TrueNAS Nextcloud-Jail behind a reverse proxy (other jail) - configuration problems

ATTENTION:
There is a German topic for this, as I understand German much better than English:

Nevertheless, I am also asking here in the English area (using a translator), as a larger number of potential helpers can certainly be reached here.

--------------------------------------------------
(The links had to be dismantled because of the restriction for new members.)
--------------------------------------------------

Hello everybody,

I am running a Nextcloud-Jail (NC version 20.0.6) on a TrueNAS system (192.168.2.205) with Apache web server.
Installed according to these instructions:
https://www.samueldowling.com/2020/07/24/install-nextcloud-on-freenas-iocage-jail-with-hardened-security/

I also have a reverse proxy jail on the same TrueNAS system (192.168.2.206) with Nginx.
Installed according to these instructions:
https://www.truenas.com/community/threads/how-to-set-up-nginx-to-reverse-proxy-your-jails-w-certbot.49876/

Both are relatively freshly installed, but I am new to this subject and need help on the last few metres to reach my goal.

Current status:
Nextcloud works great if you only use http and the IP of the internal network. However, I would like to access it from the Internet via https.
A free Selfhost account is to be used for this; let's just call the appropriate subdomain my-sub.selfhost.co (there is actually a hyphen in the name).
Selfhost is a DynDNS provider, and the IP update through my FritzBox also works fine.
The URL to the Nextcloud should be:
my-sub.selfhost.co/nextcloud

An SSL certificate has been created and apparently works. In my opinion the problem is the interaction between the reverse proxy and NC.
Either I get a 404 (depending on how I played with config.php), apparently from the Nginx of the reverse proxy ("Nginx" is on the 404 page), or the website tells me that the redirect went wrong.

After several attempts (also with the help of the following website):
https://docs.nextcloud.com/server/21/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwrite

I slowly have to admit defeat and hope for your patience and willingness to help.

So, the problem in summary:
I don't get the Nextcloud start page that I am offered, with the appropriate configuration, via plain http and the network-internal IP (http://192.168.2.205/).

My configuration files currently look like this:
Nextcloud - config.php

<?php
$CONFIG = array (
  'instanceid' => 'INSTANCEID',
  'passwordsalt' => 'SALT',
  'secret' => 'SECRET',
  'trusted_domains' =>
  array (
    0 => 'my-sub.selfhost.co',
    1 => '192.168.2.205',
    2 => 'localhost',
  ),
  'trusted_proxies'   => ['192.168.2.206'],
  #'overwritehost'     => 'my-sub.selfhost.co',
  'overwriteprotocol' => 'https',
  'overwritewebroot'  => '/',
  'overwritecondaddr' => '^192\.168\.2\.206',
  'config_is_read_only' => true,
  'default_language' => 'de',
  'default_locale' => 'de_DE',
  'datadirectory' => '/mnt/data',
  'dbtype' => 'mysql',
  'version' => '20.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'USERNAME',
  'dbpassword' => 'PASSWORD',
  'installed' => true,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'app_install_overwrite' =>
  array (
    0 => 'occweb',
  ),
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'USERNAME-EMAIL',
  'mail_domain' => 'MAILSERVICE',
  'mail_smtpauth' => 1,
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'SMTP.MAILSERVICE.TLD',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'MY-EMAIL',
  'mail_smtppassword' => 'MY-EMAIL-PASSWORD',
);

Reverse Proxy - nginx.conf

#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
# error_log  /var/log/nginx/error.log;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       443 ssl;
        server_name  my-sub.selfhost.co;
        include ssl_common.conf;
        include proxy_setup.conf;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #        listen       443 ssl;
    #        server_name  my-sub.selfhost.co;
    #        include ssl_common.conf;
    #        include proxy_setup.conf;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #}
    #}

}   # closes the http block; without this brace nginx -t fails to parse the file

Reverse Proxy - ssl_common.conf

# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL Configuration is up to date with current standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older browsers on older devices, Eg.
# IE8, android 2.4, etc
# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;
ssl_certificate /usr/local/etc/letsencrypt/live/my-sub.selfhost.co/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/my-sub.selfhost.co/privkey.pem;
# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1.2;
# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher-list for PFS.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES25>
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx >= 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;
# HSTS Support
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Reverse Proxy - proxy_setup.conf

location /nextcloud {
    proxy_pass http://192.168.2.205:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /octopi {
    proxy_pass http://192.168.2.75:80;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /plex {
    proxy_pass http://192.168.2.201:32400/web/index.html;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
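To make the interaction between the two jails easier to reason about, here is an added example (not code from the post, from nginx or from Nextcloud) that walks one request through both layers of the setup above. The first function applies nginx's documented proxy_pass rule for a prefix location, so you can see which path the Apache/Nextcloud backend actually receives for each variant of `location` and `proxy_pass`. The remaining functions are a simplified model of how a proxied application such as Nextcloud combines `trusted_proxies`, `X-Forwarded-For`, `overwritecondaddr`, `overwriteprotocol` and `trusted_domains` into the client address, scheme and host it believes it is serving; the real Nextcloud code is more involved, and the function names, the sample client address 203.0.113.7 and the `NC_CONFIG` dictionary (which mirrors the post's config.php without secrets) are this example's own.

```python
"""Walk a request through nginx (proxy_pass) and a trusted-proxy model.

Added example; the functions and sample values are constructed for this
illustration and are not nginx's or Nextcloud's own code.
"""
import ipaddress
import re
from typing import Dict, List, Optional


def proxy_pass_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """nginx rule for a prefix location: when proxy_pass carries a URI part
    (anything after host:port), the text matched by the location prefix is
    replaced by that URI by plain string concatenation, so stray slashes are
    kept; without a URI part the request URI is forwarded unchanged."""
    m = re.fullmatch(r"(https?://[^/]+)(/.*)?", proxy_pass)
    if m is None:
        raise ValueError(f"unsupported proxy_pass: {proxy_pass}")
    uri_part: Optional[str] = m.group(2)
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri} does not match location {location}")
    if uri_part is None:
        return request_uri
    return uri_part + request_uri[len(location):]


def _is_trusted(addr: str, trusted: List[str]) -> bool:
    """trusted_proxies entries may be single addresses or CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: List[str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then
    walk the chain from the right, skipping trusted hops: the first untrusted
    address is the client.  Anything a client wrote into the header itself
    sits further left and is never reached."""
    if not _is_trusted(remote_addr, trusted) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop, trusted):
                return hop
        except ValueError:  # garbage in the header: stop trusting it
            break
    return remote_addr


def effective_scheme(config: Dict, remote_addr: str, backend_scheme: str) -> str:
    """overwriteprotocol is applied only when overwritecondaddr (a regex
    matched against REMOTE_ADDR, as in the post's config) matches; an empty
    condition applies it unconditionally."""
    cond = config.get("overwritecondaddr", "")
    if cond and re.search(cond, remote_addr) is None:
        return backend_scheme
    return config.get("overwriteprotocol") or backend_scheme


def host_trusted(config: Dict, host_header: str) -> bool:
    """The Host header nginx forwards ($host) has to be in trusted_domains."""
    host = host_header.split(":", 1)[0]
    return host in config.get("trusted_domains", [])


# Constructed values mirroring the post's config.php (secrets omitted).
NC_CONFIG: Dict[str, object] = {
    "trusted_domains": ["my-sub.selfhost.co", "192.168.2.205", "localhost"],
    "trusted_proxies": ["192.168.2.206"],
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^192\.168\.2\.206",
}


def walk_request(request_uri: str, client: str, proxy_pass: str,
                 location: str = "/nextcloud", host: str = "my-sub.selfhost.co",
                 proxy_addr: str = "192.168.2.206") -> Dict[str, object]:
    """What the backend behind the nginx jail sees for one HTTPS request
    from `client`, with the headers exactly as proxy_setup.conf sets them."""
    headers = {"Host": host, "X-Real-IP": client, "X-Forwarded-For": client}
    return {
        "backend_uri": proxy_pass_uri(location, proxy_pass, request_uri),
        "client_ip": client_ip(proxy_addr, headers["X-Forwarded-For"],
                               NC_CONFIG["trusted_proxies"]),  # type: ignore[arg-type]
        "scheme": effective_scheme(NC_CONFIG, proxy_addr, "http"),
        "host_ok": host_trusted(NC_CONFIG, headers["Host"]),
    }


if __name__ == "__main__":
    print(walk_request("/nextcloud/index.php", "203.0.113.7",
                       "http://192.168.2.205:80"))
```

Running `walk_request` with the post's `location /nextcloud` and `proxy_pass http://192.168.2.205:80` shows that the backend receives `/nextcloud/index.php` unchanged, while adding a trailing slash to `proxy_pass` without also adding one to the location yields `//index.php`, which is the kind of mismatch that produces 404s at the wrong layer. The `client_ip` model also shows why `trusted_proxies` matters: a request arriving directly from an untrusted address keeps that address as the client no matter what `X-Forwarded-For` claims.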

I get connection refused, I have something similar. I used an nginx proxy and forwarded incoming traffic requests to the proxy server, so if I send it directly to the NC server it works perfectly, but I have never got a 404 error. Did you try proxy_redirect on instead of off? It's the only thing I see there ... cheers, write back if you found an answer, I am kind of stuck here as well.