Reverse proxy for Nextcloud

I have a Nextcloud server that is running under http://192.168.1.118 with nginx, and an Apache reverse proxy with the IP 192.168.1.100 that is reachable under https://cloud.xxx.ch, but it isn’t working.

My vhost for the reverse proxy:


<VirtualHost *:443>
  ServerName cloud.xxx.ch
  ProxyPreserveHost On
  ProxyPass /.well-known !
  ProxyPass / http://nas
  ProxyPassReverse / http://nas

  Include /etc/letsencrypt/options-ssl-apache.conf

  RewriteEngine On
  RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  </IfModule>
  SSLCertificateFile /etc/letsencrypt/live/cloud.xxx.ch/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/cloud.xxx.ch/privkey.pem
</VirtualHost>

<VirtualHost *:80> 
  ProxyPreserveHost On
  ProxyRequests Off
  ServerName cloud.xxx.ch
  ServerAlias cloud.xxx.ch
  ProxyPass / "http://nas/"
  ProxyPassReverse / "http://nas/"
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =cloud.xxx.ch
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

My config


<?php
$CONFIG = array (
  'trusted_proxies'   => ['192.168.1.100'],
  'overwritehost'     => 'cloud.xxx.ch',
  'overwriteprotocol' => 'http',
  'overwritewebroot'  => '/',
  'overwritecondaddr' => '^192\.168\.1\.100$',
  'datadirectory' => '/home/data/nextcloud',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/share/webapps/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.XXX.ch',
    2 => '192.168.1.118',
    3 => 'nas',
    4 => '192.168.1.100',
  ),
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'http://nas',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin2',
  'dbpassword' => 'XXX',
  'installed' => true,
  'instanceid' => 'XXX',
);

I got the following error:

On nextcloud.joelmueller.ch (nginx server):

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: DNS lookup failure for: naslogin

Additionally, a 502 Bad Gateway error was encountered while trying to use an ErrorDocument to handle the request.

On cloud.xxx.ch (Apache reverse proxy):

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at mail@joelmueller.ch to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

How can I fix it?

I really need help! Please, someone?

Hi @Morta ,

Do you run the reverse proxy and the Nextcloud server on the same machine?

Do you use other web servers?

Personal note: you should edit the post and edit all personal information out of it.

I changed from nginx to Apache on the root machine, and I have a server with an Apache reverse proxy because the SSL cert isn’t accessible without a direct internet connection.

I commented out the important things. Thanks.

I changed to the following config with two Apache servers: one as the Nextcloud instance and one as the reverse proxy on the server.

<?php
$CONFIG = array (
  'trusted_proxies'   => ['192.168.1.100', '192.168.1.0/24'],
  'overwritehost'     => 'cloud.joelmueller.ch',
  'overwriteprotocol' => 'http',
  'overwritewebroot'  => '/',
  'overwritecondaddr' => '^192\.168\.1\.100$',
  'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED'],
  'loglevel' => 2,
  'log_rotate_size' => 3145728,
  'datadirectory' => '/home/data/nextcloud',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/share/webapps/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/wapps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'XXX',
  'secret' => 'XXXI',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.joelmueller.ch',
    2 => '85.195.234.234',
    3 => '192.168.1.1',
    4 => '192.168.1.0/24',
    5 => '192.168.1.106',
  ),
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'http://cloud.joelmueller.ch',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin2',
  'dbpassword' => 'XXX',
  'installed' => true,
  'instanceid' => 'XXX',
);

Vhost on the Nextcloud instance:

<VirtualHost *:80>
  DocumentRoot /usr/share/webapps/nextcloud
  ServerName 192.168.1.118
  ServerAdmin mail@joelmueller.ch
  DirectoryIndex index.php index.html
  ErrorLog /var/log/httpd/error.log
  CustomLog /var/log/httpd/access.log combined
  <Directory /usr/share/webapps/nextcloud>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>

  <IfModule mod_dav.c>
    Dav off
  </IfModule>
  <IfModule mpm_itk_module>
    AssignUserId nextcloud nextcloud
  </IfModule>
  <FilesMatch \.php$>
    SetHandler "proxy:unix:/run/nextcloud/nextcloud.sock|fcgi://localhost"
  </FilesMatch>

  SetEnv HOME /usr/share/webapps/nextcloud
  SetEnv HTTP_HOME /usr/share/webapps/nextcloud
</VirtualHost>

Vhost on the server acting as reverse proxy:

cat /etc/httpd/conf/vhosts/cloud.conf
<VirtualHost *:443>
  ServerName cloud.joelmueller.ch
  ProxyPreserveHost On
  DocumentRoot /usr/share/webapps/nextcloud/
  ProxyPass /.well-known !
  ProxyPass / http://192.168.1.118
  ProxyPassReverse / http://192.168.1.118
  Include /etc/letsencrypt/options-ssl-apache.conf

  RewriteEngine On
  RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  </IfModule>
  ErrorLog /var/log/httpd/error.log
  CustomLog /var/log/httpd/access.log combined
  SSLCertificateFile /etc/letsencrypt/live/cloud.joelmueller.ch/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/cloud.joelmueller.ch/privkey.pem
</VirtualHost>
<VirtualHost *:80>
  DocumentRoot /usr/share/webapps/nextcloud/
  ServerName cloud.joelmueller.ch

  ## Redirect HTTP -> HTTPS
  RewriteEngine On
  RewriteCond %{SERVER_NAME} =cloud.joelmueller.ch
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Now I get the error:

Your data directory is invalid. Make sure that a file “.ocdata” exists in the root of the data directory. Your data directory is not writable. Permissions can usually be fixed by giving the web server write access to the root directory. See also https://docs.nextcloud.com/server/23/go.php?to=admin-dir_permissions.

[root@nas nextcloud]# ls -la
total 24
drwxrwx---  5 http  http  4096 Jan 28 22:24 .
drwsrwsrwt  7 morta wheel 4096 Jan 31 20:20 ..
drwxrws---  5 http  http  4096 Jan 28 22:47 admin
drwxrwx--- 10 http  http  4096 Jan 28 22:07 appdata_ockrg9az0dnk
-rwxrwx---  1 http  http   542 Jan 28 21:04 .htaccess
-rwxrwx---  1 http  http     0 Jan 28 21:04 index.html
drwxrwx---  2 http  http  4096 Jan 28 22:24 Morta
-rwxrwx---  1 http  http     0 Jan 28 21:04 .ocdata

But .ocdata exists. I cannot understand why php-fpm needs 0777 to read the socket of Nextcloud and can’t even read the folder without 0777.
If I chmod /home/data/nextcloud to 0777, a warning comes up that I have to change it to 0770.

So I’m really fucked up!

I could fix the error by chowning to user and group nextcloud, but now I get the following errors.

On the proxy side:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: DNS lookup failure for: 192.168.1.118index.php

Additionally, a 502 Bad Gateway error was encountered while trying to use an ErrorDocument to handle the request.

In the Apache systemctl status there is the following error:

Jan 31 22:56:31 5erver httpd[121573]: AH00112: Warning: DocumentRoot [/usr/share/webapps/nextcloud/] does not exist
Jan 31 22:56:31 5erver httpd[121573]: AH00112: Warning: DocumentRoot [/usr/share/webapps/nextcloud/] does not exist

What is wrong?
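Both posted proxy vhosts map `/` to a backend URL with no trailing slash (`http://nas` in the first post, `http://192.168.1.118` in this one). mod_proxy appends whatever follows the matched prefix to the target verbatim, so a request for `/login` becomes `http://naslogin` and `/index.php` becomes `http://192.168.1.118index.php`, which is exactly the "DNS lookup failure" both error pages report. The following is an added example of the reverse-proxy vhost pair for Server B, not the poster's configuration. It assumes mod_proxy, mod_proxy_http, mod_ssl, mod_headers and mod_rewrite are loaded, that `/var/www/acme` is an empty directory created for certbot's webroot challenges (a hypothetical path), and that certbot's `options-ssl-apache.conf` supplies `SSLEngine on`, as it does in the posted config.

```apache
# Added example (not the poster's config): reverse-proxy vhost pair on Server B.
# Assumes mod_proxy, mod_proxy_http, mod_ssl, mod_headers and mod_rewrite are loaded
# and that the Nextcloud backend (Server A) listens on http://192.168.1.118:80.

<VirtualHost *:80>
  ServerName cloud.joelmueller.ch
  # Only ACME http-01 challenges are served locally; everything else is sent to
  # HTTPS. /var/www/acme is an assumed empty directory for "certbot --webroot".
  DocumentRoot /var/www/acme
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  ServerName cloud.joelmueller.ch
  # certbot's options-ssl-apache.conf contains "SSLEngine on" and the cipher policy.
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile    /etc/letsencrypt/live/cloud.joelmueller.ch/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/cloud.joelmueller.ch/privkey.pem

  # No DocumentRoot: this vhost serves nothing itself, so the AH00112 warning
  # about a missing /usr/share/webapps/nextcloud/ cannot occur on the proxy.

  # Never act as a forward (open) proxy; only the explicit mappings below apply.
  ProxyRequests Off
  # Forward the client's Host header unchanged, so Nextcloud sees
  # cloud.joelmueller.ch (listed in its trusted_domains) rather than the IP.
  ProxyPreserveHost On
  # Tell Nextcloud the client hop was TLS. Nextcloud honours this header only
  # when the sending proxy's address is listed in trusted_proxies.
  RequestHeader set X-Forwarded-Proto "https"

  # CalDAV/CardDAV discovery is answered by the proxy itself. ProxyPass rules
  # are matched in configuration order, so the "!" exclusion must come before
  # the catch-all "/" mapping.
  RewriteEngine On
  RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  RewriteRule ^/\.well-known/caldav  https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
  ProxyPass /.well-known !

  # Trailing slash on BOTH sides. mod_proxy appends the part of the request
  # path after the matched prefix to the target as-is: with "http://nas" a
  # request for /login became http://naslogin, and with "http://192.168.1.118"
  # /index.php became http://192.168.1.118index.php, hence the DNS lookup
  # failures. With the slash, /index.php maps to http://192.168.1.118/index.php.
  ProxyPass        / http://192.168.1.118/
  ProxyPassReverse / http://192.168.1.118/

  # "preload" deliberately omitted: only add it once every subdomain of
  # joelmueller.ch is HTTPS-only and you intend to submit to the preload list.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

On Server A, config.php then needs `'overwriteprotocol' => 'https'` and `'overwrite.cli.url' => 'https://cloud.joelmueller.ch'`; with `'http'`, as posted, Nextcloud builds its redirects and absolute links with an http:// scheme even though clients only ever reach it over TLS. Keep `trusted_proxies` limited to `192.168.1.100`: listing the whole `192.168.1.0/24` lets any host on the LAN forge `X-Forwarded-For` and so choose the client address that Nextcloud's per-IP brute-force throttling sees. Before testing through the proxy, confirm from Server B that the backend answers directly with `curl -sI -H 'Host: cloud.joelmueller.ch' http://192.168.1.118/status.php`, then run `apachectl configtest` and reload Apache.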

Hi @Morta ,

I still have trouble understanding your network.

Are these two physical servers?
What is a “nextcloud instance”? A server? A vhost config in Apache on a server where something else is running, probably the reverse proxy?

If you have two servers, one as reverse proxy (Server A) and one for web pages (Server B) (e.g. Nextcloud, …), you need to define ports where you reverse proxy from Server A to Server B (DN 1 proxies to Server B on port x and DN 2 proxies to Server B on port y). On Server B, Apache listens on the ports x and y.

But this is fictional since I do not understand your bare setup as of now.

Edit:
Does it work in LAN (without the proxy and without lets encrypt certificate like “untrusted site”)?

Hi
@florom

Yes, they are two physical servers with Apache and vhost configurations.
One is a NAS with Nextcloud on Arch Linux, and Nextcloud was running before I set it up for a proxy. It is in the same network as the server and also behind the router.

The other machine is a server with Arch Linux and Apache behind an OPNsense router/firewall.

I couldn’t understand the DNS error which I receive and couldn’t find the misconfiguration of DocumentRoot.

Why can’t the proxy run on port 80? How do I have to define the ports?

I call it Server A. So you deleted Nextcloud and the NAS stuff and set it up as a reverse proxy server? Or was it a NAS (like a QNAP) and you installed Arch Linux on it with Nextcloud and then deleted both so you can use the server as reverse proxy?

Server B.

Server B. Apache means that there is web stuff on it.

Server C? Why are you not using this as reverse proxy? It would naturally come to my mind since it is the entry point into your network.

cat /etc/httpd/conf/vhosts/cloud.conf 

  **DocumentRoot /usr/share/webapps/nextcloud/**

I do not understand why you need a document root in a reverse proxy setup since document root is not on this server.

I interpret it as a reverse proxy. But it seems you have a normal proxy too. Is that right?

That was my setup and I thought this is the only way. I just read through it, and it should work on the same machine with the same port but different server addresses too. If this is the case in your setup, like

Internet → Firewall → Server A with Nextcloud (Site 1) and Stuff (Site 2),
I do not understand why you need a reverse proxy.
Furthermore, I only see that “cloud.joelmueller.ch” is the only DN in your setup. I began to use a reverse proxy as soon as there were at least 2 DNs on 2 different servers.

Server A is the NAS where Nextcloud and an Apache are running.

Server B is the dedicated server with Apache as reverse proxy.

Both are behind Server C, which is the router with firewall.

I wasn’t able to get a working Let’s Encrypt cert for Server A because all websites are hosted on Server B.

So I thought the simplest way is to make a reverse proxy with Server B and host the cert there.

So how can I handle this as simply as possible?

@florom

I would set up a reverse proxy on Server C. I am not familiar with OPNsense, but judging from a quick search where I found this: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
I think it is possible.

I do not think you can/want to use a server both for hosting websites and as a reverse proxy to another server. At least I do know of such a setup.

So your setup now is like:

Internet → Server C (NAT 80 → 80; 443 → 443) → Server B: websites (with Let’s Encrypt certificates) and reverse proxy (with Let’s Encrypt certificates) → Server A (no Let’s Encrypt certificates)

And it should be:
Internet → Server C reverse proxy (all Let’s Encrypt certificates) → Server A (no Let’s Encrypt certificate) and Server B (no Let’s Encrypt certificate) (depends on DN)

@Morta

@florom
OK, but that doesn’t fix my issue with Server A. How can I improve that?

All tutorials for OPNsense say that I shouldn’t run too many services on the router, not even another service that is not necessary.

If it’s possible I would like to do without a web server on the router and go with my setup: Router/Server A → NAT → Server B → reverse proxy → Server A

  • Why does Nextcloud need a DNS resolution even though I only have an IP?
  • Why can’t my reverse proxy Server B find the DocumentRoot of Server A?
  • What is misconfigured on Server A?

I appreciate your help, thanks man…

@Morta

That would not be a webserver it would be a reverse proxy.

Router/Server C ??

Where is this configured? I guess the router (Server C). That’s OK and would work.

Where is that? I guess Server B.

So the gateway for Server A would be Server B.
And the gateway for Server B would be Server C, because it acts as client and router at the same time. I can hardly imagine that this works.

From which server is this error message?

@florom
Sorry, yes, the router is Server C.

No, both Server A and B have Server C as gateway.

Or why do you think that Server B is the gateway for Server A?

The error message comes when you open https://cloud.joelmueller.ch

It’s after the reverse proxy Server B.

Server A shows nothing when I open a browser with the IP address of Server A.

@Morta

Server B is the reverse proxy, so every packet which goes to Server A has to pass through Server B, so it is definitely its gateway to the internet.
It would work with gateway Server C too if you want an internet connection only for Server A, but then you do not use the reverse proxy anymore.

On which server is the content located for this url? (After reverse proxy is not clear to me)

Server A is the content and Nextcloud server.

Server B is the web server and reverse proxy.

Server C is the router.

My only interest is how I can make the Let’s Encrypt cert work properly with Server A.

Solution: every working solution is good for me, as simple as possible, but I also need certs on Server B.

@florom

@Morta

You cannot use the same Let’s Encrypt certificate on the reverse proxy (Server B) and on Server A. A reverse proxy breaks encryption. So any certificate on Server A would be unencrypted on Server B (by the reverse proxy). Anything behind Server B is backend, and Server B should not be used for web server content. Even if Server A has a direct connection to Server C, which is imho a bad setup because it would have two working gateways, it is still backend.

@florom

OK, what solution do you propose?

SSL passthrough. Use SNI and TCP proxying. On Apache I think it is called SSL_proxy or something…?
I use HAProxy and not Apache, so I only know about HAProxy. However, with reverse proxies (NGINX and HAProxy at least) you can do SSL passthrough by supporting SNI and then proxying the traffic as TCP and not HTTP, based on the SNI header (for example the requested hostname).
This will allow you to terminate the HTTPS (decrypt) only on Server A, as Server A will then be the only server which handles the connection as HTTP and hence requires you to decrypt.

That’s buzzwords.

@Morta

I encourage you to get a firewall which allows you to run a reverse proxy there. First, it is a firewall (a router is not a firewall), and second, it is the sole entry point to the LAN.

For now:
NAT all traffic (ports 80 and 443) from Server C to Server B.
Server B is the reverse proxy. All Let’s Encrypt certificates are handled here. There is no content, proxy only. Unencrypted or self-signed certificate on Server A to connect to Server B. Nextcloud on Server B. My advice: move the web page stuff from Server B to a Server D. Reverse proxy to this one like to Server A.
In the LAN you will have a self-signed certificate, which is OK, and from outside a Let’s Encrypt certificate.
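The last reply leaves the hop from Server B to Server A either unencrypted or under a self-signed certificate. Below is an added example, not from the thread, of the directives that change on the Server B side when Server A is given a self-signed certificate: the proxy verifies the backend against that exact certificate rather than switching verification off, so a host that manages to answer on 192.168.1.118 cannot silently receive every user's session cookies and credentials. Assumptions: the certificate is generated on Server A with CN and IP SAN 192.168.1.118 and its public half copied to `/etc/ssl/nas/nas-selfsigned.crt` on Server B (both path and certificate are hypothetical); the remaining directives of the Server B vhost (ServerName, Let's Encrypt certificate, rewrites) are unchanged from the posted config.

```apache
# Added example (not from the thread): TLS from the reverse proxy (Server B) to the
# Nextcloud backend (Server A) with Server A's self-signed certificate as the only
# trust anchor. These lines go inside the *:443 vhost for cloud.joelmueller.ch on
# Server B, replacing its ProxyPass/ProxyPassReverse lines.
#
# The certificate is assumed to have been created on Server A with, for example:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
#     -subj /CN=192.168.1.118 -addext subjectAltName=IP:192.168.1.118 \
#     -keyout nas-selfsigned.key -out nas-selfsigned.crt
# and only the .crt (never the .key) copied to /etc/ssl/nas/ on Server B.

SSLProxyEngine On

# Trust exactly this certificate and nothing else. A self-signed certificate is
# its own root, so it can be used directly as the "CA" file for the outbound
# connection; depth 0 rejects anything that is not self-signed.
SSLProxyCACertificateFile /etc/ssl/nas/nas-selfsigned.crt
SSLProxyVerify      require
SSLProxyVerifyDepth 0

# Match the certificate name against the host in the ProxyPass target
# (192.168.1.118, hence the CN/IP SAN above) and reject expired certificates.
# "SSLProxyVerify none" or "SSLProxyCheckPeerName off" would leave this hop
# encrypted but unauthenticated.
SSLProxyCheckPeerName   on
SSLProxyCheckPeerExpire on

ProxyRequests Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"

# Same trailing-slash rule as for a plain-HTTP target: "/" on both sides.
ProxyPass        /.well-known !
ProxyPass        / https://192.168.1.118/
ProxyPassReverse / https://192.168.1.118/

# On Server A, the matching listener: the posted *:80 vhost plus TLS.
<VirtualHost *:443>
  ServerName 192.168.1.118
  SSLEngine On
  SSLCertificateFile    /etc/ssl/nas/nas-selfsigned.crt
  SSLCertificateKeyFile /etc/ssl/nas/nas-selfsigned.key
  DocumentRoot /usr/share/webapps/nextcloud
  # Remaining directives (Directory, FilesMatch/SetHandler, SetEnv) are identical
  # to the posted *:80 vhost for 192.168.1.118.
</VirtualHost>
```

Because `SSLProxyCheckPeerName` compares against the host part of the `ProxyPass` target, the backend certificate must name `192.168.1.118` rather than `nas` unless the target is changed to `https://nas/` and the certificate to CN/DNS SAN `nas`. With `ProxyPreserveHost On`, Nextcloud still sees `cloud.joelmueller.ch` as the requested host, so `trusted_domains` and `overwritehost` on Server A need no change for this variant.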