SSL Problems Behind HAproxy

Hi there, really enjoying Nextcloud so far. I’m having some trouble getting it working behind my HAproxy. My setup currently is HAproxy running on an OPNsense appliance, pointing at the Nextcloud server running on the LAN. I’m trying to have HAproxy do the SSL offload.

If I disable my proxy and forward port 80 directly to the Nextcloud box, I’m able to access it via http. When the proxy is enabled, it redirects me to https (as it should), but browsers return an SSL error. In Chrome it’s “ERR_SSL_PROTOCOL_ERROR” and in Firefox it’s “SSL_ERROR_RX_RECORD_TOO_LONG”. The logs on my firewall indicate that the traffic is being allowed to pass to the Nextcloud box, as far as I can tell.

I haven’t set up any ssl or certificate on the nextcloud box itself. Can anyone tell me if I’m doing anything obviously wrong?
Thank you!

Here is my config.php:

<?php
$CONFIG = array (
  'instanceid' => 'id',
  'passwordsalt' => 'salt',
  'secret' => 'secret',
  'trusted_domains' => 
  array (
    0 => 'mydomain',
    1 => '192.168.42.22',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'overwritehost' => '192.168.42.1',
  'version' => '22.0.0.11',
  'overwriteprotocol' => 'https'
  'overwrite.cli.url' => 'https://mydomain',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'dbpassword',
  'installed' => true,
  'memcache.local' => '\OC\Memcache\APCu',
  'default_phone_region' => 'US',
);

I am not that much of an expert in web engineering, but here are my guesses.
The SSL errors are definitely ov because the checksum of the certs being applied to the browser indicates that the traffic was misrouted and your browser sees this as a man-in-the-middle attack. Or so I guess.

In your place I would try to route the http traffic and generate the cert on the NC machine with Let's Encrypt. SSL can be enforced on the cert install with certbot. Please don’t forget to forward port 80 as well as 443 (for the ssl traffic).

Hi @anal0g

Unfortunately, I have no experience with HAproxy and OPNsense and do not run my Nextcloud behind a reverse proxy myself. But I don’t see the trusted_proxies parameter in your config.php. Please set the trusted proxies and overwrite parameters accordingly, as described here… https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies

If it still doesn’t work, you could maybe search for HAproxy here in the forums or also in the OPNsense forums. From what I’ve seen, the topic has already been discussed several times in both places…
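For reference, here is what the reverse-proxy part of config.php looks like with the parameters from the linked documentation filled in. This is an added example, not the original poster's file or anything from the thread. It assumes that 192.168.42.1 (the overwritehost value in the posted config) is the address HAproxy connects from, that 'mydomain' is the public name clients use, and that HAproxy terminates TLS and sends plain HTTP to the backend with the usual X-Forwarded-For / X-Forwarded-Proto headers. The database and other keys from the original file are unchanged and omitted here.

```php
<?php
// Added example (not the poster's config): reverse-proxy related keys only.
// Assumptions: HAproxy on 192.168.42.1 terminates TLS and forwards plain HTTP;
// 'mydomain' is the hostname users type into the browser.
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'mydomain',
    1 => '192.168.42.22',
  ),
  // Only these source addresses may set the X-Forwarded-* headers. Without
  // this list Nextcloud ignores the headers, logs the proxy IP as the client,
  // and brute-force protection / access logs become useless behind the proxy.
  'trusted_proxies' =>
  array (
    0 => '192.168.42.1',
  ),
  // Header carrying the real client address (this is the default value).
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  // Every entry ends with a comma; a missing one makes PHP fail to parse the
  // file and Nextcloud will not start at all.
  'overwritehost' => 'mydomain',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://mydomain',
  // Optional: apply the overwrite.* values only to requests coming from the
  // proxy, so direct LAN access to 192.168.42.22 over http keeps working.
  'overwritecondaddr' => '^192\.168\.42\.1$',
  'version' => '22.0.0.11',
);
```

After editing, run `php -l config/config.php` as the web server user to catch a missing comma or quote before restarting anything; the same keys can also be set without touching the file, e.g. `sudo -u www-data php occ config:system:set trusted_proxies 0 --value=192.168.42.1`.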

@anal0g are you sure it’s not a haproxy misconfiguration?
Did you try to google: “SSL_ERROR_RX_RECORD_TOO_LONG haproxy”?

Thank you all for your replies! @bb77 was correct, trusted_proxies was missing. I had also forgotten a comma after the overwriteprotocol flag.

Thanks again!