
My environment

  • Windows 10 Pro host PC at IP 192.168.2.11

  • FreeNAS running in VMware Workstation on the host PC at IP 192.168.2.13

  • Nextcloud instance in a FreeNAS jail at IP 192.168.2.37 (installed by following these instructions and removing the settings related to SSL). The back-end for Nextcloud uses NGINX and PGSQL.

What am I trying to achieve?

I created a Nextcloud instance within a FreeNAS jail. This Nextcloud instance works fine when approached via LAN over HTTP. I want to put it on WAN over HTTPS using IIS with a reverse proxy. The SSL certificate is controlled by IIS. The domain I'm trying to use to redirect to the Nextcloud server is nextcloud.MyRedactedDomain.com.

The result

Note 1: I used an incognito window to rule out bad caching of a previous redirect status result or anything of the like.

Note 2: I entered the url nextcloud.MyRedactedDomain.com and it redirected me to nextcloud.MyRedactedDomain.com/login so it seems that Nextcloud is doing something...

Note 3: There is no index.php present in the URL. This was present when I used the FreeNAS plugin. I only followed the instructions and it was not there from the beginning. It's also not there when I approach it on LAN (which works fine). Manually inserting it in the URL yields the same error.

500 - Internal server error

What have I done so far?

  • All this worked before when I used the provided Nextcloud plugin for FreeNAS. However, it stopped working when I tried to update the plugin. I've read that using the plugin is terrible when you try to update Nextcloud, so now I'm trying to manually create a jail and install it (see the link at 'My environment').
  • I've tried messing about in NGINX's nginx.conf file: removing headers, adding headers, removing deny rules altogether, copying config from the old instance, adding some proxy headers that were present in the old config. All to no avail.
  • I've tried several reverse proxy settings in Nextcloud's config.php by following these instructions. I even tried using some settings that weren't needed in the working plugin instance: overwritewebroot, overwritecondaddr and trusted_proxies. I also switched around IPs in the proxy settings.

Settings

IIS' web.config rules that affect the Nextcloud server:

<rule name="HTTPS redirect" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
<rule name="NextCloud reverse proxy" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="nextcloud.MyRedactedDomain.com" />
    </conditions>
    <action type="Rewrite" url="http://192.168.2.37/{REQUEST_URI}" />
</rule>

Nextcloud's config.php as it is now:

<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'trusted_domains' => 
  array (
    0 => '192.168.2.37',
  ),
  'trusted_proxies' => ['192.168.2.11'],
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'pgsql',
  'version' => '19.0.1.1',
  'dbname' => 'REDACTED',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'REDACTED',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'overwrite.cli.url' => 'https://nextcloud.MyRedactedDomain.com',
  'overwritehost'     => 'nextcloud.MyRedactedDomain.com',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^192\.168\.2\.37$',
);

NGINX's nginx.conf as it is now:

user www;
worker_processes 4;
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;

events {
  worker_connections 1024;
}

http {
  include mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
  access_log /var/log/nginx/access.log main;
  sendfile on;
  keepalive_timeout 65;

  upstream php-handler {
    server 127.0.0.1:9000;
  }

  server {
    listen 80;

    # HEADERS SECURITY RELATED
    add_header Referrer-Policy "no-referrer";

    # HEADERS
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";

    # PATH TO THE ROOT OF YOUR INSTALLATION
    root /usr/local/www/nextcloud/;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # BUFFERS TIMEOUTS UPLOAD SIZES
    client_max_body_size 16400M;
    client_body_buffer_size 1048576k;
    send_timeout 3000;

    # ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
      rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
      fastcgi_keep_conn off;
      fastcgi_buffers 16 256K;
      fastcgi_buffer_size 256k;
      fastcgi_busy_buffers_size 256k;
      fastcgi_temp_file_write_size 256k;
      fastcgi_send_timeout 3000s;
      fastcgi_read_timeout 3000s;
      fastcgi_connect_timeout 3000s;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
      try_files $uri/ =404;
      index index.php;
    }

    # ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
    # MAKE SURE IT IS BELOW PHP BLOCK
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=15778463";
      # HEADERS
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      add_header X-Frame-Options "SAMEORIGIN";
      # OPTIONAL: DONT LOG ACCESS TO ASSETS
      access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
      access_log off;
    }
  }
}

NGINX's error log (this is an accumulation of several attempts and adjustments to the config files):

2020/08/12 02:35:30 [error] 63641#101838: *50 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597224931108 HTTP/1.1", host: "192.168.2.37"
2020/08/12 02:41:12 [error] 64301#102558: *126 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597225273075 HTTP/1.1", host: "192.168.2.37"
2020/08/12 03:02:22 [error] 64302#101573: *542 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597226542349 HTTP/1.1", host: "192.168.2.37"
2020/08/12 05:46:30 [emerg] 7894#100667: unknown directive "includeSubDomains" in /usr/local/etc/nginx/nginx.conf:54
2020/08/12 05:54:49 [emerg] 8245#102122: unknown directive "proxy_cach_valid" in /usr/local/etc/nginx/nginx.conf:55
2020/08/12 05:55:16 [emerg] 8274#102086: invalid time value "lm" in /usr/local/etc/nginx/nginx.conf:55
2020/08/12 06:15:00 [error] 8986#102424: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:15:05 [error] 8987#101058: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:17:06 [error] 9060#101663: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:17:11 [error] 9060#101663: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:18:42 [error] 9113#102196: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:18:46 [error] 9112#101641: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:19:13 [error] 9112#101641: *3 rewrite or internal redirection cycle while processing "/index.php//index.php/204", client: 192.168.2.11, server: , request: "GET //index.php/204 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:22:20 [crit] 9260#100919: *1 connect() to unix:/var/run/nextcloud-php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.2.11, server: _, request: "GET // HTTP/1.1", upstream: "fastcgi://unix:/var/run/nextcloud-php-fpm.sock:", host: "192.168.2.37"
2020/08/12 06:22:25 [error] 9260#100919: *1 open() "/usr/local/www/nextcloud/favicon.ico" failed (2: No such file or directory), client: 192.168.2.11, server: _, request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:22:25 [crit] 9260#100919: *1 connect() to unix:/var/run/nextcloud-php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.2.11, server: _, request: "GET //favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/var/run/nextcloud-php-fpm.sock:", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:28:45 [error] 9489#100770: *7 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597238925594 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:31:00 [error] 9489#100770: *78 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239060928 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:34:38 [error] 9489#100770: *109 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239279292 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:36:20 [error] 9862#102189: *6 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239381044 HTTP/1.1", host: "192.168.2.37"

IIS' log snippet (errors only from the same settings as posted above):

2020-08-14 07:35:50 192.168.2.11 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=3f4ff15f-436f-4004-bb55-360f94826d4e&SERVER-STATUS=302 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 302 0 0 81
2020-08-14 07:35:50 192.168.2.11 GET /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=b0b256ce-9bb6-42b7-b098-c3ab117246f7&SERVER-STATUS=200 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 200 0 0 135
2020-08-14 07:35:50 192.168.2.11 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=1a8b782f-0381-4118-912e-5503406c0d84&SERVER-STATUS=302 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 https://nextcloud.MyRedactedDomain.com/login 302 0 0 81
2020-08-14 07:35:50 192.168.2.11 GET /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=a70275c4-a20e-4c50-b994-933afecb9f2f&SERVER-STATUS=200 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 200 0 0 130
Neijwiert
  • It seems like the IIS proxy is adding an extra slash to URL. GET // should normally be GET /, and this may confuse redirections. Did you look into that? – Gerrit Aug 17 '20 at 09:22
  • @Gerrit I'm not sure where it would be doing that, as the only rule I have regarding redirection to the Nextcloud instance is the one I posted, which rewrites it to `http://192.168.2.37/{REQUEST_URI}`. – Neijwiert Aug 17 '20 at 13:38
  • @Gerrit I've just inspected the `error.log` more closely and it seems that with the current settings it isn't even generating an error. I completely emptied out `error.log` and visited nextcloud.MyRedactedDomain.com multiple times to generate the 500 status error and the log file is still empty. Meanwhile the access.log does show the GET requests. But indeed with double forward slashes: `192.168.2.11 - - [17/Aug/2020:06:45:03 -0700] "GET //index.php/204 HTTP/1.1" ` – Neijwiert Aug 17 '20 at 13:47
  • Did you inspect the Nextcloud log? The IIS rewrite rule could be changed to `http://ip{REQUEST_URI}` to get rid of the double slash. – Gerrit Aug 17 '20 at 13:59
  • @Gerrit Hm I just inspected the Nextcloud log (sorry forgot about that in my post) and it doesn't seem to be generating any new entries at all. However changing the IIS rewrite rule did fix the double forward slash issue (however I think during my previous instance with the FreeNas plugin I had it with a slash), but I'm still getting a 500 internal server error. – Neijwiert Aug 17 '20 at 14:12
  • @Gerrit I did a test and disabled the proxy stuff and tried it from LAN again. In the log it seems that there are single forward slashes (so yeah, it's definitely not NGINX doing that). However, when I go to the login page I get more GET requests in my nginx's log, such as: `192.168.2.11 - - [17/Aug/2020:07:14:43 -0700] "GET /apps/theming/js/theming?v=0 HTTP/1.1" 192.168.2.11 - - [17/Aug/2020:07:14:43 -0700] "GET /apps/accessibility/js/accessibility?` (on WAN I only get requests to login, favicon, index.php and the root). Note that Nextcloud's log is still empty, but the login page loads fine. – Neijwiert Aug 17 '20 at 14:18
  • So, it seems to be the IIS proxy. Can you get a better error with https://stackoverflow.com/a/2765795/2824577 ? – Gerrit Aug 17 '20 at 14:46
  • @Gerrit Thanks for your help, I figured out what the problem was. I inspected the responses from the server using Fiddler and it seemed that IIS was returning `500 URL ReWrite Module Error`. I searched for that and I got to [this](https://stackoverflow.com/questions/47398792/500-url-rewrite-module-error-iis-8) stackoverflow answer. The first answer seemed to be the problem. I was using gzip in my NGINX instance. Setting it to `gzip off` and removing the other `gzip` lines fixed it. You found out that it was something with IIS, so you can get the bounty if you give an answer. – Neijwiert Aug 17 '20 at 14:53
  • That turns out to be a problem I had once also. The direction I took was outlined in this article: https://docs.microsoft.com/en-us/archive/blogs/friis/iis-with-url-rewrite-as-a-reverse-proxy-part-2-dealing-with-500-52-status-codes – Gerrit Aug 17 '20 at 14:58
  • @Gerrit Ah yeah thanks. It's funny that I already have a similar rule like that in my IIS for my Plex jail.... I'll look into that if I can get it working with compression. If not, then I'll leave as is I guess... – Neijwiert Aug 17 '20 at 15:49
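Putting the two findings from the comment thread together, the following is an added example web.config (not the asker's file and not text from the linked Microsoft article) that applies both corrections: the rewrite target is `http://192.168.2.37{REQUEST_URI}` with no extra slash, because `{REQUEST_URI}` already begins with one, and the inbound rule blanks the `Accept-Encoding` request header before ARR forwards it, which is the approach the linked article takes. The backend then never returns a gzip-encoded body to ARR, so the URL Rewrite module does not hit its 500.52 "cannot rewrite encoded response" error, and nginx's `gzip` settings can stay switched on for LAN clients that talk to it directly. The host-name pattern is also anchored and dot-escaped so the rule cannot match an unrelated host that happens to contain the same characters. The HTTPS redirect rule is kept as posted. The example assumes URL Rewrite and ARR are installed on the IIS host and that `HTTP_ACCEPT_ENCODING` has been added to the server's allowed server variables; without that, IIS rejects the `<set>` element at startup.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for an IIS site that fronts Nextcloud at 192.168.2.37.
     Assumes URL Rewrite + ARR are installed and HTTP_ACCEPT_ENCODING is an
     allowed server variable (see note below). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Unchanged from the question: force HTTPS on the public side. -->
        <rule name="HTTPS redirect" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
        </rule>

        <rule name="NextCloud reverse proxy" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <!-- Anchored and dot-escaped: only this exact host name matches. -->
            <add input="{HTTP_HOST}" pattern="^nextcloud\.MyRedactedDomain\.com$" />
          </conditions>
          <serverVariables>
            <!-- Strip Accept-Encoding so nginx answers uncompressed; the URL
                 Rewrite module cannot rewrite a gzip-encoded response (500.52). -->
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
          <!-- REQUEST_URI already starts with "/", so no slash is added here;
               the original "/{REQUEST_URI}" produced the "GET //..." requests. -->
          <action type="Rewrite" url="http://192.168.2.37{REQUEST_URI}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The server-variable whitelist lives in applicationHost.config rather than in the site's web.config: `<system.webServer><rewrite><allowedServerVariables><add name="HTTP_ACCEPT_ENCODING" /></allowedServerVariables></rewrite></system.webServer>` (the same entry can be made from the "View Server Variables" dialog in the URL Rewrite UI). With `trusted_proxies` in config.php already set to the IIS host 192.168.2.11, Nextcloud will continue to take the client address from ARR's `X-Forwarded-For` header rather than logging every request as coming from the proxy.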

0 Answers