Reverse proxy configuration with SSL certs on upstream servers
January 17, 2023 11:45AM
Hi, so I need help correctly setting up my network.
I have a reverse proxy in a TrueNAS jail, which should redirect all traffic from port 443 to either the mail server [other device] or Nextcloud [other jail on TrueNAS].
I want the mail server to have its own certificates,
and the Nextcloud jail to have its own certificates.
My current config for the reverse proxy/nginx is:
###########################################################
upstream nextcloud {
    server <local_IP_nextcloud>:443;
}

server {
    listen 80;
    server_name www.nextcloud.ekspertyzy-szkolenia.pl nextcloud.ekspertyzy-szkolenia.pl;
    return 301 https://nextcloud.ekspertyzy-szkolenia.pl$request_uri;
}

server {
    listen 443;
    server_name www.nextcloud.ekspertyzy-szkolenia.pl nextcloud.ekspertyzy-szkolenia.pl;
    location / {
        proxy_pass http://nextcloud;
        proxy_ssl_server_name on;
        proxy_ssl_name ekspertyzy-szkolenia.pl;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
###########################################################
And my current config on the Nextcloud jail nginx is:
###########################################################
upstream php-handler {
    server unix:/var/run/nextcloud-php-fpm.sock;
}

# Redirect to HTTPS
server {
    if ($host = www.nextcloud.ekspertyzy-szkolenia.pl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = nextcloud.ekspertyzy-szkolenia.pl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;
    listen 80 default_server;

    location ^~ /.well-known/acme-challenge {
        # Path to the root of your installation
        root /usr/local/www/nextcloud/;
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://$host:443$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;

    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;

    include conf.d/nextcloud.inc;
    ssl_certificate /usr/local/etc/letsencrypt/live/nextcloud.ekspertyzy-szkolenia.pl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.ekspertyzy-szkolenia.pl/privkey.pem; # managed by Certbot
    ssl_stapling on;
    ssl_stapling_verify on;
}
Even though I was able to obtain certificates using certbot --nginx for my domains, I still cannot access nextcloud.ekspertyzy-szkolenia.pl from outside the local network.
I suspected my understanding of upstreams is botched, and I need to fix that, but I do not get what my config should look like on the reverse proxy, since I suspect my issue lies there.
The mail server is not yet included in this config; I want Nextcloud to start working first, since I am introducing it alongside an already working mail server.
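An added example (not the poster's config) of how the proxy jail can route port 443 by SNI without terminating TLS, so each backend keeps its own certificate and key. As posted, the proxy's `listen 443;` has no `ssl`, and `proxy_pass http://nextcloud` sends plaintext HTTP to the jail's TLS port, so neither hop completes a TLS handshake. It assumes nginx on FreeBSD was built with the stream and stream_ssl_preread modules, and uses the post's own placeholder style plus assumed `<mail_hostname>` and `<local_IP_mail>`.

```nginx
# Added example: nginx.conf fragments for the reverse-proxy jail (events{} etc. omitted).
# Assumes nginx has the stream and stream_ssl_preread modules compiled in.
# <local_IP_nextcloud>, <local_IP_mail> and <mail_hostname> are placeholders.

stream {
    # Pick the backend from the SNI hostname in the TLS ClientHello.
    # The proxy never decrypts, so each backend keeps its own cert and key.
    map $ssl_preread_server_name $tls_backend {
        nextcloud.ekspertyzy-szkolenia.pl      <local_IP_nextcloud>:443;
        www.nextcloud.ekspertyzy-szkolenia.pl  <local_IP_nextcloud>:443;
        <mail_hostname>                        <local_IP_mail>:443;
        # Unknown or missing SNI lands on Nextcloud; its certificate will not
        # match any other name a client asked for, so the client fails closed.
        default                                <local_IP_nextcloud>:443;
    }

    server {
        listen 443;              # replaces the http{} server that listened on 443
        ssl_preread on;
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
        # Optional: proxy_protocol on; together with "listen 443 ssl proxy_protocol;"
        # on the backends, so their logs show the real client IP, not the proxy's.
    }
}

http {
    # Port 80 stays in http{}: forward ACME HTTP-01 challenges to the jail that
    # owns the name so certbot renewals keep working, and redirect everything else.
    server {
        listen 80;
        server_name nextcloud.ekspertyzy-szkolenia.pl www.nextcloud.ekspertyzy-szkolenia.pl;

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://<local_IP_nextcloud>;
            proxy_set_header Host $host;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
}
```

With passthrough the `proxy_ssl_*` directives and the `upstream nextcloud` block on the proxy are no longer needed; the jail's existing certbot-managed 443 server answers the client directly.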