Weird Nextcloud Behavior with Proxy

Hi,

I’m running into some weird problems with a fresh Nextcloud install behind a local proxy.

So far I have encountered two symptoms which may or may not result from the same problem:

  1. In the contacts menu on the top right, pictures, names and the “Nextcloud Talk” icons only show up if I visit the Nextcloud via the local IP. If I use the public domain (cloud.example.com) I only see a list of usernames that can’t be interacted with.
  2. Connecting to the Nextcloud using the app is only possible through the local IP; when I try to log in via the public domain, nothing happens after pressing the “Grant Access” button.

The Setup is the following:

  • A public domain with subdomain (cloud.example.com) with a DNS redirect (Type A) to our static IP.
  • All traffic that arrives on ports 80 & 443 is redirected to a proxy server (192.168.0.109) running Ubuntu Server.
  • That proxy server (109) has an apache2 config file that redirects to the Nextcloud server (192.168.0.112), also running Ubuntu Server:
nextcloud.conf on 192.168.0.109
<VirtualHost *:80>
        ServerName cloud.example.com
        Redirect permanent / https://cloud.example.com
</VirtualHost>

<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

<VirtualHost *:443>
        ServerName cloud.example.com
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://192.168.0.112/
        ProxyPassReverse / http://192.168.0.112/
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/cloud.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem
        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>
</VirtualHost>
</IfModule>
  • The Nextcloud Server (112) has a standard apache2 config file for the nextcloud installation:
nextcloud.conf on 192.168.0.112
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/nextcloud

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Nextcloud configuration
        <Directory /var/www/html/nextcloud/>
                Options +FollowSymlinks
                AllowOverride All

                <IfModule mod_dav.c>
                        Dav off
                </IfModule>

                SetEnv HOME /var/www/html/nextcloud
                SetEnv HTTP_HOME /var/www/html/nextcloud
        </Directory>

</VirtualHost>

My Nextcloud System Info:

Nextcloud version: 18.0.2
Operating system and version: Ubuntu Server 19.10
Apache or nginx version: Apache 2.4.41
PHP version: 7.3

In my Nextcloud log I get a couple of errors:

imagecreatefromstring(): Data is not in a recognized format at /var/www/html/nextcloud/lib/private/legacy/image.php#621

Swift_TransportException: Connection could not be established with host 127.0.0.1 :stream_socket_client(): unable to connect to 127.0.0.1:25 (Connection refused)

Cannot declare class OCA\Talk\Migration\Version2000Date20170707093535, because the name is already in use at /var/www/html/nextcloud/apps/spreed/lib/Migration/Version2000Date20170707093535.php#127

My Nextcloud config.php file:
<?php
$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
    1 => '192.168.0.112',
    2 => 'localhost',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.0.109',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '18.0.2.2',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'password',
  'installed' => true,
);

I’ll be happy for any advice on what might be wrong here and how to set up the reverse Proxy properly.

Thanks in advance!
Jasper

Use right click on picture to see the url.

https://server.domain.tld/remote.php/dav/addressbooks/system/system/system/Database:admin.vcf?photo&size=32
(not admin but user in above url)

Is there “https” or “http” at the beginning of the url?

If http, test the access of the URL with:
a.) http://192.168.0.112/
b.) https://192.168.0.112/
c.) http://cloud.example.com/
d.) https://cloud.example.com/

So when I right click on the picture using the local address I get:

http://192.168.0.112/remote.php/dav/addressbooks/system/system/system/Database:practice.vcf?photo&size=32

And if I then test the different options:

a) local http: works
b) local https: Firefox gives me an SSL error (makes sense, https isn’t enabled for the Nextcloud server as it’s done by the proxy server)
c) public http: works (it’s automatically redirected to https)
d) public https: works

Perhaps you can use the developer option (F12) in Firefox and then the network tab. Can you find the corresponding URLs? Perhaps there is a difference or an error.

So the URL is greyed out. It’s an http URL and not an https URL, which I guess is wrong? When going to that URL manually I am able to download the file though…

Perhaps the rewrite from http to https is not correct.

Test this at the beginning of /var/www/html/nextcloud/.htaccess
An error in this file can break your Nextcloud. Delete the lines if errors occur.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{ENV:HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Sorry, I’m not quite sure what you want me to do. I have the .htaccess file open now. Should I add these lines somewhere?

At the beginning of the file.

So all http requests are redirected to https.
Perhaps there is a problem in nextcloud with redirecting from http to https.

I’ve attached the file below. Shouldn’t the rewrite happen on the proxy server already? In the Apache nextcloud.conf file on the proxy server (109) I’ve added your rewrite routine instead of the

Redirect permanent / https://cloud.example.com

which I’ve had before. Unfortunately, that doesn’t solve the issue.

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Download-Options "noopen"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //


Sorry. No further idea.

No worries, thank you for your time!

Ok, I solved it.

'overwriteprotocol' => 'https', was missing from my Nextcloud config.php file.
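
A check for the symptom this thread diagnoses, as an added example that is not part of the original posts: when TLS ends at the proxy and the backend believes it is on plain HTTP, pages served over https carry http:// references to the same host. The function name, the sample response and the `/constructed/...` paths are assumptions made for illustration; only the avatar path comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

URL_ATTRS = {"src", "href", "action", "poster", "data"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def find_scheme_downgrades(page_url, headers, body):
    """List http:// references to the page's own host found on an https page."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # page itself is plain HTTP: nothing is being downgraded

    def downgraded(ref):
        # Relative and scheme-relative references inherit https and are fine.
        target = urlsplit(urljoin(page_url, ref))
        return target.scheme == "http" and target.hostname == page.hostname

    # Headers that carry an absolute URL the client will follow.
    findings = [(f"header:{n}", v) for n, v in headers.items()
                if n.lower() in ("location", "content-location") and downgraded(v)]
    collector = _RefCollector()
    collector.feed(body)
    findings += [(f"{t}[{a}]", v) for t, a, v in collector.refs if downgraded(v)]
    return findings


# Constructed sample response for https://cloud.example.com/ (not captured traffic).
SAMPLE_URL = "https://cloud.example.com/"
SAMPLE_HEADERS = {"Location": "http://cloud.example.com/constructed/redirect"}
SAMPLE_BODY = (
    '<img src="http://cloud.example.com/remote.php/dav/addressbooks/system/'
    'system/system/Database:practice.vcf?photo&size=32">'
    '<script src="/constructed/app.js"></script>'
    '<a href="https://cloud.example.com/">home</a>'
)

if __name__ == "__main__":
    for where, url in find_scheme_downgrades(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where}: {url}")
```

An empty result for pages fetched through the public domain is what to expect once the backend generates https URLs.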