hi,
I have a separate VM with nginx acting as a reverse proxy (10.0.1.204). All other reverse proxies work fine, but Nextcloud doesn't work at all, and I am desperate already.
Nextcloud has IP 10.0.1.163.
https://cloxxx.duckdns.org from the internal network:
When I execute this from outside of the local network:
[xp@localhost ~]$ curl -kv https://cloxx.duckdns.org/
*   Trying xx217.96:443...
* Connected to cloxx.duckdns.org (xxx217.96) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=cloxx.duckdns.org
*  start date: Aug  4 23:47:37 2022 GMT
*  expire date: Nov  2 23:47:36 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: cloxx.duckdns.org
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 05 Aug 2022 16:08:37 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://cloxxx.duckdns.org/
< Strict-Transport-Security: max-age=15768000;includeSubDomains
<
* Connection #0 to host cloxxx.duckdns.org left intact
config.php
On the Nextcloud VM, when I execute:
root@nextcloud:/usr/local/www/nextcloud/config # host 10.0.1.204
204.1.0.10.in-addr.arpa domain name pointer reverz-proxy.lan.
When I try to open the Nextcloud page https://cloxx…/ this is what I get in the reverse proxy log:
10.0.1.138 - - [05/Aug/2022:16:14:04 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0"
nginx reverse proxy:
server {
    # root /var/www/cloxxx.duckdns.org/html;
    # index index.html index.htm index.nginx-debian.html;
    server_name cloxxx.duckdns.org;

    # location / {
    #     try_files $uri $uri/ =404;
    # }

    add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";
    access_log /var/log/nginx/cloxxx.duckdns.org.access.log;
    error_log  /var/log/nginx/cloxxx.duckdns.org.error.log;

    # listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloxxx.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloxxx.duckdns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://10.0.1.163/;
        proxy_buffering off;
        proxy_request_buffering off;
        # proxy_set_header X-Real-IP $remote_addr;
        # Enable HSTS (HTTP Strict Transport Security)
        # add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # add_header Front-End-Https on;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;
        # proxy_redirect off;
        proxy_max_temp_file_size 0;
    }
}
Nextcloud was installed with that script:
https://github.com/danb35/freenas-iocage-nextcloud
and this directive was enabled as described:
HTTP Strict Transport Security
When you log into your Nextcloud instance as administrator, you may see a configuration warning that HSTS is not enabled. This is intentional. HSTS is a useful security measure, but it can also lock you out of your site if certificate renewal isn't working properly. I recommend you let the system obtain its initial trusted cert, and then renew at least once, before enabling HSTS, to ensure that automatic renewal works as intended. Ordinarily this will take about 60 days. To enable HSTS, follow these steps:
- iocage console nextcloud
- nano /usr/local/www/Caddyfile
- Uncomment (remove the #) from the line that begins with Strict-Transport-Security
- Save the edited file and exit nano.
- service caddy reload
When I changed
proxy_pass http://10.0.1.163
to
proxy_pass http://10.0.1.163:443
I got this response in the browser:
Client sent an HTTP request to an HTTPS server.
Any idea here?
Thanks!
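As an added example (not from the original post or the linked project), here is a small Python check for the two symptoms shown above: the access-log burst of 308s from a single client, and a Location header that points straight back at the URL just requested. The log lines are constructed to match the quoted nginx log format; thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# nginx combined log format, as in the reverse-proxy access log quoted above.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (client, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("client"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_redirect_loops(lines, threshold=5, window_seconds=2):
    """Keys (client, method, path, status) with >= threshold 3xx answers in window_seconds -> burst size."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, ts, method, path, status = rec
        if 300 <= status < 400:  # one redirect is normal; a tight burst means a loop
            stamps_by_key[(client, method, path, status)].append(ts)
    loops = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            burst = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            if burst >= threshold:
                loops[key] = burst
                break
    return loops

def redirects_to_self(request_url, location):
    """True when Location points back at the URL just requested (same scheme, host and
    path), which is what the curl transcript above shows: the client can never make progress."""
    a, b = urlsplit(request_url), urlsplit(location)
    return (a.scheme, a.netloc.lower(), a.path or "/") == (b.scheme, b.netloc.lower(), b.path or "/")

# Constructed sample: a burst of 308s from one browser, plus a 200 and a lone 301 that must not be flagged.
SAMPLE_LOG = (
    ['10.0.1.138 - - [05/Aug/2022:16:14:04 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0"']
    + ['10.0.1.138 - - [05/Aug/2022:16:14:05 +0000] "GET / HTTP/1.1" 308 0 "-" "Mozilla/5.0"'] * 6
    + ['10.0.1.50 - - [05/Aug/2022:16:14:05 +0000] "GET /status.php HTTP/1.1" 200 131 "-" "curl/7.74.0"',
       '10.0.1.50 - - [05/Aug/2022:16:20:00 +0000] "GET /old HTTP/1.1" 301 0 "-" "curl/7.74.0"']
)
```

Run `find_redirect_loops(SAMPLE_LOG)` against the real access log to confirm the loop, and `redirects_to_self` on the request URL and the Location header from the curl output.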