Nextcloud behind an IIS Reverse Proxy

My company has a Nextcloud setup with an ADFS/SAML login to prompt the 2FA. I have all this working inside the VPN. Outside the VPN, no one can get to the ADFS page so I am looking into a Web Application Proxy to meet that need while keeping the 2FA prompts. As part of this, I also pulled the Nextcloud server back into the VPN and am trying to reverse proxy it on the same WAP server through IIS.

Setup:

  • Microsoft 2016 Hosting IIS acting as WAP and Reverse Proxy through IIS/Remote Access Manager, placed in DMZ and can ping/talk to everything it needs to

  • Microsoft 2016 Hosting ADFS inside VPN

  • Ubuntu 16.04 hosting Apache2, PHP 7.1.19, MySQL 15.1 with Nextcloud configs

I am so close to having everything working, but I cannot get Nextcloud to load for external users. I keep getting the “too many redirects” error. I think I’ve narrowed it down to being on the Nextcloud side after playing with settings.

The current setup I have on Nextcloud doesn’t allow HTTP traffic. It redirects all traffic to HTTPS (as seen in the configs). So I think I am getting the too many redirects error since the proxy redirects and then Nextcloud redirects. But I can’t figure out how to open Nextcloud to allow HTTP, or how to have the redirect between the WAP and Nextcloud be HTTPS instead of HTTP so Nextcloud won’t redirect it again. I’ve tried playing with a handful of settings, such as adding most of the configs in the 443 Apache settings into 80 (without the SSL portions), toying with SSL offloading, etc., all with no luck. Any ideas?

I know it’s possible because I see a handful of people doing it after some Google searches.

Guide used to set up Nextcloud - https://www.linuxbabe.com/cloud-storage/setup-nextcloud-server-ubuntu-16-04-apache-mariadb-php7

Guide used to set up ADFS/SAML - https://rephlex.de/blog/2018/04/05/how-to-connect-nextcloud-to-active-directory-using-ad-fs-without-losing-your-mind/

Guide used to install Reverse Proxy - https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/

Nextcloud config file - https://hastebin.com/kowukexuvu.xml

Apache config file - https://hastebin.com/xezifakusu.apache

What is giving you the ‘too many redirects error’, IIS or Nextcloud? Is your WAP working for anything else? Does Nextcloud work by directly accessing it using HTTPS, and no redirects from HTTP?

I’m guessing you’ve seen this?

Thanks for the reply/help.

What is giving you the ‘too many redirects error’, IIS or Nextcloud?

  • Nextcloud. If I turn off the HTTP settings in Apache I get an Ubuntu error meaning the traffic is reaching Nextcloud. Since Nextcloud is currently configured to redirect HTTP to HTTPS (as seen in the configs), this leads to the error.

Is your WAP working for anything else?

  • This is the first thing I am implementing on it. I plan to utilize other sites behind it after I get this working and understand it more. The only things currently configured on it are the ADFS through remote manager, which is showing green and working, and the reverse proxy (both of which are utilized by this Nextcloud setup).

Does Nextcloud work by directly accessing it using HTTPS, and no redirects from HTTP?

  • Nextcloud works inside the VPN in either case; both HTTPS and HTTP (through redirect to HTTPS).

I’m guessing you’ve seen this?

  • Yes, and I’ve placed those settings in Nextcloud’s config (see Nextcloud config), or at least to the settings I would think they should be. I reworded what I set in my linked configs but you get the point. I would think this would throw a different error than too many redirects too, but can’t guarantee that.

My advice would be to simplify the problem, possibly by setting up a server with a static web page, and getting that working first. Making Nextcloud directly accessible using HTTPS would also help.
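
The loop hypothesised in the original post (TLS ends at the proxy, the backend sees plain HTTP and redirects to HTTPS again) can be reproduced in a small model. This is an added example, not code from the thread, Nextcloud, or IIS; the host name, the proxy address, and all function names are constructed for illustration.

```python
# Added illustration: a model of TLS offload at a reverse proxy (not Nextcloud/IIS code).
PROXY_IP = "10.0.0.5"            # constructed address of the DMZ proxy (assumption)
TRUSTED_PROXIES = {PROXY_IP}
SITE = "https://cloud.example.test/"   # constructed host name

def backend(scheme, peer_ip, headers, honor_forwarded):
    """Backend that forces HTTPS. Returns (status, location)."""
    effective = scheme
    # Only a trusted proxy may assert the scheme the client originally used;
    # otherwise any client could send the header and skip the HTTPS redirect.
    if honor_forwarded and peer_ip in TRUSTED_PROXIES:
        effective = headers.get("X-Forwarded-Proto", scheme)
    if effective != "https":
        return 301, SITE
    return 200, None

def proxy(client_scheme, honor_forwarded, backend_scheme="http"):
    """Proxy ends the client's connection and forwards over backend_scheme."""
    headers = {"X-Forwarded-Proto": client_scheme}
    return backend(backend_scheme, PROXY_IP, headers, honor_forwarded)

def follow(url, honor_forwarded, backend_scheme="http", max_hops=10):
    """Follow redirects the way a browser does; return (result, hops)."""
    for hops in range(max_hops):
        scheme = url.split("://", 1)[0]
        status, location = proxy(scheme, honor_forwarded, backend_scheme)
        if status == 200:
            return 200, hops
        url = location
    return "too many redirects", max_hops

if __name__ == "__main__":
    print("offload, header ignored:", follow(SITE, honor_forwarded=False))
    print("offload, header honored:", follow(SITE, honor_forwarded=True))
    print("re-encrypt to backend:  ", follow(SITE, False, backend_scheme="https"))
    print("spoofed header, untrusted peer:",
          backend("http", "203.0.113.9", {"X-Forwarded-Proto": "https"}, True))
```

The model shows two ways out of the loop: the backend accepts the forwarded scheme from the proxy's address only, or the proxy talks HTTPS to the backend.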