Nextcloud behind multi-domain reverse proxy

Right now I have HAProxy set up on my network acting as a dedicated reverse proxy doing pass-through SSL, not SSL termination. I have a WordPress server running inside my network as well. I can access the WordPress page but not Nextcloud. I looked at the Nextcloud documentation and saw there was a trusted proxy array I could put in my config.php file (which I did), but I still can’t connect to it.


It works! I didn’t make any changes either…my domain name is www.mydomain.com, but I have been typing mydomain.com and it doesn’t connect. What’s weird though is even though my domain name is www.mydomain.com, I still have a ServerAlias line in my apache configuration files with www.mydomain.com. For some reason it won’t take it

I got to a different network and for some reason on this network I cannot connect (or over OpenVPN). I can’t even curl it when I’m on this network. Is there a reason why I can connect on some networks and not others?

Are you saying you can’t get to it internally, but can from external networks? If that’s the case I’d assume NAT redirection isn’t in place?

I can access it internally (I had to edit the hosts files), but it appears that on some external networks I can’t reach it. I would try www.mydomain.com and mydomain.com and they couldn’t be reached, but I could successfully do a “curl mydomain.com”. So far this has only happened on 2 networks, and I’m trying others as the day goes on

How new is the domain and its DNS records? Could be a DNS propagation issue wherein all you can do is wait; I had to delay a customer installation a full day while DNS propagated. It could be reached from the office, but not my home network or their network.

I have had the domain name for over a week now, and the SSL certs are the same age from Let’s Encrypt. I can’t confirm this but I’m wondering if this is a Comcast issue…I can connect over Verizon networks and I can connect over a local ISP, but I can’t connect via Comcast (seemingly) and a Private Internet Access VPN. My ISP is Comcast though so…I am making an edit to my statement because what I was thinking was a Nextcloud problem is now seemingly persistent on my WordPress site. This is probably not the best forum for this problem now as it seems the problem is beyond the scope of Nextcloud.

Turns out it was more HAProxy configuration problems. So, I finally have it working the way it’s supposed to, and for people who are interested, here are the configurations!

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 4096
    user haproxy
    group haproxy
    daemon


defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 15s
    timeout client  15s
    timeout server  15s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


frontend localhost80
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

frontend localhost443
    bind *:443
    option tcplog
    mode tcp

    acl tls req.ssl_hello_type 1

    tcp-request inspect-delay 5s
    tcp-request content accept if tls

    acl is_wordpress req.ssl_sni -i domain1.com   #10.0.0.165
    acl is_nextcloud req.ssl_sni -i www.domain2.com                #10.0.0.160
    acl is_nextcloud2 req.ssl_sni -i domain2.com

    use_backend nextcloud_cluster if is_nextcloud
    use_backend nextcloud_cluster if is_nextcloud2
    use_backend wordpress_cluster if is_wordpress


backend wordpress_cluster
    mode tcp

    option ssl-hello-chk

    server is_wordpress 10.0.0.165:443 check


backend nextcloud_cluster
    mode tcp

    option ssl-hello-chk

    server is_nextcloud 10.0.0.160:443 check

Sorry I couldn’t have helped more. If it were an Apache proxy I would have :slight_smile:

Pop that into a new post with a relevant title in the howto category and others will find it much easier than in here. Thanks for your contribution :smiley:

I’ll do that! :slight_smile: I was looking at doing an Apache reverse proxy but I thought it would be easier to do this since I read Apache doesn’t handle SSL traffic. Either way, HAProxy is really nice

I can safely say Apache handles SSL perfectly fine, proxy or not. I opted for Apache as I’m more familiar with it than HAProxy, though I really should spend some time with that too as it’s likely more powerful.

It appears to be the case that it is, I guess it’s all dependent on what you want. I’m sure it is lighter weight than running Apache. That’s my gut feeling at least. Sometimes Apache can be heavy