Nextcloud AIO problems with Reverse Proxy

Hello,

I just converted my Nextcloud AIO 11.4.0 from direct to reverse proxy mode by doing a backup, resetting all the containers/networks/volumes, then restoring the backup.

The reverse proxy is Caddy, with port forwarding of tcp/udp 80/443 from my public IP. It’s working fine for other services on other servers. No ip6.

Nextcloud works in browser and for files, but some random other items don’t work anymore.

  • Administration > Overview > Security & setup warnings
    Spins, spins, spins, fails. All the failures say something like “could not resolve self”. For example:

Could not check that the data directory is protected. Please check manually that your server does not allow access to the data directory. To allow this check to run you have to make sure that your Web server can connect to itself. Therefore it must be able to resolve and connect to at least one of its trusted_domains or the overwrite.cli.url. This failure may be the result of a server-side DNS mismatch or outbound firewall rule.

  • Collabora can’t load
    The logs show a bunch of errors like this.
    cURL error 28: Connection timed out after 5002 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://{my-public-domain}/hosting/discovery

Some relevant info for troubleshooting…

  • The Nextcloud Security Scan works (aside from the known bug “Nextcloud Security Scan broken since weeks”, nextcloud/server issue #54013 on GitHub) and gives an A+. This should rule out any public DNS and firewall issues.

  • overwriteprotocol => 'https'

  • overwritehost => '{my-public-domain}'

  • overwrite.cli.url => 'https://{my-public-domain}/'

  • 'trusted_domains' are 'localhost' and '{my-public-domain}'

  • 'trusted_proxies' are autogenerated '127.0.0.1', '::1', '172.18.0.0/16'. I’ve also added the IP of my Caddy reverse proxy: '192.168.50.40'

  • I used docker exec to confirm nslookup {my-public-domain} is correct from inside the Nextcloud bridge network. It returns my public IP address.

  • I have NAT Reflection enabled (hairpinning) on both my port forward rules.

Any ideas how to troubleshoot further? Seems like DNS is fine, firewalls are fine, and yet Collabora and Nextcloud security checks are broken.

Try an actual connection via curl to your overwrite.cli.url from the app container.

The errors essentially all suggest that Nextcloud is unable to connect to itself via the new RP.

1 Like

Ok, I figured out my NAT reflection wasn’t configured correctly!

Inbound NAT (port forwarding) was set up correctly, with reflection enabled. This means traffic to {my-public-ip}:443 would get redirected to the Caddy reverse proxy, 192.168.50.40. This also worked from internal networks (reflection).

The problem is all that traffic kept the original source IP. This works for WAN traffic, but for LAN traffic the reverse proxy was replying directly to the client. From the client’s perspective, it sends a request to {my-public-ip}, then receives & ignores unsolicited traffic from 192.168.50.40.

The solution is adding Outbound NAT rules that also replace the source IP with the router IP. Then the reverse proxy will send all its replies back to the router, which uses its NAT state history to redirect the reply to the original client.

This OPNsense guide did a great job explaining NAT. I used Method 1 to solve the issue.

I’m pretty sure this has always been misconfigured. Something janky in my old “direct” setup must have accidentally bypassed the fact that I was missing half my NAT reflection.

1 Like
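The asymmetric-reply problem described in the post above, as an added model (not code from the thread or from OPNsense): a tiny simulation of the router's inbound port forward with reflection, with and without the outbound source-NAT rule, showing which clients get a reply from the address they are waiting on. The public IP, router address and client addresses are constructed placeholders; only 192.168.50.40 comes from the thread. The Nextcloud host counts as a LAN client here, assuming its Docker bridge traffic is masqueraded to the host's LAN address.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"      # placeholder for {my-public-ip} (documentation range)
ROUTER_LAN_IP = "192.168.50.1"  # assumed LAN address of the router
PROXY_IP = "192.168.50.40"      # Caddy reverse proxy, as given in the thread
LAN_PREFIX = "192.168.50."


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


@dataclass
class Router:
    outbound_nat: bool                          # OPNsense "Method 1" source rewrite on/off
    state: dict = field(default_factory=dict)   # (proxy, nat_src) -> real client address

    def inbound(self, src, dst):
        """Port forward with reflection: anything sent to the public IP is
        redirected to the proxy. Returns the (src, dst) the proxy will see."""
        assert dst == PUBLIC_IP
        nat_src = ROUTER_LAN_IP if self.outbound_nat and on_lan(src) else src
        self.state[(PROXY_IP, nat_src)] = src
        return nat_src, PROXY_IP

    def reply(self, src, dst):
        """Un-NAT a reply that actually reached the router; unknown flows pass through."""
        client = self.state.get((src, dst))
        return (PUBLIC_IP, client) if client else (src, dst)


def request_round_trip(client_ip, outbound_nat):
    """Client connects to PUBLIC_IP. Return True if the reply it receives comes
    from PUBLIC_IP (accepted), False if it arrives from some other address
    and is dropped as unsolicited."""
    router = Router(outbound_nat)
    seen_src, seen_dst = router.inbound(client_ip, PUBLIC_IP)
    reply_src, reply_dst = seen_dst, seen_src   # the proxy answers whoever it saw
    if on_lan(reply_dst) and reply_dst != ROUTER_LAN_IP:
        # Same subnet: the proxy delivers directly and the router never sees it.
        final = (reply_src, reply_dst)
    else:
        final = router.reply(reply_src, reply_dst)
    return final == (PUBLIC_IP, client_ip)


if __name__ == "__main__":
    for client in ("198.51.100.7", "192.168.50.20"):
        for nat in (False, True):
            print(client, "outbound NAT" if nat else "no outbound NAT",
                  "OK" if request_round_trip(client, nat) else "reply ignored")
```

A WAN client works either way because its reply must cross the router; a LAN client only works once the outbound rule makes the proxy send replies back through the router.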
