Hallo Zusammen,
ich habe hier einen Ubuntu Server mit NGINX als Webserver am laufen. Bislang lediglich mit Matrix-Synapse.
Nun habe ich zusätzlich Nextcloud installiert und habe folgendes Problem:
- Matrix ist über chat.meinedomain.de verfügbar
- nextcloud SOLL über cloud.meinedomain.de erreichbar werden
Mein Nginx ist wie folgt konfiguriert:
Unter /etc/nginx/ gibt es die nginx.conf:
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server_tokens off;
include /etc/nginx/conf.d/*.conf;
}
die letzte Zeile verweist zum Unterverzeichnis conf.d mit folgenden Dateien:
element.conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name chat.meinedomain.de;
#
# Certificate configuration
#
# RSA certificates
ssl_certificate /etc/letsencrypt/live/chat.meinedomain.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/chat.meinedomain.de/privkey.pem; # managed by Certbot
# ECC certificates
ssl_certificate /etc/letsencrypt/chat.meinedomain.de/ecc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/chat.meinedomain.de/ecc/key.pem;
# This should be ca.pem (certificate with the additional intermediate certifica$
# See here: https://certbot.eff.org/docs/using.html
# ECC
ssl_trusted_certificate /etc/letsencrypt/chat.meinedomain.de/ecc/ca.pem;
# Include SSL and header snippets
include /etc/nginx/snippets/ssl.conf;
include /etc/nginx/snippets/headers.conf;
#
# Matrix Synapse configuration
#
# Disable error and access log.
# This way, no IP will be logged by nginx
access_log off;
error_log off;
# Increase timeout values
# Useful if rooms (on different server) act very slowly.
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
# If you don't wanna serve a site, comment this out
#root /var/www/html;
#index index.html index.htm;
location /_matrix {
proxy_pass http://127.0.0.1:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 50M;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "chat.meinedomain:443"}';
add_header Content-Type application/json;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://chat.meinedomain.de"}}';
add_header Content-Type application/json;
add_header "Access-Control-Allow-Origin" *;
}
}
sowie nextcloud.conf :
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name cloud.meinedomain.de;
# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
#I found this header is needed on Ubuntu, but not on Arch Linux.
add_header X-Frame-Options "SAMEORIGIN";
# Path to the root of your installation
root /usr/share/nginx/nextcloud/;
access_log /var/log/nginx/nextcloud.access;
error_log /var/log/nginx/nextcloud.error;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ~ /.well-known/acme-challenge {
allow all;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
try_files $fastcgi_script_name =404;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
#listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/chat.meinedomain.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/chat.meinedomain.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/cloud.meinedomain.de/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
Aktuell läuft Matrix-synape (Element) probemlos, dafür habe ich kein Zugriff auf nextcloud. Hier kommt im Browser beim Zugriff auf cloud.meinedomain.de “ERR_SSL_PROTOCOL_ERROR” … Wenn ich aber die Datei “element.conf” umbenenne in “element.conf_disabled” und somit Matrix lahmlege, funktioniert plötzlich nextcloud tadelos…
Ich bin da grade echt ratlos und finde keinen Fehler. Vielleicht kann hier jemand weiterhelfen?
Ich vermute, dass es nicht an Certbot bzw. dem SSL Zertifikat selbst liegen kann, denn sonst würde der Fehler ja trotz abgeschaltetem Element noch auftreten, oder?
Grüße,
Robin