NGINX Reverse Proxy and Passwords App [solved]

I have Nextcloud set up with the Passwords app, and I'm having trouble convincing Passwords that it is using HTTPS. What's unusual is that it works in specific scenarios, and I have spent hours trying many suggestions to adjust config files to get it working.

Current issues:

  • Accessing from HTTP: as expected, doesn't work; no issue
  • Accessing from HTTPS, external (internet): doesn't work, gives the HTTPS warning
  • Accessing from HTTPS, internal network (still via the internet): works

[screenshot]

This indicates a reverse proxy issue to me, but I have all the settings I think I require.
Below are the configuration settings I'm using; could I have some direction on what I'm doing wrong?

Nextcloud:
  'trusted_domains' =>
  array (
    0 => 'subdomain.domain',
    1 => 'domain',
    2 => 'NGINX IP',
    3 => 'Nextcloud IP',
  ),
  'trusted_proxies' =>
  array (
    0 => 'NGINX IP',
  ),
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => 'NGINX IP',
  # 'overwritehost' => 'subdomain.domain',   <---- had this on and off and it has no positive effect
  # 'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'Nextcloud IP',

NGINX:
server {
    set $forward_scheme http;
    set $server "Nextcloud IP";
    set $port 80;

    listen 8080;
    #listen [::]:8080;

    listen 4443 ssl http2;
    #listen [::]:4443;

    server_name subdomain.domain;

    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

    include conf.d/include/block-exploits.conf;

    include conf.d/include/force-ssl.conf;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    access_log /data/logs/proxy-host-7_access.log proxy;
    error_log /data/logs/proxy-host-7_error.log warn;

    # Tell the backend who the client is and that TLS was terminated here
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Port 443;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;

        include conf.d/include/proxy.conf;
    }

    include /data/nginx/custom/server_proxy[.]conf;
}

Nextcloud checks overwritecondaddr against REMOTE_ADDR. This does not match in your case, and so overwriteprotocol is not applied.

Could you please elaborate?
I checked, and overwriteprotocol is applied; it's in the original post. :slight_smile:

As the HTTPS status report shows, overwriteprotocol is set, but not applied.

The first option to overwrite the protocol is with the "overwriteprotocol" setting. Then Nextcloud takes the value from $_SERVER['REMOTE_ADDR'] and compares it against the regex in overwritecondaddr. This doesn't match in your case.

The other option is that Nextcloud can check if the value of $_SERVER['REMOTE_ADDR'] is in the trusted_proxies list and then use the value from $_SERVER['HTTP_X_FORWARDED_PROTO'] as the protocol. This doesn't match in your case either.

So if 154.16.81.72 is your proxy server, it needs to be in the trusted_proxies list.

Thank you for your help thus far; I just can't seem to fix it.
I have found why it doesn't work, though.

The IP in the screenshot is just from my testing VPN.
For both of the options you mentioned, if I replace the DNS name with the IP, it works.

Option 1:
Adding the proxy's DNS name to the trusted_proxies list (I only had the local IP) doesn't work.
Changing that DNS name to the IP I currently have (in this case the VPN) works.

Option 2:
Using overwriteprotocol and overwritecondaddr, with the latter set to the DNS name, doesn't work. If I replace it with my current IP (in this case the VPN), then it works.

So am I missing something in my NGINX config, such that it needs the IP of every connecting source, or can I use a regex to cover all IPs?

Fixed the problem!
I got it in my head from reading other config examples that I had to configure overwritecondaddr, but for me doing so limits external access to only that IP.

Set it to 'overwritecondaddr' => '', and it works.
Thanks to everyone for providing assistance.
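The two mechanisms described in the replies above (overwriteprotocol gated by the overwritecondaddr regex, then X-Forwarded-Proto from a trusted_proxies entry, then the web server's own HTTPS flag) and the final fix of an empty overwritecondaddr, as an added example that is not part of the thread and not Nextcloud's own code. It is a simplified Python model of that decision order; the addresses and the proxy hostname are constructed placeholders (RFC 5737 ranges) standing in for "NGINX IP" and the VPN address, and it assumes, as the poster's tests suggest, that Nextcloud sees the external client's address in REMOTE_ADDR.

```python
"""Model of how Nextcloud decides the request scheme behind a reverse proxy.

Added example, not Nextcloud's code: a simplified re-implementation of the lookup
order described in the thread. All addresses below are constructed placeholders.
"""
import ipaddress
import re
from typing import Optional

# Constructed placeholders (RFC 5737 documentation ranges) for the thread's
# "NGINX IP", the VPN client address, and an assumed DNS name for the proxy.
NGINX_IP = "192.0.2.10"
VPN_CLIENT_IP = "203.0.113.7"
PROXY_HOSTNAME = "proxy.example.net"


def overwrite_condition_matches(overwritecondaddr: str, remote_addr: str) -> bool:
    """overwritecondaddr is a regex matched against the raw REMOTE_ADDR.
    An empty value means the condition is always satisfied (the thread's fix)."""
    if overwritecondaddr == "":
        return True
    return re.search(overwritecondaddr, remote_addr) is not None


def is_trusted_proxy(trusted_proxies, remote_addr: str) -> bool:
    """trusted_proxies entries are IPs or CIDR ranges. REMOTE_ADDR is always an
    IP address, so a hostname entry can never match it."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for entry in trusted_proxies:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname or malformed entry: silently never matches
    return False


def server_protocol(config: dict, server: dict) -> str:
    """Return 'http' or 'https' following the order described in the replies."""
    remote_addr = server.get("REMOTE_ADDR", "")
    # 1. overwriteprotocol, but only when overwritecondaddr matches REMOTE_ADDR
    proto = config.get("overwriteprotocol", "")
    if proto and overwrite_condition_matches(config.get("overwritecondaddr", ""), remote_addr):
        return proto
    # 2. X-Forwarded-Proto is honoured only if the direct peer is a trusted proxy
    forwarded = server.get("HTTP_X_FORWARDED_PROTO")
    if forwarded is not None and is_trusted_proxy(config.get("trusted_proxies", []), remote_addr):
        first = forwarded.split(",")[0].strip().lower()
        return first if first in ("http", "https") else "http"
    # 3. otherwise, whatever the web server in front of PHP saw itself
    return "https" if server.get("HTTPS", "") not in ("", "off") else "http"


def backend_request(remote_addr: str, forwarded_proto: Optional[str] = "https") -> dict:
    """A request as the backend sees it: the proxy talks plain HTTP to port 80,
    so HTTPS is off and only the forwarded header claims 'https'."""
    server = {"REMOTE_ADDR": remote_addr, "HTTPS": "off"}
    if forwarded_proto is not None:
        server["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return server


def thread_scenarios() -> dict:
    """The configurations tried in the thread, evaluated for an external client
    whose own address shows up in REMOTE_ADDR."""
    base = {"overwriteprotocol": "https", "trusted_proxies": [NGINX_IP]}
    external = backend_request(VPN_CLIENT_IP)
    return {
        # DNS name in overwritecondaddr never matches an IP: falls through to http
        "condaddr_dns_name": server_protocol({**base, "overwritecondaddr": PROXY_HOSTNAME}, external),
        # the client's own IP works, but only for that one client
        "condaddr_client_ip": server_protocol(
            {**base, "overwritecondaddr": "^" + re.escape(VPN_CLIENT_IP) + "$"}, external),
        # the thread's fix: empty condition applies overwriteprotocol to everyone
        "condaddr_empty": server_protocol({**base, "overwritecondaddr": ""}, external),
        # trusted_proxies path alone, when REMOTE_ADDR really is the proxy
        "trusted_proxy_header": server_protocol({"trusted_proxies": [NGINX_IP]}, backend_request(NGINX_IP)),
        # a hostname in trusted_proxies does nothing, as the poster found
        "trusted_proxy_hostname": server_protocol({"trusted_proxies": [PROXY_HOSTNAME]}, backend_request(NGINX_IP)),
        # caveat: with the empty condition, a plain-HTTP request that bypasses
        # the proxy entirely is still reported as https
        "condaddr_empty_bypass": server_protocol({**base, "overwritecondaddr": ""}, backend_request("10.0.0.99", None)),
    }


if __name__ == "__main__":
    for name, scheme in thread_scenarios().items():
        print(f"{name:24s} -> {scheme}")
```

The last scenario is the caveat a practitioner should keep in mind with the fix from this thread: an empty overwritecondaddr makes Nextcloud report HTTPS for every request, including one that reaches the backend over plain HTTP without passing through the proxy, so it is only sound when the Nextcloud host accepts connections solely from the TLS-terminating proxy (firewall, or a Docker network that exposes port 80 to the proxy only).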