§2024-05-05
¶NGINX configuration
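# TLS-terminating reverse proxy in front of the Nextcloud backend.
server {
    server_name nc.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Hard-coded: this server block only has TLS listeners.
        proxy_set_header X-Forwarded-Proto https;
        # Carries the requested host name, not the client address. The client
        # IP already travels in X-Real-IP and X-Forwarded-For, and a backend
        # that trusts this proxy would otherwise read an IP as the host.
        proxy_set_header X-Forwarded-Host $host;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the right-most entry is
        # vouched for by this proxy. If this NGINX is the first hop, sending
        # $remote_addr alone keeps client-supplied values out of the header.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The hop to the backend is cleartext HTTP, so it relies on the
        # 10.10.10.0 network being reachable only by trusted hosts.
        proxy_pass http://10.10.10.178:80;
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
    }

    # Service discovery for CardDAV/CalDAV clients.
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nc.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nc.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # "always" also sends HSTS on error responses. includeSubDomains extends
    # the policy to every name below nc.example.com.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}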
# Plain-HTTP listener: redirects the known host to HTTPS and answers 404
# for any other Host value that reaches this block.
server {
    listen 80;
    listen [::]:80;
    server_name nc.example.com;

    if ($host = nc.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}
- sites/available/upstream-43103
# Upstream group with a single member; proxy_pass below refers to it by name.
upstream nextCloud-01 {
    server hc4Nas02.yushei.net:43101 weight=1;
    # other server with different weight
}
server {
    server_name hc4nas02.yushei.net;
    charset utf-8;
    location / {
        # Requests are forwarded to the upstream group over plain HTTP.
        proxy_pass http://nextCloud-01;
        # additional proxy headers...
    }
    listen 43103; # no SSL here, SSL is terminated at NGINX
    # NOTE(review): the listen directive above has no "ssl" parameter, so this
    # port speaks cleartext HTTP and the ssl_* directives below are not applied
    # to it. Confirm that 43103 is reachable only from the TLS-terminating
    # proxy, or drop the unused certificate lines so the block does not look
    # TLS-protected.
    # NOTE(review): the certificate path is for munetaka.me while server_name
    # is hc4nas02.yushei.net. Verify the names match if TLS is ever enabled.
    ssl_certificate /etc/letsencrypt/live/munetaka.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/munetaka.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
¶Apache2 inside LXC container
- /etc/apache2/conf-enabled/remoteip.conf
# mod_remoteip: take the client address from X-Forwarded-For, but only when
# the connection comes from the proxy listed below. Requests from any other
# peer keep their real socket address, so the header cannot be spoofed by
# hosts that reach Apache directly.
RemoteIPHeader X-Forwarded-For
# NOTE(review): presumably 10.10.10.1 is the NGINX host as seen from the
# container. Confirm against the container network.
# RemoteIPTrustedProxy does not accept private-range addresses (10/8,
# 172.16/12, 192.168/16, ...) reported in the header. If LAN clients should
# be logged with their own address, RemoteIPInternalProxy is the directive
# meant for a proxy on the internal network.
RemoteIPTrustedProxy 10.10.10.1
¶Nextcloud config.php
- Relevant parts only
'trusted_domains' =>
array (
0 => 'nc.example.com',
),
'trusted_proxies' =>
array (
0 => '10.10.10.1',
),
'overwrite.cli.url' => 'https://nc.example.com',
'overwriteprotocol' => 'https',
'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],