[manual] Nextcloud alternate webserver reverse-proxy #243203

Open
xPMo opened this issue Jul 13, 2023 · 4 comments

Comments


xPMo commented Jul 13, 2023

The documentation for Nextcloud under "Using an alternative webserver as reverse-proxy (e.g. httpd)" [source] [online] is insufficient if extra apps are installed from the store or from nix.

I figured out a solution for Caddy, but I don't know Apache httpd well enough to contribute the needed config. I've included mine here as reference. The three lines I indicate need to be adapted to httpd for inclusion in the manual. The first one is trivial, the other two probably are too for someone who knows Apache.

  services.nginx.enable = false;
  services.phpfpm.pools.nextcloud.settings = {
    "listen.owner" = config.services.caddy.user;
    "listen.group" = config.services.caddy.group;
  };
  # Needed to read /var/lib/nextcloud
  users.groups.nextcloud.members = [ "nextcloud" config.services.caddy.user ];  # <<< this line

  # Caddy
  services.caddy = {
    enable = true;
    extraConfig = ''
      example.tld {

        root * ${config.services.nextcloud.package}
        root /store-apps/* ${config.services.nextcloud.home}  # <<< these two lines
        root /nix-apps/* ${config.services.nextcloud.home}    # <<< these two lines
        encode zstd gzip

        php_fastcgi unix//${config.services.phpfpm.pools.nextcloud.socket}
        file_server

        header {
          Strict-Transport-Security max-age=31536000;
        }

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
      }
      '';
  };

vs49688 commented Aug 28, 2023

There's a bit more to the Caddy solution; I spent a few solid hours last night trying to get something working.
This is mostly based off the existing nginx config and https://docs.nextcloud.com/server/27/admin_manual/configuration_server/reverse_proxy_configuration.html

I still need to deal with caching headers, etc.

  # cfg is not defined in this snippet; it stands for config.services.nextcloud
  services.caddy.virtualHosts."mynextcloud.example.com".extraConfig = ''
    header {
        Strict-Transport-Security max-age=31536000;
    }

    redir /.well-known/carddav   /remote.php/dav 301
    redir /.well-known/caldav    /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger
    redir /.well-known/nodeinfo  /index.php/.well-known/nodeinfo

    # Apps installed from the store or from nix live under the Nextcloud home, not the package
    @store_apps path_regexp ^/store-apps
    root @store_apps ${cfg.home}

    @nix_apps path_regexp ^/nix-apps
    root @nix_apps ${cfg.home}

    root * ${cfg.package}

    # The Windows WebDAV client (User-Agent DavClnt) requesting / is sent to the WebDAV endpoint
    @davClnt {
      header_regexp User-Agent ^DavClnt
      path /
    }
    redir @davClnt /remote.php/webdav{uri} 302

    # Deny direct access to internal directories and files, mirroring the nginx module's regexes
    @sensitive {
      # ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)
      path /build     /build/*
      path /tests     /tests/*
      path /config    /config/*
      path /lib       /lib/*
      path /3rdparty  /3rdparty/*
      path /templates /templates/*
      path /data      /data/*

      # ^/(?:\.|autotest|occ|issue|indie|db_|console)
      path /.*
      path /autotest*
      path /occ*
      path /issue*
      path /indie*
      path /db_*
      path /console*
    }
    respond @sensitive 404

    php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
      env front_controller_active true
    }
    file_server
  '';

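As an added cross-check (not part of the original issue or of the NixOS module): the @sensitive block above hand-translates the nginx module's deny regexes into Caddy path matchers, and a missed prefix would leave config.php or the data directory reachable through the web server. This script replays both deny lists over a constructed set of paths and reports every path on which they disagree; the Caddy matcher is a deliberate simplification (trailing * is a prefix match, anything else is exact) that covers only the pattern shapes used in that block.

```python
import re

# nginx deny regexes (from the NixOS nextcloud module) that the @sensitive block translates.
NGINX_DENY = [
    re.compile(r"^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)"),
    re.compile(r"^/(?:\.|autotest|occ|issue|indie|db_|console)"),
]
# The @sensitive matcher body from the Caddy config above, verbatim.
CADDY_SENSITIVE = """
  path /build     /build/*
  path /tests     /tests/*
  path /config    /config/*
  path /lib       /lib/*
  path /3rdparty  /3rdparty/*
  path /templates /templates/*
  path /data      /data/*
  path /.*
  path /autotest*
  path /occ*
  path /issue*
  path /indie*
  path /db_*
  path /console*
"""
def parse_caddy_paths(block):
    # Collect every pattern on a `path ...` line; `#` comments are dropped.
    patterns = []
    for line in block.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0] == "path":
            patterns.extend(tokens[1:])
    return patterns

def caddy_path_match(pattern, path):
    # Assumption: simplified Caddy semantics, a trailing '*' is a prefix match, else exact.
    return path.startswith(pattern[:-1]) if pattern.endswith("*") else path == pattern
def nginx_denies(path):
    return any(r.search(path) for r in NGINX_DENY)
def caddy_denies(path, patterns):
    return any(caddy_path_match(p, path) for p in patterns)

def disagreements(paths, patterns):
    # Paths where one deny list blocks and the other serves; an empty list means they agree.
    return [p for p in paths if nginx_denies(p) != caddy_denies(p, patterns)]

# Constructed sample: real Nextcloud paths plus near-misses that must stay reachable.
SAMPLE_PATHS = [
    "/config/config.php", "/data/admin/files/notes.txt", "/.htaccess", "/occ", "/console.php",
    "/db_structure.xml", "/3rdparty/autoload.php", "/lib/base.php", "/configuration",
    "/datatables.js", "/library.js", "/index.php", "/apps/files/", "/remote.php/dav",
]
```

Dropping a single pattern such as /data/* from the block makes the data-directory path show up in the disagreement list, which is the kind of regression this check is meant to catch before the config is deployed.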
onny commented Mar 30, 2024

In case someone is still interested in using Caddy as a webserver, I added a practical configuration example to the NixOS wiki: https://nixos.wiki/wiki/Nextcloud#Use_Caddy_as_webserver

@n8henrie

+1 I would also appreciate more documentation on this, as nginx seems unable to fetch TLS certificates for a tailscale (whereas caddy can do so and keep them up to date indefinitely).

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nginx-with-tailscale-cert-automatic-renewal/47007/1
