my setup
I setup nextcloud at https://drive.recolic.net/
. I have nginx listening 0.0.0.0:443, and nextcloud docker port exposing host:8080 -> container:80
. I wrote proxy_pass http://127.0.0.1:8080
in my nginx.conf
, and had HSTS preload (including subdomain) enabled.
problem
I run curl https://drive.recolic.net/ -L -vv
, then it returns 302 http://drive.recolic.net/login
. OH YOU REDIRECT HTTPS TO UNSAFE HTTP!!! Then Chinese government attacked the connection, hijacking my http traffic because the government controls the routers, and saying You must report your personalInfo+domain to the gangleader or you'll get fu*ked!
.
My config.php
<?php
$CONFIG = array (
'trusted_proxies' => ['127.0.0.1'],
'overwritehost' => 'drive.recolic.net',
'overwriteprotocol' => 'https',
'overwritewebroot' => '',
'overwritecondaddr' => '^127\.0\.0\.1$',
'htaccess.RewriteBase' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'instanceid' => 'HIDDEN',
'passwordsalt' => 'HIDDEN',
'secret' => 'HIDDEN',
'trusted_domains' =>
array (
0 => 'https://drive.recolic.net',
),
'datadirectory' => '/var/www/html/data',
'dbtype' => 'sqlite3',
'version' => '15.0.7.0',
'overwrite.cli.url' => 'http://127.0.0.1:8080',
'installed' => true,
'mail_smtpmode' => 'smtp',
'mail_smtpsecure' => 'tls',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => 'no-reply',
'mail_domain' => 'recolic.net',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'smtp.recolic.net',
'mail_smtpport' => '587',
'mail_smtpname' => 'no-reply@recolic.net',
'mail_smtppassword' => 'HIDDEN',
);
My nginx.conf
server {
listen 443 ssl http2;
server_name drive.recolic.net;
server_tokens off;
ssl_certificate "/home/ubuntu/.acme.sh/drive.recolic.net_ecc/fullchain.cer";
ssl_certificate_key "/home/ubuntu/.acme.sh/drive.recolic.net_ecc/drive.recolic.net.key";
ssl_certificate "/home/ubuntu/.acme.sh/drive.recolic.net/fullchain.cer";
ssl_certificate_key "/home/ubuntu/.acme.sh/drive.recolic.net/drive.recolic.net.key";
proxy_set_header X-Forwarded-For $remote_addr;
location / {
proxy_pass http://127.0.0.1:8080;
}
}
What should I do? Thanks a lot!