Hi, so I need help correctly setting up my network.
I have a reverse proxy in a TrueNAS jail, which should redirect all traffic from port 443 to either the mail server [other device] or Nextcloud [other jail on TrueNAS].
I want the mail server to have its own certificates,
and the Nextcloud jail to have its own certificates.
My current config for the reverse proxy/nginx is:
###########################################################
upstream nextcloud {
    server <local_IP_nextcloud>:443;
}

server {
    listen 80;
    server_name www.nextcloud.ekspertyzy-szkolenia.pl nextcloud.ekspertyzy-szkolenia.pl;
    return 301 https://nextcloud.ekspertyzy-szkolenia.pl$request_uri;
}

server {
    listen 443;
    server_name www.nextcloud.ekspertyzy-szkolenia.pl nextcloud.ekspertyzy-szkolenia.pl;

    location / {
        proxy_pass http://nextcloud;
        proxy_ssl_server_name on;
        proxy_ssl_name ekspertyzy-szkolenia.pl;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
###########################################################
And my current config on the Nextcloud jail's nginx is:
###########################################################
upstream php-handler {
    server unix:/var/run/nextcloud-php-fpm.sock;
}

# Redirect to HTTPS
server {
    if ($host = www.nextcloud.ekspertyzy-szkolenia.pl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = nextcloud.ekspertyzy-szkolenia.pl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;
    listen 80 default_server;

    location ^~ /.well-known/acme-challenge {
        # Path to the root of your installation
        root /usr/local/www/nextcloud/;
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://$host:443$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;

    include conf.d/nextcloud.inc;

    ssl_certificate /usr/local/etc/letsencrypt/live/nextcloud.ekspertyzy-szkolenia.pl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.ekspertyzy-szkolenia.pl/privkey.pem; # managed by Certbot
    ssl_stapling on;
    ssl_stapling_verify on;
}
###########################################################
Even though I was able to obtain certificates using certbot --nginx for my domains, I still cannot access nextcloud.ekspertyzy-szkolenia.pl from outside the local network.
I suspected my understanding of upstreams is botched and I need to fix that, but I do not get what my config should look like on the reverse proxy, since I suspect that is where my issue lies.
The mail server is not yet included in this config; I want Nextcloud to start working first, since I am introducing it alongside an already working mail server.
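The setup the post asks for (one public port 443, each backend keeping its own certificate) is what nginx's stream module with ssl_preread does: the proxy reads the SNI name from the ClientHello and hands the still-encrypted TCP connection to the matching backend, so no certificate lives on the proxy at all. This is an added example written for this thread, not the poster's config; it assumes the mail host is named mail.ekspertyzy-szkolenia.pl and serves HTTPS on 443 (both placeholders), that the stream block sits at the top level of nginx.conf next to http, and that nginx was built with the stream_ssl_preread module.

```nginx
# Top level of nginx.conf (outside the http block).
# Assumed hostnames/IPs are placeholders; replace with real values.
stream {
    # Pick the backend by the TLS SNI name the client sends.
    map $ssl_preread_server_name $backend {
        nextcloud.ekspertyzy-szkolenia.pl      nextcloud_tls;
        www.nextcloud.ekspertyzy-szkolenia.pl  nextcloud_tls;
        mail.ekspertyzy-szkolenia.pl           mail_tls;      # assumed name
        default                                nextcloud_tls; # no/unknown SNI
    }

    upstream nextcloud_tls {
        server <local_IP_nextcloud>:443;   # Nextcloud jail, its own cert
    }

    upstream mail_tls {
        server <local_IP_mail>:443;        # mail host, its own cert
    }

    server {
        listen 443;          # plain TCP listener: NO "ssl" here, TLS is passed through
        ssl_preread on;      # parse the ClientHello without terminating TLS
        proxy_pass $backend;
    }
}

# The http block keeps only port 80: ACME HTTP-01 challenges are forwarded
# to the backend that owns the name so certbot keeps renewing there, and
# everything else is redirected to HTTPS.
http {
    server {
        listen 80;
        server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://<local_IP_nextcloud>;
            proxy_set_header Host $host;
        }

        location / {
            return 301 https://nextcloud.ekspertyzy-szkolenia.pl$request_uri;
        }
    }
}
```

Remove the existing `listen 443` server from the proxy's http block, since the stream listener now owns that port, and run `nginx -t` to confirm the build includes ssl_preread. Because the proxy never decrypts the traffic, it cannot inject X-Forwarded-For, so Nextcloud will log the proxy's address as the client unless you also enable proxy_protocol on both sides.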