Hi, I had a small issue that I wanted to check in about.
First I wanted to say thank you to the NextCloud Community for being so helpful! I believe this is one of the most important open source projects happening right now and I’m trying to get as many of my friends to convert over. Related to that, I recently decided to install a personal cloud server for my parents.
We’ve got everything working… mostly but there seems to be a small issue.
They can connect to their nextcloud server when they are home and on their local network wifi, but when I try to connect to it from any other place, I cannot.
I see 3 potential causes:
Their computer is simply too slow. It only has 3 gigs of RAM. They plan on upgrading it to 16 very soon, but right now it chugs a bit.
Their connection is simply too slow. They are using a consumer ISP.
I have configured something wrong with their IP address etc.
Their public IP is 90.50.125.237. I have a DNS pointing family.jackalope.tech to this address.
On local network and goes to family.jackalope.tech = success
On local network and goes to localhost.localdomain = success
On the local network and goes to 90.50.125.237 = connection failure
On outside network and goes to family.jackalope.tech = connection failure
On outside network and goes to 90.50.125.237 = connection failure
I know I should be using a dynamic DNS but for now I’m just trying to get this thing working.
I am running NextCloud 14.03 on nginx. I have not set up virtual hosts so the only /enabled-sites/ is default. I have set up virtual hosts on my personal cloud server at home but as they aren’t intending on using this machine for anything else except for storage, there didn’t seem to be much point in doing that.
What am I missing? The fact that their public IP is not even accessible from the local network makes me think there’s some issue with how I set up their IP address etc. But it seems to work fine with the DNS forwarding?! So any clues on what I’ve done wrong?
Nothing in the NextCloud logs seems relevant, but I’ll post the last couple of entries anyway. I believe I can account for pretty much all of these error logs though.
Error
no app in context
GuzzleHttp\Exception\ClientException: Client error: GET https://cloud.nastuzzi.fr/s/HftfHyLXNNTYmNm/download resulted in a 404 Not Found response: 404 Not Found
Not Found (truncated…)
2018-10-22T14:02:49-0500
Error
files_antivirus
OCA\Files_Antivirus\Item::processClean, exception: An exception occurred while executing ‘SELECT lastval()’: SQLSTATE[55000]: Object not in prerequisite state: 7 ERROR: lastval is not yet defined in this session
2018-10-22T12:30:31-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T12:19:58-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T12:18:59-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T12:18:56-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T12:18:53-0500
Error
files_antivirus
OCA\Files_Antivirus\Item::processClean, exception: An exception occurred while executing ‘SELECT lastval()’: SQLSTATE[55000]: Object not in prerequisite state: 7 ERROR: lastval is not yet defined in this session
2018-10-22T11:45:26-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T11:35:42-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T11:35:40-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T11:35:38-0500
Error
index
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-22T11:35:32-0500
Error
core
ImagickException: not authorized `/upload_tmp/oc_tmp_uOJQUD-.pdf’ @ error/constitute.c/ReadImage/412
2018-10-21T23:56:40-0500
Error
core
ImagickException: not authorized `/upload_tmp/oc_tmp_2ROxBC-.pdf’ @ error/constitute.c/ReadImage/412
2018-10-21T23:56:39-0500
Error
core
ImagickException: not authorized `/upload_tmp/oc_tmp_0vRoLB-.pdf’ @ error/constitute.c/ReadImage/412
2018-10-21T23:56:39-0500
Error
core
ImagickException: not authorized `/upload_tmp/oc_tmp_RAnsuw-.pdf’ @ error/constitute.c/ReadImage/412
2018-10-21T23:56:37-0500
Error
core
ImagickException: not authorized `/upload_tmp/oc_tmp_FoOMmq-.pdf’ @ error/constitute.c/ReadImage/412
2018-10-21T23:56:35-0500
Error
remote
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-21T22:42:04-0500
Error
remote
Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found
2018-10-21T22:41:50-0500
Even with the local network the connection times out somewhat often, or the entire computer will freeze, which I just assume is because of how old this desktop is, and maybe that’s the issue with connecting from outside the local network. I don’t know. I wanted to check, though, if this might be something different dealing with the IP or some other configuration that I could fix.
Okay I figured out one piece of the puzzle. I didn’t have my settings in nginx.conf set up correctly. I had switched the server address to localhost the last time I was at their house because that was the only way I could get it to work. I’ve switched it back over to their public domain. It was working with the family.jackalope.tech because that had been listed as an alternative url in the array. Now I’m getting connection refused from 443. I’ve tried opening the port using ufw but that hasn’t worked. Not quite sure what to do next, but I’m trying to get the let’s encrypt bot to recert and see if that fixes things. At least then I won’t be getting a security exception from the browser.
EDIT: Okay so I am kind of at the end of my thought process here. The only other information I can think to add here is the results of service nginx status which seems to indicate some kind of process blocking 443
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2018-10-22 19:16:32 CDT; 4s ago
Docs: man:nginx(8)
Process: 9046 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 9492 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 9479 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 9493 (nginx)
Tasks: 5 (limit: 3479)
CGroup: /system.slice/nginx.service
├─9493 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─9494 nginx: worker process
├─9495 nginx: worker process
├─9496 nginx: worker process
└─9497 nginx: worker process
Oct 22 19:16:32 aslan systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 22 19:16:32 aslan nginx[9479]: nginx: [warn] conflicting server name "family.jackalope.tech" on 0.0.0.0:443, ignored
Oct 22 19:16:32 aslan nginx[9492]: nginx: [warn] conflicting server name "family.jackalope.tech" on 0.0.0.0:443, ignored
Oct 22 19:16:32 aslan systemd[1]: Started A high performance web server and a reverse proxy server.
What I said is that I can’t connect from outside. I’m not sure if this is because my system is not properly set up to connect from outside or if this is simply because the system is too slow to properly connect to computers outside its network.
I was looking up the conflicting server name stuff and after fiddling with the conf files etc for a bit I decided to just reinstall things using the ansible script that I used to install it in the first place a couple of months ago.
I’ve got it successfully running. Still not connecting to anything outside the local network. I’ve got some missing index errors and code integrity issues which I’m looking at fixing. Again, not sure if it’s unable to connect outside its local area network because of a lack of hardware speed or if this is due to some reconfiguration error. Though, from what I can tell everything should now be configured correctly as it’s using all brand new conf files that were generated by the ansible playbook.
Yes, I know. I meant if it’s possible to connect from outside. If there’s an ISP firewall which blocks connections from outside. Or something else which makes it impossible to connect from outside. Most consumer connections are not for server use and some ISPs may use blocks.
If you’re running only Nextcloud, 3GB ram is more than enough for your use.
To that, I’m not sure. I have used ufw to unblock 80 and 443. But I’m guessing that’s only the firewall on my side of the equation and not the ISP right?
I have just gotten off the phone with my parents’ ISP. They seem to have opened up the 443 port. I am still getting a “connection reset” error from my phone, but when I curl it from my laptop I am now at least getting an SSL error which is different than before. Can anyone confirm if my 443 port is properly open now? (as my only connection besides mobile phone is the local network that the server is using).
EDIT: Okay so, I had my letsencrypt cert reinstalled, so no more SSL error BUT something weird happens… instead of loading nextcloud it loads my parents’ printer???
I go to 99.50.125.237 and I get an error code. If I go to family.jackalope.tech I get a browser for the printer? I checked and my public IP is still 99.50.125.237 and my DNS should still be set to point towards that.
I can confirm that my nginx server is still running:
aslan@aslan:~$ service nginx status
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2018-10-23 20:14:26 CDT; 26min ago
Docs: man:nginx(8)
Process: 2061 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 1638 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 2062 (nginx)
Tasks: 5 (limit: 3479)
CGroup: /system.slice/nginx.service
├─2062 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─8037 nginx: worker process
├─8038 nginx: worker process
├─8039 nginx: worker process
└─8040 nginx: worker process
Oct 23 20:14:25 aslan systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 23 20:14:26 aslan nginx[1638]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan nginx[2061]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan nginx[2061]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan nginx[2061]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan systemd[1]: Started A high performance web server and a reverse proxy server.
And I can successfully run occ commands so I think the nextcloud server itself is still running. I just can’t tell where?
Yes that is also what I’m doing. I’ve got port forwarding set up on the router, and I also just called the ISP for them to not block it on the backend.
Okay so I’ve just gotten off the phone talking with the ISP people again and maybe they didn’t understand what I was asking but as far as I can tell port 443 should be available to connect to. When I curl family.Jackalope.tech I get a 301. When I try to connect through a proxy (to see if I can connect from outside the LAN) I get a connection time out. When I try to connect through my phone over mobile cellular data I get connection refused. When I try to connect through the computer the server is running on, it works. When I try to connect via the public IP it connects but it also tells me that it’s not a trusted domain (this is expected though).
I don’t know if this is a problem with configuration or if the ISP is just too slow to handle a cloud server. It’s supposed to be 100mbs fiber but the company is also AT&T and they’re real dirt bags so they might be throttling or something.
I’m about ready to give up. Does anybody have any additional ideas of what I can try?
I apologize for my ignorance but there is more than one port 80 or port 443?
Also how can I tell if I’m forwarding to the correct number? I am as far as I can tell. I look up “what’s my IPv4 address” and I consistently see 99.50.125.237
Also @MeiRos it looks like my 443 is not open? It says filtered? Also what script or program are you using to check that info? I’ve had trouble finding a way to check this info that wasn’t overwhelmed with a bunch of junk info but your output is much more nicely formatted.
EDIT: Ah, I see. The program is called Nmap. I’ll download that. Seems very useful. Also found this tool useful for being able to check from outside the LAN: https://portchecker.co/check
On the phone with ATT again. Not sure how to get them to understand I want 443 COMPLETELY open. They keep trying to add port forwarding rules to my router, but those are always device specific and I need basically any device to be able to connect, correct? Is there a more technical term for that?
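The symptoms reported in this thread (connection refused, connection timed out, Nmap's "filtered", and a printer answering instead of Nextcloud) point to different causes. The script below is an added example, not code from any poster in the thread: it classifies a single TCP connect attempt the way those terms are used here and reports which web server answers on plain HTTP. The function names, the `MEANING` table and the command-line arguments are assumptions made for this illustration.

```python
"""Added example: classify a TCP port and see which web server answers."""
import errno
import http.client
import socket
import sys

MEANING = {
    "open": "something accepted the connection; check that it is the right device",
    "closed": "host reachable but nothing listens there (or a firewall sent a reject)",
    "filtered": "no reply: a router, ISP or host firewall dropped the packets",
}

def classify_port(host, port, timeout=3.0):
    """One TCP connect attempt -> 'open', 'closed' (refused) or 'filtered' (silence)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise

def identify_http(host, port, name, timeout=3.0):
    """Plain-HTTP HEAD request with Host: name -> (status, Server header).

    nginx redirecting to HTTPS typically answers 301 with 'Server: nginx';
    a printer's built-in web server answers with its own banner instead.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": name})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 portcheck.py <public-ip> <hostname>
    target, name = sys.argv[1], sys.argv[2]
    for port in (80, 443):
        state = classify_port(target, port)
        print(f"{target}:{port} {state}: {MEANING[state]}")
    if classify_port(target, 80) == "open":
        print("port 80 answered by:", identify_http(target, 80, name))
```

Run it from a connection outside the LAN, since a check made from inside the network may not pass through the router's port-forwarding rules at all.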