
Redirect loop behind nginx reverse proxy

Open DoctorDrunk opened this issue 4 years ago • 2 comments

I want to run nextcloud on a path behind an nginx reverse proxy. The nginx reverse proxy is already configured and works fine for other services. This is my nextcloud specific location:

        location /nextcloud-demo {
                client_max_body_size 10G;
                proxy_request_buffering off;

                # HTTP 1.1 support
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_set_header Host $http_host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_upgrade;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
                proxy_set_header X-Forwarded-Ssl $scheme;
                proxy_set_header X-Forwarded-Port $http_x_forwarded_port;

                # Mitigate httpoxy attack (see README for details)
                proxy_set_header Proxy "";

                proxy_pass http://127.0.0.1:8082;
        }

And this is how I start the nextcloud container:

    pi@piserver01:~/nextcloud-demo $ docker run -d --restart always --name nextcloud-demo -p 8082:80 -e NEXTCLOUD_TRUSTED_DOMAINS=example.com -e OVERWRITEWEBROOT=/nextcloud-demo -e NEXTCLOUD_ADMIN_USER=nextcloud-demo-admin -e NEXTCLOUD_ADMIN_PASSWORD=xxx -e SQLITE_DATABASE=db nextcloud:19-apache
    3d753b5252b8bc51a29608bd9a63cd10374a94d9aa61bcbca5f588fe3671689b
    pi@piserver01:~/nextcloud-demo $ docker logs -f nextcloud-demo
    Initializing nextcloud 19.0.2.2 ...
    Initializing finished
    New nextcloud instance
    Installing with SQLite database
    starting nextcloud installation
    Nextcloud was successfully installed
    setting trusted domains…
    System config value trusted_domains => 1 set to string example.com
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
    [Sat Aug 29 19:41:50.649446 2020] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.38 (Debian) PHP/7.4.9 configured -- resuming normal operations
    [Sat Aug 29 19:41:50.649655 2020] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
    172.17.0.1 - - [29/Aug/2020:19:42:39 +0000] "GET /nextcloud-demo HTTP/1.1" 302 417 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
    172.17.0.1 - - [29/Aug/2020:19:42:39 +0000] "GET /nextcloud-demo/ HTTP/1.1" 302 1014 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
    172.17.0.1 - - [29/Aug/2020:19:42:41 +0000] "GET /nextcloud-demo/login HTTP/1.1" 302 909 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
    172.17.0.1 - - [29/Aug/2020:19:42:41 +0000] "GET /nextcloud-demo/login HTTP/1.1" 302 909 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
    172.17.0.1 - - [29/Aug/2020:19:42:41 +0000] "GET /nextcloud-demo/login HTTP/1.1" 302 909 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
    172.17.0.1 - - [29/Aug/2020:19:42:41 +0000] "GET /nextcloud-demo/login HTTP/1.1" 302 909 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
    ...

This setup results in a redirect loop (HTTP 301 and 302) when opening https://example.com/nextcloud-demo.

Do you see any problems with my configuration? I'm not entirely sure how the other OVERWRITE* env vars come into play here.

DoctorDrunk, Aug 29 '20 19:08
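A check for the symptom visible in the container log above, added here as an example and not part of the original issue: it scans Apache access-log lines for a client that is sent a redirect for the same path several times in a row. The function name, the thresholds and the shortened sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" access-log line, the format of the container log above.
LINE = re.compile(r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
REDIRECTS = {"301", "302", "303", "307", "308"}   # 304 is not a redirect

def find_redirect_loops(lines, min_repeats=3, window=timedelta(seconds=10)):
    """Return (client, path, count) for every run of at least min_repeats
    consecutive redirects sent to one client for one path inside `window`."""
    loops, runs = [], {}          # runs: client -> [path, first_seen, count]

    def close(client):
        path, _, count = runs.pop(client)
        if count >= min_repeats:
            loops.append((client, path, count))

    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # Apache notices, entrypoint output, "..."
        client, path = m["client"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        is_redirect = m["status"] in REDIRECTS
        run = runs.get(client)
        if run and (not is_redirect or run[0] != path or ts - run[1] > window):
            close(client)         # the run was broken; report it if long enough
            run = None
        if is_redirect:
            if run:
                run[2] += 1
            else:
                runs[client] = [path, ts, 1]
    for client in list(runs):
        close(client)             # flush runs still open at end of log
    return loops

# Constructed sample: the requests from the log above, user agent shortened.
REQ = '172.17.0.1 - - [29/Aug/2020:19:42:%s +0000] "GET %s HTTP/1.1" 302 %s "-" "UA"'
SAMPLE = ["AH00094: Command line: 'apache2 -D FOREGROUND'",
          REQ % ("39", "/nextcloud-demo", "417"),
          REQ % ("39", "/nextcloud-demo/", "1014")]
SAMPLE += [REQ % ("41", "/nextcloud-demo/login", "909")] * 4

if __name__ == "__main__":
    print(find_redirect_loops(SAMPLE))
```

The container log only records requests that reach Apache, so a redirect answered by the proxy in front of it never appears here and has to be looked for in the proxy's own access log.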

The overwrites are a bit confusing. I've written an init script for setting configs and once it's polished I'd hope to contribute it.

  • overwrite.cli.url is only for the output from any system commands run in the image, such as a cronjob.
  • overwriteprotocol, overwritehost, and overwritewebroot are used to refer to the URL of the installation. The host can include a port in its string. Valid protocols are http and https naturally. Be careful with reverse proxies and any leading slash in the webroot (that becomes trailing when entering the URL in a browser, if this might affect your e.g. nginx location directives).
  • trusteddomains is only a security feature. Trying to access from outwith a trusted domain throws an error, but any links included or redirections will use the canonical domain combining the overwriteprotocol, overwritehost and overwritewebroot variables. Note that when an invalid domain is used for access, Nextcloud returns a 400 Bad Request. I can't remember if I filed a bug in the end, this is an unusual error code, and depending on your proxy configuration it might be masked to a different (general) error page. If you get a 400 error from your nextcloud server upstream, try disabling any proxy error intercepting to view nextcloud's error page and verify if it's a domains issue.
  • I haven't used overwritecondaddr so I'd advise checking the docs below rather than my second guessing what anyone reading this could.

I'm not using Apache at all so wouldn't want to comment too much on your setup. In theory nextcloud can extract the URL from the proxy requests but I have had so many headaches I set everything explicitly in the occ config.

I also had a 301-302 dance one time, note that this can be a result of incorrect protocol somewhere down the line. My gateway would upgrade all requests to TLS (302), only to have something else along the line redirect to the front page using HTTP as the explicit protocol (301).

Documentation

stellarpower, Nov 18 '20 20:11

The final paragraph of https://github.com/nextcloud-snap/nextcloud-snap/wiki/Putting-the-snap-behind-a-reverse-proxy#nginx-optional-custom-path-location-for-reverse-proxy has very helpful info.

Essentially, it boils down to this: in your Nginx sites-available/yourdomain.tld.conf config, the location directive looks like

    location /nextcloud {
       rewrite ^/nextcloud(.*) $1 break;
       proxy_pass https://127.0.0.1:8443;
    }

and in the Nextcloud config.php, you want to overwrite host and webroot:

    'overwritewebroot' => '/nextcloud',
    'overwritehost' => 'yourdomain.tld',

You've probably moved on to another solution @DoctorDrunk, but just in case, this made it work for me with nginx as reverse proxy on Debian + Nextcloud in a container (from linuxserver.io).

axelsimon, Apr 12 '22 16:04

Note: I don't want to enable https through nextcloud.enable as I have a tunnel in cloudflare that points to my nextcloud instance at localhost:81.

edsonsbj, Jan 23 '23 18:01

Duplicate of https://github.com/nextcloud/docker/issues/1234

J0WI, Apr 04 '23 18:04