
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Is this a case of the wrong repo being queried for updates? How do I change?
Also can I just install in new, fresh jail and reuse my existing datasets (db and files)?

This is a thread about Danb35's (quite amazing) custom install script for Nextcloud.
Considering you are using Apache, you are not using his script, so this is not the right topic to ask for support.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Since my testing involved a direct connection to Nextcloud on my LAN, this strikes me as the obvious source of the problem. Are you able to connect directly to Nextcloud on your LAN, without involving the HAProxy instance? If so, are you able to upload the test file with such a connection?

I'm running your script behind an NGINX reverse proxy/application firewall combo and that's working perfectly fine.
So I can 100% confirm it's possible to run your script behind such a setup without major modification.
 

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
Question about the OnlyOffice document server. As its plugin version doesn't work on FreeBSD, I run it in a Docker container with a self-signed certificate (config.php amended). I've got the OnlyOffice confirmation page opened, so the server works. When configuring the Nextcloud plug-in (document server's address) all is OK and saved.
But when I try to open a document in Nextcloud, I receive only a pop-up message saying that the document server is not available. There's nothing in the log about it. What's wrong?
I'm sorry for bumping it up so early, but for the last 2 days I've been pulling my hair out and can't find the reason/solution for the non-working integration with the ONLYOFFICE document server. Can't sleep because of that :) . Do you guys know something about this kind of problem?
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
I'm sorry for bumping it up so early, but for the last 2 days I've been pulling my hair out and can't find the reason/solution for the non-working integration with the ONLYOFFICE document server. Can't sleep because of that :) . Do you guys know something about this kind of problem?

I haven't read all your info about it, but here is some info that is relevant for including external sites, systems and plugins in general into nextcloud:
- Both Nextcloud AND the other (web)servers need correct certificates
- Nextcloud may need to include the other domain in its list of trusted domains.
- If there is any forwarding involved (reverse proxy or otherwise) you might need to enable default SNI in the Nextcloud Caddy webserver (some don't work well with SNI)
- External sites and includes might need to allow being iframed into nextcloud
 
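Two of the four points above (a certificate the Nextcloud host actually trusts, and response headers that allow the document server to be framed) can be checked from the Nextcloud side before touching any plugin settings. The following is an added example written for this thread; it is not code from ornias's post, from danb35's script or from the ONLYOFFICE connector, and the host names, origins and headers it uses are assumptions:

```python
"""Preflight for embedding an external document server (e.g. ONLYOFFICE) in Nextcloud.

Added example; not part of the original post, of danb35's script or of the
ONLYOFFICE connector. It checks two of the items listed above from the
Nextcloud host's point of view:
  1. does the default trust store accept the document server's certificate chain?
     (a self-signed certificate fails here unless its CA was added to the
     system trust store, which is also what Nextcloud's PHP client relies on);
  2. do the document server's response headers allow it to be framed by the
     Nextcloud origin?
Host names, origins and the headers used in testing are assumptions.
"""
import socket
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional
from urllib.parse import urlsplit


def tls_verify_error(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """None if chain and host name verify against the default trust store,
    otherwise a short description of what failed (e.g. 'self-signed certificate')."""
    ctx = ssl.create_default_context()   # verifies chain + hostname, rejects self-signed
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return str(exc)


def _source_matches(source: str, server_origin: str, nextcloud_origin: str) -> bool:
    """Simplified CSP host-source matching (ports ignored, wildcard hosts supported)."""
    if source == "self":
        return server_origin == nextcloud_origin
    if source.endswith(":"):                       # scheme-source, e.g. https:
        return nextcloud_origin.startswith(source + "//")
    nc_scheme, _, nc_hostport = nextcloud_origin.partition("://")
    src_scheme, sep, src_hostport = source.partition("://")
    if not sep:
        src_scheme, src_hostport = "", src_scheme
    if src_scheme and src_scheme != nc_scheme:
        return False
    nc_host = nc_hostport.split(":")[0]
    src_host = src_hostport.split(":")[0]
    if src_host.startswith("*."):
        return nc_host.endswith(src_host[1:])
    return nc_host == src_host


def frame_allowed(headers: Dict[str, str], server_origin: str, nextcloud_origin: str) -> bool:
    """May a document served with these response headers be shown in an <iframe>
    on nextcloud_origin? Simplified browser behaviour: a CSP frame-ancestors
    directive takes precedence over X-Frame-Options; X-Frame-Options DENY blocks,
    SAMEORIGIN blocks unless both origins are equal; no header allows framing."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "*" in sources:
                return True
            return any(_source_matches(s, server_origin, nextcloud_origin) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return server_origin == nextcloud_origin
    return True


def check_document_server(server_origin: str, nextcloud_origin: str) -> Dict[str, object]:
    """Run both checks against a live document server (needs network access)."""
    url = urlsplit(server_origin)
    result: Dict[str, object] = {"tls_error": tls_verify_error(url.hostname or "", url.port or 443),
                                 "frameable": None}
    if result["tls_error"] is None:
        req = urllib.request.Request(server_origin + "/", method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                headers = dict(resp.headers.items())
        except urllib.error.HTTPError as err:      # 4xx/5xx responses still carry the headers
            headers = dict(err.headers.items())
        result["frameable"] = frame_allowed(headers, server_origin, nextcloud_origin)
    return result


if __name__ == "__main__":
    # hypothetical hosts; replace with your own
    print(check_document_server("https://docs.example.org", "https://cloud.example.org"))
```

If the first check reports a verification error, the fix is a certificate the Nextcloud host trusts (a Let's Encrypt certificate on a subdomain, or the self-signed CA added to the jail's trust store), not the connector's `verify_peer_off` switch, which makes Nextcloud accept any certificate presented at that address.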

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
I haven't read all your info about it, but here is some info that is relevant for including external sites, systems and plugins in general into nextcloud:
- Both Nextcloud AND the other (web)servers need correct certificates
- Nextcloud may need to include the other domain in its list of trusted domains.
- If there is any forwarding involved (reverse proxy or otherwise) you might need to enable default SNI in the Nextcloud Caddy webserver (some don't work well with SNI)
- External sites and includes might need to allow being iframed into nextcloud
Everything is within ESXi - FreeNAS running in a VM (with AHCI passthrough :cool:) and the document server in another VM - Alpine in a Docker container. There's no forwarding involved.
[attached screenshot: Zrzut ekranu 2020-03-8 o 14.53.32.png]

Nextcloud uses an LE cert and the document server a self-signed one. Nextcloud's config.php is updated for the self-signed cert and accepts the settings in the plugin. I just added the IPs and self-signed domains to trusted domains, but it didn't help.
And like I said, when trying to open document for editing, Nextcloud displays information about document server not being available.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Everything is within ESXi - FreeNAS running in a VM (with AHCI passthrough :cool:) and the document server in another VM - Alpine in a Docker container. There's no forwarding involved.
[attached screenshot]
Nextcloud uses an LE cert and the document server a self-signed one. Nextcloud's config.php is updated for the self-signed cert and accepts the settings in the plugin. I just added the IPs and self-signed domains to trusted domains, but it didn't help.
And like I said, when trying to open document for editing, Nextcloud displays information about document server not being available.

Could you try adding an LE cert to a subdomain for the document server? Just to exclude cert issues?
Any entry in the log of either Nextcloud or the doc server?
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
What exactly is in your nextcloud-config file (masking credentials and other sensitive information), and what exactly does the error say?

Thank you for responding... The current one is below. The script used to run but fail at the end. Reading the entire thread I learned I had to change STANDALONE_CERT=1 to DNS_CERT=1 and then the script wouldn't even run....

JAIL_IP="XXX.XXX.XX.XX"
DEFAULT_GW_IP="XXX.XXX.XX.XX"
POOL_PATH="/mnt/SERVER"
TIME_ZONE="x"
HOST_NAME="Y"
DNS_CERT=1
CERT_EMAIL="EMAIL ADDRESS"
DNS_ENV="GODADDY_EMAIL=EMAIL ADDRESS GODADDY_API_KEY=blah"

Thanks
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
The script used to run but fail at the end. Reading the entire thread I learned I had to change STANDALONE_CERT=1 to DNS_CERT=1 and then the script wouldn't even run....


We still don't know what "fail at the end" and "the script wouldn't even run" mean as of now, because you forgot to add the console output. We can continue playing "guess the error", which is quite fun at times, but it might be more fruitful if you just tell us the errors with some surrounding console output (let's say 10 rows above and below the errors) ;)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
DNS_ENV="GODADDY_EMAIL=EMAIL ADDRESS GODADDY_API_KEY=blah"
I'm pretty sure this is the problem, though if you'd given the actual error messages it would be easier to be sure. For the GoDaddy plugin (see https://godoc.org/github.com/go-acme/lego/providers/dns/godaddy), the required credentials appear to be the API Key and the API Secret. The corresponding environment variables would presumably be GODADDY_API_KEY and GODADDY_API_SECRET.
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
The timeouts are already set in the Caddyfile in the current version of the script, and it's been this way since not too long after that discussion up-thread took place.

Since my testing involved a direct connection to Nextcloud on my LAN, this strikes me as the obvious source of the problem. Are you able to connect directly to Nextcloud on your LAN, without involving the HAProxy instance? If so, are you able to upload the test file with such a connection?
Hi Dan, thanks for your reply. I followed your suggestion and installed a fresh new Nextcloud using your latest script and forwarded ports 80 and 443 directly to the Nextcloud. That ugly timeout was gone!!!! Hence, there's a 99.99% chance that the problem was with the HAProxy. However, I indeed do not want to connect to the Nextcloud this way, but want to use HAProxy for all of my backends. How can I tweak that stuff now?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
How can I tweak that stuff now?
A good question, but as I've never used Nextcloud behind a reverse proxy, I don't think I'll be able to give you much information. I'd expect the answers would be the same irrespective of platform, though, so some web searching for various combinations of Nextcloud, HAProxy, and reverse proxy should be able to find something helpful.
 

listhor

Contributor
Joined
Mar 2, 2020
Messages
133
Could you try adding a LE cert to a sub domain for the Document server? just to exclude cert issues?
Any entry in the log of either Nextcloud or the doc server?
Thanks, that was it! The LE cert did the job. Now I need to figure out how to get the LE cert permanently into the container...
[attached screenshot: Zrzut ekranu 2020-03-8 o 22.28.40.png]
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Hi Dan, thanks for your reply. I followed your suggestion and installed a fresh new Nextcloud using your latest script and forwarded ports 80 and 443 directly to the Nextcloud. That ugly timeout was gone!!!! Hence, there's a 99.99% chance that the problem was with the HAProxy. However, I indeed do not want to connect to the Nextcloud this way, but want to use HAProxy for all of my backends. How can I tweak that stuff now?

A timeout from the load balancer doesn't need to be a timeout; you need to check the HAProxy logs to see what response the Nextcloud server is giving the proxy. The message the proxy is giving the client is NOT always the same.
I found out the hard way with an NGINX proxy :P

You could try and compare example configs for Nextcloud and HAProxy...
And you know, while at it, maybe just drop a (redacted!) copy of your HAProxy config here... maybe we see something you don't :)
 
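The point about the proxy's message to the client not being the same as what happened between proxy and backend is exactly what HAProxy's termination-state field in its HTTP log is for. The decoder below is an added example for this thread, not code from ornias's post or from HAProxy itself; the log lines it ships with are constructed to resemble a chunked Nextcloud upload hitting a 30-second timeout, and every IP, host and path in them is invented:

```python
"""Decode HAProxy HTTP log lines: who timed out, and in which phase.

Added example, not from the thread. The 4-character termination state (e.g.
`sH--`, logged right after the two cookie fields) records whether the client
side or the server side hit a timeout and what HAProxy was waiting for at that
moment; that is far more informative than the status the proxy showed the
browser. Needs the HTTP log format (`option httplog` on the frontend). The log
lines below are constructed; IPs, names and paths are invented.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# httplog layout: client [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
#   req_cookie resp_cookie termination actconn/feconn/beconn/srvconn/retries srvq/bq "request"
HTTPLOG_RE = re.compile(
    r'(?P<client>\S+) \[(?P<accepted>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>(?:-?\d+/){4}-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"'
)

# first character: who/what ended the session; second: what HAProxy was doing at that time
WHO = {"-": "normal close", "C": "client aborted", "S": "server aborted or refused",
       "P": "blocked by the proxy (ACL, filter)", "L": "handled locally by HAProxy",
       "R": "resource exhaustion on the proxy", "I": "internal error",
       "D": "killed because the server went down", "U": "killed when switching to a backup",
       "K": "killed by an administrator", "c": "CLIENT-side timeout", "s": "SERVER-side timeout"}
PHASE = {"-": "after completion", "R": "while waiting for the client's request",
         "Q": "while queued for a server slot", "C": "while connecting to the server",
         "H": "while waiting for response headers from the server",
         "D": "during data transfer", "L": "while sending the last data to the client",
         "T": "while the request was tarpitted"}

SAMPLE_LOG = [  # constructed lines, not captured from a real system
    'Mar  9 21:58:11 fw haproxy[1234]: 203.0.113.5:51234 [09/Mar/2020:21:57:41.001] '
    'shared-frontend-merged~ cloud.example.com_ipv4/cloud 5/0/1/-1/30007 504 194 - - sH-- '
    '3/3/1/1/0 0/0 "PUT /remote.php/dav/uploads/alice/123/0000000001 HTTP/1.1"',
    'Mar  9 21:58:40 fw haproxy[1234]: 203.0.113.5:51240 [09/Mar/2020:21:58:10.500] '
    'shared-frontend-merged~ cloud.example.com_ipv4/cloud 2/0/1/-1/30003 -1 0 - - cD-- '
    '2/2/1/1/0 0/0 "PUT /remote.php/dav/uploads/alice/123/0000000002 HTTP/1.1"',
    'Mar  9 21:58:41 fw haproxy[1234]: 203.0.113.5:51241 [09/Mar/2020:21:58:41.002] '
    'shared-frontend-merged~ www.example.com_ipv4/www 1/0/0/3/4 200 4321 - - ---- '
    '2/2/0/0/0 0/0 "GET / HTTP/1.1"',
]


def parse_httplog(line: str) -> Optional[Dict[str, str]]:
    """Fields of one httplog line, or None if it is not one (search skips the syslog prefix)."""
    m = HTTPLOG_RE.search(line)
    return m.groupdict() if m else None


def explain_termination(term: str) -> str:
    """Human reading of the first two characters of the termination state."""
    if len(term) < 2:
        return "malformed termination state"
    who = WHO.get(term[0], f"unknown ({term[0]})")
    phase = PHASE.get(term[1], f"unknown ({term[1]})")
    hint = ""
    if term[0] == "s":
        hint = "; raise 'timeout server' on the backend"
    elif term[0] == "c":
        hint = "; raise 'timeout client' on the frontend if the client is legitimately slow"
    return f"{who} {phase}{hint}"


def total_time_ms(rec: Dict[str, str]) -> int:
    """Total session time Tt (last timer field); a value just above a configured
    timeout is the giveaway that the timeout fired."""
    return int(rec["timers"].split("/")[-1])


def summarize(lines: List[str]) -> Counter:
    """Count (backend, termination prefix) pairs; the top entries show where to look."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_httplog(line)
        if rec:
            counts[(rec["backend"], rec["term"][:2])] += 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        rec = parse_httplog(entry)
        if rec:
            print(f"{rec['backend']:<24} {rec['status']:>4} Tt={total_time_ms(rec)}ms  "
                  f"{explain_termination(rec['term'])}")
    print(summarize(SAMPLE_LOG))
```

A backend whose log shows `sH` with Tt sitting just above the configured `timeout server`, or `cD` just above `timeout client`, is a timeout on the proxy regardless of whether the browser saw a 504, a connection reset or a stalled upload.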

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
I'm pretty sure this is the problem, though if you'd given the actual error messages it would be easier to be sure. For the GoDaddy plugin (see https://godoc.org/github.com/go-acme/lego/providers/dns/godaddy), the required credentials appear to be the API Key and the API Secret. The corresponding environment variables would presumably be GODADDY_API_KEY and GODADDY_API_SECRET.

Thanks again for your time... For more clarity I should add that I do have the line in the config for DNS_PLUGIN:"godaddy". And I have now added the secret. However, it never gets that far. As soon as I start the script the error happens. It never makes it past the checks to run. It never passes this if statement:
Code:
if [ $DNS_CERT -eq 1 ] && [ -z "${DNS_PLUGIN}" ] ; then
  echo "DNS_PLUGIN must be set to a supported DNS provider."
  echo "See https://caddyserver.com/docs under the heading of \"DNS Providers\" for list."
  echo "Be sure to omit the prefix of \"tls.dns.\"."
  exit 1
fi

So the result is:

root@freenas:~/freenas-iocage-nextcloud # ./nextcloud-jail.sh
/root/freenas-iocage-nextcloud/nextcloud-config: DNS_PLUGIN:godaddy: not found
DNS_PLUGIN must be set to a supported DNS provider.
See https://caddyserver.com/docs under the heading of "DNS Providers" for list.
Be sure to omit the prefix of "tls.dns.".

Thanks!
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
A timeout from the load balancer doesn't need to be a timeout; you need to check the HAProxy logs to see what response the Nextcloud server is giving the proxy. The message the proxy is giving the client is NOT always the same.
I found out the hard way with an NGINX proxy :p

You could try and compare example configs for Nextcloud and HAProxy...
And you know, while at it, maybe just drop a (redacted!) copy of your HAProxy config here... maybe we see something you don't :)
Could you please let me know which/where HAproxy config file you want to look at?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
/root/freenas-iocage-nextcloud/nextcloud-config: DNS_PLUGIN:godaddy: not found
It's hard to help when you don't give complete information. In your earlier post, you'd omitted this line entirely. But if this is really how it looks in your file:
Code:
DNS_PLUGIN:godaddy

...then there's your problem. When every other line of the file uses = to assign values, why did you think that this was special and should use a : ? It should be:
Code:
DNS_PLUGIN="godaddy"
 
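Because nextcloud-config is sourced by `sh`, a line like `DNS_PLUGIN:godaddy` is not a syntax error: the shell tries to run it as a command, prints "not found", and the variable simply stays empty, which is why the script's own DNS_PLUGIN check then fires. The validator below is an added example, not part of danb35's script; it catches that mistake and the missing GoDaddy credential from the earlier reply before the file is ever sourced. Its sample file contents are constructed, and the `chmod 600` expectation is an assumption about how a file carrying an API secret should be kept:

```python
"""Preflight for the nextcloud-config file that danb35's script sources.

Added example; this is not part of the script. It catches, before `sh` ever
sources the file, the two problems discussed in this part of the thread:
  - an assignment written with a colon, `DNS_PLUGIN:godaddy`, which the shell
    executes as a command and reports as "not found";
  - DNS_CERT=1 without DNS_PLUGIN, or a godaddy DNS_ENV lacking one of
    GODADDY_API_KEY / GODADDY_API_SECRET (names from lego's provider docs).
It also warns when the file is readable by other users, because DNS_ENV holds
an API secret. Sample contents used in testing are constructed.
"""
import os
import re
import shlex
import stat
from typing import Dict, List, Tuple

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# environment variables each DNS plugin needs; only the provider from the thread is listed
REQUIRED_DNS_ENV = {
    "godaddy": {"GODADDY_API_KEY", "GODADDY_API_SECRET"},
}


def parse_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse KEY=value lines as the shell would assign them.
    Returns the variables and one problem string per line that is not an assignment."""
    values: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a KEY=value assignment, the shell would run it "
                            f"as a command: {line!r}")
            continue
        key, value = m.groups()
        try:
            values[key] = " ".join(shlex.split(value))   # strips the surrounding quotes
        except ValueError as exc:
            problems.append(f"line {lineno}: unbalanced quotes in {key}: {exc}")
    return values, problems


def check_config(values: Dict[str, str]) -> List[str]:
    """Semantic checks mirroring the script's own DNS_CERT/DNS_PLUGIN test,
    plus the provider-specific credentials."""
    problems: List[str] = []
    if values.get("DNS_CERT") == "1":
        plugin = values.get("DNS_PLUGIN", "")
        if not plugin:
            problems.append("DNS_CERT=1 but DNS_PLUGIN is not set")
        present = {tok.partition("=")[0] for tok in values.get("DNS_ENV", "").split() if "=" in tok}
        missing = REQUIRED_DNS_ENV.get(plugin, set()) - present
        if missing:
            problems.append(f"DNS_ENV is missing {sorted(missing)} for plugin {plugin!r}")
    return problems


def check_file(path: str) -> List[str]:
    """Permission check plus both content checks on a real file."""
    problems: List[str] = []
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path} is readable by group/others but holds API secrets; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        values, parse_problems = parse_config(fh.read())
    return problems + parse_problems + check_config(values)


if __name__ == "__main__":
    import sys
    for problem in check_file(sys.argv[1] if len(sys.argv) > 1 else "nextcloud-config"):
        print(problem)
```

Run it as `python3 check-nextcloud-config.py /root/freenas-iocage-nextcloud/nextcloud-config` (file name is hypothetical) and fix everything it lists before starting the install script; an empty result means the file at least parses the way the script expects.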

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Could you please let me know which/where HAproxy config file you want to look at?
Honestly I have NO IDEA, I don't run HAProxy myself, but in general there should be some way to export the config or make a readout...
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
I found a haproxy config file at /var/etc/haproxy/haproxy.cfg.

Below is its content. Someone please give me a clue how to fix this?

# Automaticaly generated, dont edit manually.
# Generated on: 2020-03-09 21:56
global
maxconn 1000
stats socket /tmp/haproxy.socket level admin
gid 80
nbproc 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
server-state-file /tmp/haproxy_server_state
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend shared-frontend-merged
bind xxx.xxx.xxx.xxx:443 name xxx.xxx.xxx.xxx:443 no-sslv3 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^MYDOMAIN\.com(:([0-9]){1,5})?$
acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^([^\.]*)\.MYDOMAIN\.com(:([0-9]){1,5})?$
acl ACME var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
acl cloud var(txn.txnhost) -m str -i cloud.MYDOMAIN.com
acl www var(txn.txnhost) -m str -i www.MYDOMAIN.com
acl mail var(txn.txnhost) -m str -i mail.MYDOMAIN.com
acl non-www var(txn.txnhost) -m str -i MYDOMAIN.com
http-request set-var(txn.txnhost) hdr(host)
http-request set-var(txn.txnpath) path
use_backend ACME-MYDOMAIN-PROD_ipvANY if ACME
use_backend cloud.MYDOMAIN.com_ipv4 if cloud
use_backend www.MYDOMAIN.com_ipv4 if www
use_backend mail.MYDOMAIN.com_ipv4 if mail
use_backend www.MYDOMAIN.com_ipv4 if non-www

frontend http-to-https
bind xxx.xxx.xxx.xxx:80 name xxx.xxx.xxx.xxx:80
mode http
log global
option http-keep-alive
timeout client 30000
http-request redirect scheme https

backend ACME-MYDOMAIN-PROD_ipvANY
mode http
id 102
log global
timeout connect 30000
timeout server 30000
retries 3
server ACME-BACKEND 127.0.0.1:80 id 101

backend cloud.MYDOMAIN.com_ipv4
mode http
id 10100
log global
http-response set-header Strict-Transport-Security max-age=15552001;
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
server cloud 172.16.20.71:80 id 10103 weight 20

backend www.MYDOMAIN.com_ipv4
mode http
id 10104
log global
http-response set-header Strict-Transport-Security max-age=15552001;
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
server www 172.16.20.72:80 id 10103 weight 10

backend mail.MYDOMAIN.com_ipv4
mode http
id 10105
log global
http-response set-header Strict-Transport-Security max-age=15552001;
timeout connect 30000
timeout server 30000
retries 3
server mail 172.16.20.73:443 id 10103 ssl weight 10 verify none
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
It's hard to help when you don't give complete information. In your earlier post, you'd omitted this line entirely. But if this is really how it looks in your file:
Code:
DNS_PLUGIN:godaddy

...then there's your problem. When every other line of the file uses = to assign values, why did you think that this was special and should use a : ? It should be:
Code:
DNS_PLUGIN="godaddy"

Yes, thanks for the help. Sorry, my writing wasn't clear. But that line is in the config correctly, as it has been since I wrote my first enquiry, and that's why I am stumped. I will start from the beginning and see if it works.
 

mapcevn

Dabbler
Joined
Jul 10, 2019
Messages
40
Bloody cloud, I solved it. It turns out that the timeout values used by haproxy.cfg are in MILLISECONDS!!!!
I scrolled through the whole HAProxy menu and changed them all to 3600000. It works flawlessly now!
Thank you Ornias and Dan for giving me useful clues to fix this issue.
 
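The unit trap is worth checking mechanically: in HAProxy a timeout with no suffix is milliseconds, so the `timeout server 30000` lines in the config above are 30 seconds, and a chunk upload that takes longer than that is cut off. The linter below is an added example for this thread, not code from HAProxy, pfSense or any poster; its sample configuration is constructed after the shape of the one above, and the section names, the one-hour threshold and the extra `verify none` check are assumptions about what a reviewer would want flagged:

```python
"""Lint haproxy.cfg timeouts for a backend that carries large uploads (Nextcloud).

Added example; not from the thread, not from pfSense or HAProxy. Timeouts given
without a unit suffix are milliseconds: `timeout server 30000` is 30 seconds.
Supported suffixes are us, ms, s, m, h, d. SAMPLE_CFG is constructed; the
section names, the one-hour threshold and the `verify none` check are
assumptions.
"""
import re
from typing import List, Optional, Tuple

UNIT_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
TIMEOUT_RE = re.compile(r"^\s*timeout\s+(\S+)\s+(\d+)(us|ms|s|m|h|d)?\s*$")
SECTION_RE = re.compile(r"^\s*(global|defaults|frontend|backend|listen)\b\s*(\S*)")
SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(.*)$")

SAMPLE_CFG = """\
global
    maxconn 1000

frontend shared-frontend-merged
    bind 198.51.100.10:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
    mode http
    timeout client 30000        # no suffix: 30000 ms = 30 s

backend cloud.example.com_ipv4
    mode http
    timeout connect 30000
    timeout server 30000
    server cloud 172.16.20.71:80

backend mail.example.com_ipv4
    mode http
    timeout server 1h
    server mail 172.16.20.73:443 ssl verify none
"""


def to_ms(number: str, unit: Optional[str]) -> float:
    """HAProxy duration to milliseconds; no suffix means milliseconds."""
    return int(number) * UNIT_MS[unit or "ms"]


def parse_timeouts(cfg: str) -> List[Tuple[str, str, float]]:
    """(section, timeout name, milliseconds) for every timeout line, in file order."""
    section = "global"
    found: List[Tuple[str, str, float]] = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        sec = SECTION_RE.match(line)
        if sec:
            section = f"{sec.group(1)} {sec.group(2)}".strip()
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            name, number, unit = m.groups()
            found.append((section, name, to_ms(number, unit)))
    return found


def lint(cfg: str, upload_sections: List[str], min_seconds: float = 3600.0) -> List[str]:
    """Flag client/server inactivity timeouts below min_seconds in the sections that
    carry uploads, and any TLS backend server configured with `verify none`."""
    findings: List[str] = []
    for section, name, ms in parse_timeouts(cfg):
        if section in upload_sections and name in ("client", "server") and ms < min_seconds * 1000:
            findings.append(f"{section}: timeout {name} is {ms / 1000:g}s (< {min_seconds:g}s), "
                            f"uploads longer than that will be cut off")
    for raw in cfg.splitlines():
        m = SERVER_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        opts = m.group(2).split()
        if "ssl" in opts and "verify" in opts:
            i = opts.index("verify")
            if i + 1 < len(opts) and opts[i + 1] == "none":
                findings.append(f"server {m.group(1)}: TLS to the backend with 'verify none', "
                                f"the backend certificate is never checked")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG, ["frontend shared-frontend-merged", "backend cloud.example.com_ipv4"]):
        print(finding)
```

Raising every timeout to an hour, as was done here, works, but only `timeout client` on the frontend and `timeout server` on the Nextcloud backend need it; `timeout connect` never does, and an hour of idle tolerance on every other backend just makes it cheaper for a client to hold connections open. The second check exists because the posted config also talks TLS to the mail backend with `verify none`, which is encryption without authentication of the peer.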