
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Would it be simpler if I set up a local computer as a DNS server?
The real answer is to use a router that isn't brain-damaged. But failing that, Pi-Hole is probably the easiest thing to set up--either in a small VM, or on a Raspberry Pi--to have a DNS server that gives you some control over it, including host overrides.
 

cdog89

Explorer
Joined
Jan 19, 2024
Messages
75
The real answer is to use a router that isn't brain-damaged. But failing that, Pi-Hole is probably the easiest thing to set up--either in a small VM, or on a Raspberry Pi--to have a DNS server that gives you some control over it, including host overrides.
Ok, I will buy a RPI and set that up. In the meantime, is there a way to set nextcloud up to function without going through a secure domain? I believe that I recall that I can set the config.php file 'trusted domains' to go directly to the internal IP?

Thanks to all for their support. Appreciate you.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Ok, I will buy a RPI and set that up. In the meantime, is there a way to set nextcloud up to function without going through a secure domain? I believe that I recall that I can set the config.php file 'trusted domains' to go directly to the internal IP?

Thanks to all for their support. Appreciate you.
Yes. Refer to this
Post in thread 'Scripted installation of Nextcloud 28 in iocage jail'
https://www.truenas.com/community/t...nextcloud-28-in-iocage-jail.62485/post-811675
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Another alternative might be AdGuard Home, which is available as a FreeBSD package, and therefore can be installed in a jail. I'm just not sure how well it handles host overrides.
 

cdog89

Explorer
Joined
Jan 19, 2024
Messages
75
Ok, I've rebooted the server 3 times now, and the problem has gone away, hopefully for good. The issue, as implied by danb35 and victort, was the google router. I knew it was not good for anything beyond consumer/normal use, but it is a kinky product for sure. Here's what I had to do to fix it:

The basic issue with the router: Port forwarding cannot be assigned to any device that has a static IP set by the device. So the router has to have assigned the address itself.

Resolution:

- I had to set my nextcloud jail to DHCP, then reboot
- The router assigned some other address, but now I could assign an address (192.168.86.200) for the jail in the router by locating the MAC ID.
- Rebooted the jail. The jail is still set for DHCP, but now has the IP address of 192.168.86.200 which the router assigned.
- Now that the router thinks it assigned the IP address itself (and not the device), the device appeared in the port forwarding device list in the router. This is where I don't understand how it appeared the first time I set this up a couple of weeks ago, because the jail has had a static IP all along. But I digress. It's there now.
- I found the MAC ID/ IP address for the jail then forwarded ports 80 and 443 to it.
- Voila. I've rebooted the server 4 times now, and the secure access issue is gone.

Thanks to all for your help! I hope to return the favor some day.
 

terrorbye

Dabbler
Joined
Dec 27, 2022
Messages
17
Will this affect the Nextcloud certificate? I am using a domain from Cloudflare.
May 15th, 2024: Cloudflare will stop issuing certificates from the cross-signed CA chain. In addition, Let’s Encrypt Custom Certificates uploaded after this date will be bundled with the ISRG X1 chain instead of the cross-signed chain
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Giuliani

Cadet
Joined
Mar 17, 2024
Messages
1
Did you restart caddy after adding these blocks? And clear your browser cache? Caddyfile looks good.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Good morning,

I don't know what it is with me and having issues after updating nextcloud. I ran the script again after deleting my jail with self signed = 1, I also ran the script to update caddy for my reverse proxy and retained my original CaddyFile. And now I am getting a NS_ERROR_REDIRECT_LOOP (308) http error in my Dev Tools. Do you think this would have something to do with the Go bugs I have been reading about? When I navigate to the URL for my plex instance which is plex.myurl.us, I am able to reach the site. The result of a curl script to reach my nextcloud site is attached and shows everything seems fine. Maybe this is a cloudflare issue?


Code:
* Host mysite.us:443 was resolved.
* IPv6: (none)
* IPv4: caddy.jail.ip.address
*   Trying caddy.jail.ip.address:443...
* Connected to mysite.us (caddy.jail.ip.address) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mysite.us
*  start date: Mar 16 23:56:31 2024 GMT
*  expire date: Jun 14 23:56:30 2024 GMT
*  subjectAltName: host "mysite.us" matched cert's "mysite.us"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://mysite.us/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: mysite.us]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: mysite.us
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/2 308
< alt-svc: h3=":443"; ma=2592000
< date: Sun, 17 Mar 2024 18:47:00 GMT
< location: https://mysite.us/
< server: Caddy
< server: Caddy
< content-length: 0
<
* Connection #0 to host mysite.us left intact
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Good morning,

I don't know what it is with me and having issues after updating nextcloud. I ran the script again after deleting my jail with self signed = 1, I also ran the script to update caddy for my reverse proxy and retained my original CaddyFile. And now I am getting a NS_ERROR_REDIRECT_LOOP (308) http error in my Dev Tools. Do you think this would have something to do with the Go bugs I have been reading about? When I navigate to the URL for my plex instance which is plex.myurl.us, I am able to reach the site. The result of a curl script to reach my nextcloud site is attached and shows everything seems fine. Maybe this is a cloudflare issue?


Code:
* Host mysite.us:443 was resolved.
* IPv6: (none)
* IPv4: caddy.jail.ip.address
*   Trying caddy.jail.ip.address:443...
* Connected to mysite.us (caddy.jail.ip.address) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mysite.us
*  start date: Mar 16 23:56:31 2024 GMT
*  expire date: Jun 14 23:56:30 2024 GMT
*  subjectAltName: host "mysite.us" matched cert's "mysite.us"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://mysite.us/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: mysite.us]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: mysite.us
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/2 308
< alt-svc: h3=":443"; ma=2592000
< date: Sun, 17 Mar 2024 18:47:00 GMT
< location: https://mysite.us/
< server: Caddy
< server: Caddy
< content-length: 0
<
* Connection #0 to host mysite.us left intact
Did you install the original installation with NO_CERT?
Are you accessing the nextcloud jail directly or through that caddy proxy?

If you installed the Nextcloud jail with a selfsigned cert this time, then it is probably because it’s listening on https instead of http. This will cause the “Too Many Redirects” error.

You should set your Nextcloud jail Caddyfile to only listen on port 80. There is no security benefit to having it on 443 if you are reverse proxying to it.
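
Added example (not part of victort's post or of the install script): a Python check over a `curl -v` trace like the one quoted above. It flags a redirect whose Location equals the requested URL, which is the loop described here, and lists the Server headers, where more than one suggests the response crossed a reverse proxy and its upstream. The sample trace is constructed, using the thread's placeholder hostname.

```python
import re

# Constructed sample: request/response lines shaped like the curl -v trace above.
SAMPLE_TRACE = """\
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: mysite.us]
* [HTTP/2] [1] [:path: /]
> GET / HTTP/2
> Host: mysite.us
>
< HTTP/2 308
< location: https://mysite.us/
< server: Caddy
< server: Caddy
< content-length: 0
<
"""

REDIRECTS = {301, 302, 303, 307, 308}
PSEUDO = re.compile(r"\* \[HTTP/2\] \[\d+\] \[:(\w+): (.*)\]$")

def parse_trace(trace):
    """Return (requested_url, status, [(header, value), ...]) from curl -v text."""
    pseudo, headers, status = {}, [], None
    for line in trace.splitlines():
        m = PSEUDO.match(line)
        if m:                                   # HTTP/2 pseudo-headers curl sent
            pseudo[m.group(1)] = m.group(2)
        elif line.startswith("< HTTP/"):        # response status line
            status = int(line.split()[2])
        elif line.startswith("< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            headers.append((name.strip().lower(), value.strip()))
    url = None
    if all(k in pseudo for k in ("scheme", "authority", "path")):
        url = "{scheme}://{authority}{path}".format(**pseudo)
    return url, status, headers

def diagnose(trace):
    """Summarise the signs of a proxy-to-upstream redirect loop."""
    url, status, headers = parse_trace(trace)
    locations = [v for n, v in headers if n == "location"]
    servers = [v for n, v in headers if n == "server"]
    return {
        "requested": url,
        "status": status,
        # Redirecting a URL to itself can never terminate in a browser.
        "self_redirect": status in REDIRECTS and url is not None and url in locations,
        "server_headers": servers,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```
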
 

cdog89

Explorer
Joined
Jan 19, 2024
Messages
75
@danb35 @victort - I’ve been reading all I can about ssl certs in order to understand why I can get caddy to work with nextcloud in Core but can’t get nginx to work right in Scale. In my Core setup, my fqdn has an ssl cert at my hosting provider. Caddyfile is setup with its normal nextcloud-specific code, while the config.php points to the fqdn in the trusted arrays, and using https. Caddy works great.

Even after configuring the proper port forwarding for Scale to nginx, and the config.php file for nextcloud, nginx won’t create a secure connection from the fqdn to the Scale nextcloud instance. The caddy file was already configured in @danb35 scripted installation. There’s not just a simple ‘reverse-proxy’ statement.

Why does caddy support my fqdn ssl cert so easily but nginx can’t figure it out? I’m wondering if nginx prefers the cert stored locally? I’ll admit, I don’t fully understand all the details of ssl certs.

Thank you gentlemen.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
@danb35 @victort - I’ve been reading all I can about ssl certs in order to understand why I can get caddy to work with nextcloud in Core but can’t get nginx to work right in Scale. In my Core setup, my fqdn has an ssl cert at my hosting provider. Caddyfile is setup with its normal nextcloud-specific code, while the config.php points to the fqdn in the trusted arrays, and using https. Caddy works great.

Even after configuring the proper port forwarding for Scale to nginx, and the config.php file for nextcloud, nginx won’t create a secure connection from the fqdn to the Scale nextcloud instance. The caddy file was already configured in @danb35 scripted installation. There’s not just a simple ‘reverse-proxy’ statement.

Why does caddy support my fqdn ssl cert so easily but nginx can’t figure it out? I’m wondering if nginx prefers the cert stored locally? I’ll admit, I don’t fully understand all the details of ssl certs.

Thank you gentlemen.
You aren’t using the Caddyfile with SCALE are you? That won’t work.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Nginx with SCALE. I wish it was Caddy.
You might want to start another thread asking about this. I’m assuming it’s the Nginx Proxy Manager that comes with SCALE?

I’ve never really used that to be honest.
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Did you install the original installation with NO_CERT?
Are you accessing the nextcloud jail directly or through that caddy proxy?

If you installed the Nextcloud jail with a selfsigned cert this time, then it is probably because it’s listening on https instead of http. This will cause the “Too Many Redirects” error.

You should set your Nextcloud jail Caddyfile to only listen on port 80. There is no security benefit to having it on 443 if you are reverse proxying to it.
Thank you, I'll take a look see!
 

jhax

Dabbler
Joined
May 22, 2023
Messages
32
Did you install the original installation with NO_CERT?
Are you accessing the nextcloud jail directly or through that caddy proxy?

If you installed the Nextcloud jail with a selfsigned cert this time, then it is probably because it’s listening on https instead of http. This will cause the “Too Many Redirects” error.

You should set your Nextcloud jail Caddyfile to only listen on port 80. There is no security benefit to having it on 443 if you are reverse proxying to it.
Victor,

Looking at my config file I actually selected STANDALONE_CERT=1 should I reinstall with NO_CERT=1 instead?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Victor,

Looking at my config file I actually selected STANDALONE_CERT=1 should I reinstall with NO_CERT=1 instead?
Not necessarily. Editing the domain section of your Caddyfile to read “:80” or “192.168.c.d:80” should take care of it.
 

golfox2

Dabbler
Joined
Mar 8, 2022
Messages
30
Hi there,
I used danb35 script to install nextcloud on my TrueNAS Core - TrueNAS-13.0-U6.1.
I did everything in the preconfiguration steps, I went for the 1 Dataset named nextcloud Under which you create 4 other datasets : files, config, themes, db
I opened the required ports too.
My main pool (the root) is called "Nextcloud", and within it I created the "nextcloud" dataset with the 4 subs.

However, in the config text block I mistakenly wrote this :
Code:
POOL_PATH="/mnt/Nextcloud/nextcloud/db"

I should have done :
Code:
POOL_PATH="/mnt/Nextcloud"


I ran the script, everything seems to work fine, I can access the nextcloud config page via my domain name, however, the datasets now look like this : nextcloud/db/nextcloud/db, and in that I have the mariadb

I want to start the installation over so I can properly set the datasets, can I just delete the jail and the folders and re-run the script ?
Or will it mess up something else behind ? (ports, ip addresses, lets encrypt certificates, etc) ?
Thanks !


in this db dataset, there's another "nextcloud/db/"
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Hi there,
I used danb35 script to install nextcloud on my TrueNAS Core - TrueNAS-13.0-U6.1.
I did everything in the preconfiguration steps, I went for the 1 Dataset named nextcloud Under which you create 4 other datasets : files, config, themes, db
I opened the required ports too.
My main pool (the root) is called "Nextcloud", and within it I created the "nextcloud" dataset with the 4 subs.

However, in the config text block I mistakenly wrote this :
Code:
POOL_PATH="/mnt/Nextcloud/nextcloud/db"

I should have done :
Code:
POOL_PATH="/mnt/Nextcloud"


I ran the script, everything seems to work fine, I can access the nextcloud config page via my domain name, however, the datasets now look like this : nextcloud/db/nextcloud/db, and in that I have the mariadb

I want to start the installation over so I can properly set the datasets, can I just delete the jail and the folders and re-run the script ?
Or will it mess up something else behind ? (ports, ip addresses, lets encrypt certificates, etc) ?
Thanks !


in this db dataset, there's another "nextcloud/db/"
Unfortunately because you did that, the folders were created instead of the datasets. I would just redo the installation if of course you just did it in the last day or so.

@winnielinnie Is there a way to create a dataset overtop of an existing folder?
 
Joined
Oct 22, 2019
Messages
3,641
Is there a way to create a dataset overtop of an existing folder?
I would not. It's the equivalent of mounting a filesystem atop an existing folder. (You'll end up with ghost files/folders hidden by the mounted filesystem.) Your best bet is to (1) copy the entire directory to a temporary safe location, (2) remove the (now) empty directory, (3) create the new dataset, and then (4) copy the files/folders back into this new (and mounted) dataset.


I would just redo the installation if of course you just did it in the last day or so.
Or just do that after removing the entire directory. :wink: (Assuming there's nothing important already saved.)
 