Nextcloud version (eg, 12.0.2): 17.0.1
Operating system and version (eg, Ubuntu 17.04): Debian GNU/Linux 10 (docker)
Apache or nginx version (eg, Apache 2.4.25): 2.4.38 (docker)
PHP version (eg, 7.1): 7.3.12
Docker : nextcloud:apache
Reverse proxy : nginx in another docker (nginx:latest)
Nginx version (reverse proxy) : 1.17.1
The issue you are facing:
Hi, I did set up a nextcloud (in a docker) behind a reverse proxy.
It mostly works, but some applications don’t (kee and talk so far).
For some reason, those apps are not redirected to the port they should.
Instead, when I look at their url, I see the internal port instead of the public one.
Is this the first time you’ve seen this error? : No. I have been having this problem for a while. Tried updating nextcloud. Still got the problem.
Steps to replicate it:
- Connect to nextcloud
- Click on kee
- I am redirected from https://nextcloud.mydomain.com to https://nextcloud.mydomain.com:10080 (10080 is my docker’s internal port). Which doesn’t work because nextcloud expects HTTP at this point. (The reverse proxy receives HTTPS).
The output of your Nextcloud log in Admin > Logging (follow link):
https://sebsauvage.net/paste/?0c846d77eb0cba17#4Vtp6pHWpmUcUEpzlncziVcq8PxcHdVLhL9ZRBLIFwA=
The output of your config.php file in /html/config
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXX',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '16.0.3.0',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXXX',
  'instanceid' => 'ocabgit3ruvv',
);
The output of your mydomain.base.php file in /html/config
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'default_language' => 'fr',
  'default_locale' => 'fr',
  'mail_domain' => 'mydomain.com',
  'mail_from_address' => 'nextcloud',
);
The output of your mydomain.proxy.php file in /html/config
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
  'overwritehost' => 'nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^51\\.75\\.199\\.137$',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
  'trusted_proxies' =>
  array (
    0 => 'nextcloud.mydomain.com',
    1 => '51.75.199.137',
  ),
  'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'X-Forwarded-For'),
  'trusted_domains' =>
  array (
    'nextcloud.mydomain.com',
  ),
);
The output of your docker log in docker logs
(follow link):
https://sebsauvage.net/paste/?561df59d26b84df3#Af+8QqOvf0jsQFKvN4OdqTRVjAUZ9rRFXflQB1aVnuQ=
The config of nginx as a reverse proxy :
# Sources :
# https://docs.nextcloud.com/server/16/admin_manual/installation/nginx.html
# https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html
server {
    listen 80;
    server_name nextcloud.mydomain.com;
    return 301 https://$http_host$request_uri;
    access_log /var/log/nginx/nextcloud_access.log;
    error_log /var/log/nginx/nextcloud_error.log;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name nextcloud.mydomain.com;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    ssl_certificate /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.mydomain.com/chain.pem;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location / {
        proxy_http_version 1.1;
        # set max upload size
        client_max_body_size 512M;
        fastcgi_buffers 64 4K;
        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
        proxy_pass_header Server;
        # proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass "http://nextcloud.mydomain.com:10080";
    }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    access_log /var/log/nginx/nextcloud_access.log;
    error_log /var/log/nginx/nextcloud_error.log;
}
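A check for the symptom described in the post, added here as an example and not part of the original post: it takes response headers captured at the public URL (for instance with `curl -sI`) and reports any redirect whose `Location` leaves the public origin. The `/apps/example/` path and the three sample responses are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port

def location_of(raw_head):
    """Extract (status code, Location value or None) from a raw response head."""
    lines = raw_head.strip().splitlines()
    status = int(lines[0].split()[1])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return status, value.strip()
    return status, None

def audit_response(public_url, raw_head):
    """List how a redirect target differs from the origin the client used.

    An empty list means no redirect, or a redirect that stays on the
    public origin.
    """
    status, location = location_of(raw_head)
    if not 300 <= status < 400 or location is None:
        return []
    target = urljoin(public_url, location)  # resolves relative Location values
    findings = []
    labels = ("scheme", "host", "port")
    for label, seen, got in zip(labels, origin(public_url), origin(target)):
        if seen != got:
            findings.append(f"{label} changed: {seen} -> {got}")
    return findings

# Constructed sample data; only the host name and port 10080 come from the post.
PUBLIC_URL = "https://nextcloud.mydomain.com/"
LEAKY = ("HTTP/1.1 302 Found\r\n"
         "Location: https://nextcloud.mydomain.com:10080/apps/example/\r\n\r\n")
RELATIVE = "HTTP/1.1 302 Found\r\nLocation: /apps/example/\r\n\r\n"
DOWNGRADE = ("HTTP/1.1 301 Moved Permanently\r\n"
             "location: http://nextcloud.mydomain.com/apps/example/\r\n\r\n")

if __name__ == "__main__":
    for raw in (LEAKY, RELATIVE, DOWNGRADE):
        print(audit_response(PUBLIC_URL, raw))
```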