Running Nextcloud on HTTPS mode behind a Reverse Proxy

Guys,

I have installed Nextcloud on HTTPS port 9001 at the beginning with SSL, etc. I was facing all sorts of errors but managed to resolve them all.

But, then I realized that instead of accessing it on port 9001, maybe it’s a good idea to have it just on standard port like cloud.example.com.

Turns out that the Truenas Pod Container can’t listen to port 443, so I had to use reverse proxy to forward host 443 port to nextcloud container port 9001.

So my question is, mainly to those who installed reverse proxy, did you keep your nextcloud on SSL? Because in my case, I was unable to run nextcloud on HTTP port without having all sorts of errors. For example nextcloud was unable to fetch its configuration at the administrator settings, etc…

Because of this, I'm now running both the reverse proxy and Nextcloud in SSL mode. It's kind of a double SSL handshake, which makes me think it may somehow reduce performance; otherwise it's working great.

Interesting, what did I miss when configuring Nextcloud to run in HTTP mode instead of HTTPS?

I run all my services in regular HTTP mode behind an HTTPS reverse proxy (Caddy). In fact, this is actually the default protocol used by Caddy for reverse proxies. Running it under Caddy also comes with the upside that I never have to worry about the certs. SSL certs on Caddy are all automatic set-and-forget, which is awesome.

I don't think you're missing anything, honestly.

So is implementing this in Truenas - Nextcloud just a matter of technique, or am I facing some known issue?

Managed to run Nextcloud in HTTP mode behind the reverse proxy.

Nextcloud config in Truenas:

Host: blank

Environment variables:

OVERWRITEHOST
cloud.example.com

OVERWRITECLIURL
http://cloud.example.com

Web Port:
9001

Certificate:
None

Nginx Proxy Config at host:

server {
    listen 80;
    listen [::]:80;
    server_name cloud.example.com;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # Enforce HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    server_name cloud.example.com;
    listen      0.0.0.0:443 default_server ssl http2;
    listen      [::]:443 default_server ssl http2;

    ssl_certificate        "/etc/certificates/cert.crt";
    ssl_certificate_key    "/etc/certificates/cert.key";
    ssl_dhparam            "/data/dhparam.pem";

    ssl_session_timeout    120m;
    ssl_session_cache      shared:ssl:16m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;

    # Large uploads: let Nextcloud enforce its own size limit
    client_max_body_size 0;
    underscores_in_headers on;

    location / {
        # Pass the original host, client address and scheme so the
        # backend can build correct absolute URLs
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;

        proxy_buffering off;
        proxy_redirect off;
        proxy_max_temp_file_size 0;

        # The header value must stay on one line
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        access_log /var/log/nginx/nextcloud.access.log;
        error_log /var/log/nginx/nextcloud.error.log;

        # Plain HTTP to the Nextcloud container
        proxy_pass http://192.168.1.11:9001;
    }
}

Just in case anyone will be in the same situation…

The bad part is that a future Truenas update will most likely overwrite my nginx.conf file and I will have to rewrite it again. I have tried Nginx Proxy Manager but it didn't listen on port 443 :confused:
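To show why an HTTP-only container behind a TLS-terminating proxy needs more than OVERWRITEHOST, here is an added example (not Nextcloud's code and not part of this thread) that models, in simplified form, how a Nextcloud-style application decides the request scheme and builds absolute URLs. The config keys mirror the config.php names (overwritehost, overwriteprotocol, trusted_proxies, which the docker image exposes as OVERWRITEHOST, OVERWRITEPROTOCOL and TRUSTED_PROXIES); the addresses and headers are constructed to match the nginx block above, and the proxy address 192.168.1.10 is an assumption. The post above sets the host but neither the protocol nor the trusted proxies, so the three config variants show what each of those settings decides.

```python
"""Simplified model of scheme/host resolution behind a reverse proxy.

Added illustration, not Nextcloud's implementation: the precedence
(overwriteprotocol, then X-Forwarded-Proto from a trusted proxy, then the
app's own socket) follows what Nextcloud documents for these config keys.
"""
from __future__ import annotations

import ipaddress

# Constructed sample values (assumptions, not from the post): the nginx host
# as seen by the container, and a client address from the documentation range.
PROXY_ADDR = "192.168.1.10"
CLIENT_ADDR = "203.0.113.5"

# Headers the nginx location block adds before proxying to port 9001.
FORWARDED_HEADERS = {
    "Host": "cloud.example.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": CLIENT_ADDR,
}

# Three config variants, keyed by the config.php names.
CONFIG_HOST_ONLY = {"overwritehost": "cloud.example.com"}
CONFIG_TRUSTED = {"overwritehost": "cloud.example.com",
                  "trusted_proxies": ["192.168.1.0/24"]}
CONFIG_OVERWRITE = {"overwritehost": "cloud.example.com",
                    "overwriteprotocol": "https"}


def from_trusted_proxy(remote_addr: str, trusted_proxies: list[str]) -> bool:
    """True when the direct peer is inside one of the trusted addresses/CIDRs."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def effective_protocol(remote_addr: str, headers: dict, tls_on_app: bool, config: dict) -> str:
    """Scheme the app believes the client used.

    1. an explicit overwriteprotocol always wins;
    2. X-Forwarded-Proto is honoured only when the peer is a trusted proxy;
    3. otherwise the app's own socket decides (plain HTTP on port 9001 here).
    """
    if config.get("overwriteprotocol"):
        return config["overwriteprotocol"]
    xfp = headers.get("X-Forwarded-Proto")
    if xfp and from_trusted_proxy(remote_addr, config.get("trusted_proxies", [])):
        return xfp.split(",")[0].strip().lower()
    return "https" if tls_on_app else "http"


def effective_host(headers: dict, config: dict) -> str:
    """overwritehost takes precedence over the proxied Host header."""
    return config.get("overwritehost") or headers.get("Host", "")


def absolute_url(remote_addr: str, headers: dict, tls_on_app: bool,
                 config: dict, path: str = "/settings/admin") -> str:
    """Absolute URL the app would put into pages, redirects and API calls."""
    scheme = effective_protocol(remote_addr, headers, tls_on_app, config)
    return f"{scheme}://{effective_host(headers, config)}{path}"


def hits_http_redirect(url: str) -> bool:
    """Mirror the port-80 server block: every http:// URL is bounced to https."""
    return url.startswith("http://")


if __name__ == "__main__":
    variants = [("host only", CONFIG_HOST_ONLY),
                ("trusted_proxies", CONFIG_TRUSTED),
                ("overwriteprotocol", CONFIG_OVERWRITE)]
    for name, cfg in variants:
        url = absolute_url(PROXY_ADDR, FORWARDED_HEADERS, False, cfg)
        print(f"{name:18} -> {url}  bounced via port 80: {hits_http_redirect(url)}")
    # A forwarded header from a peer that is not a listed proxy is ignored.
    print("untrusted peer     ->",
          effective_protocol(CLIENT_ADDR, FORWARDED_HEADERS, False, CONFIG_TRUSTED))
```

With only the host overwritten, the app still sees a plain HTTP socket and emits http:// links, which the port-80 block immediately redirects; that round trip is the kind of thing that breaks admin-settings requests. Either listing the proxy in trusted_proxies (so X-Forwarded-Proto is believed) or pinning overwriteprotocol to https makes every generated URL https:// while the container itself keeps speaking HTTP, and the trusted_proxies check is what keeps that header from being honoured when it arrives from anything other than the proxy.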