Nextcloud does not appear to be available outside the local network?

Hi, I had a small issue that I wanted to check in about.

First I wanted to say thank you to the NextCloud Community for being so helpful! I believe this is one of the most important open source projects happening right now and I’m trying to get as many of my friends to convert over. Related to that, I recently decided to install a personal cloud server for my parents.

We’ve got everything working… mostly but there seems to be a small issue.

They can connect to their nextcloud server when they are home and on their local network wifi, but when I try to connect to it from any other place, I cannot.

I see 3 potential causes:

  1. Their computer is simply too slow. It only has 3 gigs of RAM. They plan on upgrading it to 16 very soon, but right now it chugs a bit.

  2. Their connection is simply too slow. They are using a consumer ISP.

  3. I have configured something wrong with their IP address etc.

Their public IP is 90.50.125.237. I have a DNS pointing family.jackalope.tech to this address.

  • On local network and goes to family.jackalope.tech = success
  • On local network and goes to localhost.localdomain = success
  • On the local network and goes to 90.50.125.237 = connection failure
  • On outside network and goes to family.jackalope.tech = connection failure
  • On outside network and goes to 90.50.125.237 = connection failure

I know I should be using a dynamic DNS but for now I’m just trying to get this thing working.

I am running NextCloud 14.03 on nginx. I have not set up virtual hosts so the only /enabled-sites/ is default. I have set up virtual hosts on my personal cloud server at home but as they aren’t intending on using this machine for anything else except for storage, there didn’t seem to be much point in doing that.

What am I missing? The fact that their public IP is not even accessible from the local network makes me think there’s some issue with how I set up their IP address etc. But it seems to work fine with the DNS forwarding?! So any clues on what I’ve done wrong?

Nothing in the NextCloud logs seems relevant, but I’ll post the last couple of entries anyway. I believe I can account for pretty much all of these error logs though.

Error no app in context GuzzleHttp\Exception\ClientException: Client error: GET https://cloud.nastuzzi.fr/s/HftfHyLXNNTYmNm/download resulted in a 404 Not Found response: 404 Not Found Not Found (truncated…) 2018-10-22T14:02:49-0500
Error files_antivirus OCA\Files_Antivirus\Item::processClean, exception: An exception occurred while executing ‘SELECT lastval()’: SQLSTATE[55000]: Object not in prerequisite state: 7 ERROR: lastval is not yet defined in this session 2018-10-22T12:30:31-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T12:19:58-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T12:18:59-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T12:18:56-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T12:18:53-0500
Error files_antivirus OCA\Files_Antivirus\Item::processClean, exception: An exception occurred while executing ‘SELECT lastval()’: SQLSTATE[55000]: Object not in prerequisite state: 7 ERROR: lastval is not yet defined in this session 2018-10-22T11:45:26-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T11:35:42-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T11:35:40-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T11:35:38-0500
Error index Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-22T11:35:32-0500
Error core ImagickException: not authorized `/upload_tmp/oc_tmp_uOJQUD-.pdf’ @ error/constitute.c/ReadImage/412 2018-10-21T23:56:40-0500
Error core ImagickException: not authorized `/upload_tmp/oc_tmp_2ROxBC-.pdf’ @ error/constitute.c/ReadImage/412 2018-10-21T23:56:39-0500
Error core ImagickException: not authorized `/upload_tmp/oc_tmp_0vRoLB-.pdf’ @ error/constitute.c/ReadImage/412 2018-10-21T23:56:39-0500
Error core ImagickException: not authorized `/upload_tmp/oc_tmp_RAnsuw-.pdf’ @ error/constitute.c/ReadImage/412 2018-10-21T23:56:37-0500
Error core ImagickException: not authorized `/upload_tmp/oc_tmp_FoOMmq-.pdf’ @ error/constitute.c/ReadImage/412 2018-10-21T23:56:35-0500
Error remote Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-21T22:42:04-0500
Error remote Error: Class ‘OCA\FullTextSearch\Api\v1\FullTextSearch’ not found 2018-10-21T22:41:50-0500

Even with the local network the connection times out somewhat often, or the entire computer will freeze which I just assume is because of how old this desktop is, and maybe that’s the issue with connecting from outside the local network. I don’t know. I wanted to check though if this might be something different dealing with the IP or some other configuration that I could fix.

Thank you again.

Okay I figured out one piece of the puzzle. I didn’t have my settings in nginx.conf set up correctly. I had switched the server address to localhost the last time I was at their house because that was the only way I could get it to work. I’ve switched it back over to their public domain. It was working with the family.jackalope.tech because that had been listed as an alternative url in the array. Now I’m getting connection refused from 443. I’ve tried opening the port using ufw but that hasn’t worked. Not quite sure what to do next, but I’m trying to get the let’s encrypt bot to recert and see if that fixes things. At least then I won’t be getting a security exception from the browser.

EDIT: Okay so I am kind of at the end of my thought process here. The only other information I can think to add here is the results of service nginx status, which seems to indicate some kind of process blocking 443:

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-22 19:16:32 CDT; 4s ago
     Docs: man:nginx(8)
  Process: 9046 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 9492 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 9479 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 9493 (nginx)
    Tasks: 5 (limit: 3479)
   CGroup: /system.slice/nginx.service
           ├─9493 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─9494 nginx: worker process
           ├─9495 nginx: worker process
           ├─9496 nginx: worker process
           └─9497 nginx: worker process

Oct 22 19:16:32 aslan systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 22 19:16:32 aslan nginx[9479]: nginx: [warn] conflicting server name "family.jackalope.tech" on 0.0.0.0:443, ignored
Oct 22 19:16:32 aslan nginx[9492]: nginx: [warn] conflicting server name "family.jackalope.tech" on 0.0.0.0:443, ignored
Oct 22 19:16:32 aslan systemd[1]: Started A high performance web server and a reverse proxy server.

Are you really sure that you can connect there from outside?

Google the warning.
[warn] conflicting server name

What I said is that I can’t connect from outside. I’m not sure if this is because my system is not properly set up to connect from outside or if this is simply because the system is too slow to properly connect to computers outside its network.

I looked up the conflicting server name stuff and after fiddling with the conf files etc for a bit I decided to just reinstall things using the ansible script that I used to install it in the first place a couple of months ago.

I’ve got it successfully running. Still not connecting to anything outside the local network. I’ve got some missing index errors and code integrity issues which I’m looking at fixing. Again, not sure if it’s unable to connect outside its local area network because of a lack of hardware speed or if this is due to some reconfiguration error. Though, from what I can tell everything should now be configured correctly as it’s using all brand new conf files that were generated by the ansible playbook.

Yes, I know. I meant if it’s possible to connect from outside. If there’s an ISP firewall which blocks connections from outside. Or something else which makes it impossible to connect from outside. Most consumer connections are not for server use and some ISPs may use blocks.

If you’re running only Nextcloud, 3GB ram is more than enough for your use.

To that, I’m not sure. I have used ufw to unblock 80 and 443. But I’m guessing that’s only the firewall on my side of the equation and not the ISP right?

I scanned your url and only port 80 and 5900 are open. (and maybe uncommon ports, which weren’t scanned…)
Port 443 is closed. So https isn’t working.

Thank you. I’m on the phone now with the ISP to see if I can get stuff to work.

I have just gotten off the phone with my parents’ ISP. They seem to have opened up the 443 port. I am still getting a “connection reset” error from my phone, but when I curl it from my laptop I am now at least getting an SSL error which is different than before. Can anyone confirm if my 443 port is properly open now? (as my only connection besides mobile phone is the local network that the server is using).

EDIT: Okay so, I had my letsencrypt cert reinstalled, so no more SSL error BUT something weird happens… instead of loading nextcloud it loads my parents’ printer???

I go to 99.50.125.237 and I get an error code. If I go to family.jackalope.tech I get a browser for the printer? I checked and my public IP is still 99.50.125.237 and my DNS should still be set to point towards that.

I can confirm that my nginx server is still running:

aslan@aslan:~$ service nginx status
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-10-23 20:14:26 CDT; 26min ago
     Docs: man:nginx(8)
  Process: 2061 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 1638 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 2062 (nginx)
    Tasks: 5 (limit: 3479)
   CGroup: /system.slice/nginx.service
           ├─2062 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─8037 nginx: worker process
           ├─8038 nginx: worker process
           ├─8039 nginx: worker process
           └─8040 nginx: worker process

Oct 23 20:14:25 aslan systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 23 20:14:26 aslan nginx[1638]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan nginx[2061]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan nginx[2061]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan nginx[2061]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/family.jackalope.tech/fullchain.pem
Oct 23 20:14:26 aslan systemd[1]: Started A high performance web server and a reverse proxy server.

And I can successfully run occ commands so I think the nextcloud server itself is still running. I just can’t tell where?

Check the port forwarding on your router.

I have it setup on a domain that it’s being redirected to my ipaddress and from there to the local network server.

Yes that is also what I’m doing. I’ve got port forwarding set up on the router, and I also just called the ISP for them to not block it on the backend.

Okay so I’ve just gotten off the phone talking with the ISP people again and maybe they didn’t understand what I was asking but as far as I can tell port 443 should be available to connect to. When I curl family.Jackalope.tech I get a 301. When I try to connect through a proxy (to see if I can connect from outside the lan) I get a connection time out. When I try to connect through my phone over mobile cellular data I get connection refused. When I try to connect through the computer the server is working on, it works. When I try to connect via the public ip it connects but it also tells me that it’s not a trusted domain (this is expected though).

I don’t know if this is a problem with configuration or if the isp is just too slow to handle a cloud server. It’s supposed to be 100mbs fiber but the company is also AT&T and they’re real dirt bags so they might be throttling or something.

I’m about ready to give up. Does anybody have any additional ideas of what I can try?

Starting Nmap 7.40 ( https://nmap.org ) at 2018-10-24 08:15 UTC
Nmap scan report for family.jackalope.tech (99.50.125.237)
Host is up (0.042s latency).
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   closed   ssh
23/tcp   filtered telnet
80/tcp   open     http
110/tcp  filtered pop3
143/tcp  filtered imap
443/tcp  filtered https
3389/tcp filtered ms-wbt-server
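
Added example, not part of the thread or any poster's code: the open, closed and filtered states in the scan above correspond to three different endings of a TCP connect attempt, and this sketch reproduces that classification, then combines a LAN-side result with the outside result to say which hop to check. The function names and the LAN address 192.168.1.50 are assumptions for illustration.

```python
import errno
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port by how a connect attempt ends."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: packet arrived, nothing listens
    except socket.timeout:
        return "filtered"    # silence: a firewall or router dropped the packet
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # unreachable replies are treated as filtered here
        raise
    finally:
        s.close()

def locate_fault(lan_state, wan_state):
    """Combine a probe of the server's LAN address with a result from outside."""
    if lan_state != "open":
        return "server: not listening on the LAN; check nginx listen and ufw"
    if wan_state == "open":
        return "ok: reachable from outside"
    if wan_state == "filtered":
        return ("router/ISP: packets dropped before the server; "
                "check the forward rule and upstream filtering")
    return ("router: connection refused; forward rule missing "
            "or pointing at a device that is not listening")

if __name__ == "__main__":
    SERVER_LAN_IP = "192.168.1.50"  # assumed placeholder: the server's LAN address
    WAN_443 = "filtered"            # state of 443/tcp in the outside scan above
    lan_443 = probe_tcp(SERVER_LAN_IP, 443)
    print("443 on LAN:", lan_443)
    print(locate_fault(lan_443, WAN_443))
```

Run it from a machine on the same LAN as the server; the outside state has to come from a scan made off the network, since a probe of the public IP from inside depends on the router's loopback behaviour.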

Make sure you are forwarding to the proper port 80/443 and the correct ip address of your box.

If any of those are not configured with the proper ip addresses and ports, you are only going to be able to access them locally.

I apologize for my ignorance but there is more than one port 80 or port 443?

Also how can I tell if I’m forwarding to the correct number? I am as far as I can tell. I look up “what’s my IPv4 address” and I consistently see 99.50.125.237

Also @MeiRos it looks like my 443 is not open? It says filtered? Also what script or program are you using to check that info? I’ve had trouble finding a way to check this info that wasn’t overwhelmed with a bunch of junk info but your output is much more nicely formatted.

EDIT: Ah, I see. The program is called nMap. I’ll download that. Seems very useful. Also found this tool useful for being able to check from outside the LAN: https://portchecker.co/check

On the phone with ATT again. Not sure how to get them to understand I want 443 COMPLETELY open. They keep trying to add port forwarding rules to my router, but those are always device specific and I need basically any device to be able to connect, correct? Is there a more technical term for that?

The ports 80 and 443 need to be configured in the port forwarding setup within your router.

The 99.50.125.237 seems to be your public ip address.

You need to point the internal address to your server, something like 192 or 10 or whatever you have it configured.

So it should be something like 99.50.125.237 -> port forwarding 80/443 -> local ip address of your server.

I did first test with this.


It shows only open ports.

Next test with this.


It shows more detailed results.

And yes, you can also download nmap, but the online tool is easy and fast to use.

It should be set up to do that. Port forwarding is set on a per device basis and I had it set to ‘aslan’ which is the name of the server.