Updating Nextcloud through an HTTP proxy

Sorry to hear you’re facing problems :slightly_frowning_face:

It’s OK. We’ll get it done. That one is tricky.

It is my first post, so hi everyone.

I blocked outgoing http(s) traffic on my application VM, which includes a Nextcloud instance. I'm using e2guardian as an HTTP proxy through port 8080. It goes like this:
appserver → http(s) → e2guardian → internet → e2guardian with SSL termination → appserver

Now I have trouble with Nextcloud updates.

I can curl the update server with no trouble:

sudo -u ncappuser curl -Is https://updates.nextcloud.com/
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Date: Sun, 24 Mar 2024 12:27:59 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Security-Policy: default-src 'none'
Connection: close
Content-Type: text/html; charset=UTF-8

with e2guardian saying:

1711283279.344          -       ip.ip.ip.ip ip.ip.ip.ip https://updates.nextcloud.com   HEAD    200     0       text/html      --       69      -       602     *TRUSTED* Site match: updates.nextcloud.com     0       -       group1  1       -       8080:PM::def
1711283868.588          -       ip.ip.ip.ip ip.ip.ip.ip https://apps.nextcloud.com      HEAD    200     0       text/html      --       826     -       602     *TRUSTED* Site match: apps.nextcloud.com        0       -       group1  1       -       8080:PM::def

This is working because I have http_proxy, https_proxy, HTTP_PROXY and HTTPS_PROXY in my profile and set

Defaults    env_keep += "http_proxy https_proxy ftp_proxy no_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY NO_PROXY"

in sudoers file.

I also added the e2guardian root CA to the /etc/ssl/certs/ca-bundle.crt file, so curl doesn't complain about an untrusted certificate.


Now Nextcloud:

sudo -u ncappuser /usr/bin/php /path/to/nextcloud/public_html/occ update:check
Everything up to date

but it's not, and e2guardian says:

1711283758.409          -       ip.ip.ip.ip ip.ip.ip.ip https://apps.nextcloud.com:443  CONNECT 403     0       -       -      -58      -       154     *DENIED* Failed to negotiate ssl connection to client   0       SSL SITE        group1  1       -       8080:PS::def

Nextcloud is logging failed update attempts:

{"reqId":"zZ9QRtIoz6x1Yl7kPPVl","level":2,"time":"2024-03-24T12:35:58+00:00","remoteAddr":"","user":"--","app":"appstoreFetcher","method":"","url":"--","message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json","userAgent":"--","version":"28.0.3.2","exception":{"Exception":"GuzzleHttp\\Exception\\RequestException","Message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json","Code":200,"Trace":[{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":158,"function":"createRejection","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","line":110,"function":"finishError","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php","line":47,"function":"finish","class":"GuzzleHttp\\Handler\\CurlFactory","type":"::"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":137,"function":"__invoke","class":"GuzzleHttp\\Handler\\CurlHandler","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/Http/Client/DnsPinMiddleware.php","line":161,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":35,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":63,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":331,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":168,"function":"transfer","class":"GuzzleHttp\\Client","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":187,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/path/to/nextcloud/public_html/lib/private/Http/Client/Client.php","line":230,"function":"request","class":"GuzzleHttp\\Client","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/Fetcher.php","line":123,"function":"get","class":"OC\\Http\\Client\\Client","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/AppFetcher.php","line":86,"function":"fetch","class":"OC\\App\\AppStore\\Fetcher\\Fetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/Fetcher.php","line":193,"function":"fetch","class":"OC\\App\\AppStore\\Fetcher\\AppFetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/App/AppStore/Fetcher/AppFetcher.php","line":187,"function":"get","class":"OC\\App\\AppStore\\Fetcher\\Fetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/Installer.php","line":423,"function":"get","class":"OC\\App\\AppStore\\Fetcher\\AppFetcher","type":"->"},{"file":"/path/to/nextcloud/public_html/apps/updatenotification/lib/Command/Check.php","line":83,"function":"isUpdateAvailable","class":"OC\\Installer","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Command/Command.php","line":298,"function":"execute","class":"OCA\\UpdateNotification\\Command\\Check","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Application.php","line":1040,"function":"run","class":"Symfony\\Component\\Console\\Command\\Command","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Application.php","line":301,"function":"doRunCommand","class":"Symfony\\Component\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/3rdparty/symfony/console/Application.php","line":171,"function":"doRun","class":"Symfony\\Component\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/lib/private/Console/Application.php","line":213,"function":"run","class":"Symfony\\Component\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/console.php","line":100,"function":"run","class":"OC\\Console\\Application","type":"->"},{"file":"/path/to/nextcloud/public_html/occ","line":11,"args":["/path/to/nextcloud/public_html/console.php"],"function":"require_once"}],"File":"/path/to/nextcloud/public_html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php","Line":211,"message":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json","exception":{},"CustomMessage":"cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://apps.nextcloud.com/api/v1/apps.json"}}

and it indeed complains about an invalid SSL certificate.

This is my config.php

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxx',
  'secret' => 'xxxxxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => 'my.site.com',
  ),
  'trusted_proxies' => 
  array (
    0 => 'ip.ip.ip.ip',
    1 => 'ip.ip.ip.ip',
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'my.database.server',
    'port' => 6379,
  ),
  'datadirectory' => '/path/to/nextcloud/public_html/data',
  'dbtype' => 'mysql',
  'version' => '28.0.3.2',
  'overwrite.cli.url' => 'https://my.site.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'mysitecom',
  'dbhost' => 'my.database.server:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'mysitecom',
  'dbpassword' => 'xxxxxxxxx',
  'installed' => true,
  'trashbin_retention_obligation' => 'auto, 33',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'updater.release.channel' => 'stable',
  'proxy' => 'http://my.proxy.server:8080',
  'proxyexclude' => ['my.site.com'],
);

And additionally: is it really necessary to poke eff.org, startpage.com and edri.org from my.site.com/index.php/settings/admin/overview? I wonder how many requests from Nextcloud instances those guys get every hour.

Take care and have fun!
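The post's evidence fits one explanation: curl and Nextcloud's HTTP client (Guzzle, via the Nextcloud Http\Client wrapper in the trace) do not read the same trust store. The proxy CA was appended to /etc/ssl/certs/ca-bundle.crt, which is why curl passes, but Nextcloud verifies against a CA bundle of its own that never received the proxy CA, so every TLS-intercepted connection fails with cURL error 60 ("unable to get local issuer certificate"); the e2guardian CONNECT line, which reports that the SSL handshake with the client failed, is what that rejection looks like from the proxy's side. The script below is an added example written for this page, not code from the post, Nextcloud or e2guardian. It reconstructs the situation offline with a throwaway "proxy CA", a leaf certificate re-signed by it, and two trust stores, one with the CA appended and one without, then shows the same certificate verifying against one and failing against the other. All CA and host names are hypothetical, and the script assumes only the openssl CLI (1.1.1 or later) and a POSIX sh with awk.

```shell
#!/bin/sh
# Added example; not code from the original post, Nextcloud or e2guardian.
# Reproduces the symptom offline: a TLS-intercepting proxy re-signs every site
# certificate with its own root CA, so a client accepts the connection only if the
# trust store that *this particular client* reads contains the proxy CA. In the post
# the CA was appended to /etc/ssl/certs/ca-bundle.crt (what curl reads) while
# Nextcloud's HTTP client verified against a bundle that never got it: cURL error 60.
# Everything here is constructed (hypothetical CA and host names); needs the openssl CLI.
set -eu

# make_ca DIR NAME: self-signed CA with explicit CA extensions (an extfile is used so the
# result does not depend on whatever openssl.cnf the host ships).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2 (hypothetical)" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  printf '%s\n' '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
    > "$1/ca-ext.cnf"
  openssl x509 -req -sha256 -days 1 -in "$1/$2.csr" -signkey "$1/$2.key" \
    -extfile "$1/ca-ext.cnf" -extensions v3_ca -out "$1/$2.pem" >/dev/null 2>&1
}

# setup_stores DIR: build the proxy CA, a leaf it re-signed (stand-in for the certificate
# the proxy presents for updates.nextcloud.com), and the two trust stores from the post.
# Both stores start from one unrelated public CA; only the "system" copy gets the proxy CA.
setup_stores() {
  mkdir -p "$1"
  make_ca "$1" proxy-ca
  make_ca "$1" public-ca
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=updates.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$1/leaf.csr" \
    -CA "$1/proxy-ca.pem" -CAkey "$1/proxy-ca.key" -CAcreateserial \
    -out "$1/leaf.pem" >/dev/null 2>&1
  cp "$1/public-ca.pem" "$1/system-ca-bundle.crt"     # stands in for /etc/ssl/certs/ca-bundle.crt
  cp "$1/public-ca.pem" "$1/nextcloud-ca-bundle.crt"  # stands in for Nextcloud's own bundle
  cat "$1/proxy-ca.pem" >> "$1/system-ca-bundle.crt"  # what the post did, for curl only
}

# verify_against BUNDLE LEAF: prints "ok" or "error 60" (curl's code for OpenSSL's
# "unable to get local issuer certificate") and returns 0 or 1 to match.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo "error 60"
    return 1
  fi
}

# bundle_has_cert BUNDLE CERT: succeeds if the bundle holds a certificate with the same
# SHA-256 fingerprint as CERT. Answers "which trust store is missing my proxy CA?"
bundle_has_cert() {
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  tmp=$(mktemp -d)
  # split the bundle into one PEM file per certificate, skipping any comment lines
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
  found=1
  for c in "$tmp"/*.pem; do
    if [ "$(openssl x509 -in "$c" -noout -fingerprint -sha256 2>/dev/null)" = "$want" ]; then
      found=0
      break
    fi
  done
  rm -rf "$tmp"
  return $found
}

# demo [DIR]: same leaf, same proxy CA, two different verdicts.
demo() {
  d=${1:-$(mktemp -d)}
  setup_stores "$d"
  printf 'system bundle (curl):    %s\n' "$(verify_against "$d/system-ca-bundle.crt" "$d/leaf.pem" || true)"
  printf 'nextcloud bundle (occ):  %s\n' "$(verify_against "$d/nextcloud-ca-bundle.crt" "$d/leaf.pem" || true)"
  bundle_has_cert "$d/nextcloud-ca-bundle.crt" "$d/proxy-ca.pem" \
    || echo "proxy CA is missing from $d/nextcloud-ca-bundle.crt"
}

case "${1:-}" in --demo) demo "${2:-}" ;; esac
```

Run it as `sh trust-store-demo.sh --demo` (any file name) to see the "ok" / "error 60" pair. On a real instance, point `bundle_has_cert` at the bundle Nextcloud actually loads rather than at the system one; Nextcloud's occ also has a `security:certificates:import <path>` command for adding a CA to its own store, which is the supported route rather than editing the shipped bundle, since that file is replaced on update. Appending a proxy CA to any trust store means every connection through that proxy is only as trustworthy as the proxy, so keep the CA scoped to the machines that really need it.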

Possibly need to add to Nextcloud’s own CA Bundle: