Zuckerbude

not your average tech/non-tech blog - since 2007

Running Nextcloud behind NGINX reverse proxy

September 27, 2022 Technical Ben Zucker

tl;dr: Was bored and setup a Nextcloud instance behind a NGINX proxy and since I had some trouble to get it running properly I simply share my configs here. Maybe this helps somebody else.

My two main goals were forwarding client real IP addresses to Nextcloud and getting rid of NC’s warnings about running behind reverse proxy.

Nextcloud itself runs on a LAMP stack inside Ubuntu 22.04 LXC container. The reverse proxy is provided by NGINX running on the host machine which is also powered by Ubuntu 22.04.

NGINX configuration

server {
    server_name nc.example.com;
    location / {
    proxy_set_header  Host $host;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-Proto https;
    proxy_set_header  X-Forwarded-Host $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://10.10.10.178:80;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
    }

    location /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nc.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nc.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

server {
    if ($host = nc.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name nc.example.com;
    listen [::]:80;
    listen 80;
    return 404; # managed by Certbot
}

Apache2 inside LXC container

a2enmod remoteip

/etc/apache2/conf-enabled/remoteip.conf

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 10.10.10.1

Nextcloud config.php

Relevant parts only

  'trusted_domains' => 
  array (
    0 => 'nc.example.com',
  ),
  'trusted_proxies' => 
  array (
    0 => '10.10.10.1',
  ),
  'overwrite.cli.url' => 'https://nc.example.com',
  'overwriteprotocol' => 'https',
  'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],