Nextcloud, nginx reverse proxy setup question

Hi all,

I am setting up nextcloud at the moment. I got nextcloud itself up and running on a raspberry pi 4.
The next thing I want to do is setup reverse proxy to nextcloud from another raspberry pi 4 which is the reverse proxy using nginx. The other raspberry pi is proxying to nextcloud already. The only thing I am stuck with is how to keep https to nextcloud.

I created a certification with letsencrypt on the nextcloud pi and the proxy is checking on the ssl port for a connection. But whenever it is connected to the nextcloud page it is going back to http:// and not to https:// can anyone explain to me where I am going wrong?

Or is it that I need to keep the https (ssl) letsencrypt certificate on the first raspberry pi which is in charge for the reverse proxy?

I have searched google a few evenings to find a solution but I cannot find anything which helped to keep the https.

yes. the proxy terminates the tsl connection.

your nginx proxy file should look like this:

server {
    listen 80;
    return 301 https://$host$request_uri;

server {

    listen 443 ssl;

    ssl_certificate           /etc/;
    ssl_certificate_key       /etc/;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.3 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/;

    client_max_body_size 2048M;
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      proxy_pass          http://internal.nextcloud;
      proxy_read_timeout  300;

      proxy_redirect      http://internal.nextcloud https://internal.nextcloud;

more less. untested.

unless you have hacker in your network you don’t need to encrypt the traffik from the proxy to nextcloud. or?

Correct but I am like better safe than sorry :stuck_out_tongue:.
And if the encryption is available why shouldn’t be possible all the way to nextcloud itself.
So I need to copy the certificate files to the proxy raspberry and use them there in the nginx also if I am correct.


use them there (proxy) in the nginx only.

i think you can (and must) use self-signed certs on your nextcloud server.

see: the proxy is listening on server_name; the letsencrypt cert is only valid for this servername.

the nextcloud server is listening on proxy_pass http://internal.nextcloud; if you would apply the same cert it would be detect as fraud. :wink:

Any idea how to get it to work without https then?
If I forward it to nextcloud without it is showing not secured in the left in the top bar.
And a 404 not found when coming from the reverse proxy nginx

Any idea for this:

This is how my nextcloud looks like over reverse proxy nginx.
Whatever I try it won’t go to a normal php page

Firstly you need correct setup on nginx reverse, here is my config:


user www-data;
worker_processes auto;
pid /run/;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 100000;

events {
worker_connections 4000;
multi_accept on;
use	epoll;

http {
# Return 404 if no server name matches
server {
listen 80 default_server;
server_name _;
return 444;

# Basic Settings

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# SSL Settings

#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;	# Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

# Logging Settings

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

# Gzip Settings

gzip  on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";

# Virtual Host Configs

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

and here nextcloud conf.

	server {
	listen 80;
	listen [::]:80;
	return 301 https://$server_name:443$request_uri;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

set $upstream  yournextcloudLANIP; #ex.	

proxy_http_version 1.1;
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_buffering    off;

client_max_body_size 1024M;

gzip off;

# SSL config
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/;

location / {

proxy_pass https://$upstream;
proxy_redirect off;

With this configuration I am up and runnin. To get ssl certificate from Letsencrypt you must comment out ssl and 443 ports and replace it with ports 80, after you get cert you get that config to default as its here from me.

Also if you CDN via Cloudflare make sure you have Full Strict SSL enabled otherwise youľl get redirect loops and other baddies.

For letsencrypt on reverse proxy, I am running it for all my domains without problems, dunno whats fraud by you…I need secured connection from LAN to WAN and opposite and its perfectly done with certbot and ubuntu 20.04.

sure. for the proxy.

and you use the same certs for the nextcloud server?

I will try that tonight. But can it be the problem that nextcloud is running on apache2 and reverse proxy on nginx?
Maybe I need them both nginx?

Is it correct that with your configuration you can connect to nextcloud from outside the network?
Because my reverse proxy goes to the lan ip. And it will work internal but not when connecting from the outside.

It looks like you switched nextcloud conf and nginx reverse proxy conf in your comment is that correct?

Nope I have 2 sets of certs, one certbot on reverse proxy and one on nextcloud server/container

Its not a problem however I call this myself a crossed backend and I had always problems with that. So for easier setup I have all runing on nginx and I dont need to hop from apache to nginx and opposite way when I have conf problems.

It looks like you switched nextcloud conf and nginx reverse proxy conf in your comment is that correct?

Nope its correct. Nginx.conf is general setup for nginx and nextcloud.conf is setup only for nextcloud. And yes I am able to get to my cloud from WAN because why have cloud when its only on LAN ? :smiley:

Because my reverse proxy goes to the lan ip. And it will work internal but not when connecting from the outside.

I dont get this. But my reverse proxy in nextcloud.conf is poiting to LAN IP too, otherwise it wont work.

It is working from outside lan now. But still not the correct page view.

Can it be a problem with reverse proxy (nginx) to nextcloud (apache)?

Probably to rule out this problem I should install nextcloud with/on nginx and see if it solves my problem. As I find nginx easier to understand

What I mean with that last part is, that the correct page layout is showed when the reverse proxy redirects me to the nextcloud ip. But when it is coming through reverse proxy it is shown as before.

Tried your configuration. But can’t get any clue on what you are doing there with those settings. and two different files. It is giving me errors that I cannot use it there like user and so on. How is your configuration layout exactly?