Please help me convert my nextcloud vm running on nginx to reverse proxy for multiple destinations

Hi,
I’d like to convert my nextcloud instance running on nginx into a reverse proxy. Atm I have it set up with a certificate from letsencrypt, scoring A+ in the security test and I’m generally very happy with it. I’d like to extend the functionality into making it also a reverse proxy, preferably keeping the existing certificate and using [existing nextcloud address]/whatever (but I don’t mind setting certbot for multiple hosts either).

This is my current nginx *.conf managing nextcloud:
(disclaimer: I’ve set this up by blindly following a tutorial from a now-defunct blog, which also summarises the extent of most of my linux “experience”):

server {
    server_name stats;
    listen 9753 default_server;
    listen [::]:9753 default_server;
    location /nginx-status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name redacted;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    root /var/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    #SOCIAL app enabled? Please uncomment the following row
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    #WEBFINGER app enabled? Please uncomment the following two rows.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
    client_max_body_size 10240M;
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ^~ /apps/rainloop/app/data {
        deny all;
    }
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 100M;
        mp4_max_buffer_size 1024M;
        fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        include php_optimization.conf;
    }
    location ~ ^/(?:updater|oc[ms]-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
        expires 30d;
    }
}

I subscribe to noip.com so I can make multiple *.ddns.net addresses. I use [my nextcloud].ddns.net to access the nextcloud instance.

I was able to reverse proxy [different hostname].ddns.net to a local machine different than the nextcloud instance by adding this block at the top of the file and restarting nginx:

server {
    listen 443 ssl;
    server_name [different hostname].ddns.net;
    location / {
        proxy_pass http://[different local machine].lan/;
    }
}

This works with the caveat that when accessing [different hostname].ddns.net it complains the certificate is invalid, as it was issued for [my nextcloud].ddns.net. Not great, not terrible. Which is why I wanted to use “[my nextcloud].ddns.net/something” to do the same, hoping it would not necessitate a new certificate for each machine I’d add to the reverse proxy setup.

So I added this above the acme-challenge location block:

location /whatever {
    proxy_pass http://[different local machine].lan;
}

And no dice. Accessing “[my nextcloud].ddns.net/whatever” keeps loading [my nextcloud].ddns.net/apps/files/?dir=/&fileid=6 regardless of where I paste it. This is also consequently the point where I’m getting in way above my head. I tried reading nginx documentation, but it’s all too much for me. I suspect the rewrite directive causes this, but I do not really understand the syntax enough to make it do what I want.

Any help appreciated!

For what it’s worth, if anybody is as hopeless as I am and has this exact same problem, I managed to discover a solution on another forum. 1 freaking line, that was it. proxy_set_header Referer $http_referer; What does it do? How should I know? It makes my stuff work as I want though and that’s all I care about.

So the full working location block looks like:

location ~ /something {
         proxy_pass http://somehost.lan:someport;
         proxy_set_header Referer $http_referer;
         proxy_set_header X-Real-IP  $remote_addr;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header Host $host;
}

discussion that led me to the “discovery” : https://unix.stackexchange.com/questions/290141/nginx-reverse-proxy-redirection Bottom post, 1st comment.
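
An added example, not part of the original posts: the sub-path proxy block from this thread written as an anchored prefix location, next to the regex form as posted, with comments on what each one matches. It assumes the block goes inside the existing `listen 443 ssl` Nextcloud server block; `/something/`, `somehost.lan` and port `8080` are placeholders.

```nginx
# Form posted above, kept for comparison (commented out):
#   location ~ /something { ... }
# "~" makes this an unanchored regular expression. It matches ANY URI that
# contains "/something" (for example /apps/something-else), not only URIs
# that start with it. nginx tests regex locations in file order and the
# first match wins over plain prefix locations such as "location /", so
# unrelated Nextcloud URIs can end up forwarded to the internal host.

# Anchored alternative: a prefix location with "^~".
# Only URIs beginning with /something/ are selected, and "^~" tells nginx
# not to consult the regex locations (the PHP and static-file blocks)
# once this prefix is the longest match.
location ^~ /something/ {
    # No URI part after host:port, so the request path is passed to the
    # backend unchanged (it receives /something/...). The backend must be
    # able to serve under that prefix; absolute links or redirects it
    # emits to "/" resolve to Nextcloud on this hostname.
    proxy_pass http://somehost.lan:8080;

    # Public hostname as seen by the client, instead of the default
    # $proxy_host (somehost.lan:8080).
    proxy_set_header Host $host;

    # Address of the directly connected client. Assigning $remote_addr
    # replaces any X-Forwarded-For value the client sent, so the backend
    # cannot be fed a spoofed address through this header.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;

    # Tells the backend the client connection was HTTPS even though the
    # proxied hop is plain HTTP.
    proxy_set_header X-Forwarded-Proto $scheme;

    # Other request headers, Referer included, are passed to the backend
    # as received unless a proxy_set_header line overrides them.
}
```

Running `nginx -t` before reloading checks the syntax of the edited file; requests to a Nextcloud URL that merely contains the word should then still be answered by Nextcloud.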