Nextcloud behind nginx reverse proxy: always https not working

My setup

I set up Nextcloud at https://drive.recolic.net/. I have nginx listening on 0.0.0.0:443, and the Nextcloud docker container exposing host:8080 -> container:80. I wrote proxy_pass http://127.0.0.1:8080 in my nginx.conf, and have HSTS preload (including subdomains) enabled.

Problem

I ran curl https://drive.recolic.net/ -L -vv, and it returned 302 http://drive.recolic.net/login. OH YOU REDIRECT HTTPS TO UNSAFE HTTP!!! Then the Chinese government attacked the connection, hijacking my http traffic because the government controls the routers, and saying: You must report your personal info + domain to the gang leader or you'll get fu*ked!

My config.php

<?php
$CONFIG = array (
  'trusted_proxies'   => ['127.0.0.1'],
  'overwritehost'     => 'drive.recolic.net',
  'overwriteprotocol' => 'https',
  'overwritewebroot'  => '',
  'overwritecondaddr' => '^127\.0\.0\.1$',

  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'HIDDEN',
  'passwordsalt' => 'HIDDEN',
  'secret' => 'HIDDEN',
  'trusted_domains' => 
  array (
    0 => 'https://drive.recolic.net',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'sqlite3',
  'version' => '15.0.7.0',
  'overwrite.cli.url' => 'http://127.0.0.1:8080',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'no-reply',
  'mail_domain' => 'recolic.net',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.recolic.net',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'no-reply@recolic.net',
  'mail_smtppassword' => 'HIDDEN',
);

My nginx.conf

    server {
        listen       443 ssl http2;
        server_name  drive.recolic.net;
        server_tokens off;
    
        ssl_certificate "/home/ubuntu/.acme.sh/drive.recolic.net_ecc/fullchain.cer";
        ssl_certificate_key "/home/ubuntu/.acme.sh/drive.recolic.net_ecc/drive.recolic.net.key";
        ssl_certificate "/home/ubuntu/.acme.sh/drive.recolic.net/fullchain.cer";
        ssl_certificate_key "/home/ubuntu/.acme.sh/drive.recolic.net/drive.recolic.net.key";

        proxy_set_header X-Forwarded-For $remote_addr;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }

What should I do? Thanks a lot!

thanks for any help…

I had a similar problem when setting up a docker instance of nextcloud, and as I remember I had to use this to get it working:

    'overwrite.cli.url' => 'https://drive.recolic.net',

btw I also think you should remove https:// from trusted_domains - it should only be the domain, or the domain with port, ref config.sample.php:

     *   This disallows all other ports on this host
     * - use * as a wildcard, e.g. ubos-raspberry-pi*.local will allow
     *   ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
     */
    'trusted_domains' =>
    array (
      'demo.example.org',
      'otherdomain.example.org',
    ),

You’re right!

I also removed the overwritecondaddr line. It seems to prevent the overwriting…

Now it’s working. Thanks!
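An added example, not code from the thread or from Nextcloud: a small Python model of the scheme resolution the overwrite* and trusted_proxies settings control, showing why the redirect came back as http:// with the original config.php and why dropping overwritecondaddr fixes it. It assumes a simplified precedence (overwriteprotocol when overwritecondaddr is empty or matches REMOTE_ADDR; else X-Forwarded-Proto from a trusted proxy; else the scheme of the hop that reached Nextcloud) and that inside the Docker container REMOTE_ADDR is the bridge gateway rather than 127.0.0.1; 172.17.0.1 is a constructed sample value.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the source address the Nextcloud container sees for a
# request nginx proxied to the Docker-published port. Assumption: with Docker's
# default bridge networking this is the bridge gateway, not 127.0.0.1, so the
# thread's '^127\.0\.0\.1$' condition can never match.
CONTAINER_REMOTE_ADDR = "172.17.0.1"


@dataclass
class ProxyConfig:
    """The config.php keys that decide which scheme Nextcloud builds URLs with."""
    trusted_proxies: list = field(default_factory=list)
    overwriteprotocol: str = ""
    overwritecondaddr: str = ""  # regex tested against REMOTE_ADDR; "" = always apply


def effective_protocol(cfg: ProxyConfig, remote_addr: str,
                       x_forwarded_proto: str = "", tls_on: bool = False) -> str:
    """Simplified model of Nextcloud's scheme resolution (not its source code)."""
    # 1. overwriteprotocol applies only if overwritecondaddr is unset or matches.
    if cfg.overwriteprotocol:
        if not cfg.overwritecondaddr or re.search(cfg.overwritecondaddr, remote_addr):
            return cfg.overwriteprotocol
    # 2. X-Forwarded-Proto is honoured only when sent by a trusted proxy.
    #    The nginx.conf in the thread sends no such header, so this never helps.
    if remote_addr in cfg.trusted_proxies and x_forwarded_proto:
        proto = x_forwarded_proto.split(",")[0].strip().lower()
        return "https" if proto == "https" else "http"
    # 3. Fall back to the hop itself; nginx -> container is plain http.
    return "https" if tls_on else "http"


def login_redirect(cfg: ProxyConfig, remote_addr: str,
                   host: str = "drive.recolic.net", **hop) -> str:
    """The Location header a redirect to /login would carry under this config."""
    return f"{effective_protocol(cfg, remote_addr, **hop)}://{host}/login"


def is_downgrade(request_url: str, location: str) -> bool:
    """True when an https:// request is answered with a redirect to http://."""
    return request_url.startswith("https://") and location.startswith("http://")


# The thread's original config.php, and the fix from the last post.
ORIGINAL = ProxyConfig(trusted_proxies=["127.0.0.1"], overwriteprotocol="https",
                       overwritecondaddr=r"^127\.0\.0\.1$")
FIXED = ProxyConfig(trusted_proxies=["127.0.0.1"], overwriteprotocol="https")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        loc = login_redirect(cfg, CONTAINER_REMOTE_ADDR)
        print(f"{name}: Location: {loc} downgrade={is_downgrade('https://drive.recolic.net/', loc)}")
```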