No internal access, only from internet - ERR_SSL_PROTOCOL_ERROR

Hi all,
I've finally finished my configuration to access Nextcloud from the internet via Cloudflare Zero Trust.

Now the problem is that if I try to access Nextcloud from inside (192.168.x.x:port) I get ERR_SSL_PROTOCOL_ERROR.

I think the problem started after adding these configuration lines:

'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
'overwriteprotocol' => 'https',

This was necessary because in my app I got “Strict mode, no HTTP connection allowed!”

Any idea?

Thank you

You shouldn’t use the IP address to connect in any case. If hairpin routing doesn’t work for you, set up split-horizon DNS.

That may solve your whole problem.

That error means you have HSTS enabled, but the app tried to connect unsecured (due to proxy confusion usually). But the certificate can’t be validated if you put an IP address in the URL.

Also just a side note… it’s not zero trust if you allow LAN clients any less restrictive access (e.g. allowing unvalidated HTTPS connections to the LAN IP).


How do I disable HSTS?

Also just a side note… it’s not zero trust if you allow LAN clients any less restrictive access (e.g. allowing unvalidated HTTPS connections to the LAN IP).

On my nginx I configured a DNS entry only for the LAN net (so I think I'm already following your split-horizon DNS suggestion).

You should leave HSTS enabled and just use a verifiable certificate and URL. If you really want to disable it (not recommended) then refer to your web server documentation.

I don’t think so. Nginx isn’t a DNS server. Split-horizon DNS means that the same URL points to the LAN IP while on your LAN.

If you use split-horizon DNS then there would be no need to use https://192.168.x.x. It will resolve the HTTPS validation error because the URL will still match the name on the certificate.

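A way to check the split-horizon setup described above, as an added example (not code from the thread, from Nextcloud, or from Cloudflare): the script keeps the two config.php values the OP posted pointing at the certificate's DNS name rather than an IP, asks the local resolver what nextcloud.mydomain.com resolves to (on the LAN it should be the private address), and then connects to that address while validating the certificate against the FQDN, which is exactly what a browser does once split-horizon DNS is in place. The hostname nextcloud.mydomain.com comes from the thread; the LAN and public addresses used for illustration are constructed.

```python
"""Split-horizon DNS / certificate sanity check for a Nextcloud reached through a
reverse proxy. Added example; assumes the public FQDN from the thread and that the
LAN copy of the name resolves to an RFC 1918 address (192.168.x.x in the thread)."""
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

FQDN = "nextcloud.mydomain.com"  # name from the thread; must match the certificate


def config_url_ok(overwrite_cli_url: str, overwriteprotocol: str) -> tuple[bool, str]:
    """Check the two config.php values from the thread: the URL scheme must agree
    with overwriteprotocol, be https (HSTS is enforced), and use a DNS name, because
    a certificate is issued for a name and never validates against a bare IP."""
    parsed = urlparse(overwrite_cli_url)
    if parsed.scheme != overwriteprotocol:
        return False, "overwrite.cli.url scheme does not match overwriteprotocol"
    if parsed.scheme != "https":
        return False, "overwriteprotocol must be https when HSTS is enforced"
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True, "ok"  # a DNS name, which is what we want
    return False, "overwrite.cli.url uses an IP literal; use the certificate's DNS name"


def classify_resolution(addresses: list[str]) -> str:
    """'lan' when every answer is a private address (split horizon is in effect),
    'wan' when none is, 'mixed' when the resolver returns both, 'none' when empty."""
    if not addresses:
        return "none"
    private = [ipaddress.ip_address(a).is_private for a in addresses]
    if all(private):
        return "lan"
    if not any(private):
        return "wan"
    return "mixed"


def resolve(hostname: str) -> list[str]:
    """Ask the system resolver. On the LAN, split-horizon DNS should hand back the
    LAN IP for the same name the internet sees."""
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tls_name_matches(hostname: str, ip: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect to the resolved IP but validate the certificate against hostname
    (SNI plus hostname check). True means the LAN path presents a certificate that
    really carries the FQDN; False reproduces the browser's validation failure."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    ok, why = config_url_ok("https://nextcloud.mydomain.com", "https")
    print("config.php overwrite values:", why)
    addrs = resolve(FQDN)
    print(FQDN, "resolves to", addrs, "->", classify_resolution(addrs))
    for addr in addrs:
        print(addr, "certificate valid for", FQDN + ":", tls_name_matches(FQDN, addr))
```

Run it once from the LAN and once from outside: inside, the name should classify as "lan" and the TLS check should pass against the LAN address; outside it should classify as "wan". If the LAN result is "wan", the internal resolver is not overriding the name yet (that is the split-horizon entry that belongs in the LAN DNS server, not in nginx).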