Reverse-Proxy Konfiguration + Nextcloud

[Anonymous User]

Moin Leute,

ich habe eine VM mit Nextcloud selfhosted limp (mit Nginx) am Laufen.

Zudem habe ich in einer weiteren VM einen Standardnotes-Server im Betrieb.

Nun habe ich noch eine dritte VM mit Nginx installiert, dieser soll als Reverse-Proxy für die anderen Server fungieren.

Dazu habe ich mir eine Domain gekauft und entsprechende Subdomains als DNS-Einträge eingetragen.

Jetzt ist Nextcloud jedoch nur über die IP Adresse zu erreichen.
Wie kriege ich es hin, dass ich meine Nextcloud über den Domainnamen erreiche?

Spoiler: /etc/nginx/sites-available/reverse-proxy.conf

server {
server_name cloud.sample.de;
listen 443 default_server;
listen [::]:443 default_server;

location ^~ /nextcloud {
client_max_body_size 1024M;
proxy_buffering off;
proxy_connect_timeout 3600;
proxy_max_temp_file_size 1024M;
proxy_pass https://cloud.sample.de:443;
proxy_redirect off;
proxy_request_buffering off;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
send_timeout 3600;
}
}

Spoiler: /var/www/nextcloud/config/config.php

<?php
$CONFIG = array (
'instanceid' => 'xxx',
'passwordsalt' => 'xxx',
'secret' => 'xxx',
'trusted_domains' =>
array (
0 => 'localhost',
1 => 'cloud.sample.de',
),
'trusted_proxies' =>
array(
0 => 'xxx.xxx.x.xxx'
),
'datadirectory' => '/var/nc_data',
'dbtype' => 'mysql',
'version' => '23.0.3.2',
'overwrite.cli.url' => 'https://cloud.sample.de',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'user',
'dbpassword' => 'xxx',
'installed' => true,
'activity_expire_days' => 14,
'allow_local_remote_servers' => true,
'auth.bruteforce.protection.enabled' => true,
'blacklisted_files' =>
array (
0 => '.htaccess',
1 => 'Thumbs.db',
2 => 'thumbs.db',
),
'cron_log' => true,
'default_phone_region' => 'DE',
'defaultapp' => 'files,dashboard',
'enable_previews' => true,
'enabledPreviewProviders' =>
array (
0 => 'OC\Preview\PNG',
1 => 'OC\Preview\JPEG',
2 => 'OC\Preview\GIF',
3 => 'OC\Preview\BMP',
4 => 'OC\Preview\XBitmap',
5 => 'OC\Preview\Movie',
6 => 'OC\Preview\PDF',
7 => 'OC\Preview\MP3',
8 => 'OC\Preview\TXT',
9 => 'OC\Preview\MarkDown',
),
'filesystem_check_changes' => 0,
'filelocking.enabled' => 'true',
'htaccess.RewriteBase' => '/',
'integrity.check.disabled' => false,
'knowledgebaseenabled' => false,
'logfile' => '/var/log/nextcloud/nextcloud.log',
'loglevel' => 2,
'logtimezone' => 'Europe/Berlin',
'log_rotate_size' => '104857600',
'maintenance' => false,
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'overwriteprotocol' => 'https',
'preview_max_x' => 1024,
'preview_max_y' => 768,
'preview_max_scale_factor' => 1,
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.5,
'dbindex' => 1,
),
'quota_include_external_storage' => false,
'share_folder' => '/Freigaben',
'skeletondirectory' => '',
'theme' => '',
'trashbin_retention_obligation' => 'auto, 7',
'updater.release.channel' => 'stable',
);

 

[playerthreeone]

Wo hast du die VMs laufen? Bei dir zuhause?

 

[madmax2010]

proxy_pass https://cloud.sample.de:443;

ist die nextcloud extern?

habs auf fpm laufen:

        location ~ \.php(?:$|/) {
                rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                set $path_info $fastcgi_path_info;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                fastcgi_param modHeadersAvailable true;
                fastcgi_param front_controller_active true;
                fastcgi_pass unix:/run/php/php7.4-fpm.sock;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
                fastcgi_read_timeout 3600;
                fastcgi_send_timeout 3600;
                fastcgi_connect_timeout 3600;
        }

komplette config fuer nextcloud mit online office und sosntigen annehmlichkeiten:

server {
    listen 443      ssl http2;
    listen [::]:443 ssl http2;
    server_name xxx.xxx.xxx;
    ssl_certificate /etc/letsencrypt/live/xxx.xxx.xxx/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xxx.xxx.xxx/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
    ssl_ecdh_curve X448:secp521r1:secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    client_max_body_size 10G;
    client_body_timeout 3600s;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    add_header Strict-Transport-Security            "max-age=15768000; includeSubDomains; preload;" always;
    add_header Permissions-Policy                   "interest-cohort=()";
    add_header Referrer-Policy                      "no-referrer"   always;
    add_header X-Content-Type-Options               "nosniff"       always;
    add_header X-Download-Options                   "noopen"        always;
    add_header X-Frame-Options                      "SAMEORIGIN"    always;
    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
    add_header X-Robots-Tag                         "none"          always;
    add_header X-XSS-Protection                     "1; mode=block" always;
    fastcgi_hide_header X-Powered-By;
    
    root /usr/share/nginx/nextcloud/;
    index index.php index.html /index.php$request_uri;
    
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }
    
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    
    location ^~ /apps/rainloop/app/data {
        deny all;
    }
    
    location ^~ /.well-known {
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
        location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation { try_files $uri $uri/ =404; }
        return 301 /index.php$request_uri;
    }

    location ^~ /browser {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    location ~ ^/cool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    location ~ ^/(c|l)ool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    location ^~ /cool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
    
    location ~ \.php(?:$|/) {
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
        fastcgi_read_timeout 3600;
        fastcgi_send_timeout 3600;
        fastcgi_connect_timeout 3600;
    }
    
    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ {
        try_files $uri /index.php$request_uri;
        expires 6M;
        access_log off;
        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }
    
    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;
        access_log off;
    }
    
    location /remote {
        return 301 /remote.php$request_uri;
    }
    
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}



server {
    if ($host = xxx.xxx.xxx) {
        return 301 https://$host$request_uri;
    }
    server_name xxx.xxx.xxx;
    listen 80;
    listen [::]:80;
    return 404;
}

 

[Anonymous User]

@playerthreeone, Ja alle VMs laufen bei mir daheim auf qemu kvm.

 

[Rickmer]

Ich habe meinen nginx reverse Proxy in Docker laufen, dashier ist die Konfiguration:

server {
  set $forward_scheme http;
  set $server         "192.168.12.198";
  set $port           80;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name nc.domain.net;
  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-18/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-18/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000; preload" always;

    # Force SSL
    include conf.d/include/force-ssl.conf;

  access_log /data/logs/proxy-host-3_access.log proxy;
  error_log /data/logs/proxy-host-3_error.log warn;

  location /.well-known/carddav {
    set              $upstream http://192.168.12.198:80/remote.php/dav;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       $upstream;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000; preload" always;
  }
  location /.well-known/caldav {
    set              $upstream http://192.168.12.198:80/remote.php/dav;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       $upstream;

# Block Exploits
  include conf.d/include/block-exploits.conf;
 
    # Force SSL
    include conf.d/include/force-ssl.conf;
   
  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000; preload" always;
  }
 
  location / {
  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000; preload" always;
 
    # Proxy!
    include conf.d/include/proxy.conf;
  }
  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

Das läuft soweit ich sehe gut und durch die well-known Einträge funktioniert auch Sync vom Kalender und Kontakten mit dem Smartphone.

Für meinen Teil habe ich das alles über UI eingetickert. Für mehr fehlt mir hier die Erfahrung.

 

[Anonymous User]

ist die nextcloud extern?

Also die Nextcloud läuft in einer eigenen VM in meinem lokalen Netzwerk.

Ich habe jetzt eure Codes getestet und bei mir klappts einfach nicht. Ich habe sogar exakt die gleiche Nextcloud Config wie du @madmax2010. Vermutlich von Carsten Rieger .

Vielleicht habe ich mich missverständlich ausgedrückt. Ich möchte, dass meine Cloud sowie andere Server extern, also außerhalb des lokalen Netzwerks erreichbar sind mit nur einer öffentlichen IP.

Ich habe die Erreichbarkeit meiner Cloud über den Domainnamen getestet, funktioniert ohne Proxy. Wenn ich jetzt die Portfreigaben auf den Proxy zeige und versuche die Cloud über den Proxy zu erreichen, ist der Verbindungsaufbau entweder komplett gescheitert oder die Fehlermerldung 502 Bad Gateway ist erschienen.

Ebenso habe ich festgestellt, dass mein Proxy bisher noch gar nicht funktioniert hat, auch nicht über IP.

 

[Anonymous User]

Ich habe den Reverse Proxy nun mit Nginx Proxy Manager zum Laufen gebracht. Bin soweit sehr zufrieden.

Nur weiß ich noch nicht, wie ich das hier:

location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}

im NPM einfügen kann.