No LAN access to Nextcloud, but external access is fine

Hi, I am facing the problem that I am not able to connect to my Nextcloud inside my network. Connecting to my Nextcloud from outside my network works fine…

I am running Nextcloud on a FreeNAS system. My setup is as follows:

  1. I have an nginx reverse proxy which handles all the traffic and takes care of the HTTPS certificate (IP: 192.168.0.9)
  2. Nextcloud is running on apache24 (IP: 192.168.0.10)
  3. On my router I have opened ports 443 and 80 (TCP/UDP)

I am posting my config files so you can help me :smiley:

config.php

<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'overwriteprotocol' => 'https',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => '---',
  'passwordsalt' => '---',
  'secret' => '---',
  'trusted_domains' =>
  array (
    0 => '192.168.0.10',
    1 => 'nextcloud.myserver.com',
  ),
  'trusted_proxies' => ['192.168.0.9'],
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '20.0.12.1',
  'overwrite.cli.url' => '192.168.0.10',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '---',
  'dbpassword' => '---',
  'installed' => true,
  'redis' =>
  array (
    'host' => '/tmp/redis.sock',
    'port' => 0,
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 0,
);

nginx.conf

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Redirect all HTTP traffic to HTTPS
    server {

        listen 80 default_server;
        listen [::]:80;

        return 301 https://$host$request_uri;
    }

    # Import server blocks for all subdomains
    include "vdomains/*.conf";
}

and the vdomain.conf:

server {
        listen 443 ssl http2;

        server_name nextcloud.myserver.com;
        access_log /var/log/nginx/nextcloud.access.log;
        error_log /var/log/nginx/nextcloud.error.log;

        include snippets/myserver.cert.conf;
        include snippets/ssl-params.conf;

        location / {
                include snippets/proxy-params.conf;
                proxy_pass http://192.168.0.10;
        }
        location /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
        }
        location /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
        }
}


Thanks in advance for any help you can provide. If you need any further information or clarification, just let me know :slight_smile:

To make my point clear:
I am also not able to access my server from the LAN when trying:

  • 192.168.0.10 → ERR_CONNECTION_REFUSED
  • nextcloud.blendl.info → ERR_CONNECTION_TIMED_OUT

I already found out that my router is probably the problem, but at least access via 192.168.0.10 should be possible … :face_with_head_bandage:

Most likely you are hitting several different problems.

  • Access to HTTPS sites via IP always results in a certificate error (the IP is never part of the TLS cert)
  • your reverse proxy might not accept connections to the direct IP (because it only listens on a specific domain name)
  • accessing the public FQDN from the local network might fail because of your router's rebind protection

Maybe you find these threads useful

Thank you very much for your reply!

Unfortunately I am not able to figure out how I can establish the internal connection via IP again.
Can you point me in a direction or something? :slight_smile:

Take a look at

https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=reverse%20proxy

For me the config setting

makes no sense: it rewrites all internal URLs/links to the local IP, which is definitely wrong for both the internet and the internal setup, as all resources are defined as https://192.168.0.10/xyz and subsequently fail

  1. internally, as you can't access .10 with https
  2. from the internet, as you can't access 192.168.x.x from the internet

I would suggest you configure your system to run with https and the public DNS name by changing the overwrite.cli.url parameter. If this works you can easily access your system locally by adding a local DNS record or editing the hosts file.

Thank you very much for your answer! Thanks to your help I am again able to access my Nextcloud via LAN.
Besides deleting the overwrite.cli.url statement I also had to delete the 'overwriteprotocol' => 'https' statement, so that my cloud accepts http again.
I accept this for now, as this is only a workaround until my FritzBox is delivered, where I will be able to circumvent rebind protection.
Thank you very much :slight_smile:

(Or also: Thank you very much for your help!!!)


You can look at NAT loopback and hairpinning. Perhaps your new FritzBox can solve your problem.

Please also then use only your worldwide address https://nextcloud.blendl.info in the LAN and not your internal IP. With this configuration/worldwide address you can, e.g., not only use correct certificates; you can also use your Nextcloud clients (Windows, macOS, Linux, Android, iOS) in your LAN and from the internet without modifying the configuration or a second profile.


With 'overwriteprotocol' not set to 'https', don't you then suffer from a problem whereby users cannot change their passwords?

I'm working with a setup where the public address is through a tunnel that takes care of the HTTPS security certs etc., and initially I could also access it over the local LAN with http. But, in order to solve the password issue when users connect over the public tunnel, I enabled overwriteprotocol => https, which disables access over the local LAN.

Seems like a catch-22.
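To make the behaviour discussed in the two posts above (the overwrite.cli.url/overwriteprotocol advice and the "catch-22" of https-only overwrite blocking plain-http LAN access) concrete, here is an added example that is not part of the original thread and not Nextcloud's own code. It is a small Python model of the documented semantics of trusted_proxies, overwriteprotocol, overwritehost and overwritecondaddr (the regex on the client address that limits when the overwrite settings apply), and of the trusted_domains check. The LAN client address 192.168.0.50 and the FIXED_CFG using overwritecondaddr are assumptions for the demonstration; the proxy and Nextcloud addresses come from the thread. Wildcard trusted_domains entries and the real Request class's full header handling are deliberately omitted.

```python
"""Model of how Nextcloud chooses the scheme and host for the URLs it generates behind
a reverse proxy. Simplified re-implementation of the documented semantics of
trusted_proxies, overwriteprotocol, overwritehost and overwritecondaddr; this is a
constructed example, not Nextcloud's own code."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str                 # TCP peer Apache sees: the proxy, or a LAN client bypassing it
    host: str                        # Host header the client sent (or the proxy passed on)
    tls: bool = False                # was the hop that reached Apache itself TLS?
    headers: dict = field(default_factory=dict)   # lower-cased X-Forwarded-* headers


def is_trusted_proxy(cfg: dict, remote_addr: str) -> bool:
    """True when the peer is listed in trusted_proxies (single IPs or CIDR ranges)."""
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in ipaddress.ip_network(entry, strict=False)
               for entry in cfg.get("trusted_proxies", []))


def overwrite_applies(cfg: dict, remote_addr: str) -> bool:
    """overwrite* settings apply to every request unless overwritecondaddr (a regex on
    REMOTE_ADDR) is set, in which case only matching peers get the overwritten values."""
    cond = cfg.get("overwritecondaddr", "")
    return cond == "" or re.search(cond, remote_addr) is not None


def server_protocol(cfg: dict, req: Request) -> str:
    if cfg.get("overwriteprotocol") and overwrite_applies(cfg, req.remote_addr):
        return cfg["overwriteprotocol"]
    # X-Forwarded-Proto is only believed when it arrives from a trusted proxy; a LAN
    # client talking to Apache directly can set the header, but it is ignored.
    if is_trusted_proxy(cfg, req.remote_addr):
        proto = req.headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            return proto
    return "https" if req.tls else "http"


def server_host(cfg: dict, req: Request) -> str:
    if cfg.get("overwritehost") and overwrite_applies(cfg, req.remote_addr):
        return cfg["overwritehost"]
    if is_trusted_proxy(cfg, req.remote_addr) and req.headers.get("x-forwarded-host"):
        return req.headers["x-forwarded-host"].split(",")[0].strip()
    return req.host


def resolve(cfg: dict, req: Request) -> dict:
    """Base URL Nextcloud would put into links and redirects, plus whether the resolved
    host passes the trusted_domains allow-list (wildcards not modelled)."""
    host = server_host(cfg, req)
    return {
        "base_url": f"{server_protocol(cfg, req)}://{host}",
        "trusted_domain": host.split(":")[0] in cfg.get("trusted_domains", []),
    }


# The poster's original settings, reduced to the keys that matter (secrets omitted).
ORIGINAL_CFG = {
    "trusted_domains": ["192.168.0.10", "nextcloud.myserver.com"],
    "trusted_proxies": ["192.168.0.9"],
    "overwriteprotocol": "https",
}
# Assumed fix: limit the https overwrite to requests arriving from the proxy, so a
# direct plain-http LAN request keeps http links instead of being sent to https://.10.
FIXED_CFG = dict(ORIGINAL_CFG, overwritecondaddr=r"^192\.168\.0\.9$")

PROXY_IP = "192.168.0.9"
LAN_CLIENT = "192.168.0.50"     # constructed LAN client address, not from the thread

# WAN user through nginx: TLS terminated at the proxy, forwarded as plain http.
VIA_PROXY = Request(PROXY_IP, "nextcloud.myserver.com", tls=False, headers={
    "x-forwarded-proto": "https", "x-forwarded-host": "nextcloud.myserver.com"})
# LAN user typing http://192.168.0.10 into the browser, bypassing nginx entirely.
DIRECT_LAN = Request(LAN_CLIENT, "192.168.0.10")
# LAN user forging the proxy header while still bypassing the proxy.
SPOOFED_LAN = Request(LAN_CLIENT, "192.168.0.10", headers={"x-forwarded-proto": "https"})


def scenario_table(cfg: dict) -> dict:
    """Base URL per scenario for one config."""
    return {name: resolve(cfg, req)["base_url"] for name, req in
            (("via_proxy", VIA_PROXY), ("direct_lan", DIRECT_LAN), ("spoofed_lan", SPOOFED_LAN))}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(label, scenario_table(cfg))
```

With ORIGINAL_CFG the direct LAN request resolves to https://192.168.0.10, which is exactly why the browser ends up on a port Apache does not serve; with FIXED_CFG the proxied request still gets https://nextcloud.myserver.com while the direct LAN request stays on http, and the forged X-Forwarded-Proto from an untrusted peer changes nothing. Whether that is preferable to the thread's recommended approach (public name everywhere plus a local DNS record or hairpin NAT) is a deployment choice; the model only shows what each setting does.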