As the title says, it makes me quite uncomfortable to not know how to do this, and I really mean it, I tried.
My infrastructure hierarchy:
Windows server 2019
Docker (hosting nginx and Nextcloud)
pfSense
No-IP (IP to 4byssal.ddns.net)
Domainhotelli (4byssal.ddns.net to domain abyss.fi)
I want to set up my Nextcloud. I could try to find the config file (can't find it) to disable HTTPS, but tbh, unsecured file and password transfer in 2021 is like jumping into magma.
Can you help me out ?
(I really would like to stop having Domainhotelli and No-ip, if anyone has tips)
Here's your problem. Try something based on Linux or BSD instead.
You need to obtain an SSL certificate. There are "free" options (they rarely are free though!) but your ISP should be able to help you out. Install that in the root of your webserver (again, lots of info online, google it), then ensure the webpages are served from the secure side of the website. On most webservers, there's an HTTPS folder to store stuff in. Again, Google is your friend here.
Just what Dutch_Master said. Try using a Linux distro for a server. If you must use Windows Server 2019 for learning or other reasons, you will need an SSL cert and use IIS to help you specify the SSL and the webpage.
Get another nginx and use it as an HTTPS reverse proxy. You point the reverse proxy server to the other nginx web server instances and to Nextcloud (or anything that works on HTTP). Then you add the certificates in the config, and finally you make another vhost listening on port 80 that redirects to 443.
If you switch to Nginx Proxy Manager it is way easier to set up. It's all done through a web GUI. For Nextcloud you need to put the HTTPS domain in the trusted domains and this line 'overwriteprotocol' => 'https', before the end of the config file.
The config file is in the base directory in which the container is installed + datafiles/config/config.php.
This way you won't be able to access your Nextcloud instance through your local network, but you won't have issues with HTTPS not working anymore.
I just noticed that I have not completely failed. SSL works on https://4byssal.ddns.net
So I would need to redirect the signal from IIS to whatever page I am looking for…
Letsencrypt very much is free. Not rarely, but for years now.
Certbot is what you usually use to renew those automatically. Letsencrypt certs have a very short lifetime, so automatic renewal is basically required.
You can of course also manually create a cert (which is the other free option). The only catch is that you are not an authorized certificate provider that browsers etc. trust by default (and won't become one). So you'll always have the "insecure site" warning that you need to trust explicitly, even though it's technically very much more secure than sites that do not use SSL.
What exact containers are you using? Also, Windows containers or Linux containers (Windows can run both)? Can you share the container setup you've gone through? I do not think the standard nginx container has Letsencrypt stuff included.
I'm running Linux containers so I don't have to translate all the docker-compose files.
I have nginx to drive my main page 4byssal.ddns.net
And nextcloud on port 90/9090
IĀ“ve never done this specific thing with docker. But IĀ“ve used some of the linuxserver.io images for other things and they where pretty solid, so I would recommend you try this one linuxserver/swag. IĀ“ve also setup a bunch of nginx as a reverse proxy and for SSL before, but never with docker (I just installed nginx on those systems and configured SSL there). Though, looking at this there is actually much less to do as everything is pre-configured. You donĀ“t have to bother creating and renewing the SSL cert. You just have to add what you want it to do.
I just tried this out locally to see if the docker-compose file was valid that i was creating, though I donĀ“t have a domain pointing to my desktop so not 100% sure it works.
There is a lot more configuration that you can do in there look up their documentation for more details. But i think those are the most essential to get it working at all.
Remove all the ports from all other containers that you defined in that file. If you create your nextcloud container in that same file docker-compose will create a dns alias with your container name. So in your case your current nginx container would have been reachable by https://abyssnginx from other containers defined in the same file, there is no need to forwards the port.
You can also remove the nginx container (or keep it your choice), itĀ“s not strictly speaking necessarly (since the other one includes nginx too), but if you want to segregate tasks/configuration in some way you can also keep it and reverse proxy only and have other containers that each host some site you have. I.e. one for the website, one for nextcloud and whatever else you want.
The linuxserver container should immidiately give you a default https site available on port 443 (test if that works). You shoudl also then have a file in /path/to/config/nginx/site-confs/default where you can edit what you want to proxy to do. Either you plonk in your currentl nginx configuration in the block with listen 443 or you proxy to https://abyssnginx.
YouĀ“ll have to add this container under trusted_proxies in an config file. So assuming you named your container the same as in the example compose file I posed youĀ“d add http://reverseproxy to trusted_proxies.
Once you have multiple services on the same server itĀ“s really the only sane way imo to have a single thing terminate all SSL traffic (since you cannot exactly have multiple programs listen to port 443). Your only other option is to use many different ports (other than 443) for SSL and have your SSL configuration scattered around whatever might be included with various programs.
Just clicked on the nextcloud link you posted for the docker-compose nextcloud configuration.
You are not using either of the containers in your post for ssl, but staticfloat/nginx-certbot which yeah does indeed have certbot included judging by the name of it. The official nginx container does not.
All this time I assumed certbot was included in your Nextcloud instance and you needed another way to do it… But staticfloat/nginx-certbot should be able to accomplish the same as the linuxserver container.
Well, anyway, I hope this is helpful nevertheless.
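The arrangement the last few posts describe, one nginx instance terminating TLS for every name on the host, a port-80 vhost that serves only ACME challenges and redirects everything else to 443, and backends reached by their compose service names with no published ports, as an added example. This is not configuration from the thread, from Nextcloud or from the linuxserver/swag image; the backend names abyssnginx and nextcloud, the certificate paths (a plain certbot layout; swag stores its keys under its own /config tree), the single certificate covering all three hostnames, and the hostname-to-service mapping are assumptions made here for illustration.

```nginx
# Added example, not from the thread or from any project. Included from the http {} context
# (e.g. conf.d/), so the shared TLS and proxy settings sit at file scope rather than being
# repeated in every server block.
#
# Assumed (hypothetical): backends "abyssnginx" (static site) and "nextcloud", both serving
# plain HTTP on port 80 inside the compose network, and one Let's Encrypt certificate whose
# SANs cover 4byssal.ddns.net, abyss.fi and cc.abyss.fi.

ssl_certificate     /etc/letsencrypt/live/abyss.fi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/abyss.fi/privkey.pem;
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 1d;

# What the backends see: original host, client address and scheme. Nextcloud reads
# X-Forwarded-Proto (with 'overwriteprotocol' => 'https') to build https:// links, and
# only honours these headers from addresses listed in its 'trusted_proxies'.
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_http_version 1.1;

# Port 80: answer ACME HTTP-01 challenges, send everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name 4byssal.ddns.net abyss.fi cc.abyss.fi;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;        # certbot --webroot -w /var/www/certbot writes here
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Main site, proxied to the existing nginx container over the compose network.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 4byssal.ddns.net abyss.fi;

    add_header Strict-Transport-Security "max-age=15552000" always;

    location / {
        proxy_pass http://abyssnginx:80;
    }
}

# Nextcloud on its own hostname.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cc.abyss.fi;

    add_header Strict-Transport-Security "max-age=15552000" always;
    client_max_body_size 10G;         # nginx's default of 1m rejects most uploads
    proxy_read_timeout   3600s;       # long sync and upload requests

    # CalDAV/CardDAV autodiscovery arrives at the proxy; answer it here.
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    location / {
        proxy_pass http://nextcloud:80;
    }
}

# Catch-all: refuse the TLS handshake for any other name pointed at this IP instead of
# silently serving the first vhost. Requires nginx 1.19.4 or newer.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

On the Nextcloud side, each public name still has to appear in 'trusted_domains', and 'trusted_proxies' takes the proxy's IP address or CIDR range as seen from the Nextcloud container (the compose network range works), otherwise the X-Forwarded-* headers above are ignored and links come back as http://. Run `nginx -t` before reloading, and confirm `curl -I http://cc.abyss.fi/` returns a 301 to https before leaving the Strict-Transport-Security header in place, because browsers remember it for the whole max-age.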
Trying to compose this with 80 and 443 errors even in admin PS
PS C:\Users\Administrator> cd G:\servers\nginx-swag
PS G:\servers\nginx-swag> docker-compose up -d
Starting reverseproxy ... error
ERROR: for reverseproxy Cannot start service reverseproxy: Ports are not available: listen tcp 0.0.0.0:443: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
ERROR: for reverseproxy Cannot start service reverseproxy: Ports are not available: listen tcp 0.0.0.0:443: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
ERROR: Encountered errors while bringing up the project.
PS G:\servers\nginx-swag>
I even went in netstat -ano | findstr :80 and 443
To kill the tasks, but it didn't help.
And this happened:
TCP [::]:443 [::]:0 LISTENING 4
C:\Users\Administrator>taskkill /pid 4 /F
ERROR: The process with PID 4 could not be terminated.
Reason: Access is denied.
System is using 443
I went around this by using 9090:443 and pointing 443 to 9090 on my router. But I just get "unexpectedly closed connection" outside and "connection was reset" on the inside.
Regarding having Letsencrypt on the Nextcloud container and swag: I could also just switch back to the basic Nextcloud container. It worked at least.
So magic, i guess.
I went through the DNS settings in the cPanel. I have no idea, there was some random IP as the A record for cc, zd and abyss. I added the server IP and then went and turned on HTTPS redirect, and now 4byssal.ddns.net works on 443 but not abyss.fi; for some reason it redirects to 70…
Well anyway, cc.abyss.fi actually shows the page. Now the question is how I get a Nextcloud page on cc.abyss.fi.
It's expected, at least for me. When you enable HTTPS, any other means of accessing the resource is thrown out the window, for security reasons I suppose.