Using cloudflare tunnel to bring Nextcloud online

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
Hello!
I have installed the nextcloud plugin, and from inside the jail it creates I am trying to make it accessible via the internet through cloudflare's argo tunnel.
When running `cloudflared tunnel run --token [token]` there is no concerning output, but trying to access the domain connected to the tunnel loads infinitely before timing out. The tunnel is set to redirect `localhost:80` to the domain from inside the jail.
`curl localhost` shows that it redirects, and so I run `curl -L localhost` which returns `Failed to connect to localhost port 8283 after 0 ms: Couldn't connect`
Given that this is the same error shown when curling any inactive port, it seems that the jail can't access the port, meaning that cloudflared can't either?
What should I do about this?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
Have you read through this?

I have. The tunnel state is "Healthy" on the zero trust tunnel dashboard and I've followed the guide but still cannot get it to work since the jail can't access port 8283. The only thing I didn't quite understand was mounting the dataset to the jail, but since the jail is the nextcloud jail itself I'd assume that it would already be okay?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Don’t use plugins. If you want to use Nextcloud, follow this guide.


A jail is similar to a VM. If you follow that guide, the jail data is mounted outside the jail, so even if the jail is destroyed, the data is safe.

I’m not sure what you mean by “the jail can’t access port 8283”
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
If you follow the guide to install Nextcloud, then you can start at step 2 of the tunnel guide.

And you can start at step 2 if you install plug-in version as well.
 

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
I ran the script and it at least seems that Nextcloud has been installed. I then went ahead and set up cloudflared in the jail that the script created, yet when I try to access the domain it just returns "This page isn't redirecting properly"
 

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
Been busy with other things but finally got some more time to work on this. Messed with it some more but I'm no closer to getting it figured out
 
Joined
Jan 8, 2023
Messages
9
Watching this space! Also trying to set up something similar, albeit with the plugin. I don't want to hijack this thread, so I'll make a separate thread for myself.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I was able to get it working.

1 Installed cloudflared in jail.
2 Ran the command with my new token.
3 Restarted jail.

What are your Cloudflare settings looking like?
Do you have the SSL mode on full?
Do you have an edge certificate configured?
 

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
I have SSL set to full and there is an edge certificate set to managed. I have done the same steps, cloudflared is running and the tunnel points my domain to http://localhost:80 where Caddy is. It should redirect to Nextcloud but instead I get "This page isn't redirecting properly."

My Caddyfile is this:
Code:
{
        # debug
        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        email [redacted]@gmail.com
        # default_sni yourhostnamehere
}

https://[redacted] {
        root * /usr/local/www/nextcloud
        file_server
        log {
                output file /var/log/nextcloud.log
        }

        php_fastcgi 127.0.0.1:9000 {
                env front_controller_active true
        }

        tls {
                dns cloudflare [redacted]
        }

        header {
                # enable HSTS
                # Strict-Transport-Security max-age=31536000;
        }

        # client support (e.g. os x calendar / contacts)
        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
        redir /.well-known/webfinger /index.php/.well-known/webfinger 301
        redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
        }
        respond @forbidden 404
}
   
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
So apparently because of the Caddyfile, it won't let you connect using localhost or the IP since the Caddyfile has only your domain configured.
You can change the Caddyfile to say

Code:
:443
instead of
Code:
https://[redacted]


This way it will accept connections on port 443 https when your tunnel is configured for HTTPS://localhost with No TLS Verify.

The alternative is to use NO_CERT when setting it up, and the Caddyfile will automatically enter :80 in the domain field.

This is currently working for me.
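
Added example, not part of the thread or either poster's setup: a check, run from inside the jail, that asks the tunnel's origin service for a page the way cloudflared would (plain HTTP, `Host` set to the public hostname) and classifies the answer. It assumes an origin that answers HTTP with a redirect to its own `https://` URL, as Caddy's automatic HTTPS does for a site block addressed by domain; `cloud.example.test` and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def probe_origin(origin, public_host, path="/"):
    """Ask the tunnel's origin service for `path` the way cloudflared would:
    plain HTTP, Host set to the public hostname, redirects not followed."""
    u = urlsplit(origin)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": public_host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def diagnose(status, location, public_host):
    """Classify one origin response as seen from behind the tunnel."""
    if status in REDIRECTS and location:
        loc = urlsplit(location)
        if loc.scheme == "https" and loc.hostname == public_host:
            # The browser is already on https://public_host at the edge; the
            # tunnel hands the retry to the same HTTP origin, which redirects again.
            return "loop"
        if loc.hostname in LOOPBACK or loc.port not in (None, 80, 443):
            # Points at an address or port that only exists inside the jail.
            return "internal-redirect"
        return "app-redirect"  # e.g. a relative redirect to the login page
    return "ok" if status < 400 else "error"


def check(origin, public_host):
    return diagnose(*probe_origin(origin, public_host), public_host)


if __name__ == "__main__":
    host = "cloud.example.test"  # constructed hostname
    # Constructed responses: domain-only Caddy site, plugin-style port, :80 site.
    for status, location in [(308, f"https://{host}/"),
                             (302, "http://localhost:8283/"),
                             (302, "/index.php/login")]:
        print(status, location, "->", diagnose(status, location, host))
```

Against a live jail, call `check("http://localhost:80", "<your domain>")`; a result of `loop` corresponds to the browser's "This page isn't redirecting properly".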
 

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
This was the solution, thank you so much!
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Just keep in mind that the self-signed cert will expire eventually. I think the default is 10 years...
But if you would change that to :80 and configure your tunnel to use HTTP, then that isn't a problem.

Glad to see you got it working.
 

fishe

Dabbler
Joined
Dec 30, 2022
Messages
10
I changed it to :80 off the bat since going with :443 and having the tunnel try to access through port 443 makes the site return "Bad Gateway"
Means I won't be able to get rid of the HSTS warning but things work fine on :80 anyway

A little unrelated, but Nextcloud seems to only be using a lot of one CPU thread when uploading a lot of files, which seems to make the upload speed cap at around ~2.5mb/s. Is there a way to have it use more than one thread?
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
That I don’t know. Jails are supposed to work similar to containers where they share resources with the host. What I do in all my Nextcloud setups is change the
Code:
pm.max_children
or something from 10 to 100.

This file can be found here.

/usr/local/etc/php-fpm.d/www.conf

Scroll until you find it. Then after changing it

Code:
service php-fpm restart
 