Nextcloud, nginx reverse proxy setup question

Hi all,

I am setting up Nextcloud at the moment. I got Nextcloud itself up and running on a Raspberry Pi 4.
The next thing I want to do is set up a reverse proxy to Nextcloud from another Raspberry Pi 4, which runs nginx as the reverse proxy. The other Raspberry Pi is already proxying to Nextcloud. The only thing I am stuck with is how to keep HTTPS to Nextcloud.

I created a certificate with Let's Encrypt on the Nextcloud Pi and the proxy is checking the SSL port for a connection. But whenever it connects to the Nextcloud page it goes back to http:// and not to https://. Can anyone explain to me where I am going wrong?

Or is it that I need to keep the HTTPS (SSL) Let's Encrypt certificate on the first Raspberry Pi, which is in charge of the reverse proxy?

I have searched Google for a few evenings to find a solution but I cannot find anything which helped to keep HTTPS.

Yes. The proxy terminates the TLS connection.

Your nginx proxy file should look like this:

server {
    listen 80;
    server_name external.domain.com;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl;
    server_name external.domain.com;

    ssl_certificate           /etc/acme.sh/external.domain.com/fullchain.cer;
    ssl_certificate_key       /etc/acme.sh/external.domain.com/external.domain.com.key;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.3 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/external.domain.com.access.log;

    client_max_body_size 2048M;
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://internal.nextcloud;
      proxy_read_timeout  300;

      # the backend only speaks http, so rewrite any http:// Location it sends
      # back to https on the public name (not the internal one) for the client
      proxy_redirect      http://$host/ https://$host/;
    }
}

More or less. Untested.

Unless you have a hacker in your network you don’t need to encrypt the traffic from the proxy to Nextcloud. Or?

Correct, but I am like: better safe than sorry :stuck_out_tongue:.
And if the encryption is available, why shouldn’t it be possible all the way to Nextcloud itself?
So I need to copy the certificate files to the proxy Raspberry and use them there in nginx as well, if I am correct.

Nope.

Use them there (proxy) in nginx only.

I think you can (and must) use self-signed certs on your Nextcloud server.

See: the proxy is listening on server_name external.domain.com; the Let's Encrypt cert is only valid for this server name.

The Nextcloud server is listening on proxy_pass http://internal.nextcloud; if you applied the same cert there it would be detected as fraud. :wink:

Any idea how to get it to work without HTTPS then?
If I forward it to Nextcloud without it, it shows "not secure" on the left in the top bar.
And a 404 Not Found when coming from the reverse proxy nginx.

Any idea for this:

This is how my Nextcloud looks over the reverse proxy nginx.
Whatever I try, it won’t go to a normal PHP page.

Firstly you need a correct setup on the nginx reverse proxy, here is my config:

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 100000;

events {
    worker_connections 4000;
    multi_accept on;
    use epoll;
}

http {
    # Close the connection without a response (444) when no server name matches
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;  # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

And here the nextcloud conf:

server {
    listen 80;
    listen [::]:80;
    server_name your.domain.com;
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your.domain.com;

    set $upstream yournextcloudLANIP;  # e.g. 192.168.2.100

    proxy_http_version 1.1;
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_buffering off;

    client_max_body_size 1024M;

    # GZIP
    gzip off;

    # SSL config (certbot keeps the current files under /etc/letsencrypt/live/<domain>/)
    ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;

    location / {
        # the backend speaks TLS itself, so its redirects need no rewriting
        proxy_pass https://$upstream;
        proxy_redirect off;
    }
}

With this configuration I am up and running. To get an SSL certificate from Let's Encrypt you must comment out the SSL settings and port 443 and replace them with port 80; after you get the cert you change the config back to the default as it is here from me.

Also, if you use a CDN via Cloudflare, make sure you have Full (Strict) SSL enabled, otherwise you’ll get redirect loops and other baddies.

For Let's Encrypt on the reverse proxy, I am running it for all my domains without problems, dunno what's fraud by you… I need a secured connection from LAN to WAN and the opposite, and it's perfectly done with certbot and Ubuntu 20.04.
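The two proxy configs in this thread differ on exactly the points that decide whether HTTPS survives the hop: which side terminates TLS, whether the backend is reached over plain http, and whether the backend's http:// redirects are rewritten before they reach the browser. The script below is an added example (not code from either poster, nginx or Nextcloud) that audits a server block for those points with a deliberately minimal parser (no `include` handling); SAMPLE is a constructed config modelled on the first proxy config above, with placeholder names.

```python
import re
def parse(text):
    """Minimal nginx parser: (directive, args, children); children is None for simple directives."""
    toks = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r'#[^\n]*', '', text))
    stack, cur, acc = [], [], []
    for t in toks:
        if t == ';':
            cur.append((acc[0], acc[1:], None)); acc = []
        elif t == '{':
            stack.append((cur, acc)); cur, acc = [], []
        elif t == '}':
            parent, head = stack.pop()
            parent.append((head[0], head[1:], cur)); cur = parent
        else:
            acc.append(t.strip('"'))
    return cur

def audit(text):
    """Findings for each TLS server block and each location that proxies to a plain-http backend."""
    out = []
    for name, _, body in parse(text):
        if name != 'server' or body is None:
            continue
        simple = {n: a for n, a, b in body if b is None}  # last occurrence wins
        sname = simple.get('server_name', ['?'])[0]
        if any(n == 'listen' and 'ssl' in a for n, a, _ in body):
            out += [f'{sname}: TLS listener without {k}' for k in ('ssl_certificate', 'ssl_certificate_key') if k not in simple]
            out += [f'{sname}: weak protocol {p} enabled' for p in simple.get('ssl_protocols', []) if p in ('SSLv3', 'TLSv1', 'TLSv1.1')]
        for lname, largs, lbody in body:
            if lname != 'location' or lbody is None:
                continue
            loc = {n: a for n, a, b in lbody if b is None}
            if not loc.get('proxy_pass', [''])[0].startswith('http://'):
                continue  # backend speaks TLS itself; nothing to rewrite
            # nginx inherits server-level proxy_set_header only when the location sets none
            own = [a[0].lower() for n, a, _ in lbody if n == 'proxy_set_header']
            hdrs = set(own or [a[0].lower() for n, a, _ in body if n == 'proxy_set_header'])
            out += [f'{sname} {largs[-1]}: plain-http backend without {h} header' for h in ('host', 'x-forwarded-proto') if h not in hdrs]
            r = loc.get('proxy_redirect', [])
            if len(r) != 2 or not r[0].startswith('http://') or not r[1].startswith('https://'):
                out.append(f'{sname} {largs[-1]}: backend Location headers not rewritten to https')
    return out

# Constructed sample modelled on the proxy config in the thread (names are placeholders).
SAMPLE = """server { listen 80; server_name external.domain.com; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name external.domain.com; ssl_protocols TLSv1.3 TLSv1.2;
  ssl_certificate /etc/acme.sh/external.domain.com/fullchain.cer;
  ssl_certificate_key /etc/acme.sh/external.domain.com/external.domain.com.key;
  location / { proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://internal.nextcloud; proxy_redirect http://$host/ https://$host/; } }"""
```

`nginx -t` still has to be run for syntax; this only reports the semantic gaps discussed in the thread, and an empty list from `audit(SAMPLE)` means none were found.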

Sure. For the proxy.

And you use the same certs for the Nextcloud server?

I will try that tonight. But can it be the problem that Nextcloud is running on Apache2 and the reverse proxy on nginx?
Maybe I need them both on nginx?

Is it correct that with your configuration you can connect to Nextcloud from outside the network?
Because my reverse proxy goes to the LAN IP. It works internally but not when connecting from the outside.

It looks like you switched the Nextcloud conf and the nginx reverse proxy conf in your comment, is that correct?

Nope, I have 2 sets of certs, one certbot on the reverse proxy and one on the Nextcloud server/container.

It's not a problem, however I call this a crossed backend myself and I always had problems with that. So for an easier setup I have everything running on nginx and I don't need to hop from Apache to nginx and the opposite way when I have conf problems.

It looks like you switched the Nextcloud conf and the nginx reverse proxy conf in your comment, is that correct?

Nope, it's correct. nginx.conf is the general setup for nginx and nextcloud.conf is the setup only for Nextcloud. And yes, I am able to get to my cloud from WAN, because why have a cloud when it's only on LAN? :smiley:

Because my reverse proxy goes to the LAN IP. It works internally but not when connecting from the outside.

I don't get this. But my reverse proxy in nextcloud.conf is pointing to the LAN IP too, otherwise it won't work.

It is working from outside the LAN now. But still not the correct page view.

Can it be a problem with the reverse proxy (nginx) to Nextcloud (Apache)?

Probably, to rule out this problem, I should install Nextcloud with/on nginx and see if it solves my problem, as I find nginx easier to understand.

What I mean with that last part is that the correct page layout is shown when the reverse proxy redirects me to the Nextcloud IP. But when it comes through the reverse proxy it is shown as before.

Tried your configuration. But I can’t get any clue on what you are doing there with those settings and two different files. It is giving me errors that I cannot use it there, like user and so on. How is your configuration layout exactly?