HA behind nginx reverse proxy - Nextcloud setup failed

Hi,

as the title says, I have a problem with my Nextcloud integration. And IIRC it occurred after I changed my network structure.
My structure is relatively easy:

  • one router connected to the internet
    • port forwarding of port 80 and 443 to my reverse proxy
  • HA instance (separate local host)
  • Nextcloud instance (another separate local host)
  • one domain with subdomains
    • one subdomain for my HA instance
    • one subdomain for my Nextcloud instance
  • nginx reverse proxy with static ip
    • forwarding external requests to the corresponding local hosts
    • SSL certificate handling is done on reverse proxy with certbot for both subdomains

Basically “it works”. Which means that I can access both my HA instance and my Nextcloud instance from the internet through the corresponding subdomains.

But: HA seems not to be able to connect to my Nextcloud instance. This must (potentially?) be related to my reverse proxy, because it worked before inserting it. But I cannot find the error.
Any help is appreciated.

This is my nginx reverse proxy config:

server {
        server_name homeassistant.mydomain.de;
        location / {
                proxy_pass      http://local.ip.homeassistant.instance:8123;
                proxy_set_header Host $host;
                proxy_redirect http:// https://;

                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/homeassistant.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/homeassistant.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
        server_name nextcloud.mydomain.de;
        location / {
                proxy_pass      http://local.ip.nextcloud.instance:80;
                proxy_set_header Host $host;
                proxy_pass_header   Server;

                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }
        client_max_body_size 0;

        rewrite ^/\.well-known/carddav https://nextcloud.mydomain.de/remote.php/dav/ redirect;
        rewrite ^/\.well-known/caldav https://nextcloud.mydomain.de/remote.php/dav/ redirect;


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = nextcloud.mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name nextcloud.mydomain.de;
    listen 80;
    return 404; # managed by Certbot


}


server {
    if ($host = homeassistant.mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name homeassistant.mydomain.de;
    listen 80;
    return 404; # managed by Certbot


}

The HA config part looks like this:

http:
  use_x_forwarded_for: true
  trusted_proxies: !secret reverse_proxy_ip


nextcloud:
  url: https://nextcloud.mydomain.de
  username: !secret nextcloud_username
  password: !secret nextcloud_password

Also my HA updater component is not working anymore. Although this is another thing it might be caused by the same issue…

Thanks a lot in advance!

Greetings,
Jojo

Why not avoid headaches and use http://local.ip.nextcloud.instance:80 in HA?

Thank you for the reply!
You mean in the nextcloud config under “url:”? Good point. I will try and report back.

On the other hand: this is more a workaround than a solution for the root cause… :thinking:

Greetings

Well, using an external address for internal to internal implies a number of network configurations being done properly, and it brings you nothing as your nextcloud is http…

So it’s more common sense than a workaround :wink:

Okay, understood :sweat_smile:. Taking the local IP works. Thanks!

Could you please take a look at my reverse-proxy config if it makes sense so far? I must confess that I am not a network stuff specialist…

Thank you!

Well, I guess the nginx config is working as long as you come from internet, doesn’t it, so it would be a network issue rather than an nginx one.
Does the nextcloud external address work from an internal browser?

Chris, highly appreciating that you look into this!

Well, I would say “yes”, it works - most of the time.
Meaning that internally the access to both my Nextcloud instance as well as to my HA instance works with the external address. But sometimes I get an error from my router which says something about “DNS rebind protection” or so. I cannot reproduce this reliably because it does not happen always, but only sometimes. In that case I help myself by just taking the internal IP address.
But I think this issue is caused somehow in my router.
As said, this network stuff is really a myth to me. That’s the reason why I am quite happy to have it running so far at all with things like subdomains, reverse proxy and SSL certs and so on. Had to take a steep learning curve… But I confess that most reverse-proxy stuff is copy-paste from the docs and tutorials… :see_no_evil:

Why do you ask so specifically? Is there anything in the config that has a “bad smell” to you?

Greetings

No, it was just to confirm it was a networking issue and not a nginx one.

OK :slight_smile: .
One last thing (while already off-topic):
Can’t I make some of the reverse-proxy config “global” for both servers and not individual for each server? And does that make sense at all? Maybe just to avoid “bad practice”?
Like this:

proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_pass_header   Server;

server {
        server_name homeassistant.mydomain.de;
        location / {
                proxy_pass      http://local.ip.homeassistant.instance:8123;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/homeassistant.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/homeassistant.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
        server_name nextcloud.mydomain.de;
        location / {
                proxy_pass      http://local.ip.nextcloud.instance:80;
        }
        client_max_body_size 0;

        rewrite ^/\.well-known/carddav https://nextcloud.mydomain.de/remote.php/dav/ redirect;
        rewrite ^/\.well-known/caldav https://nextcloud.mydomain.de/remote.php/dav/ redirect;


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nextcloud.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

This looks more tidy to me. But I don’t want to sacrifice functionality to style :sweat_smile:…

Greetings
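
One way to share the proxy directives asked about in the post above, as an added example that is not part of the original thread. It assumes the site file is included inside nginx's `http` context; the snippet path `/etc/nginx/snippets/proxy-common.conf` is a hypothetical name, and the `map` is the usual definition of the `$connection_upgrade` variable that the posted configs use but do not show.

```nginx
# --- /etc/nginx/snippets/proxy-common.conf (hypothetical file name) ---
# Only the settings that BOTH backends had in the original per-server config.
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# --- site file, included inside the http {} context ---
# $connection_upgrade is not built in. Define it exactly once; leave this
# map out if nginx.conf or another included file already defines it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name homeassistant.mydomain.de;
    location / {
        include /etc/nginx/snippets/proxy-common.conf;
        # Was set only for Home Assistant in the original config.
        proxy_redirect http:// https://;
        proxy_pass http://local.ip.homeassistant.instance:8123;
    }
    # "listen 443 ssl" and the Certbot-managed ssl_* lines stay as posted.
}

server {
    server_name nextcloud.mydomain.de;
    client_max_body_size 0;
    location / {
        include /etc/nginx/snippets/proxy-common.conf;
        # Was set only for Nextcloud in the original config.
        proxy_pass_header Server;
        proxy_pass http://local.ip.nextcloud.instance:80;
    }
    # Rewrites, "listen 443 ssl" and the Certbot-managed ssl_* lines stay as posted.
}
```

nginx inherits `proxy_set_header` from an outer level only when the current level defines no `proxy_set_header` of its own, so with the fully global layout a single header added later inside one `location` would silently drop the inherited `X-Forwarded-For` that the HA `use_x_forwarded_for` / `trusted_proxies` setup relies on. The global layout would also apply `proxy_redirect http:// https://;` to Nextcloud and `proxy_pass_header Server;` to Home Assistant, which the original per-server config did not do; run `nginx -t` before reloading either variant.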