Greetings,
NCP 24.0.5.1
I would like to use Nginx proxy manager to protect my self hosted applications. One of them is NCP.
At the moment, NCP is running on a Raspberry pi 4. No docker.
My Nextcloud is configure to use a DDNS: duckdns.
All works perfectly fine like that.
Now I need/want to use Nginx P.M.
The quest I face:
NCP has a configuration for letsencrypt and of course for the duckdns.org
When using Nginx, i will have to use a docker to tell duckdns where to point the dns. That will end up to my nginx PM.
In turn, Nginx will than rerout the requests to NCP.
But Nginx also needs to create certificate with letsencrypt and at a poiunt, I will have NCP with duckdns configured and again duckdns configured for Nginx.
MY Question:
do I have to stop the NCP Networking option of DuckDNS and Letsencrypt in favor of the same for Nginx?
Or its sufficient if I keep NCP configuration as is and simply adding the nc-truster-proxies to the Networking NCP configuration?
And still configuring Nginx …
I guess I am a bit lost and confused with all that.
PS
any implication when using DAVx5 (I use it for google calendar and contacts sync)
A clear help I would appreciate.
Thank you
As far as I know it should work just fine to move ncp to docker, set some different ports on the outside of the container and as you said, add the nginx proxy as a trusted proxy, then setup nginx to forward the request to the docker container with the proper headers.
It should work as normal once everything is setup correctly with the DDNS for the proxy, that now needs to handle the certificates instead of ncp, any requests for a new certificate should be made from your proxy.
This is how I’ve used it with caddy as a reverse proxy where caddy handle the certificates instead of ncp.
It should be possible to configure it so the proxy doesn’t handle the certificates but I haven’t done it that way, so I don’t know how to do that properly.
Also, if you can’t make the reverse proxy ignore the TLS verification you’ll need to turn off the http → https redirect in ncp (you can do this in the config.php or admin web interface at :4443)
Here is another topic about this you can read with a bit more info from various people that also using nginx
And here is the documentation for Nextcloud with a reverse proxy
Thanks ZendaiOwl.
In the link to the doc, I dont see any change that must be done in the actual NCP installation beside adding the info for the trusted_proxies. Also, it does not mention the fact to disable any service like letsencrypt or DDNS configuration (in this case duckdns).
Would the reason be the fact adding the trusted_proxies NCP would understand the new setup and sort of ignore some of the local configuration and pass it to the reverse proxy?
An other thing that I am not sure completely is a possible conflict between the DDNS ncp configuration (so duckdns pointing to the NCP installation) and the Nginx that also will have to have the same DDNS name pointing at it!
That is confusing to me.
If you have any insight on that… welcome!
Hi,
May be little off topic, but below are my personal view. I am no expert on this, I am just sharing my personal running experience of a similar setup like you.
I have a NextCloud instance, running out of my home server (Repurposed Dell Workstation). I have few more instances (VMs) along with NextCloud which needs to reached from outside my home network.
So I have Nginx Proxy Manager running (as a VM) in front of all of them.
Here is the layout,
VM 1 → Ubuntu LTS 22 + NPM (Static LAN IP .100)
VM 2 → Ubuntu LTS 22 + NC (Static LAN IP .101)
VM N → other stuff (Static LAN IP .N+1 and so on)
My router forwards 80/443 to VM1 with NPM. All I need to do is create the entries at NPM GUI & point to the respective VM IPs to auto generate and manage the reverse proxy configurations.
Either I can install NoIP client on that VM1 for Dynamic DNS IP update or in my case, my router supports NoIP DNS client so it autometically updates the IP at NoIP end.
All my domain / sub domains have an “CNAME” record pointing towards my NoIP given URL.
I don’t need to do any Dynamic DNS on SSL on these individual VMs and running instances, NPM does everything, including SSL termination. NC can run on port 80 of it’s respective VM, without any SSL.
Thanks.
Thanks NaXal. Interesting.
Did you desabled the nc-httponly manually? and therefore running NC internally only on port 80 till the reverse proxy, correct?
What about the DDNS of NC? did you disabled? and you let do the IP update from your router. Correct?
My case is a little more complex but I think what you showed can do the tric.
In my case, my router Openwrt, does opnvpn for all the internal network. Anything goes out with a commercial VPN IP.
I install VPNBYPASS and I can exclude some IPs. Notably I excluded NC or it would not work out.
So, what I get from your suggestion is:
I am going to add a raspberry pi with Nginx on it.
I will exclude the Nginx PM from VPN so that can be exposed on the internet.
Have the same raspberry pi do the IP update that now NC is doing.
Forward the traffic request for my cloud to the internal IP behind Nginx. (previously created also the certificates.
Sounds correct, right?
PS
But I think I have to disable the NC DDNS duckdns IP Update… or I will have some issues… I dont think I can have that update in 2 location
Hello,
There are two things,
First, I don’t understand, why would you need to keep your own personal network in another separate OpenVPN network? Your home LAN is a personal network in anyway.
If you mean you are using OpenVPN as getway for your entire network, in that case it won’t matter with NC since it needs incoming connection. What ever way it is reaching out to the internet won’t matter to the incoming connections.
As far as I am aware, OpenWRT supports vLAN. You can create 2 sperate virtual subnets (vLANs). vLAN one as your OpenVPN getway and the vLAN two will have direct connection out via your ISP getway IP. Keep your servers (like NC) on that direct out vLAN.
I am using Snap installation of NC, there, by default SSL is turned off.
Snap installation doesn’t have any DDNS built in, not sure about the Pi image.
Unless you are updating two different IPs, it won’t matter. Since router and any other client will update the same Public Getway IP.
Thanks.
That is what I mean. Openvpn is at router level . Connecting to PIA.
Thats true. But I am having issues with it… I use a main router and 2 dumb APs. But the router and one dumb ap still uses switch’ when a 3rd dont and uses DSA (newer model and better openwrt supported).
Somehow I am having troubhle configure the 2 type … I need to wait to migrate all to DSA.
Well… everything behind the VPN has an IP, when I bypass the VPN, I have an other IP.
PS
I was never able to have incoming connection from users from the outside my LAN. For as much I understand your point, in real life (for me) did not work if I did not excluded that IP from my VPN.
Hi,
UPDATE
I finally made my raspberry pi 3 B+ my Nginx server. And it seems to work.
What is odd is that I did NOT have to add the nc-trusted-proxies.
I forgot to do that but my surprise, my cloud IS accessible from the outside world. I also created a new letsencrypt certification in the Nginx PM.
Now I am puzzled about what is really necessary with this setup!
I think I will still add the trusted proxy in NC just because I believe is the right thing to do (even if it seems not needed now).
If anyone know why it works anyway, I would be happy to know.
I dont want to fall in some security issues in a later stage.
Thanks
UPDATE 2
After adding the trusted proxy to NC, the cloud was no longer reachable.
I took the trusted domain out of the NC configuration and now is reachable again
I am totally in the dark for the reason why adding a trusted proxy in NC config gives opposite expected result!
Any idea?
UPDATE 3
So, I assume not many know why adding the trusted proxi gives an opposite solution. One would imagine it is the best solution. Yet, without it (so far) best in my configuration.
SAFARI AND IPHONE ISSUE Solved:
in this setup, turned out that all iphone could not access Nextcloud. That was not limited to Safari but as well Firefox in iphone.
It did not take long to find out that many had that issue.
The solution is to add the following line to Nginx Proxy Manager Host Advanced custom configuration:
proxy_hide_header Upgrade;
that instantly solved the issue.
I figure this might help some of you too.
Here is the HOW TO…
So,
the above is not a complete solution (unfortunately).
I try to express my issue and I will make a new POST for this problem as I think is going to deviate to this post.
All above is true and works perfect. HOWEVER, webdav is not working!
My Nextcloud Desktop stopped working.
I read all over it got to do with a few configurations between Nextcloud and Nginx… but there is not a clear solution.
The nextcloud DOC has some hints but I cant figure out how to really make it to work.
I will report and edit this post when finished the new post.