Return to Level1Techs.com

Nginx-reverseproxy and nextcloud issue

Hello world,

As the title says, it makes me quite uncomfortable to not know how to do this, and I really mean, I tried.

My infrastructure hierarchy:
Windows server 2019
Docker ( hosting nginx and Nextcloud )
Pfsense
No-ip ( ip to 4byssal.ddns.net)
Domainhotelli ( 4byssal.ddns.net to Domain abyss.fi )

I want to setup my Nextcloud, I could try to find the config file(cant find it) to disable https, but tbh , unsecured file and pw transfer in 2021 is like jumping into magma.

Can you help me out ?

(I really would like to stop having Domainhotelli and No-ip, if anyone has tips)

Sure:

Here’s your problem. Try something based on Linux or BSD instead.

You need to obtain a SSL certificate. There are “free” options (they rarely are free though!) but your ISP should be able to help you out. Install that in the root of your webserver (again, lots of info online, google it) then ensure the webpages are served from the secure side of the website. On most webservers, there’s a HTTPS folder to store stuff in. Again, google is your friend here.

1 Like

I have generated one 4096bit for filezilla.
Also one 2048 bit for rdp
And one I recently created with iis

1 Like

just what the Dutch_Master said. Try using a Linux distro for a server. If you must use windows 2019 for learning or other reasons. You will need a SSL Cert and use IIS to help you specify the SSL and the webpage

instructions: https://www.server-world.info/en/note?os=Windows_Server_2019&p=iis&f=5

1 Like

Get another nginx and use it as a https reverse proxy. You point the reverse proxy server to other instances of nginx web servers and to nextcloud (or anything that works on http). Then, you add the certificates in the config and finally, you make another vhost listening to port 80 and redirect to 443.

1 Like

If you switch to Nginx proxy manager is way easier to setup. It’s all done through a web GUI. For Nextcloud you need to put the https domain in the trusted domains and this line 'overwriteprotocol' => 'https', before the end of the config file.
The config file is in the base directory in which the container is installed + datafiles/config/config.php.

This way you won’t be able to access your Nextloud istance through your local network, but you won’t have issues with https not working anymore.

1 Like

I just notice that I have not completely failed. SSL works on https://4byssal.ddns.net
So would need to redirect the signal from iis to whatever page am looking for…

1 Like

See my port configuration is a little messy:
Router
90:90
9090:9090
80:70
443:443
8080:8080
8000:8000

Server(docker)
90:80 nextcloud
9090:443 nextcloud
70:80 nginx page
443:443 iis page

Looking into the docker console, nextcloud complains about proper A records, what should I enter on Domainhotelli for it to be right?

1 Like

I followed this tutorial and it seems to have worked pretty well, except I can not open the page on localhost:90 nor localhost:9090
https://www.51sec.org/2021/01/23/install-nextcloud-docker-and-integrate-with-nginx-and-letsencrypt-ssl-certificate/#:~:text=For%20Dock%20Compose%20file%2C%20there%20are%20two%20options,a%20new%20nextcloud%20docker-compose%20file%20without%20DB%202.

Domainhotelli has Cpanel where I can change dns settings, redirects and https redirects.

I used to have cc.abyss.fi as redirect to 4byssal.ddns.net:9090

1 Like

Letsencrypt very much is free. Not rarely but since years.

Certbot is what you usually use to renew those automatically. Let’sencrypt certs have a very short lifetime for certs so automatic renewal is basically required.

You can ofc also manually create a cert (which is the other free option). With the only catch being that you are not an authorized certificate provider that browsers etc. trust by default (and won’t become one). So you’ll always have ‘insecure site’ warning that you need to trust explicitly even though it’s technically very much more secure than sites that do not use SSL.

2 Likes

Seems to be used on this nextcloud container

Seems also to be in the container

1 Like

What exact containers are you using? Also Windows containers or Linux containers (Windows can run both)? Can you share the container setup you’ve gone threw? I do not think the standard nginx container has letsencrypt stuff included.

1 Like

I’m running Linux containers so I don’t have to translate all the docker compose files.
I have nginx to drive my main page 4byssal.ddns.net
And nextcloud on port 90/9090

`version: ‘3.3’
services:
web:
image: nginx:latest
container_name: abyssnginx
volumes:

  • ./src:/usr/share/nginx/html:ro
    ports:
  • 70:80`

The docker compose for the nextcloud is in the link

With the PWs changed and FQDN set to cc.abyss.fi
And ports
90:80
9090:443

1 Like

I´ve never done this specific thing with docker. But I´ve used some of the linuxserver.io images for other things and they where pretty solid, so I would recommend you try this one linuxserver/swag. I´ve also setup a bunch of nginx as a reverse proxy and for SSL before, but never with docker (I just installed nginx on those systems and configured SSL there). Though, looking at this there is actually much less to do as everything is pre-configured. You don´t have to bother creating and renewing the SSL cert. You just have to add what you want it to do.

I just tried this out locally to see if the docker-compose file was valid that i was creating, though I don´t have a domain pointing to my desktop so not 100% sure it works.

  1. Add a service like this to your compose file.
version: '3.3'
services:
  reverseproxy:
    image: linuxserver/swag
    container_name: reverseproxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      - VALIDATION=http
      - URL=yourdomain.url
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      # - SUBDOMAINS=www, <- optional list for sub-domains
    volumes:
      - /path/to/config:/config:rw

There is a lot more configuration that you can do in there look up their documentation for more details. But i think those are the most essential to get it working at all.

  1. Remove all the ports from all other containers that you defined in that file. If you create your nextcloud container in that same file docker-compose will create a dns alias with your container name. So in your case your current nginx container would have been reachable by https://abyssnginx from other containers defined in the same file, there is no need to forwards the port.
    You can also remove the nginx container (or keep it your choice), it´s not strictly speaking necessarly (since the other one includes nginx too), but if you want to segregate tasks/configuration in some way you can also keep it and reverse proxy only and have other containers that each host some site you have. I.e. one for the website, one for nextcloud and whatever else you want.

  2. The linuxserver container should immidiately give you a default https site available on port 443 (test if that works). You shoudl also then have a file in /path/to/config/nginx/site-confs/default where you can edit what you want to proxy to do. Either you plonk in your currentl nginx configuration in the block with listen 443 or you proxy to https://abyssnginx.

2 Likes

Probably if SSL is handled by something else, actually you will disable it for nextcloud.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html

You´ll have to add this container under trusted_proxies in an config file. So assuming you named your container the same as in the example compose file I posed you´d add http://reverseproxy to trusted_proxies.


Once you have multiple services on the same server it´s really the only sane way imo to have a single thing terminate all SSL traffic (since you cannot exactly have multiple programs listen to port 443). Your only other option is to use many different ports (other than 443) for SSL and have your SSL configuration scattered around whatever might be included with various programs.

2 Likes

Just clicked on the nextcloud link you posted for the docker-compose nextcloud configuration.

You are not using either of the containers in your post for ssl, but staticfloat/nginx-certbot which yeah does indeed have certbot included judging by the name of it. The official nginx container does not.

All this time I assumed certbot was included in your nextcloud instance and you needed another way to do it… But staticfloat/nginx-certbot should be able to accomplish the same as the linuxserver container.
Well, anways I hope this is helpful nevertheless.

2 Likes

So I should stop my IIS, nginx web container and Nextcloud? 80 and 443 are occupied by iis.

Here is what I got now:
version: ‘3.3’
services:
reverseproxy:
image: linuxserver/swag
container_name: reverseproxy
restart: unless-stopped
ports:
- “90:80”
- “9090:443”
environment:
- VALIDATION=http
- URL=abyss.fi
- PUID=1000
- PGID=1000
- TZ=Europe/London
- SUBDOMAINS=www,cc,zd
volumes:
- /path/to/config:/config:rw

I guess, if you want me to listen to 80 and 443 I should stop iis?

I’ll stick to what you said earlier. See what I can do. I would also be up for a discord call or teamviewer.

1 Like

Trying to compose this with 80 and 443 errors even in admin PS

PS C:\Users\Administrator> cd G:\servers\nginx-swag
PS G:\servers\nginx-swag> docker-compose up -d
Starting reverseproxy … error

ERROR: for reverseproxy Cannot start service reverseproxy: Ports are not available: listen tcp 0.0.0.0:443: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

ERROR: for reverseproxy Cannot start service reverseproxy: Ports are not available: listen tcp 0.0.0.0:443: bind: An attempt was made to access a socket in a way forbidden by its access permissions.
ERROR: Encountered errors while bringing up the project.
PS G:\servers\nginx-swag>

I even went in netstat -ano | findstr :80 and 443
To kill the tasks but didn’t help.

And this happened:
TCP [::]:443 [::]:0 LISTENING 4

C:\Users\Administrator>taskkill /pid 4 /F
ERROR: The process with PID 4 could not be terminated.
Reason: Access is denied.

System is using 443

I went around this by using 9090:443 and pointing 443 to 9090 on my router. But i just get unexpectedly closed connection outside and connection was reset on the inside.

Regarding having Letsencrypt on Nextcloud container and swag. I could also just switch back to the basic nextcloud container. It worked atleast.

So magic, i guess.
I went through the DNS settings in the cpanel. I have no idea, there was some random ip as A record for cc, zd and abyss. I added the server IP and then went and turned on https redirect and now. 4byssal.ddns.net works on 443 but not abyss.fi, for some reason it redirects to 70…

Well anyways, cc.abyss.fi actually shows the page. Now question is how I get a nextcloud page on cc.abyss.fi

1 Like

It’s expected, at least for me. When you enable HTTPS any other mean to access the resource is thrown out the window, for security reasons I suppose.

Forgot this part in the yml for the swag container.

cap_add:
      - NET_ADMIN
      - CAP_NET_BIND

It mentions needing NET_ADMIN cap. Had overlooked that. CAP_NET_BIND should allow you to bind to ports < 1000.