Trusted_domain error behind nginx proxy on different host

Hello everyone,

I have the following setup. I am running nextcloud:27.1.2-apache in a docker compose setup on a virtual machine in Azure. This machine is referenced as server 2 in the following. I can reach the nextcloud instance via the public IP of the server on port 8080 as desired. Everything works.

The nextcloud instance is to be part of a service offering that is reachable via an ssl-encrypted domain, which points to a different server (server 1) that also hosts a docker compose setup, including NGINX as reverse proxy. All SSL-traffic is routed to the NGINX instance.

The goal is to make the nextcloud instance available under https://subdomain.domain.com/path/path2. Therefore, I have created a location entry with a proxy_pass to the IP and Port of my nextcloud instance, to forward all traffic from the above url to the nextcloud docker container.

The forwarding rule generally seems to work, as I do not get an SSL error and reach the Nextcloud instance. However, Nextcloud complains that I am trying to access the instance via an untrusted domain and the formatting of the page is missing.

In the Nextcloud config.php, I included:

'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'public-ip-server2',
    2 => 'subdomain.domain.com',
    3 => 'public-ip-server1',
    4 => 'vnet-private-ip-server1',
  ),
'trusted_proxies' =>
  array (
    0 => 'public-ip-server1',
    1 => 'vnet-private-ip-server1',
    2 => 'subdomain.domain.com',
  ),
...
'overwrite.cli.url' => 'https://subdomain.domain.com/path/path2',
...

Some of the array entries might not be necessary, however I simply added all variations of the IPs and domains in trusted_domains and trusted_proxies during debugging.

The relevant part of the NGINX config looks like this:

server {
    listen 443 ssl;
    sendfile on;
    default_type application/octet-stream;
    server_name subdomain.domain.com;

    root /usr/share/nginx/html;

    ssl_certificate /etc/nginx/ssl/live/subdomain.domain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/subdomain.domain.com/privkey.pem;


    location /path/path2 {
      proxy_pass http://vnet-private-ip-server2:8080;
    }
}

What am I missing in any of the configurations, such that Nextcloud recognizes this to be a valid trusted domain and proxy? Do I need to add additional configuration in NGINX for this to work properly?

Any help would be highly appreciated.

Thanks and best regards
Jens

After a lot of back and forth I managed to get everything running with the following configuration:

NGINX

server {
    listen 443 ssl;
    sendfile on;
    default_type application/octet-stream;
    server_name subdomain.domain.com;

    root /usr/share/nginx/html;

    ssl_certificate /etc/nginx/ssl/live/subdomain.domain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/subdomain.domain.com/privkey.pem;

    location /path/path2/ { # note that the trailing / is important
      rewrite ^/path/path2(.*) $1 break; # this is important for webdav/caldav forwarding
      proxy_pass http://10.2.0.6:8080; # no trailing / here, with the rewrite above
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_redirect off;
      proxy_buffering off;
    }
}

Nextcloud config.php

'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'public-ip-server2',
    2 => 'subdomain.domain.com',
    3 => 'public-ip-server1',
    4 => 'vnet-private-ip-server1',
  ),
'trusted_proxies' =>
  array (
    0 => 'public-ip-server1',
    1 => 'vnet-private-ip-server1',
    2 => 'subdomain.domain.com',
  ),
...
'overwritehost' => 'subdomain.domain.com',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://subdomain.domain.com/path/path2', // the key is dotted: overwrite.cli.url
'overwritewebroot' => 'path/path2',
...
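Added example, not Nextcloud's or nginx's code: a small Python model of how a proxied application should combine the X-Forwarded-* headers set in the location block above with trusted_proxies, trusted_domains and the overwrite* settings. The config and request values are constructed placeholders (RFC 5737 addresses stand in for the thread's server IPs), and the right-to-left walk over X-Forwarded-For is this model's choice rather than a description of Nextcloud's internals.

```python
import ipaddress

# Constructed config mirroring the thread's config.php keys. Addresses are RFC 5737
# documentation placeholders standing in for the thread's server1/server2 IPs.
CONFIG = {
    "trusted_domains": {"localhost", "203.0.113.20", "subdomain.domain.com"},
    "trusted_proxies": ["203.0.113.10", "10.2.0.0/24"],  # IPs or CIDRs, not hostnames
    "overwritehost": "subdomain.domain.com",
    "overwriteprotocol": "https",
}


def parse_ip(value):
    """Parse an address, returning None for garbage such as 'unknown'."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(peer, trusted_proxies):
    """True if peer is one of our reverse proxies (exact IP or CIDR match)."""
    addr = parse_ip(peer)
    return addr is not None and any(
        addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def resolve_request(config, remote_addr, headers):
    """Return the client IP, host and scheme the app should act on. X-Forwarded-*
    values are honoured only when the TCP peer is a trusted proxy; otherwise a
    direct client could spoof its IP, scheme or host."""
    via_proxy = is_trusted_proxy(remote_addr, config["trusted_proxies"])
    client_ip = remote_addr
    if via_proxy and "X-Forwarded-For" in headers:
        # nginx's $proxy_add_x_forwarded_for appends the peer it saw to whatever
        # the client sent, so walk from the right and skip our own proxy hops.
        for hop in reversed(headers["X-Forwarded-For"].split(",")):
            hop = hop.strip()
            if parse_ip(hop) is not None and not is_trusted_proxy(hop, config["trusted_proxies"]):
                client_ip = hop
                break
    if via_proxy:
        host = config.get("overwritehost") or headers.get("Host", "")
        proto = config.get("overwriteprotocol") or headers.get("X-Forwarded-Proto", "http")
    else:
        host, proto = headers.get("Host", ""), "http"
    return {"client_ip": client_ip, "host": host, "proto": proto,
            "host_trusted": host in config["trusted_domains"]}
```

A request that arrives directly at port 8080 instead of through the proxy keeps its real peer address and its own Host header, so a spoofed X-Forwarded-For or an unlisted host name is never honoured.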