
NGINX proxy manager

scubamuc edited this page Jun 11, 2024 · 34 revisions

Reverse proxy with termination

Let NGINX proxy manager handle encryption and certificate management for the Nextcloud snap. This setup assumes that SSL termination and certificate management are handled by NGINX proxy manager.

The Nextcloud snap encryption and certificate renewal services may be disabled.

  • Stop and disable encryption:
sudo nextcloud.disable-https lets-encrypt
  • Stop and disable certificate renewal service:
sudo snap stop --disable nextcloud.renew-certs

NGINX proxy manager settings

  • Proxy Host


  • Cache Assets (optional) --> recommended: disabled

Tip: caching assets may be required in some cases, but disabling it is recommended for most setups.

  • Websockets Support (optional)
  • Block Common Exploits (optional)

  • SSL configuration


  • HSTS Subdomains (optional)

  • Advanced settings for Nextcloud snap


Setting required!! prior to NC29

copy & paste into advanced settings

location = /.well-known/carddav {return 301 $scheme://$host:$server_port/remote.php/dav;}
location = /.well-known/caldav {return 301 $scheme://$host:$server_port/remote.php/dav;}

Setting required!! from NC29

Ref: upstream issue

copy & paste into advanced settings

location /.well-known/carddav {return 301 $scheme://$host/remote.php/dav/;}
location /.well-known/caldav {return 301 $scheme://$host/remote.php/dav/;}

optional setting from NC29

Tip: recommend only if recurring errors appear in logs

  • resolve webfinger error in logs
  • resolve nodeinfo error in logs
location /.well-known/webfinger {return 301 $scheme://$host/index.php/.well-known/webfinger;}
location /.well-known/nodeinfo {return 301 $scheme://$host/index.php/.well-known/nodeinfo;}

Configure Nextcloud snap for reverse proxy

Trusted proxies in Nextcloud snap

  'trusted_proxies' =>
  array (
    0 => 'your.reverse.proxy.ip',
    1 => 'your.other.proxy.ip',
  ),

or issue command on host (iterating values 0, 1, 2...):

sudo nextcloud.occ config:system:set trusted_proxies 0 --value="your.reverse.proxy.ip"
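
The iteration described above, as an added example that is not part of the original wiki page: a shell function that prints one occ command per proxy address, counting the index up from 0, and refuses the whole list if any entry is not a plain IPv4 address. The function names and sample addresses are assumptions made for this example, and IPv6 addresses are left out to keep it short.

```shell
#!/bin/sh
# Added example: build the occ commands that register each reverse proxy
# under its own trusted_proxies index (0, 1, 2, ...). Nothing is executed here.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;   # wildcards, hostnames, empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# trusted_proxy_cmds ADDR...: print one occ command per address, or fail
# without printing anything if any address is rejected by is_ipv4.
trusted_proxy_cmds() {
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "rejected: $addr" >&2; return 1; }
    done
    index=0
    for addr in "$@"; do
        printf 'sudo nextcloud.occ config:system:set trusted_proxies %d --value="%s"\n' \
            "$index" "$addr"
        index=$((index + 1))
    done
}

# Constructed sample addresses (documentation ranges); replace with your proxies.
trusted_proxy_cmds 192.0.2.10 198.51.100.7
```

Pipe the output to sh to apply it, then confirm the result with sudo nextcloud.occ config:system:get trusted_proxies.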

FQDN for Nextcloud snap instance, vm or container behind reverse proxy with termination

Setting the FQDN (fully qualified domain name) is best practice. It is optional on self-hosted Nextcloud snap instances running in a vm or container behind a reverse proxy with termination, and it may improve site response.

  • Discover hostname:
    • issue command
 hostnamectl

or

 hostname
  • Set or change hostname:
    • issue command
hostnamectl set-hostname NEW-HOSTNAME
  • Set FQDN on instance behind reverse proxy with termination:
    • edit /etc/hosts in the vm or container as root with your favourite editor (e.g. sudo nano /etc/hosts) and add the second line shown below, replacing <your.reverse.proxy.ip>, <your.domain.xyz> and <hostname> with your own proxy IP, domain name and hostname:
127.0.0.1       localhost
<your.reverse.proxy.ip>   <your.domain.xyz>   <hostname>

## The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Proxy options
