Nextcloud with nginx reverse proxy
Posts: 23
Threads: 4
Joined: Jan 2017
Reputation:
2
[Not Solved]
May 22, 2017, 08:31 AM
Hi all,
Looking for some advice before I break my functioning setup!
I've been thinking it would be nice to stick Nextcloud on my Ubuntu Mate box.
I'm currently running the LTS release (16.04?) and I've followed quite a few of the guides on this site to set up other functionality - Deluge, Sickrage and Couchpotato are all on it, and I'm running a split tunnel setup with an Nginx-based reverse proxy secured with LetsEncrypt.
I've found this guide to installing Nextcloud on Ubuntu 16.04 with nginx and before I dive in, I wanted to seek advice from some more competent users - is there anything in there that's likely to pose problems given my current setup?
I suppose the bit I'm particularly thinking of is messing around with Nginx and making a second config file - presumably that's possible and it'll play nicely with the reverse proxy config?
Actually, looking at the reverse proxy nginx config I think I'm remembering wrong - I thought there was already a commented-out block in it for Owncloud that could presumably be adapted to Nextcloud easily enough. Presumably the config for Owncloud wouldn't be too hard?
Hope this makes sense. Incidentally, I'm sure the mods on this site have plenty to do already maintaining the current guides, but please do consider this a +1 for a guide if you're looking for suggestions.
Thanks all!
Posts: 215
Threads: 25
Joined: Aug 2015
Reputation:
26
[Not Solved]
May 23, 2017, 06:53 AM
Have you taken a look at this guide? It's a guide on this website to install owncloud and configure it with nginx, but it works just as well with nextcloud.
That McNugget sauce. I want that Mulan McNugget sauce, Morty. That's my series arc, Morty! If it takes nine seasons!
Posts: 23
Threads: 4
Joined: Jan 2017
Reputation:
2
[Not Solved]
May 23, 2017, 07:47 AM
Oh neat! Thanks. I did do a search for owncloud/nextcloud, but it didn't show up - thinking of it I probably searched for ubuntu alongside it. Doh!
That's useful to see, thanks - looking down the guide though it doesn't mention how this works (or indeed if it does) when the reverse proxy setup is in play. That's the bit I'm mainly cautious about. I suppose I can just back up my current nginx config etc. but it'd be good to know it at least works *in theory* before I try
Posts: 215
Threads: 25
Joined: Aug 2015
Reputation:
26
[Not Solved]
May 23, 2017, 12:23 PM
I think I understand what you mean
The way my nginx owncloud file looks is like this with just a random port (in my case 1989):
Code:
server {
    listen 89;
    server_name website.com www.website.com 192.168.1.40;
    return 301 https://$server_name$request_uri; # enforce https
}
server {
    listen 1989 ssl;
    server_name website.com www.website.com 192.168.1.40;
    access_log /var/log/nginx/sitename.access.log;
    error_log /var/log/nginx/sitename.error.log;
    ssl_certificate /etc/nginx/ssl/pem.pem;
    ssl_certificate_key /etc/nginx/ssl/key.key;
    port_in_redirect off;
    # Path to the root of your installation
    root /var/www;
    client_max_body_size 10G; # set max upload size
    fastcgi_buffers 64 4K;
    # Some rewrite rules, more to come later
    rewrite ^/owncloud/caldav((/|$).*)$ /owncloud/remote.php/caldav$1 last;
    rewrite ^/owncloud/carddav((/|$).*)$ /owncloud/remote.php/carddav$1 last;
    rewrite ^/owncloud/webdav((/|$).*)$ /owncloud/remote.php/webdav$1 last;
    # Protecting sensitive files from the evil outside world
    location ~ ^/owncloud/(data|config|\.ht|db_structure.xml|README) {
        deny all;
    }
    # Configure the root location with proper rewrite rules
    location /owncloud/ {
        rewrite ^/owncloud/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/owncloud/.well-known/host-meta.json /public.php?service=host-meta-json last;
        rewrite ^/owncloud/.well-known/carddav /remote.php/carddav/ redirect;
        rewrite ^/owncloud/.well-known/caldav /remote.php/caldav/ redirect;
        rewrite ^/owncloud/apps/calendar/caldav.php /remote.php/caldav/ last;
        rewrite ^/owncloud/apps/contacts/carddav.php /remote.php/carddav/ last;
        rewrite ^/owncloud/apps/([^/]*)/(.*\.(css|php))$ /index.php?app=$1&getfile=$2 last;
        rewrite ^(/owncloud/core/doc[^\/]+/)$ $1/index.html;
        try_files $uri $uri/ index.php;
    }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_read_timeout 120;
    }
    # Optional: set long EXPIRES header on static assets
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
        expires 30d;
        # Optional: Don't log access to assets
        access_log off;
    }
}
And then in your nginx reverse proxy file you add this, with the port you used in the owncloud file:
Code:
location /owncloud {
    proxy_pass https://127.0.0.1:1989;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Also have the php part in my reverse proxy file:
Code:
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_read_timeout 120;
}
I know it all still says owncloud but I also use nextcloud and this works fine for me.
I don't know if there are a lot of mistakes in it but that's how I got it to work.
Posts: 23
Threads: 4
Joined: Jan 2017
Reputation:
2
[Not Solved]
May 24, 2017, 12:44 PM
Oh fantastic! Brilliant, glad to know it's all working well for you with a similar setup. Perhaps I'll have a go at the weekend then. Cheers for the config details, that's a huge help
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
May 28, 2017, 01:35 PM
I strongly recommend using owncloud/nextcloud as a subdomain, like owncloud.yourdns.com
Then you can have a separate nginx config file for owncloud/nextcloud. I can post you my config file if you think?
Doing it this way, it is easier to manage nginx and owncloud, you have more control.
Of course, you will need to register the subdomain and get the LE certificates for the new subdomain too.
I will post a guide for this, but this is a more advanced and complex guide, and I'm very short on time atm.
Posts: 23
Threads: 4
Joined: Jan 2017
Reputation:
2
[Not Solved]
May 30, 2017, 10:28 PM
(May 28, 2017, 01:35 PM)drake Wrote: I strongly recommend using owncloud/nextcloud as a subdomain, like owncloud.yourdns.com
Then you can have a separate nginx config file for owncloud/nextcloud. I can post you my config file if you think?
Doing it this way, it is easier to manage nginx and owncloud, you have more control.
Of course, you will need to register the subdomain and get the LE certificates for the new subdomain too.
I will post a guide for this, but this is a more advanced and complex guide, and I'm very short on time atm.
Hi drake,
That'd be awesome! I had a go at this at the weekend, but had to give up - I got nextcloud working at the basic level, but I just couldn't get the reverse proxy sorted. The best I could get was a very basic text only config screen through the reverse proxy (I've seen something like it before when I was trying to get Sickrage working - think it's down to HTTP/HTTPS issues) and if I tried to get past that to the login screen it'd just fail because the reverse proxy didn't know where to look for /login etc.
I figured it needed to be a subdomain really after a bit of reading around in the Owncloud/Nextcloud forums, but I simply ran out of time to stumble around further.
Your configs / a guide would be brilliant, but I appreciate you've got loads of other things to do - and it's really nothing I need with any urgency, just a final bit of the ultimate setup puzzle I thought would be a nice-to-have
Posts: 215
Threads: 25
Joined: Aug 2015
Reputation:
26
[Not Solved]
Jun 05, 2017, 12:11 PM
@Pyrhic strange it doesn't work for you, it's probably full of mistakes but it should work.
@Drake very interested in your config file as well. I have been trying to set it up but I keep running into a 403 error
Posts: 215
Threads: 25
Joined: Aug 2015
Reputation:
26
[Not Solved]
Jun 05, 2017, 07:01 PM
Ok, so I got it to work. @Pyrhic hopefully it will work for you as well. @Drake if there are any mistakes or faults in it don't hesitate to correct them.
So if you followed the owncloud guide from this website, there are actually only 2 differences: the nginx file, which looks like this:
So in /etc/nginx/sites-available/owncloud add:
Code:
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}
server {
    listen 80;
    server_name cloud.example.com;
    # enforce https
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name cloud.example.com;
    ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
    ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Path to the root of your installation
    root /var/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        # fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
    location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
Don't forget to change it to your own url, add the correct ssl configuration and point to the right owncloud folder.
Now you only have to change one thing in:
/etc/php5/fpm/pool.d/www.conf
Code:
Look for:
listen = /var/run/php5-fpm.sock
and change it to:
listen = 127.0.0.1:9000
Now restart nginx and php5-fpm
Code:
sudo service nginx restart
sudo service php5-fpm restart
And cloud.mywebsite.com should give you your next/owncloud configuration page.
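The config in the post above repeats its security headers inside the css/js location because nginx only inherits add_header lines from the enclosing level when a block sets none of its own. The check below is an added example, not part of the original post or of the Nextcloud documentation; the small parser, the function names and the sample config are constructed for illustration.

```python
import re

# Tokens: quoted strings, comments, the three structural characters, bare words.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};"\'#]+')

def parse(text):
    """Parse nginx config into (words, children) nodes; children is None for a plain directive."""
    stack, words = [[]], []
    for tok in (t for t in TOKEN.findall(text) if not t.startswith("#")):
        if tok in ("{", ";"):
            node = (words, [] if tok == "{" else None)
            stack[-1].append(node)
            if tok == "{":
                stack.append(node[1])
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def dropped_headers(text):
    """Map each block to the inherited headers its own add_header lines discard."""
    findings = {}
    def walk(block, inherited, label):
        own = {w[1].lower() for w, kids in block
               if kids is None and w[:1] == ["add_header"] and len(w) > 1}
        if own and inherited - own:
            findings[label] = sorted(inherited - own)
        for words, kids in block:
            if kids is not None:
                walk(kids, own or inherited, " ".join(words))
    walk(parse(text), set(), "main")
    return findings

# Constructed sample: the css/js location sets Cache-Control without the repeats.
SAMPLE = r'''
server {
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    location ~* \.(?:css|js|woff|svg|gif)$ {   # drops both headers above
        add_header Cache-Control "public, max-age=7200";
    }
    location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ { access_log off; }   # inherits
}
'''

if __name__ == "__main__":
    print(dropped_headers(SAMPLE))
```

The parser does not follow include directives, so a real site file should be checked together with anything it includes.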
Posts: 23
Threads: 4
Joined: Jan 2017
Reputation:
2
[Not Solved]
Jun 06, 2017, 09:45 AM
@Yveske that's fantastic! Thanks so much - will definitely give this another crack when I have an hour or two. Cheers!