HOW-TO: Set up NGINX to reverse proxy your jails w/ Certbot

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
Do the restart to NGINX
And NextCloud's WebServer

I have restarted nginx in my proxy and the whole nextcloud jail

Here is my proxy for nextcloud:

Code:
location /nextcloud {
    proxy_pass http://192.168.1.10;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # HSTS is a response header, so it is set with add_header;
    # proxy_set_header would only add a request header on the way to the backend
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    client_max_body_size 16400M;
}


Thanks for your help
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
Do you keep all sites / services in one file? Or each in a separate file?
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
All in one file.

Sent from my SM-N950F using Tapatalk
OK, try replacing what you set up in Nextcloud's reverse proxy with this:
Code:
location / {

	proxy_set_header		Host $host;
	proxy_set_header		X-Real-IP $remote_addr;
	proxy_set_header		X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header		X-Forwarded-Proto $scheme;
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
	client_max_body_size 16400M;

	proxy_pass		  https://Internal IP of NextCloud;
	proxy_read_timeout  90;

	proxy_redirect	  https://Internal IP of NextCloud https://Your domain;
}



Because for me it works great, and I had the same problems Nextcloud is telling you about right now.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Hi,

I can successfully connect to my nextcloud via the reverse proxy. Thanks a lot for this guide :)
In the Nextcloud settings I get the following messages:

  • The "X-XSS-Protection" HTTP header is not configured to equal "1; mode=block". This is a potential security risk and it is recommended to change this setting.
  • The "X-Content-Type-Options" HTTP header is not configured to equal "nosniff". This is a potential security risk and it is recommended to change this setting.
  • The "X-Robots-Tag" HTTP header is not configured to equal "none". This is a potential security risk and it is recommended to change this setting.
  • The "X-Frame-Options" HTTP header is not configured to equal "SAMEORIGIN". This is a potential security risk and it is recommended to change this setting.
  • The "X-Download-Options" HTTP header is not configured to equal "noopen". This is a potential security risk and it is recommended to change this setting.
  • The "X-Permitted-Cross-Domain-Policies" HTTP header is not configured to equal "none". This is a potential security risk and it is recommended to change this setting.
This problem has only existed since I installed the reverse proxy!

Can anybody guide me to fix these issues, please?

Thanks a lot


Arga,

I had the same issue; turns out I had these headers set up in both my NC nginx.conf file and in my reverse proxy. Make sure the headers are in only ONE of the config files (try deleting them from the reverse proxy one). That fixed the issue for me. Restart your web servers when you're done.
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
I have followed your advice. The only headers I have added are now in my NC nginx.conf, nothing in the proxy.conf or the nginx.conf of the proxy. But I still have these two issues:

Code:
  • The "X-Content-Type-Options" HTTP header is not configured to equal "nosniff". This is a potential security risk and it is recommended to change this setting.
  • The "X-Frame-Options" HTTP header is not configured to equal "SAMEORIGIN". This is a potential security risk and it is recommended to change this setting.


When I run https://scan.nextcloud.com I get an A rating and these issues:

Headers
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • X-Download-Options
  • X-Permitted-Cross-Domain-Policies

__Host-Prefix
The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of 'normal' same-site cookies.

Does anyone know how to eliminate these two points?

Thank you very much for your help
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
Try adding them to NextCloud's reverse proxy

Code:
add_header Strict-Transport-Security "max-age=31536000;" always;
# Nextcloud expects SAMEORIGIN here; a bare $x_frame_options variable is undefined
# unless you also declare a matching map block, and nginx refuses to start without it
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";


It should solve most of the problems
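The warnings quoted above come from Nextcloud's admin security check, which looks at the response headers the browser actually receives. The script below is an added example, not code from any post in this thread: it parses a constructed HTTP response head, compares the headers against the values named in those warnings, and flags any header that arrives more than once, which is what happens when both the reverse proxy and the jail's own web server add it. Repeated headers are joined with ", " the way XMLHttpRequest's getResponseHeader() exposes them, so a doubled X-Frame-Options fails the check even when both copies say SAMEORIGIN. The sample response and the HSTS minimum age (Nextcloud's 180-day threshold) are assumptions made for the example.

```python
"""Audit response headers the way Nextcloud's admin security check does.

Added example for this thread: feed it a raw HTTP response head (here a
constructed one) and it reports headers that are missing, wrong, or sent
more than once (e.g. by both the reverse proxy and the jail's web server).
"""
from __future__ import annotations

from collections import defaultdict

# Values Nextcloud expects, as listed in the admin warnings quoted in the thread.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-robots-tag": "none",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
}
# Minimum HSTS max-age Nextcloud asks for (180 days); an assumption used here.
HSTS_MIN_AGE = 15552000

# Constructed sample: proxy and backend both add X-Frame-Options, and the
# X-Permitted-Cross-Domain-Policies header is not set anywhere.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Robots-Tag: none\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>...</body></html>\r\n"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw HTTP/1.x response head into name -> [values] (names lowercased).

    Every occurrence is kept, so duplicates stay visible.
    """
    headers: dict[str, list[str]] = defaultdict(list)
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # lines[0] is the status line
        if not line.strip():               # the blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def hsts_max_age(value: str) -> int | None:
    """Extract max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(raw: str) -> dict[str, list[str]]:
    """Return {'missing': [...], 'wrong': [...], 'duplicate': [...]} for a response head."""
    headers = parse_headers(raw)
    findings: dict[str, list[str]] = {"missing": [], "wrong": [], "duplicate": []}

    for name, want in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings["missing"].append(name)
            continue
        if len(values) > 1:
            findings["duplicate"].append(name)
        # A browser's XMLHttpRequest joins repeated headers with ", ", and that joined
        # string is what Nextcloud's check compares; so a duplicate also reads as wrong.
        if ", ".join(values).lower() != want.lower():
            findings["wrong"].append(name)

    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings["missing"].append("strict-transport-security")
    else:
        if len(hsts) > 1:
            findings["duplicate"].append("strict-transport-security")
        age = hsts_max_age(hsts[0])
        if age is None or age < HSTS_MIN_AGE:
            findings["wrong"].append("strict-transport-security")
    return findings


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_RESPONSE).items():
        print(f"{kind:9s}: {', '.join(names) or '-'}")
```

To use it against a live site, paste the head of a real response (for example the output of a verbose client request to your proxy) into `SAMPLE_RESPONSE`; a header listed under both "duplicate" and "wrong" is the signature of the proxy and the backend each adding it.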
 

Emo

Cadet
Joined
Sep 26, 2013
Messages
5
Hi,

Thanks for the great guide on setting up nginx as a reverse proxy. I managed to implement it in my FreeNAS setup. I want to use it for a couple of plugins or jails. Currently I have only Piwigo and Nextcloud.

I am seeing however a strange behavior, and I think it is something I missed or misunderstood regarding the different configs.

Issue is:

The first time I open my https://publicip.domain.org/nextcloud I get an error and the browser prompt changes to https://publicip.domain.org:8081/nextcloud - the port the plugin is listening on. Then if I remove it or manually write :443 it works. I added the option port_in_redirect off; however it doesn't help.

Here is my Nginx reverse proxy config for one of the plugins:
Code:
location /nextcloud {
    proxy_pass http://192.168.1.91:8081;
    proxy_redirect off;
    port_in_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

The plugin is accessible from LAN network on http://192.168.1.91:8081

Thank you.
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
Upon the configuration of certbot, I'd like to make a suggestion:
I don't really like the fact that certbot answers in place of the web server when it's trying to renew certs.

So, I've set it up like this:
- create a folder in my www dir named letsencrypt:
Code:
root@proxy:/usr/local/www # ls -la
total 51
drwxr-xr-x   5 root  wheel   6 Nov 24 20:44 .
drwxr-xr-x  15 root  wheel  15 Sep 11 10:38 ..
drwxr-xr-x   3 root  wheel   3 Sep 11 10:39 letsencrypt
lrwxr-xr-x   1 root  wheel  25 Sep 11 10:39 nginx -> /usr/local/www/nginx-dist
dr-xr-xr-x   3 root  wheel   6 Nov 11 00:01 nginx-dist


- create a letsencrypt.conf in /usr/local/etc/nginx
Code:
 # cat letsencrypt.conf
location ^~ /.well-known/acme-challenge {
		root /usr/local/www/letsencrypt/;
}

- paste an include to that file in EACH server configuration
example:
Code:
server {
    listen        80;
    listen        [::]:80;
    server_name   foo.bar.pasta;

    include       /usr/local/etc/nginx/letsencrypt.conf;
    location / {
        # $host and $request_uri are the nginx variables (names are case-sensitive);
        # $request_uri keeps the original path and query string
        return 301 https://$host$request_uri;
    }
}
server {
    listen        443 ssl http2;
    listen        [::]:443 ssl http2;
    server_name   foo.bar.pasta;

    add_header    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_certificate        /usr/local/etc/letsencrypt/live/foo.bar.pasta/fullchain.pem;
    ssl_certificate_key    /usr/local/etc/letsencrypt/live/foo.bar.pasta/privkey.pem;
    ssl_certificate        /usr/local/etc/nginx/certs_ecc/foo.bar.pasta/fullchain.pem; # these are acme.sh ECDHE keys
    ssl_certificate_key    /usr/local/etc/nginx/certs_ecc/foo.bar.pasta/key.pem;       # """""

    include       /usr/local/etc/nginx/letsencrypt.conf;

    location / {
        proxy_pass    http://10.0.0.1:80;
        include       /usr/local/etc/nginx/proxy-control.conf;

        proxy_ssl_certificate        /usr/local/etc/letsencrypt/live/foo.bar.pasta/fullchain.pem;
        proxy_ssl_certificate_key    /usr/local/etc/letsencrypt/live/foo.bar.pasta/privkey.pem;
    }
}


- set certbot up with that command for each subdomain:
Code:
certbot certonly --webroot -w /usr/local/www/letsencrypt/ -d foo.bar.pasta -d other.foo.bar.pasta --rsa-key-size 4096


This should give you a renewal hook like this:
Code:
# cat /usr/local/etc/letsencrypt/renewal/foo.bar.pasta.conf
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /usr/local/etc/letsencrypt/archive/foo.bar.pasta
cert = /usr/local/etc/letsencrypt/live/foo.bar.pasta/cert.pem
privkey = /usr/local/etc/letsencrypt/live/foo.bar.pasta/privkey.pem
chain = /usr/local/etc/letsencrypt/live/foo.bar.pasta/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/foo.bar.pasta/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
rsa_key_size = 4096
account = RANDOMNUMBER
renew_hook = /root/letsencrypt.sh
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
foo.bar.pasta = /usr/local/www/letsencrypt
other.foo.bar.pasta = /usr/local/www/letsencrypt


This will happily use the same directory over and over for EACH of your domains / subdomains without disrupting your web server
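The setup above works because nginx's `root` directive appends the whole request URI to the directory, so `/.well-known/acme-challenge/<token>` is served from `/usr/local/www/letsencrypt/.well-known/acme-challenge/<token>`, which is exactly where `certbot --webroot -w /usr/local/www/letsencrypt/` writes it. The script below is an added example, not part of seedz's post: it simulates that mapping in a temporary directory, dropping a challenge file the way certbot does, resolving the URL the way `root` does, checking that the two agree, and refusing a request path that would climb out of the webroot. Nothing contacts an ACME server; the path-resolution helper and the temporary layout are assumptions made for the example.

```python
"""Check that an nginx `root`-based acme-challenge location and certbot's
--webroot directory agree on where HTTP-01 challenge files live.

Added example for this thread; it only touches a temporary directory.
"""
from __future__ import annotations

import os
import secrets
import tempfile
from pathlib import Path

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_with_root(root: str, request_uri: str) -> Path | None:
    """Model nginx `root DIR;`: the full request URI is appended to DIR.

    (`alias` would append only the part after the location prefix, which is
    why `root` is the right directive for a webroot shared with certbot.)
    Returns None when the resolved path would leave DIR.
    """
    root_dir = Path(root).resolve()
    candidate = (root_dir / request_uri.lstrip("/")).resolve()
    if candidate != root_dir and root_dir not in candidate.parents:
        return None
    return candidate


def place_challenge_like_certbot(webroot: str, token: str, key_authz: str) -> Path:
    """certbot --webroot -w WEBROOT writes WEBROOT/.well-known/acme-challenge/TOKEN."""
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authz)
    return path


def challenge_is_served(root: str, webroot: str) -> bool:
    """Write one challenge into `webroot`, then fetch it through the `root` mapping."""
    token = secrets.token_urlsafe(32)
    # Constructed stand-in for a key authorization; a real one is token.thumbprint
    key_authz = f"{token}.{secrets.token_urlsafe(32)}"
    place_challenge_like_certbot(webroot, token, key_authz)
    served = resolve_with_root(root, CHALLENGE_PREFIX + token)
    return served is not None and served.is_file() and served.read_text() == key_authz


def demo() -> tuple[bool, bool, bool]:
    """Returns (matching root works, mismatched root fails, traversal refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "letsencrypt")     # stands in for /usr/local/www/letsencrypt
        os.makedirs(webroot)
        matching = challenge_is_served(root=webroot, webroot=webroot)
        # e.g. root pointing at the site's document root instead of the certbot webroot
        mismatched = challenge_is_served(root=os.path.join(tmp, "nginx-dist"), webroot=webroot)
        traversal = resolve_with_root(webroot, CHALLENGE_PREFIX + "../../../../etc/passwd") is None
    return matching, mismatched, traversal


if __name__ == "__main__":
    ok, bad, safe = demo()
    print(f"root == webroot serves the token: {ok}")
    print(f"root != webroot serves the token: {bad}")
    print(f"path traversal refused:           {safe}")
```

The second case is the usual mistake when the include is missing from one server block or points at a different directory: certbot writes the file, nginx looks somewhere else, and the ACME validation gets a 404.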
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
Hi,

Thank you.

Hi, for reference, my Nextcloud jail is configured as SSL on port 443, so I cannot replicate this without shutting my own server down.
But I have many other jails responding on a whole bunch of other ports without SSL and doing fine.

This is a proxy config file I use for all my location-using-proxy_pass parts:
Code:
proxy_connect_timeout   59s;
proxy_send_timeout	  600;
proxy_read_timeout	  36000s;
proxy_buffer_size	   64k;
proxy_buffers		   16 32k;
proxy_pass_header	   Set-Cookie;
proxy_hide_header	   Vary;

proxy_busy_buffers_size		 64k;
proxy_temp_file_write_size	  64k;

proxy_set_header		Accept-Encoding		 '';
proxy_ignore_headers	Cache-Control		   Expires;
proxy_set_header		Referer				 $http_referer;
proxy_set_header		Host					$host;
proxy_set_header		Cookie				  $http_cookie;
proxy_set_header		X-Real-IP			   $remote_addr;
proxy_set_header		X-Forwarded-Host		$host;
proxy_set_header		X-Forwarded-Server	  $host;
proxy_set_header		X-Forwarded-For		 $proxy_add_x_forwarded_for;
proxy_set_header		X-Forwarded-Port		'443';
proxy_set_header		X-Forwarded-Ssl		 on;
proxy_set_header		X-Forwarded-Proto	   https;
# note: this blanks the client's Authorization header before it reaches the backend,
# so HTTP Basic auth (used by WebDAV and sync clients) cannot pass through
proxy_set_header		Authorization		   '';

proxy_buffering		 off;
proxy_redirect		  off;

## Required for Plex WebSockets
proxy_http_version	  1.1;
proxy_set_header		Upgrade				 $http_upgrade;
proxy_set_header		Connection			  "upgrade";


The ones I put in bold may be the answer to your troubles with Nextcloud.
- err, no bold in code, duh.
Well, try all the proxy_set_header X-* lines; those are the ones I wanted to highlight.
The others may be useful too.

It should appear like this in your configs:
Code:
# HTTP server
server {
    listen        80;
    listen        [::]:80;
    server_name   nextcloud.foo.bar;

    include       /usr/local/etc/nginx/letsencrypt.conf;
    location / {
        # $host and $request_uri are the nginx variables (names are case-sensitive)
        return 301 https://$host$request_uri;
    }
}

# HTTPS server
server {
    listen        443 ssl http2;
    listen        [::]:443 ssl http2;
    server_name   nextcloud.foo.bar;

    # SNIP irrelevant stuff

    location / {
        proxy_pass    https://192.168.1.202:443;
        include       /usr/local/etc/nginx/proxy.conf;

        proxy_ssl_certificate        /usr/local/etc/letsencrypt/live/nextcloud.foo.bar/fullchain.pem;
        proxy_ssl_certificate_key    /usr/local/etc/letsencrypt/live/nextcloud.foo.bar/privkey.pem;
    }
}
 

555NASE

Patron
Joined
Mar 3, 2017
Messages
202
Hello,
I have the following config:

Code:
location / {
    proxy_pass http://192.168.2.34:443;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /player {
    proxy_pass http://192.168.2.51;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}


The first location config is running and goes over the root path to my Nextcloud.

The second location config with /player does not go to the right IP; it goes to the Nextcloud path.

What did I do wrong?
 

Emo

Cadet
Joined
Sep 26, 2013
Messages
5

Hi seedz,

Thank you for your suggestions.

A couple of questions though since my config files look a bit different.

1. My Nextcloud was installed via plugin on FreeNAS 11.2. It has a /usr/local/etc/nginx/conf.d/nextcloud.conf file and /usr/local/etc/nginx/nginx.conf. There I change only the listening port and the root path. Do I have to add somewhere that I am using a reverse proxy?

2. The proxy.conf and nginx.conf/nextcloud.conf you provided are from the nextcloud jail, right? Is https://192.168.1.202:443; the reverse proxy nginx server in your example? My understanding of the issue is that after the initial handshake the backend server (i.e. nextcloud) is responding directly to the internet client and showing its listening port 8081. I do not have a letsencrypt config on my nextcloud, only on the nginx reverse proxy.

Cheers,
Emil
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
No... it's the config of the nginx proxy only.

I've kept the Nextcloud config files pretty much vanilla, only telling it its IP and that it should answer with SSL with the certificate I gave it (I mounted the proxy directory where the certs are stored on a ZFS storage so as to be used by other jails).
192.168.1.202 is my Nextcloud jail IP.

But as I just checked again... I think I found the source of your problem.
In your reverse proxy, you've told nginx that it's in /nextcloud,
so the nextcloud jail is trying to access its own /nextcloud subdirectory, but it doesn't exist.
-> you should remake the location in Apache and tell it it's /nextcloud (in the nextcloud jail)


And same for 555NASE:
your other jail must have nothing answering on /player, so it's reverting back to /,
but / is allocated to the first location, so it finally goes there.
 

Emo

Cadet
Joined
Sep 26, 2013
Messages
5
I think I have the right folder configured. As I mentioned, the issue is only with the port. It returns 8081; after I change it manually, the content is OK.
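A redirect that sends the browser to :8081 is built by the backend, not by the proxy: the jail's web server sees `Host: publicip.domain.org` (forwarded by `proxy_set_header Host $host`) and, when it issues an absolute redirect, appends its own listen port. nginx's `port_in_redirect` only affects redirects generated by the instance it is set on, and `proxy_redirect off` makes the proxy pass the backend's Location header through untouched. The script below is an added example, not code from any post here: it classifies Location headers that leak the backend's address or port and applies explicit `proxy_redirect FROM TO;`-style prefix rules, first match wins, which is how several such directives behave in nginx. The host names, ports and rules are constructed for the example.

```python
"""Spot upstream redirects that leak a backend address or port, and rewrite
them with explicit `proxy_redirect FROM TO;`-style prefix rules.

Added example for this thread; all hosts, ports and rules are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

PUBLIC_HOST = "publicip.domain.org"      # what clients type
PUBLIC_PORT = 443
BACKEND_HOSTS = {"192.168.1.91"}          # the jail's LAN address

# Equivalent of several proxy_redirect directives; the first matching one wins.
REDIRECT_RULES = [
    # redirect built from the backend's own address
    ("http://192.168.1.91:8081/", "https://publicip.domain.org/"),
    # redirect built from the forwarded Host plus the backend's listen port
    ("http://publicip.domain.org:8081/", "https://publicip.domain.org/"),
]


def rewrite_location(location: str, rules: list[tuple[str, str]]) -> str:
    """Replace the first matching prefix, like nginx's proxy_redirect; else pass through."""
    for old, new in rules:
        if location.startswith(old):
            return new + location[len(old):]
    return location


def redirect_problem(location: str) -> str | None:
    """Return why a Location value would be wrong for a client, or None if it is fine."""
    parts = urlsplit(location)
    if not parts.scheme:
        return None                       # relative redirect: browser keeps the public origin
    if parts.hostname in BACKEND_HOSTS:
        return f"points at backend host {parts.hostname}"
    if parts.hostname == PUBLIC_HOST and parts.port not in (None, PUBLIC_PORT):
        return f"carries backend port {parts.port} on the public host"
    if parts.scheme != "https":
        return "downgrades to plain http"
    return None


def check(location: str) -> tuple[str | None, str, str | None]:
    """(problem before rewrite, rewritten Location, problem after rewrite)."""
    rewritten = rewrite_location(location, REDIRECT_RULES)
    return redirect_problem(location), rewritten, redirect_problem(rewritten)


# Constructed Location headers as a Nextcloud jail behind the proxy might send them.
SAMPLE_LOCATIONS = [
    "http://192.168.1.91:8081/nextcloud/index.php/login",
    "http://publicip.domain.org:8081/nextcloud/index.php/login",
    "/nextcloud/index.php/login",
]

if __name__ == "__main__":
    for loc in SAMPLE_LOCATIONS:
        before, new, after = check(loc)
        print(f"{loc}\n  before: {before or 'ok'}\n  rewritten: {new}\n  after: {after or 'ok'}")
```

Running it shows that the second sample, the one matching the :8081 symptom, is only caught by the second rule; with `proxy_redirect off` in the proxy and no `port_in_redirect off` in the jail's own server block, neither side rewrites it.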
 

gb123

Dabbler
Joined
Oct 12, 2018
Messages
10
Came across this tidbit when trying to firm up my Nginx security. To help protect against DoS attacks, implement the following code into the server block in your .conf file.

Code:
# Any request for / that carries a key=value query string is rewritten to an
# internal location that closes the connection without a response (444)
if ($args ~* "(.{1,})=(.{1,})" ){
        rewrite ^/$ /444_rewrite?;
}
location  /444_rewrite {
        return 444;
}


This will stop programs like HULK from dropping your Nginx server by bypassing cache and overwhelming system resources.
 

jackosh

Cadet
Joined
Dec 31, 2018
Messages
7
Hi All - I followed this guide closely and have NGINX working well. Thanks a lot OP!

My one issue - I've been trying for the last day and I can't seem to figure out how to make this work with nextcloud. Can anyone offer any help? I'm running the latest FreeNAS 11.2 and installed the nextcloud plugin.

My proxy_setup.conf (NGINX Jail) file:
Code:
location /nextcloud {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        client_max_body_size 16400M;
        proxy_read_timeout 90;
        proxy_pass http://LOCAL-IP-ADDRESS:80;
        proxy_redirect http://LOCAL-IP-ADDRESS:80 https://MYWEBSITE.com/nextcloud;
}


On my network, I can access nextcloud via LOCAL-IP-ADDRESS:80.

In my nginx.conf (NGINX Jail) file I added listen on 443 ssl and changed the server_name to the root of my website (just as shown in the guide).

I've been playing with the settings in the config.php file (Nextcloud jail: /usr/local/www/nextcloud/config/config.php), but I can't seem to get it right. I reverted everything in config.php for now, except I kept my domain as a trusted domain.

When attempting to connect today, I get a 404/Not Found. If I change the proxy_pass to LOCAL-IP-ADDRESS:8080, I get 502/Bad Gateway.

Any help or advice is much appreciated!
 

gb123

Dabbler
Joined
Oct 12, 2018
Messages
10
Anyone got a solution to this? I'm in the same boat with Jackosh. I have NGINX working great with every other service on my network. Can't seem to crack the nextcloud problem.
 

Viper717

Cadet
Joined
Apr 1, 2018
Messages
1
First of all, awesome guide, thanks a lot @ZodiacUHD !

@Maxobus I've had that problem too at some point, maybe my config below helps? I have two questions for you though, regarding Transmission. Are you able to use magnet torrents remote? I'm using the chrome extension Remote Torrent Adder, which works perfectly locally, but throws an error popup in Chrome when done remote:
Code:
Failure, Server didn't accept data:
200: <!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type"...

How do you handle it? And second question, are there any advantages to subdomains compared to mydomain.com/transmission (e.g)?

My main reason for posting here is I'm having trouble with Plex. Funny enough, remote access only works using the WebUI, but the server is not accessible in my Android app, or my brother's Samsung TV app. Locally, my Android app works fine. Google only found solutions for the opposite case when the WebUI is not working. My config was inspired by the last post here:
https://www.reddit.com/r/PleX/comments/3xz4ph/plex_behind_a_ssl_nginx_reverse_proxy/

Trying to connect with my android phone produces this error message in /var/log/nginx/error.log
Code:
2018/01/23 21:43:44 [error] 31721#101943: *765 open() "/usr/local/www/nginx/resources" failed (2: No such file or directory), client: xx.xx.xx.xx(<-- Android IP), server: my.server, request: "GET /resources?X-Plex-Token=jtz[...deleted...]PU HTTP/1.1", host: "my.server"

When connecting in local network, the same error message is produced, however the Plex app works normally.

Below are my configs:

Code:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes  6;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # Plex jail IP
    upstream plex {
        server xx.xx.xx.37:32400;
    }


    # listen on port 80 -> redirect to 443
    server {
     listen 80;
         return 301 https://$host$request_uri;
    }

    # listen on port 443 primarily
    server {
        listen 443 ssl;
        server_name my.server;
      
        include ssl_common.conf;
        include proxy_setup.conf;

      
        client_max_body_size 8196M;


        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;

            if ($args ~ (.*)X-Plex-Device(.*)) {
                proxy_pass http://plex;
            }

            if ($http_referer ~ (.*)plex(.*)) {
                proxy_pass http://plex;
            }
        }

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }
    }
}


Code:

location /nextcloud {
     proxy_pass http://xx.xx.xx.32;
#     proxy_redirect off;
     proxy_redirect http://xxx.xx.xx.32 https://my.server/nextcloud;

     proxy_headers_hash_max_size 512;
     proxy_headers_hash_bucket_size 64;

     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     add_header Front-End-Https on;
}


location /transmission {
     proxy_pass http://xx.xx.xx.35:9091;
     proxy_redirect off;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     add_header   Front-End-Https   on;
}



# plex IP defined in nginx.conf (upstream plex {...})
location ~ ^/(\?(?:.*)(X-Plex-Device=)|web|video|photo|library|web|status|system|updater|clients|:|playQueues)(.*){
    proxy_pass http://plex;
    proxy_redirect  http://plex /;
    # set some headers and proxy stuff.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;

    # include Host header
    proxy_set_header Host $host;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 36000s;
    proxy_pass_request_headers on;
}

location /plex {
    error_log /var/log/nginx/plex.error.log debug;
    rewrite_log on;
    rewrite ^/plex(.*)$ /web$1 break;
    proxy_pass http://plex;
    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;
    proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 36000s;
    proxy_pass_request_headers on;
}


I'm no pro, just a big fan of the forum ; ) Any help or comments in general for that matter are appreciated.
@weingeist Did you get this figured out? I'm trying to do the same thing as you here and your modified code works great from my PC.

+EDIT+
Everything seems to be working correctly for me, my local sources pick up the Plex Server as local and the remote sources pick it up with the address...If anyone needs them I can post my configs.
 

dnilgreb

Contributor
Joined
Mar 29, 2016
Messages
168
Hey there,

I followed the guide, and it seems to work pretty well. Kind of. Almost.
I am trying to access my Nextcloud server, and I get the NC UI, the certificate seems ok, but no shares.
Could you try and help me figure out what's wrong?

First, on my nginx proxy, here's some config:
nginx.conf:
Code:
#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  proxy.domain.com;
        include ssl_common.conf;
        include proxy_setup.conf;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    }

}


proxy_setup.conf
Code:
location /cloud {
        proxy_pass https://192.168.1.235:443/; #(192.168.1.235 being LAN ip of NC server)
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}


ssl_common.conf
Code:
# Thanks to https://cipherli.st/ for providing a great reference! Please check out their site
# to make sure your SSL Configuration is up to date with current standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older browsers on older devices, Eg.
# IE8, android 2.4, etc
# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;
ssl_certificate /usr/local/etc/letsencrypt/live/proxy.domain.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/proxy.domain.com/privkey.pem;
# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher-list for PFS.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-G$
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx => 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;
# HSTS Support
add_header Strict-Transport-Security "max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;


Then in config.php on Nextcloud I added:

Code:
'overwrite.cli.url' => 'https://proxy.domain.com/cloud/',
'overwritewebroot' => '/cloud',


and proxy.domain.com as trusted domain.
 