Trusted proxy on unix domain socket

Is this a valid config ?
Internet <->|Nginx front-end|<->|UDS|<->|Nginx back-end|<->|php UDS|<->|PHP Nextcloud|
If so, how to configure config.php accordingly ?

The idea is to have no network at all on back-end and php servers.
Just to improve security (paranoia) and speed by eliminating ip overhead between front-end and back-end servers.

Why don’t you start with the pieces at the back and work your way forward? Do so incrementally and testing along the way.

The answers will depend on more details about your setup. I assume these are all on the same host? Are you using Docker or no?

I use UNIX sockets up to the web-app server in most of my single host deployments.

In any case - assuming same host:

Db ↔ NC/app server (PHP FPM in your case)
App server ↔ Web server (NGINX in your case)

I do both of the above via UNIX sockets routinely.

As for the reverse proxy ↔ web server I guess it’s theoretically possible but I’ve never done it:

Maybe give it a try and report back? Hah

Your assuming is correct, same host but using FreeBSD jails instead of Docker.
Problem seems that configuring Nextcloud trusted proxy is only possible with an IP address.

That’s a fair point.

Oh, I also use a UNIX sockets for the Redis containers. I meant to include that on my “what I do” list.

You’re probably asking for a bit much to do it towards the proxy. :slight_smile: Plus - even if you pull it off - you’d just end up with a nonstandard architecture that may have unintended consequences with likely minimal to no real-world benefit.

But I’d never discourage pushing and trying new things it one does it with their eyes wide open!

Finally got this uds stack working:

# Nginx Frontend
server {
        listen                  [::]:443 ssl http2;
        server_name   ;
        ssl_certificate_key     /usr/local/etc/letsencrypt/live/;
        ssl_certificate         /usr/local/etc/letsencrypt/live/;
        location /             {
                proxy_pass      http://unix:/var/run/nginx/nextcloud.sock;

The magic directive is set_real_ip_from.

# Nginx Backend
server {
        listen          unix:/var/run/nginx/nextcloud.sock;
        set_real_ip_from  unix:;
        root /usr/local/www/nextcloud;
        location ~ [^/]\.php(/|$) {
                fastcgi_pass unix:/var/run/php/php-fpm.sock;

Configuration of trusted_proxies in config/config.php not needed.
Nginx alone does it all.

1 Like