Nginx reverse proxy, what to write in nextcloud's config.php?

For Apache I'd have to check where they have hidden the file.

In the php I've changed the overwrite protocol to http just to try.

Furthermore, now when accessing locally it redirects to the domain and then ends up with the same "too many redirects" message,
almost as if Nextcloud is redirecting to the proxy and the proxy to Nextcloud 0_o

Not sure that it is in a loop like that, because I changed settings to see where the problem lies.
nginx

load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes  8;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen 80;
        server_name derp.org;

        return 301 https://$server_name$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  derp.org;
        include ssl_common.conf;
        include proxy_setup.conf;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

Hi guys,
you may find a complete installation and configuration procedure for Nextcloud and NGINX as reverse proxy and webserver at my blog.

Please compare the following files to yours:
nginx.conf
gateway.conf
nextcloud.conf
and Nextcloud's config.php

That works fine for many servers on different platforms.
Cheers, Carsten

Did someone find a solution for this problem?

Facing the same ERR_TOO_MANY_REDIRECTS using Nginx reverse proxy.
Did someone find a solution?

This isn’t a problem with Nextcloud, it’s a problem with your Apache and/or Nginx configuration. Without posting your configuration, we can’t know what might be wrong in your scenario. I would recommend opening a new thread and posting your configuration because your redirect issue probably isn’t related to the original question here which was asking what to write in Nextcloud’s configuration.

I had the same issue.

It happened for me when I tried to join the website the first time, but accidentally still had cookies from an old session referring to this address.

I was going into incognito mode and noticed it is working there.
So I removed all cookies related to the URL/IP and it worked.

Kind regards
Gardosen

The fix is available on github https://github.com/nextcloud/server/pull/8042

Took me a day to track down the issue for my reverse proxy setup. I’ve also solved how to run it via a sub folder of a reverse proxy while the Nextcloud instance is installed in a root setup. I’ll post those configs when I’m able to.

Somehow we’ve determined that this needs to be fixed in Nextcloud without showing that the nginx/apache configurations are correct? I don’t understand this… :confused:

The issue is in the routes. The request path comes in as “/login/” but if you notice, in the routes most of them don’t have a trailing slash. Specifically, the login only works if the route is “/login”. There is code already present in Nextcloud to account for adding a slash to the route, but there is no code for removing a trailing slash from the route.

Thus, due to what is stated in the pull request, Nextcloud will constantly send you to “/login/” because the code adds a trailing slash to the URL. Then, when it detects you’re not logged in, it will send you back to “/login”, which creates an infinite loop.

Ok. The github issue generalizes that Nextcloud is broken when trying to use it behind nginx as a reverse proxy. This is false, because I personally have been using Nextcloud this way for a while, and my nginx config is posted earlier.

Maybe the issue only happens when the path to Nextcloud is https://domain.com/nextcloud? If so, I think that needs to be clarified in the github issue.

The issue is actually multiple issues. Part being nginx, part being Nextcloud and part being Symfony.

The root cause is due to how Symfony processes and generates URLs for Nextcloud. The pseudo standard on the internet is to have trailing slashes unless it’s a file being accessed, i.e. pseudo URLs or SEO URLs.

Symfony generates the URLs without those trailing slashes, and processes them as the URL received, which is where the pull request fixes the processing to allow trailing slashes to be processed without the trailing slash.

The next issue is nginx and some browsers in general. While some of the issues in my case appeared mostly due to nginx config and a fault in how nginx handles requests, I did several tests and nginx itself would add a trailing slash at some points even without having a directive to do so.

Ultimately I set up a separate sub domain for my Nextcloud proxy and left the proxy config at its basics. That allowed Nextcloud to operate without an issue.

Note: the pull request has been updated with additional details of issues present even when the patch is applied to allow trailing slashes to run.

Thank you for explaining it in more detail. I don’t fully understand the problem and solution, but it’s awesome that other people do understand it and can fix it so that other people don’t have to worry about it! :slightly_smiling_face:

If anyone else runs into this issue I’d like to mention that turning off Rocket Loader in CloudFlare fixed this problem for me, although I wasn’t having the exact same issue with the redirect loop. After configuring an NGINX reverse proxy in front of NextCloud (in addition to the CloudFlare reverse proxy), the site would begin loading then redirect to https://nextcloud.sysinfo.io/login and sit there permanently. I would like to add that you can turn Rocket Loader off using a page rule if you don’t want to turn it off site wide. Using a page rule, you can either select the “Disable Performance” option in the drop-down, or set Rocket Loader to “Off” with the toggle switch.

Here is my working nginx site config:

server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.sysinfo.io cloud.sysinfo.io;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name nextcloud.sysinfo.io cloud.sysinfo.io;

    include /etc/nginx/h5bp/directive-only/ssl.conf;
    include /etc/nginx/proxy_params;
    ssl_certificate_key /etc/letsencrypt/live/sysinfo.io-0001/privkey.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sysinfo.io-0001/fullchain.pem; # managed by Certbot
    ssl_client_certificate /etc/nginx/ssl/cloudflare.crt;
    ssl_verify_client on;

    access_log   /var/log/nginx/nextcloud.sysinfo.io.access.log main_ext;
    error_log    /var/log/nginx/nextcloud.sysinfo.io.error.log warn;

    root /var/www/nextcloud.sysinfo.io;

    # Send websocket data to the backend as well
    #proxy_http_version 1.1;
    #proxy_set_header Upgrade $http_upgrade;
    #proxy_set_header Connection $http_connection;

    location / {
        proxy_cache off;
        proxy_pass https://docker3.ad.sysinfo.io;
    }
}

And this is the nginx access log of the site experiencing the problem. There are no indications of an issue on my internal reverse proxy:

(IP redacted) - - [13/Oct/2019:13:30:30 -0700] "GET /nextcloud HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.025 ua="10.10.10.28:443" us="302" ut="0.024" ul="0" cs=-
(IP redacted) - - [13/Oct/2019:13:30:30 -0700] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.091 ua="10.10.10.28:443" us="302" ut="0.092" ul="0" cs=-
(IP redacted) - - [13/Oct/2019:13:30:30 -0700] "GET /login HTTP/1.1" 200 3351 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.031 ua="10.10.10.28:443" us="200" ut="0.028" ul="10921" cs=-
(IP redacted) - - [13/Oct/2019:13:30:30 -0700] "GET /apps/theming/styles?v=0 HTTP/1.1" 200 957 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.020 ua="10.10.10.28:443" us="200" ut="0.020" ul="957" cs=-
(IP redacted) - - [13/Oct/2019:13:30:30 -0700] "GET /svg/core/logo/logo?color=fff&v=1 HTTP/1.1" 200 321 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.021 ua="10.10.10.28:443" us="200" ut="0.020" ul="321" cs=-
(IP redacted) - - [13/Oct/2019:13:30:32 -0700] "GET /login HTTP/1.1" 200 3348 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.029 ua="10.10.10.28:443" us="200" ut="0.032" ul="10921" cs=-
(IP redacted) - - [13/Oct/2019:13:30:33 -0700] "GET /apps/theming/styles?v=0 HTTP/1.1" 200 957 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.018 ua="10.10.10.28:443" us="200" ut="0.016" ul="957" cs=-
(IP redacted) - - [13/Oct/2019:13:30:33 -0700] "GET /svg/core/logo/logo?color=fff&v=1 HTTP/1.1" 200 321 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.020 ua="10.10.10.28:443" us="200" ut="0.020" ul="321" cs=-
(IP redacted) - - [13/Oct/2019:13:30:36 -0700] "GET /login HTTP/1.1" 200 3352 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.033 ua="10.10.10.28:443" us="200" ut="0.032" ul="10921" cs=-
(IP redacted) - - [13/Oct/2019:13:30:36 -0700] "GET /apps/theming/styles?v=0 HTTP/1.1" 200 957 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 Chrome/77.0.3865.90 Safari/537.36" "(IP redacted)" "nextcloud.sysinfo.io" sn="nextcloud.sysinfo.io" rt=0.020 ua="10.10.10.28:443" us="200" ut="0.016" ul="957" cs=-

Hi, guys!
I have Xigmanas (based on FreeBSD, if you’re not aware).
Nextcloud is installed on the host without SSL certificate deployment.
The reverse proxy is made in a Jail. Jail is the native FreeBSD hypervisor, like Docker for Linux. VirtualBox can also be used for the install below.
All CLI commands below are for FreeBSD, but it is no problem to change them for Linux. For example, ‘pkg install’ is equal to ‘apt-get install’. The configuration of nginx is the same for both systems excluding the default nginx installation folder. Check paths after installing and replace paths in the configuration texts.

Replace the following settings below with yours:
allcash.asuscomm.com - DDNS address
192.168.1.4:23456 - standard Nextcloud installation on the host machine
192.168.1.32 - IP assigned to the Jail with nginx-reverse
/usr/local/etc/nginx/nginx.conf - default install path for FreeBSD. Change it to /etc/nginx/nginx.conf, for example, if you use Linux.

#Install acme.sh agent and nginx:
pkg install security/acme.sh nginx mc tmux

Create web-root folders

mkdir -p /mnt/data/www/webroot/
chown -R root:www /mnt/data/www/webroot/
chmod -R 0555 /mnt/data/www

Create a simple web page for “diagnostic” purposes

cat > /mnt/data/www/webroot/index.html
<html>
<head>
<title>Hello</title>
</head>
<body> Hello World! </body>
</html>

CTRL+c

Create folders for the key and certificates. acme.sh will create .well-known folders there.

mkdir -p /usr/local/etc/nginx/ssl/allcash.asuscomm.com/

Create a place to store the certificates so that nginx can read them:

touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer
chmod -R 0555 /usr/local/etc/nginx/ssl

#remove default nginx configuration file
rm /usr/local/etc/nginx/nginx.conf
#create new nginx.conf
cat > /usr/local/etc/nginx/nginx.conf
Copy-paste the text below

#Run server as default FreeBSD web user
user www;
#Documentation says to set this to the number of CPU cores, however unless this is
#a very busy server it's hard to believe that more than 2 threads are necessary
worker_processes 2;

#Defines max number of connections.  Unless this is a busy server a much lower number should suffice
events {
    worker_connections  50;
}

# Nginx log paths (Information only, do not enable these lines)
# Access Log:  /var/log/nginx/access.log
# Error Log:   /var/log/nginx/error.log
# PID:         /var/run/nginx.pid

http {

    server_tokens off;                  #Disable reporting of NGINX info
    server {
        listen 80;
        server_name allcash.asuscomm.com;
        root /mnt/data/www/webroot;
        # Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/data/www/webroot/.well-known/acme-challenge/;
        }
    }
    # add here ssl section
}

CTRL+c

Give appropriate rights
chown www:www /usr/local/etc/nginx/nginx.conf

#Enable Nginx as daemon at jail startup
echo 'nginx_enable="YES"' >> /etc/rc.conf
Start nginx
service nginx restart

#issue real certificate
acme.sh --issue -d allcash.asuscomm.com -w /mnt/data/www/webroot

#install certificate to nginx location
acme.sh --install-cert -d allcash.asuscomm.com \
  --cert-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer \
  --key-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key \
  --fullchain-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer \
  --reloadcmd "service nginx restart"

#create cron job:
crontab -e
a
45 1 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh --reloadcmd "service nginx restart"
press ESC ESC (escape button two times)
:wq!
press [enter] key

#remove default nginx configuration file
rm /usr/local/etc/nginx/nginx.conf
#create new nginx.conf
cat > /usr/local/etc/nginx/nginx.conf
###############copy config below and paste into terminal##################

#Run server as default FreeBSD web user
user www;

#Documentation says to set this to the number of CPU cores, however unless this is
#a very busy server it's hard to believe that more than 2 threads are necessary
worker_processes 2;

#Defines max number of connections.  Unless this is a busy server a much lower number should suffice
events {
    worker_connections  50;
}

# Nginx log paths (Information only, do not enable these lines)
# Access Log:  /var/log/nginx/access.log
# Error Log:   /var/log/nginx/error.log
# PID:         /var/run/nginx.pid

http {

    server_tokens off;                  #Disable reporting of NGINX info
    server {
        listen 80;
        server_name allcash.asuscomm.com;
        root /mnt/data/www/webroot;
        # Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/data/www/webroot/.well-known/acme-challenge/;
        }
    }
    #Define HTTPS reverse proxy on port 443.
    server {
        server_name allcash.asuscomm.com;
        listen 443 ssl;
        access_log off;   #extra
        client_max_body_size 10G; #extra This is needed to allow transferring files with size up to 10 GB. It is relevant when you reach Nextcloud via this proxy. You can set the value that is needed for you.
        ssl_certificate /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer;
        ssl_certificate_key /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ssl_session_cache shared:SSL:10m;
        ssl_trusted_certificate /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer;
        ssl_prefer_server_ciphers on;

        ## Improves TTFB by using a smaller SSL buffer than the nginx default
        ssl_buffer_size 8k;

        ## Enables OCSP stapling
        ssl_stapling on;
        resolver 127.0.0.0 8.8.8.8;
        ssl_stapling_verify on;

        ## Send header to tell the browser to prefer https to http traffic
        add_header Strict-Transport-Security max-age=31536000;
        expires max; #extra

        #Defines a home page
        location / {
            root   /mnt/data/www/webroot;
            index  index.html;
        }
        # extra Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/data/www/webroot/.well-known/acme-challenge/;
        }
        #-------- END SSL config -------##

        # Add rest of your config below like document path and more ##
        # Proxy to the Nextcloud server
        location /Nextcloud {
            proxy_pass         http://192.168.1.4:23456/Nextcloud;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
        # Proxy to Transmission
        location /transmission {
            proxy_pass http://192.168.1.4:9091;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

nginx -t
chown www:www /usr/local/etc/nginx/nginx.conf
service nginx restart

In addition to the post above, let me disclose the requirements for the Nextcloud config.php file when used behind the reverse proxy. The following rows must be added to the file

  'trusted_domains' => 
  array (
    0 => '192.168.1.4:23456',
    1 => 'allcash.asuscomm.com',
  ),

and paste the following at the bottom of the file before );

  'trusted_proxies' => 
  array (
    0 => '192.168.1.32',
    1 => 'localhost',
    2 => 'allcash.asuscomm.com',
  ),

You can also override the route to direct all requests over DDNS and https:// by adding these rows:

  'overwritehost' => 'allcash.asuscomm.com:443',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/Nextcloud',
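As an added illustration (not Nextcloud's own code, and not part of this post), the following Python model shows how a Nextcloud-style `trusted_proxies` check decides which client address to record: only an entry that parses as an IP or CIDR range (here the jail's `192.168.1.32`) can ever match `REMOTE_ADDR`, so the `'localhost'` and `'allcash.asuscomm.com'` entries above are silently never matched, and `X-Forwarded-For` from any other peer is ignored. It assumes the matching rules that Nextcloud documents for `trusted_proxies` (IP addresses and CIDR notation) and constructed sample request data.

```python
"""Model of a trusted_proxies / X-Forwarded-For decision (added example, not
Nextcloud code). The policy it models: believe X-Forwarded-For only when the
direct peer (REMOTE_ADDR) is a listed proxy IP/CIDR; hostnames never match."""
import ipaddress

# Entries as written in the config.php snippet above (constructed copy).
TRUSTED_PROXIES = ['192.168.1.32', 'localhost', 'allcash.asuscomm.com']


def parse_trusted(entries):
    """Split entries into usable networks and entries that can never match."""
    networks, ignored = [], []
    for entry in entries:
        try:
            # strict=False lets '192.168.1.0/24' and bare '192.168.1.32' both work
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            ignored.append(entry)  # hostnames such as 'localhost' land here
    return networks, ignored


def is_trusted_proxy(remote_addr, networks):
    """True only if REMOTE_ADDR is an IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def client_ip(server, trusted_entries=TRUSTED_PROXIES):
    """server mimics PHP's $_SERVER with REMOTE_ADDR and HTTP_X_FORWARDED_FOR.
    Returns the address that brute-force protection and logs should attribute
    the request to."""
    remote = server.get('REMOTE_ADDR', '')
    networks, _ = parse_trusted(trusted_entries)
    if not is_trusted_proxy(remote, networks):
        # Untrusted peer: its X-Forwarded-For could be forged, so ignore it.
        return remote
    for hop in server.get('HTTP_X_FORWARDED_FOR', '').split(','):
        hop = hop.strip().strip('[]')  # tolerate bracketed IPv6 literals
        try:
            return str(ipaddress.ip_address(hop))  # first valid address wins
        except ValueError:
            continue  # skip junk such as 'unknown'
    return remote


if __name__ == '__main__':
    # Constructed requests: via the jail proxy, via a forged direct request,
    # and via loopback (which 'localhost' in the list does NOT cover).
    print(client_ip({'REMOTE_ADDR': '192.168.1.32',
                     'HTTP_X_FORWARDED_FOR': '203.0.113.7'}))   # 203.0.113.7
    print(client_ip({'REMOTE_ADDR': '198.51.100.9',
                     'HTTP_X_FORWARDED_FOR': '203.0.113.7'}))   # 198.51.100.9
    print(client_ip({'REMOTE_ADDR': '127.0.0.1',
                     'HTTP_X_FORWARDED_FOR': '203.0.113.7'}))   # 127.0.0.1
    print(parse_trusted(TRUSTED_PROXIES)[1])  # entries that never match
```

Replacing the ignored entries with the proxy's real address (or a CIDR range) is what makes the forwarded client address, and therefore Nextcloud's login throttling, meaningful.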

My settings are not ideal. Nextcloud still says that my web server does not comply with
«/.well-known/caldav»
«/.well-known/carddav»
but all features except the “federation” connect are working fine. The “Federation” feature refuses sharing attempts due to security reasons. Looks like it “feels” the insecure http:// route on the endpoint server with Nextcloud.

@linucksrox Thank you thank you thank you!!! This is EXACTLY what I needed to get stuff running smoothly behind the nginx reverse proxy.
