Using Nextcloud AIO via Cloudflare Argo tunnel

pnunn · June 28, 2022, 5:12am

Hi folks,

I’m trying to set up AIO to allow access via an Argo tunnel.

This was working on an older version of Nextcloud, but I can’t for the life of me get the installer to recognize the domain name from the setup page on the AIO machine.

I am installing from the ova image running on xcp-ng and have the tunnel installed and running OK it seems, but the installer refuses to see it.

I have tried pointing nextcloud.mydomain.com to localhost:80, localhost:443, localhost:8080 and localhost:8443 but none of these seem to be recognized by installer.

Any ideas what port I should be pointing to? I think that’s the problem.

Ta
Peter.

If I point the tunnel to <IP_OF_HOST>:8080 I get
Jun 28 05:24:46 nextcloud cloudflared[31201]: 2022-06-28T05:24:46Z ERR error=“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.44.137 because it doesn’t contain any IP SANs” cfRay=7223ff7ceb4b5ab8-MEL ingressRule=0 originService=https://192.168.44.137:8080
Jun 28 05:24:46 nextcloud cloudflared[31201]: 2022-06-28T05:24:46Z ERR Request failed error=“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.44.137 because it doesn’t contain any IP SANs” connIndex=1 dest=https://nextcloud.mydomain.com.au/index.php/apps/photos/service-worker.js type=http

So I must be close

szaimen · June 28, 2022, 5:54am

So you already managed to run AIO behind your cloudflare tunnel or only a simple Nextcloud instance?

pnunn · June 28, 2022, 6:02am

It was just a simple instance, installed from the web.

szaimen · June 28, 2022, 7:01am

I see. However AIO is different and sorry to say but I remember some reports that people weren’t able to get it running behind a cloudflare tunnel…

szaimen · June 28, 2022, 7:09am

However I’ll try to give you some guidance.

First of all the OVA is very limited in its options. It is probably not possible to run it behind a cloudflare tunnel at all. (or you need to remove the container and recreate it using the correct command).

Second, you need to install AIO by following the reverse proxy documentation because a cloudflare tunnel works like a reverse proxy: all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

You then need to point your cloudflare tunnel at the chosen apache_port so e.g. http://<IP_OF_HOST>:11000.

Then you should access the aio interface at https://<IP_OF_HOST>:8080, type in the domain that you configured in cloudflare that points at http://<IP_OF_HOST>:11000 and hope that it accepts the domain.

If not, there should hopefully be some debug logs in AIO that may help you figure out what the problem is.

pnunn · June 28, 2022, 7:19am

Fantastic @szaimen, thanks for the pointers. I did wonder about the image, I thought it might be easier. I’ll blow it all away and start again I think. Not too much of a loss there.

I did get the tunnel connected OK (had to install packages and took a while to get the network sorted out with out vi being installed), but no major loss.

I’ll let you know how I go tomorrow.

pnunn · June 29, 2022, 3:55am

OK, for those following along at home.

I did a fresh install with caddy as a reverse proxy.

Then the magic seems to be to point the argo tunnel to http://localhost:11000 (note http NOT https).

Containers are now installing.

I’ll have to see what ports I can close now (I suspect all of them) on the firewall.

P.

szaimen · June 29, 2022, 9:19am

So you were not able to make it work with the cloudflare tunnel only?

pnunn · June 29, 2022, 9:53am

No. I gave up on that. The tunnel pointing to the proxy seems to do the trick.

szaimen · June 29, 2022, 10:09am

I see. What I do not understand is, did you use caddy to get it working and now you are removing it again and only use the argo tunnel?

If yes, we probably should introduce a way to disable the domain validation for use cases like this… WDYT?

pnunn · June 29, 2022, 10:27am

No. I couldn’t get it working without the proxy at all. So I’m pointing the argo tunnel to http://localhost:11000 and that did the trick.

szaimen · June 29, 2022, 10:36am

okay, so do I understand correctly that you used caddy to get it running and now point the argo tunnel at http://localhost:11000 which works for you?

pnunn · June 29, 2022, 11:34am

That’s correct. I couldn’t get the connection to work directly.

szaimen · June 30, 2022, 1:02pm

All right! I just added an option to skip the domain validation and added some documentation how to get it running behind cloudflare: allow to skip the domain verification and add documentation for cloud… by szaimen · Pull Request #873 · nextcloud/all-in-one · GitHub
Feedback is appreciated!

pnunn · June 30, 2022, 10:35pm

No problems. Glad to help in some tiny way. It’s working really well this way and I’m going to spin up a few more for clients.

Epicurean · November 1, 2022, 8:06am

sorry, I am a little confused. So can I choose NOT to use Nginx proxy manager, NOT to open any ports on my router, and yet install nextcloud AIO and use Cloudflare tunnel to access it outside my network?

szaimen · November 1, 2022, 8:35am

Yes
However your Nextcloud will be publicly reachable then.

szaimen · November 20, 2022, 9:02am

This is completely unrelated to this thread. Please open a new thread for this!