Reverse Proxy/overridehost Problems

I am running Nextcloud in a Docker container and I am using my Apache server for SSL termination and proxying to the Docker container.

The proxy is working for most pages and resources, but there are some resources that aren’t being proxied correctly. I tried adding overridehost and overrideprotocol to config.php and that seems to fix the proxy issues, but then it takes pages ~45 seconds to load.

Does anyone have any suggestions to fix the performance issues when using overridehost? Below is my proxy configuration; any suggestions to fix this on the Apache side would be appreciated as well.

<VirtualHost *:443>
ServerName nextcloud.

SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

SSLCertificateFile /cert.pem
SSLCertificateKeyFile /privkey.pem
SSLCertificateChainFile /chain.pem

RewriteEngine on
RequestHeader unset referer
RequestHeader unset origin

RequestHeader set X-Forwarded-For "nextcloud."
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

ProxyHTMLEnable On
ProxyHTMLExtended On
SetOutputFilter INFLATE;proxy-html;DEFLATE
ProxyHTMLInterp On

RewriteCond %{REQUEST_URI} !^/error/.*
RewriteRule ^/.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

ProxyPass / http://nextcloud.:8090/
ProxyPassReverse / http://nextcloud.:8090/
</VirtualHost>

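A check over the proxy directives in the configuration above, as an added example that is not part of the original post. The `audit` function and its finding names are hypothetical; the directives are copied from the post with its quotes normalised.

```python
import ipaddress

# Proxy directives copied from the VirtualHost posted above (quotes normalised).
POSTED = """
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
RequestHeader set X-Forwarded-For "nextcloud."
ProxyPass / http://nextcloud.:8090/
ProxyPassReverse / http://nextcloud.:8090/
"""

# Settings that switch off a check on the backend's TLS certificate.
PEER_CHECKS = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
               "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def is_static_non_ip(value):
    """True for a literal header value that is not an IP address."""
    if value.startswith(("%", "expr=")):      # computed per request
        return False
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return True

def audit(conf):
    """Return sorted finding names (hypothetical labels) for a config snippet."""
    findings, preserve_host, proxied = set(), False, False
    for raw in conf.splitlines():
        words = [w.strip('"“”') for w in raw.split()]
        if not words or words[0].startswith("#"):
            continue
        name, args = words[0].lower(), [a.lower() for a in words[1:]]
        if name in PEER_CHECKS and args[:1] == [PEER_CHECKS[name]]:
            findings.add("backend-cert-check-disabled")
        elif name == "requestheader" and args[:2] == ["set", "x-forwarded-for"]:
            if is_static_non_ip(args[2] if len(args) > 2 else ""):
                findings.add("x-forwarded-for-not-an-address")
        elif name == "proxypreservehost" and args[:1] == ["on"]:
            preserve_host = True
        elif name == "proxypass" and len(args) > 1:
            proxied = True
            if args[1].startswith("http://"):
                findings.add("cleartext-backend")
    if proxied and not preserve_host:
        findings.add("backend-sees-proxypass-host")
    return sorted(findings)
```

mod_proxy already appends the client address to `X-Forwarded-For` on proxied requests, so the header does not need to be set by hand.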

Tried a fresh install of 20.0.4, but same problem.

It looks like something is calling a 45 second SLEEP SQL command.

Results from mysql SHOW FULL PROCESSLIST:

Id      User    Host    db      Command Time    State   Info    Progress
604     nc_user localhost       nextcloud       Sleep   43              NULL    0.000
613     root    localhost       nextcloud       Query   0       NULL    show full processlist   0.000

I had a lot of trouble setting up the proxy with Nextcloud…

Finally I got it working with this config:

Proxy:
WAN: https://cloud.domain.com/
LAN: 192.168.1.61

<VirtualHost *:80>
  DocumentRoot /var/www
  ServerName cloud.domain.com

  ## Redirect HTTP -> HTTPS
  RewriteEngine On
  RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]
</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cloud.domain.com
    DocumentRoot /var/www
    CustomLog /var/log/apache2/cloud-access.log combined
    ErrorLog /var/log/apache2/cloud-error.log
    
# Proxy to VM 192.168.1.63
     
    ProxyPreserveHost On
    ProxyPass /          http://192.168.1.63/
    ProxyPassReverse /   http://192.168.1.63/
    
    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

# Required for Nextcloud
    <IfModule mod_dav.c>
        Dav off
    </IfModule>

# Security improvements
    Protocols h2 http/1.1
    SSLEngine on
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>
# Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    SSLCipherSuite HIGH:AES128-SHA:!aNULL:!MD5
    SSLHonorCipherOrder on
# Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.
    <Files ".ht*">
        Require all denied
    </Files>
# Disable HTTP TRACE method.
    TraceEnable off
# Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]
# Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout body=0
    </IfModule>



SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Virtual machine behind proxy:
LAN: http://192.168.1.63/

<VirtualHost *:80>
	ServerName 192.168.1.63
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/nextcloud/
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	

	<Directory /var/www/nextcloud/>
	  Require all granted
	  AllowOverride All
	  Options FollowSymLinks MultiViews
	</Directory>
	
	<IfModule mod_dav.c>
      Dav off
	</IfModule>
	
	SetEnv HOME /var/www/nextcloud/
	SetEnv HTTP_HOME /var/www/nextcloud/
</VirtualHost>

Nextcloud config.php

  'overwrite.cli.url' => 'https://cloud.domain.com/',
  'htaccess.RewriteBase' => '/',
  'overwritehost' => 'cloud.domain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^192.168.1.61$',
  'trusted_proxies' => ['192.168.1.61', '192.168.5.0/24'],
  'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED'],
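A simplified Python model of how the `config.php` values above interact, as an added example that is not Nextcloud's code and not part of the original post. It assumes forwarded headers are honoured only when the connecting address is in `trusted_proxies`, and that `overwritecondaddr` is matched as a regular expression against the connecting address; the function names and sample requests are constructed.

```python
import ipaddress
import re

# Values from the config.php above; dots in overwritecondaddr are escaped here.
CFG = {
    "overwritehost": "cloud.domain.com",
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^192\.168\.1\.61$",
    "trusted_proxies": ["192.168.1.61", "192.168.5.0/24"],
    "forwarded_for_headers": ["HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED"],
}

def is_trusted(addr, cfg=CFG):
    """True when addr is one of, or inside one of, the trusted_proxies entries."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(p, strict=False)
               for p in cfg["trusted_proxies"])

def client_ip(server, cfg=CFG):
    """Address a request is attributed to; this model walks hops right to left."""
    peer = server["REMOTE_ADDR"]
    if not is_trusted(peer, cfg):
        return peer                      # forwarded headers ignored
    for header in cfg["forwarded_for_headers"]:
        for hop in reversed(server.get(header, "").split(",")):
            hop = hop.strip()
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                continue                 # not an address, e.g. a hostname
            if not is_trusted(hop, cfg):
                return hop
    return peer

def base_url(server, cfg=CFG):
    """URL prefix used for generated links: overwritten only for matching peers."""
    if re.search(cfg["overwritecondaddr"], server["REMOTE_ADDR"]):
        return f'{cfg["overwriteprotocol"]}://{cfg["overwritehost"]}'
    scheme = "https" if server.get("HTTPS") == "on" else "http"
    return f'{scheme}://{server["HTTP_HOST"]}'

# Constructed requests: via the proxy, and from a host inside the trusted /24.
VIA_PROXY = {"REMOTE_ADDR": "192.168.1.61", "HTTP_HOST": "cloud.domain.com",
             "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
FROM_SUBNET = {"REMOTE_ADDR": "192.168.5.99", "HTTP_HOST": "192.168.1.63",
               "HTTP_X_FORWARDED_FOR": "198.51.100.9"}
```

`FROM_SUBNET` shows that every address in `192.168.5.0/24` may assert the client address, so `trusted_proxies` is best kept as narrow as the proxy itself.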

Well, I think I finally got the issue resolved. I switched my docker container from running Apache to NGINX and used the NGINX config file provided here:

That seemed to resolve the performance issues when using overwritehost/overwriteprotocol/etc.

The only issue I ran into was that the “All Contacts” link was not working properly, so I added a 301 redirect for https:///apps/contacts to https:///apps/contacts/.

With those changes made I think everything is working now.