.
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            # Hard-coded, unlike the $https used by the two blocks above; on a
            # port-80-only vhost this tells PHP the request arrived over TLS.
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_param front_controller_active true;
        fastcgi_pass unix:/var/lib/php7.2-fpm/web6.sock;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
            try_files $uri/ =404;
            index index.php;
    }
    # A location with its own add_header list no longer inherits the server
    # level ones, hence the repeated security headers here.
    location ~* \.(?:css|js)$ {
            try_files $uri /index.php$uri$is_args$args;
            add_header Cache-Control "public, max-age=7200";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            access_log off;
    }
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
            try_files $uri /index.php$uri$is_args$args;
            access_log off;
    }
    location = /data/htaccesstest.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

}

your help is greatly appreciated .

Your nginx.conf (or nextcloud.conf) is for http only — there is no `listen 443`, or is there?

certbot normally asks if it should configure your web server to redirect everything to https. did you answer: “no”?

here https://www.c-rieger.de/nextcloud-installation-guide-ubuntu/#c05 you can find an example of a config with redirection from http to https.

Hi ,
I've tried creating the nextcloud.conf following guides similar to the one you sent me, and when I restart nginx it fails.

also i tried adding lines like this to the .vhost

# Plain-HTTP listener whose only job is a permanent redirect to https
# (the explicit ":443" in the target is redundant but harmless).
server {
listen 80;
listen [::]:80;
server_name cloud.mydomain.com;
return 301 https://$server_name:443$request_uri;
}
# TLS listener. NOTE(review): the two ssl_* lines below have two problems,
# which is presumably why nginx refuses to reload: the second directive must
# be ssl_certificate_key (the private key is not a second certificate), and
# the space after "ssl/" splits each path into two arguments, which nginx
# rejects as an invalid number of arguments.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.mydomain.com;

        ssl_certificate /var/www/clients/client0/web6/ssl/ cloud.mydomain.com.crt;
        ssl_certificate /var/www/clients/client0/web6/ssl/ cloud.mydomain.com.key;


}

but when i reload or restart nginx it still fails .

I don't recall certbot asking me that.

thank for taking your time and helping me :smiley:

it should look like this

# Certificate and key live in ISPConfig's per-site ssl directory; note there
# is no space between "ssl/" and the file name.
ssl_certificate /var/www/clients/client0/web6/ssl/cloud.mydomain.com.crt;
ssl_certificate_key /var/www/clients/client0/web6/ssl/cloud.mydomain.com.key;
# Used by nginx to verify OCSP-stapling responses when ssl_stapling_verify is
# on; it is meant to hold the issuer chain, so pointing it at the leaf .crt
# only works if that file already contains the chain (the reply further down
# in this thread uses Let's Encrypt's fullchain.pem instead).
ssl_trusted_certificate /var/www/clients/client0/web6/ssl/cloud.mydomain.com.crt;

did you check the error messages with journalctl -x when nginx start failed?

so the header of my .vhost looks like this

# Head of the ISPConfig vhost after adding the TLS listeners by hand.
# NOTE(review): the ssl_* paths still carry a space after "ssl/" (and the
# ssl_trusted_certificate one lacks the ssl/ directory altogether), and
# server_name is declared twice. "nginx -t" would report the split arguments,
# so if the restart really succeeded it is worth checking that this is the
# file nginx actually loads; a TLS listener without a usable certificate is
# consistent with the browser's PR_END_OF_FILE_ERROR reported below.
server {
listen 192.168.1.138:80;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.mydomain.com;

    ssl_certificate /var/www/clients/client0/web6/ssl/ cloud.mydomain.com.crt;
    ssl_certificate_key /var/www/clients/client0/web6/ssl/ cloud.mydomain.com.key;
    ssl_trusted_certificate /var/www/clients/client0/web6/ cloud.mydomain.com.crt;

    server_name  cloud.mydomain.com; 

I restarted nginx without trouble, then I tried to open my Nextcloud over https: and it still does not work.

mozilla gives error cloud.mydomain.com. PR_END_OF_FILE_ERROR

https://support.mozilla.org/en-US/questions/1267074


no idea what’s wrong. maybe you could check your side with SSL Server Test (Powered by Qualys SSL Labs) and get some more information about your ssl settings.

If you don't mind starting from scratch, try my playbook on a new machine; it sets up a working Nextcloud. Don't run it on your existing server — that might break things.

Haha, it's like you were watching me … I broke it, got frustrated, and I'm going to start with a clean install.
Hopefully this time I'll get it right.
thanks for your help !

I also got a PR_END_OF_FILE_ERROR, all of a sudden.

But even a clean install doesn't help :frowning:

Can anybody help me please? :slight_smile:

I have an ispconfig setup on debian 9 base.
For my Nextcloud instance I have created a website with SSL and Let's Encrypt. Under Redirect, check "HTTP to HTTPS"; in the SSL tab, only check SPDY/HTTP2.
Under options I have entered the following under php.ini settings:

; php.ini overrides entered in the ISPConfig site "Options" tab.
; Upload limits; these must agree with client_max_body_size (15G) in the
; nginx directives further down.
upload_max_filesize=15G
post_max_size=15G
; PHP 5.x-only setting, removed in PHP 7 and ignored there.
always_populate_raw_post_data=-1
max_execution_time = 3600
; OPcache settings along the lines of Nextcloud's recommendations;
; opcache.save_comments=1 is the one Nextcloud insists on.
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1
memory_limit = 2G
mbstring.func_overload=0
default_charset='UTF-8'
output_buffering=0
; Lets PHP-FPM derive PATH_INFO from the script path. With this enabled, the
; try_files on $fastcgi_script_name in the nginx PHP block (and PHP-FPM's own
; security.limit_extensions) is what keeps non-.php files from being executed.
cgi.fix_pathinfo=1

and under nginx directives:

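# ISPConfig "nginx Directives" snippet for a Nextcloud site. ISPConfig merges
# it into the generated server {} block, so everything not wrapped in a
# location applies at server level.
#
# Security headers for every response that is not served by a location with
# its own add_header list (a location that sets any add_header stops
# inheriting these, hence the copies in the css/js block below). Because the
# PHP block sets modHeadersAvailable, Nextcloud does not send these headers
# itself, so this list has to be complete and spelled correctly.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
# A misspelt header name here (e.g. "X-a-Options") is silently sent as-is and
# leaves clickjacking protection off for PHP responses.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

# Exact-match locations take priority over the regex rules below.
location = /.well-known/carddav {
  return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
  return 301 $scheme://$host:$server_port/remote.php/dav;
}

# set max upload size (keep in step with upload_max_filesize/post_max_size)
client_max_body_size 15G;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

location / {
rewrite ^ /index.php;
}

# Internal directories and files that must never be served directly.
# Note the second rule only covers dot-prefixed names at the top level.
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}

# Only the listed front-controller scripts are ever passed to PHP.
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
# Refuses the request unless the script itself exists; this is the guard
# that makes cgi.fix_pathinfo=1 safe.
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
# Fine here because the site redirects HTTP to HTTPS in ISPConfig.
fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
# fastcgi_pass php-handler;
# ISPConfig placeholder; presumably expanded to the site's PHP-FPM socket.
{FASTCGIPASS}
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}

location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}

# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;

# Optional: Don't log access to assets
access_log off;
}

location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
# ISPConfig marker: "##delete##" is meant to drop the vhost's own
# "location ~ /\." block from the generated config. NOTE(review): after that,
# dot-files are only denied by the top-level "^\/(?:\.|..." rule above, not in
# subdirectories — confirm this is intended.
 location ~ /\. { ##delete##
}
ssl_prefer_server_ciphers on;
# NOTE(review): this list still admits CBC/SHA-1 suites (AES128-SHA,
# CAMELLIA128-SHA, the "+SSLv3" aliases) and no ssl_protocols directive is
# set in this snippet; check the Qualys report mentioned earlier in the thread
# before relying on it.
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
# use this only if all subdomains support HTTPS!
# The preload warning in the css/js block above applies here as well.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# OCSP stapling; ssl_stapling_verify needs the issuer chain from
# ssl_trusted_certificate below.
ssl_stapling on;
ssl_stapling_verify on;
# Resolver used only for the OCSP lookups; these are public (Google) DNS
# servers queried in cleartext, so use a local resolver if that matters.
resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
resolver_timeout 5s;
#ssl_dhparam /etc/nginx/dh4096.pem;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
server_tokens off;
ssl_session_tickets off;
ssl_session_cache shared:SSL:50m;
# Let's Encrypt chain; replace the domain with your own.
ssl_trusted_certificate /etc/letsencrypt/live/cloud.mydomain.com/fullchain.pem;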

In the last line of the nginx directives block, replace the domain with your own.
I hope I could help you with this.
Kind regards,
Frappé