Nginx help 502 bad gateway error

So I am after some help with Nginx. I am attempting to serve a site via xxx.com/nextcloud as per below. It's basically part of a larger nginx config with sickrage, couchpotato and other sites, so I am just looking to redirect nextcloud to /nextcloud.

config below.
location /nextcloud {
    proxy_pass https://192.168.1.111:81/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

I am serving Nextcloud via port 81 (I am doing http to https redirection, which is easier). Getting a 502 Bad Gateway error.

502 Bad Gateway

nginx/1.10.3

Hi, can you please post the part of the config which takes care of the https requests on port 81?
Or do you use Docker or something similar?

/etc/apache2/ports.conf
Listen 81

/etc/nginx/sites-available/reverse
#server {
#    listen 80 default_server;
#    listen xxxxx.com:80 default_server;
#    server_name _;
#    return 301 https://$host$request_uri;
#}
server {
    listen 443;

    ssl on;
    ssl_certificate /opt/xxxxxxxx.com/ssl-bundle.crt;
    ssl_certificate_key /opt/xxxx.com/www_falsecut_com.key;
    proxy_connect_timeout 3600;
    proxy_send_timeout 3600;
    proxy_read_timeout 3600;
#    send_timeout 3600;
#    large_client_header_buffers 4 16k;

    # server names are separated by spaces, not commas
    server_name xxxxxxxxx.com 192.168.1.111;

I am just publishing it via https. Do I need to listen on port 81 as well? I thought nginx would basically redirect the 81 and publish via 443?

Right now you configured your nginx to act like a proxy (let’s say a traffic forwarder). So if someone connects to yourdomain.com/nextcloud it just takes this request either on port 80 or 443 and redirects the requests to port 81 on the internal network IP. Now there needs to be somebody who is listening on port 81 and handles these requests. Right now there is nobody and this results in the error message “502 Bad Gateway”.

First of all, I would use a different port number if you want to have https. I'd simply suggest 8443. It is easier to read that this port will listen to https requests. Port 81 sounds rather like plain http.

What you would need to do is, create a server block like (just a quick example!):

server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name my.domain.tld;

    ssl_protocols TLSv1.2;

In this server block you should enter everything Nextcloud suggests for the nginx config.

I'll provide my config here as an example, as guidance. With this config you would also achieve an A+ rating on ssllabs.com/ssltest/

Careful however with the line
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
Please comment out that line for now and only uncomment it once HTTPS is correctly set up for your server!!

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.domain.tld;

    server_tokens off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2;

    # suggestion by https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033 for 100% with ssllabs.com
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';

    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    resolver 192.168.1.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_dhparam /etc/ssl/dhparam_4096.pem;
    ssl_trusted_certificate /etc/ssl/ca-certs.pem;
    ssl_certificate /etc/letsencrypt/live/my.domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain.tld/privkey.pem; # managed by Certbot

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.

    add_header Referrer-Policy "no-referrer";

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # ACME challenge
    location ^~ /.well-known {
        allow all;
        alias /var/lib/letsencrypt/.well-known/;
        default_type "text/plain";
        try_files $uri =404;
    }
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        alias /var/lib/letsencrypt/.well-known/acme-challenge/;
    }

    # set max upload size
    client_max_body_size 15G;

    # Buffers
    fastcgi_buffers 64 4K;

    # Rather disable gzip! This would allow some attacks and that's not worth the performance improvement
    gzip off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_pass_header Authorization;
        fastcgi_pass_header http_oauth_token;
        fastcgi_pass_header oauth_token_secret;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        #try_files $uri /index.php$uri$is_args$args;
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        #try_files $uri /index.php$uri$is_args$args;
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }

    location ~* \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 30M;
        mp4_max_buffer_size 200M;

        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        #include fastcgi_params;
        #include php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
}
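The explanation above (a 502 means the proxy could not get a usable answer from the upstream on port 81) can be confirmed from nginx's error log rather than guessed at. The following is an added example, not part of the original thread: it parses nginx error-log lines in their standard format and maps the upstream failure to a likely cause, distinguishing "nothing listens there" from "something listens, but it speaks plain HTTP while proxy_pass says https://". The log lines are constructed for this example; the timestamps, client address and connection numbers are made up.

```python
import re

# Field layout nginx uses in error.log for a failed upstream request:
#   <date> <time> [<level>] <pid>#<tid>: *<conn> <msg> while <phase>, client: ..., server: ...,
#   request: "...", upstream: "...", host: "..."
_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.+?) while '
    r'(?P<phase>[^,]+), client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<request>[^"]+)", upstream: "(?P<upstream>[^"]+)"'
)

# Substrings of the logged message, in the order they are checked, and what each means
# for the proxy_pass target. The first two are the cases discussed in this thread.
_CAUSES = [
    ("Connection refused", "nothing is listening on the upstream port"),
    ("wrong version number", "upstream speaks plain HTTP but proxy_pass uses https://"),
    ("prematurely closed", "upstream accepted the connection but closed it before answering"),
    ("no live upstreams", "all upstream servers are marked down"),
]


def classify(msg):
    """Map one nginx upstream error message to a likely cause."""
    for needle, cause in _CAUSES:
        if needle in msg:
            return cause
    return "unknown"


def diagnose_502(lines):
    """Return (upstream, request, cause) for every [error] line about an upstream."""
    found = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or m.group("level") != "error":
            continue  # not an upstream failure line (e.g. [notice] entries)
        found.append((m.group("upstream"), m.group("request"), classify(m.group("msg"))))
    return found


# Constructed sample log: first line is what you see when nothing listens on :81,
# second line is what you see when Apache answers plain HTTP on :81 but nginx proxies https://.
SAMPLE_LOG = [
    '2018/03/10 21:13:45 [error] 1234#1234: *5 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 203.0.113.5, server: xxxxxxxxx.com, '
    'request: "GET /nextcloud HTTP/1.1", upstream: "https://192.168.1.111:81/", host: "xxxxxxxxx.com"',
    '2018/03/10 21:14:02 [error] 1234#1234: *6 SSL_do_handshake() failed (SSL: error:1408F10B:'
    'SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, '
    'client: 203.0.113.5, server: xxxxxxxxx.com, request: "GET /nextcloud HTTP/1.1", '
    'upstream: "https://192.168.1.111:81/", host: "xxxxxxxxx.com"',
    '2018/03/10 21:14:30 [notice] 1234#1234: signal process started',
]

if __name__ == "__main__":
    for upstream, request, cause in diagnose_502(SAMPLE_LOG):
        print(f"{request} -> {upstream}: {cause}")
```

Run it against `/var/log/nginx/error.log` (read the file into a list) to see which of the two cases applies before touching the config.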

Will give it a go in the morning. Yes, correct about the proxying; I was basically just trying to forward the traffic, which is how I have it working for everything else. Just makes it easier.

Looking through this, I'd basically replace my existing config and then at the end just place in my forwarding/proxying as per normal?

Excuse me, I don’t understand your question.
And I fear I won't be able to answer it without further knowledge about your setup, what you proxy how and to whom, and how you set up and tested Nextcloud so far.

You should really look into the installation guide of nextcloud
https://docs.nextcloud.com/server/13/admin_manual/installation/nginx.html
Set up Nextcloud as you desire, listening on the port of your desire, which means: just modify the ports as you need them in the example config and check if you can access Nextcloud on that port and if everything is working fine.
Let’s say: yourdomain.com/nextcloud:8443
That should work first. If it does, then you can start to set up the proxy accordingly. It will be easier then to debug issues. Doing all at once will only lead to confusion, because you don't know if the configuration of Nextcloud is incorrect or the proxy settings.

Will try Nextcloud and move from there… The reason why I was asking the question re forwarding: sorry, I am used to either F5, Riverbed or Sophos appliances, which are a bit more logical and have more than 1 IP to serve from.

With my setup I am basically going to have it without subdomains (single domain for my SSL certificate).

What you're saying re the ports though is basically DMZ port forwarding? As said, will play tomorrow. I am used to just proxying the connection to the desired port, as said, and just forwarding it, and it works. Hence why I just forward sickrage, couchpotato, kodi, plex, transmission etc. Makes it easier to connect to those over SSL from work.

Worst comes to worst, will just set the port to 80 and serve up my other content that's more important to be on SSL.
