OPNsense, nginx and Nextcloud

Hello,

I’d like to ask for some assistance in this matter please.

Nextcloud is installed on Ubuntu server 20.10. Deployed with the server itself, via snap. Version 20.0.7.
OPNsense is installed on a hardware device and is connected directly to internet.
I use Cloudflare as DNS.

So I tried setting it up:
Configured Nextcloud to accept HTTP at port 7444, HTTPS at port 7443, self-signed cert. Connect via HTTPS, confirm cert error, → OK
Also tested port forwarding → OK
Then I entered into the config.php file:

  'trusted_domains' =>
  array (
    0 => '192.168.110.6',
    1 => 'nextcloud.domain.com',
  ),
...
  'trusted_proxies' => array('192.168.110.254'),

.6 is the nextcloud server, .254 is the firewall (it’s actually a VLAN).

I also set up Cloudflare DNS to point nextcloud.domain.com to my WAN IP.
I also have a second entry in DNS, call it firewall.domain.com, which is the FQDN of the OPNsense.

And then on with the OPNsense setup (this is just for possible reference, I am aware this is not an OPNsense forum):

Added upstream server: 192.168.110.6, 7443, 1
Configured Upstream: server entry = the above entry, weighted round robin, enable TLS unchecked, uncheck TLS: verify certificate (self-signed on NC)
Location: URL pattern /, match type none, URL rewriting nothing selected. Rest is default, upstream servers: previous step.
HTTP Server:
HTTP Port empty
HTTPS Port 7443
Server Name: nextcloud.domain.com
Locations: previous step
URL Rewriting Nothing selected
TLS Certificate: my *.domain.com wildcard certificate.
Rest is default afaik.

And now, if I try to access: https://nxtcld.domain.com:7443/

Nothing. Zip. Nada.
It’s not the firewall, ports are open.
Nothing in the log of nginx.

However, here’s the gist:
If I attempt to access the FQDN of the firewall (firewall.domain.com), I get "untrusted domain", so apparently there is an answer from the Nextcloud at port 7443. This makes sense, since it’s not trusted.
But: why does it answer at firewall.domain.com and not at nextcloud.domain.com? Basically, as soon as I enter the domain under trusted_domains, no connection is possible.

Also discovered another thing: if I then enter firewall.domain.com into trusted_domains, I get no answer any more via that FQDN. Vice versa too: if I remove nextcloud.domain.com from trusted_domains, I get the "untrusted domain" message.

So, I am really not sure who’s at fault here. Is it wrong nextcloud config or is it OPNsense/nginx?

Can someone help a little please?

Thank you!!

Looks a bit like the nginx vhosts are not properly separated and the Nextcloud one is responding for the firewall address as well. In the first example here, you handle two domains separately:
https://www.nginx.com/resources/wiki/start/topics/examples/server_blocks/

Yours looks a bit more like the catchall case. I hope you get the idea, I know the example is a bit simplistic and doesn’t deal with SSL.
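The following is an added example (not from the thread, not the OPNsense plugin's generated config) of what the reply is describing: two TLS server blocks on port 7443 that are matched by server_name, plus a default_server that refuses anything else, so the Nextcloud vhost no longer answers for the firewall's name. It also passes the X-Forwarded-* headers that the original poster's `trusted_proxies` entry (192.168.110.254) relies on. Certificate paths, the upstream name, and the OPNsense GUI address in the firewall vhost are assumptions.

```nginx
# Added example: hand-written nginx config, not the OPNsense plugin output.
# Hostnames match the thread; certificate paths and backend addresses are assumed.

upstream nextcloud_backend {
    # Nextcloud's HTTPS listener (self-signed certificate), as in the thread.
    server 192.168.110.6:7443;
}

# Catch-all for any request whose SNI/Host does not match a vhost below.
# Without this, nginx picks the first server block on the port as the
# implicit default, which is why the Nextcloud vhost answered for
# firewall.domain.com. 444 closes the connection without a response.
server {
    listen 7443 ssl default_server;
    server_name _;
    ssl_certificate     /usr/local/etc/ssl/wildcard.domain.com.crt;  # assumed path
    ssl_certificate_key /usr/local/etc/ssl/wildcard.domain.com.key;  # assumed path
    return 444;
}

# Nextcloud vhost: only requests for this exact name reach the backend.
server {
    listen 7443 ssl;
    server_name nextcloud.domain.com;
    ssl_certificate     /usr/local/etc/ssl/wildcard.domain.com.crt;
    ssl_certificate_key /usr/local/etc/ssl/wildcard.domain.com.key;

    location / {
        proxy_pass https://nextcloud_backend;
        # Backend uses a self-signed cert (thread: "TLS: verify certificate" unchecked).
        proxy_ssl_verify off;

        # Nextcloud checks the Host header against trusted_domains, so it must
        # be forwarded unchanged; the X-Forwarded-* values are only honoured
        # because the proxy's source address is listed in trusted_proxies.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
    }
}

# Separate vhost for the firewall's own name. Exposing the OPNsense GUI
# on the WAN is not something to do lightly, so this one is restricted
# to the internal VLAN; the GUI address is an assumption.
server {
    listen 7443 ssl;
    server_name firewall.domain.com;
    ssl_certificate     /usr/local/etc/ssl/wildcard.domain.com.crt;
    ssl_certificate_key /usr/local/etc/ssl/wildcard.domain.com.key;

    allow 192.168.110.0/24;   # assumed internal VLAN
    deny  all;

    location / {
        proxy_pass https://127.0.0.1:443;   # assumed OPNsense web GUI listener
        proxy_ssl_verify off;
        proxy_set_header Host $host;
    }
}
```

Check the result with `nginx -t`, then from outside with `curl -vk --resolve nextcloud.domain.com:7443:<WAN IP> https://nextcloud.domain.com:7443/` and the same command with `firewall.domain.com`: the first should return Nextcloud's login page, the second should be refused (connection closed or 403), and neither should produce Nextcloud's "untrusted domain" page. Because Nextcloud is reached on a non-standard port through a proxy, its config.php normally also needs `overwritehost`, `overwriteprotocol` and `overwrite.cli.url` set to the public URL so that generated links point at the proxy rather than at 192.168.110.6.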

Thank you. That was the right way. I ended up reinstalling everything and then moving to a custom port. Also changed to haproxy.
I learned a lot in the last 4 hours…