Hi, guys!
I have Xigmanas (which is based on FreeBSD, if you're not aware).
Nextcloud is installed on the host without SSL certificate deployment.
The reverse proxy runs in a Jail. A Jail is FreeBSD's native container mechanism, comparable to Docker on Linux. VirtualBox can also be used for the installation below.
All CLI commands below are for FreeBSD, but they are easy to adapt to Linux. For example, ‘pkg install’ is equivalent to ‘apt-get install’. The nginx configuration is the same on both systems except for the default nginx installation folder. Check the paths after installing and replace them in the configuration texts.
Replace the following settings with your own:
allcash.asuscomm.com - ddns address
192.168.1.4:23456 - standard Nextcloud installation on the host machine
192.168.1.32 - IP assigned to Jail with nginx-reverse
/usr/local/etc/nginx/nginx.conf - default install path for FreeBSD. Change it for /etc/nginx/nginx.conf for example if you use Linux.
#Install acme.sh agent and nginx (mc and tmux are convenience tools only; none of the steps below depend on them):
pkg install security/acme.sh nginx mc tmux
create web-root folders
# Web root served by nginx; acme.sh also drops its HTTP-01 challenge files here
# (see the -w option of the --issue step). Owned by root, group www, read-only
# for everybody else; root can still write into it.
mkdir -p -- /mnt/data/www/webroot
chown -R root:www -- /mnt/data/www/webroot
chmod -R 0555 -- /mnt/data/www
Create a simple web page for “diagnostic” purposes:
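# Write the "diagnostic" page with a quoted here-document. The file is closed at the
# EOF marker, so there is no need to type the content and end it with CTRL+c (which
# could drop an unterminated last line). The forum rendering showed the tags below
# with [] in place of <>; this is the intended markup.
cat >/mnt/data/www/webroot/index.html <<'EOF'
<html>
<head>
<title>Hello</title>
</head>
<body> Hello World! </body>
</html>
EOF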
create folders for key and certificates. acme.sh will create .well-known folders there.
# Directory for the certificate files and private key that nginx will load.
# Note: acme.sh writes its challenge files under the -w web root given to --issue
# (/mnt/data/www/webroot), not under this directory.
mkdir -p -- /usr/local/etc/nginx/ssl/allcash.asuscomm.com
Create a place to store the certificate so that nginx can read them:
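# Placeholder files for the certificate material; acme.sh --install-cert (below)
# fills them in. The private key must NOT be world-readable: the previous
# "chmod -R 0555" on the ssl tree exposed it to every user inside the jail.
# nginx's master process is started by rc as root and loads the certificate and key
# before the workers switch to "www", so root-only access to the key is sufficient.
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer
# Directories: root may enter, nobody else needs to.
chmod 0750 /usr/local/etc/nginx/ssl /usr/local/etc/nginx/ssl/allcash.asuscomm.com
# Certificates are public material; the key is not.
chmod 0644 /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer
chmod 0600 /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key
# After running --install-cert, confirm the key is still 0600 with:
#   ls -l /usr/local/etc/nginx/ssl/allcash.asuscomm.com/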
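#Keep the packaged default configuration as a reference instead of deleting it
#(copied only once, so re-running this step does not clobber the saved copy)
[ -e /usr/local/etc/nginx/nginx.conf.orig ] || mv /usr/local/etc/nginx/nginx.conf /usr/local/etc/nginx/nginx.conf.orig
#create new nginx.conf: a plain-HTTP bootstrap used only to pass the Let's Encrypt
#HTTP-01 validation (acme.sh --issue -w /mnt/data/www/webroot below); it is replaced
#by the full HTTPS configuration later in this guide.
#Paste the whole block through the closing EOF line. The here-document ends the file
#by itself (no CTRL+c needed, which could drop an unterminated last line).
cat >/usr/local/etc/nginx/nginx.conf <<'EOF'
#Run server as default FreeBSD web user
user www;
#Documentation says to set this to the number of CPU cores, however unless this is
#a very busy server it's hard to believe that more than 2 threads are necessary
worker_processes 2;
#Defines max number of connections. Unless this is a busy server a much lower number should suffice
events {
    worker_connections 50;
}
# Nginx log paths (Information only, do not enable these lines)
# Access Log: /var/log/nginx/access.log
# Error Log: /var/log/nginx/error.log
# PID: /var/run/nginx.pid
http {
    server_tokens off; #Disable reporting of NGINX info
    server {
        listen 80;
        server_name allcash.asuscomm.com;
        root /mnt/data/www/webroot;
        # Let's Encrypt webroot: acme.sh places the challenge files under this path
        location /.well-known/acme-challenge/ {
            alias /mnt/data/www/webroot/.well-known/acme-challenge/;
        }
    }
    # add here ssl section
}
EOF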
Give appropriate rights
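#nginx.conf is read by the master process, which rc starts as root, so it only has to
#be readable. Leaving it owned by the unprivileged "www" user would let a compromised
#worker rewrite the configuration (including the "user" directive and the proxy
#targets) for the next reload. On Linux use root:root.
chown root:wheel /usr/local/etc/nginx/nginx.conf
chmod 0644 /usr/local/etc/nginx/nginx.conf
#Enable Nginx as daemon at jail startup. sysrc edits rc.conf in place and is
#idempotent; appending with echo adds a duplicate line each time it is run.
#(On Linux enable the service with your init system instead.)
sysrc nginx_enable=YES
#Start nginx, but only if the configuration parses cleanly; otherwise "restart"
#would stop the old instance and then fail to start the new one.
nginx -t && service nginx restart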
#issue real certificate (HTTP-01 validation served from the bootstrap web root above)
acme.sh --issue \
  -d allcash.asuscomm.com \
  -w /mnt/data/www/webroot
#install certificate to nginx location; one option per line with backslash
#continuations so the command survives copy-paste intact
acme.sh --install-cert \
  -d allcash.asuscomm.com \
  --cert-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer \
  --key-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key \
  --fullchain-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer \
  --reloadcmd "service nginx restart"
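#create cron job for renewal, non-interactively: append the line to the current user's
#crontab (run this as the same user that ran acme.sh --issue above). "crontab -l" fails
#when no crontab exists yet; that is fine, the new line is still installed. The grep
#guard keeps a second run from adding a duplicate entry.
#Check with "acme.sh --list" that --home below matches where --issue stored the
#certificate; if it does not, the renewal would silently do nothing.
crontab -l 2>/dev/null | grep -qF 'acme.sh --cron' || ( crontab -l 2>/dev/null; printf '%s\n' '45 1 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh --reloadcmd "service nginx restart"' ) | crontab -
#Doing it by hand instead: crontab -e, press a, paste the cron line above, press ESC
#twice, type :wq! and press enter.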
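#Keep the bootstrap configuration as a reference instead of deleting it
#(copied only once, so re-running this step does not clobber the saved copy)
[ -e /usr/local/etc/nginx/nginx.conf.bootstrap ] || mv /usr/local/etc/nginx/nginx.conf /usr/local/etc/nginx/nginx.conf.bootstrap
#create new nginx.conf
###############copy config below (through the closing EOF line) and paste into terminal##################
#The quoted 'EOF' is essential: without it the shell would expand $host, $remote_addr
#and the other nginx variables to empty strings while writing the file.
cat >/usr/local/etc/nginx/nginx.conf <<'EOF'
#Run server as default FreeBSD web user (the master process stays root so it can read
#the private key and bind ports 80/443; only the workers run as www)
user www;
#Documentation says to set this to the number of CPU cores, however unless this is
#a very busy server it's hard to believe that more than 2 threads are necessary
worker_processes 2;
#Defines max number of connections. Unless this is a busy server a much lower number should suffice
events {
    worker_connections 50;
}
# Nginx log paths (Information only, do not enable these lines)
# Access Log: /var/log/nginx/access.log
# Error Log: /var/log/nginx/error.log
# PID: /var/run/nginx.pid
http {
    server_tokens off; #Disable reporting of NGINX info
    server {
        listen 80;
        server_name allcash.asuscomm.com;
        root /mnt/data/www/webroot;
        # Let's Encrypt webroot; must stay reachable over plain HTTP for renewals
        location /.well-known/acme-challenge/ {
            alias /mnt/data/www/webroot/.well-known/acme-challenge/;
        }
        # Everything else goes to HTTPS, consistent with the Strict-Transport-Security
        # header sent by the 443 server below
        location / {
            return 301 https://$host$request_uri;
        }
    }
    #Define HTTPS reverse proxies on port 443.
    server {
        server_name allcash.asuscomm.com;
        listen 443 ssl;
        access_log off; #extra -- with this off there is no record of who reached Nextcloud/Transmission through the proxy; log to a file instead if you want to be able to investigate incidents
        client_max_body_size 10G; #extra That is needed to allow transfer files with size up to 10 Gb. It is relevant when you bypass Nextcloud via this proxy. You can set value that is needed for you.
        # ssl_certificate must contain the leaf certificate followed by the intermediate
        # chain, i.e. the fullchain file written by --install-cert. With only the bare leaf
        # (.cer) many clients fail validation with an "unable to get local issuer" error.
        ssl_certificate /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer;
        ssl_certificate_key /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key;
        ssl_session_timeout 30m;
        ssl_session_cache shared:SSL:10m;
        # TLS 1.0 and 1.1 are deprecated and rejected by current browser and compliance
        # checks. Remove "TLSv1.3" from this line only if nginx -t rejects it (it needs
        # nginx 1.13+ built against OpenSSL 1.1.1+).
        ssl_protocols TLSv1.2 TLSv1.3;
        # Same cipher groups as before minus 3DES (SWEET32) and plain-RSA key exchange
        # (no forward secrecy). The DH+ groups are only usable if ssl_dhparam is also set.
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!3DES;
        ssl_prefer_server_ciphers on;
        ## Improves TTFB by using a smaller SSL buffer than the nginx default
        ssl_buffer_size 8k;
        ## Enables OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # nginx documents that for stapling verification this file should hold the issuer,
        # the intermediates and the root. fullchain.cer has no root certificate, so if
        # nginx logs a stapling verification warning, append the root CA certificate here.
        ssl_trusted_certificate /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer;
        # Resolver used for the OCSP lookup. The previous value 127.0.0.0 is a network
        # address, not a host, so stapling could never succeed. Use the resolver(s) from
        # the jail's /etc/resolv.conf; 127.0.0.1 is only correct if a resolver runs in the jail.
        resolver 127.0.0.1 8.8.8.8;
        ## Send header to tell the browser to prefer https to http traffic
        ## ("always" also adds it to error responses)
        add_header Strict-Transport-Security "max-age=31536000" always;
        #Defines a home page
        location / {
            root /mnt/data/www/webroot;
            index index.html;
            # Long caching only for this static page. At server level "expires max" also
            # rewrote Cache-Control/Expires on every proxied Nextcloud and Transmission
            # response, making browsers cache dynamic content indefinitely.
            expires max; #extra
        }
        # extra Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/data/www/webroot/.well-known/acme-challenge/;
        }
        #-------- END SSL config -------##
        # Add rest of your config below like document path and more ##
        # Proxy to the Nextcloud server
        location /Nextcloud {
            proxy_pass http://192.168.1.4:23456/Nextcloud;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            # Tells Nextcloud the client arrived over https so it builds https:// links.
            # Nextcloud only trusts X-Forwarded-* headers from proxies listed under
            # 'trusted_proxies' in its config.php, so add 192.168.1.32 there (and/or set
            # 'overwriteprotocol' => 'https'); see Nextcloud's reverse proxy documentation.
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        # Proxy to Transmission
        # This exposes Transmission's web UI/RPC to the internet and the proxy adds no
        # authentication of its own: make sure rpc-authentication-required is enabled in
        # Transmission's settings.json, or protect this location with allow/deny or auth_basic.
        location /transmission {
            proxy_pass http://192.168.1.4:9091;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
EOF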
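#nginx.conf only needs to be readable by root (the master process); owning it by the
#unprivileged "www" user would let a compromised worker rewrite it. On Linux use root:root.
chown root:wheel /usr/local/etc/nginx/nginx.conf
chmod 0644 /usr/local/etc/nginx/nginx.conf
#Check the configuration and restart only when it parsed cleanly. A plain
#"service nginx restart" with a broken config stops the running server and then fails
#to start the new one, leaving the site and the ACME renewal path down.
nginx -t && service nginx restart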