Nextcloud 13 behind HAProxy with Let's Encrypt – all in Docker containers

I want to have a Nextcloud server for my family and friends, and I want it behind a reverse proxy so that I get SSL termination and the reverse proxy can in addition serve other HTTP-based services that I later want to expose externally or only internally.

Tasks:

  1. Set up the bradjonesllc/docker-haproxy-letsencrypt Docker container
  2. Set up the Nextcloud 13 Docker container
  3. Configure HAProxy and Nextcloud

1. Set up the HAProxy container

I’m already using the duckdns.org service for dynamically updating my IP address to a domain name, and I want a frontend reverse proxy for SSL traffic to Nextcloud. I.e. I want https://mydomain.duckdns.org/nextcloud/ routed to the Nextcloud 13 container that I will install, with a valid SSL certificate generated by the Let's Encrypt service.

First I’ve set up port forwarding in my switch (Ubiquiti EdgeRouter X) from ports 80 and 443 to the ports that I plan to expose from the reverse proxy Docker container:

  • External port 80 maps to port 9980 of the HAProxy container
  • External port 443 (SSL) maps to port 9981 of the HAProxy container

Next, create a couple of folders outside the container (mounted into it) where I want to keep the haproxy.cfg configuration file and the certificates that get generated:

  • /volume1/docker/letsencrypt/
  • /volume1/docker/haproxy/

As a starting point for the HAProxy configuration I’m copying the haproxy.cfg file from the repo: https://github.com/BradJonesLLC/docker-haproxy-letsencrypt (I could have copied it out of the container, but this way I don’t have to start one up just for that).

Copy the haproxy.cfg file to the /volume1/docker/haproxy/ folder.

Now it is time to start the container…

docker run -t -e CERTS=mydomain.duckdns.org -e EMAIL=my@mail.com -v /volume1/docker/letsencrypt/:/etc/letsencrypt -v /volume1/docker/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg -p 9980:80 -p 9981:443 --name haproxy bradjonesllc/docker-haproxy-letsencrypt

If everything starts up fine – certificates are created as they should be – let’s move on to the next step of setting up Nextcloud. Please note that you must have

2. Set up the Nextcloud 13 container

I’ll be using a separate MySQL database and link it to the Nextcloud container, to avoid the SQLite database that comes with it.

docker run --name nextcloud-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql:latest

Again, create the necessary folders so that the most important data is kept outside the container; that is what makes upgrading the container painless later.

  • /volume1/docker/nextcloud/apps
  • /volume1/docker/nextcloud/config
  • /volume1/docker/nextcloud/data

Start the Docker container and wait until you can reach the login page on port 8102, e.g. http://192.168.2.10:8102

docker run -d -v /volume1/docker/nextcloud/apps/:/var/www/html/custom_apps/ -v /volume1/docker/nextcloud/config/:/var/www/html/config/ -v /volume1/docker/nextcloud/data/:/var/www/html/data/ -p 8102:80 --link nextcloud-mysql:mysql --name mynextcloud nextcloud:latest

When you can reach the web page, follow the wizard and choose MySQL as the database with hostname “mysql”, as shown below.

[Screenshot: Nextcloud setup wizard, database settings, 2018-05-03]

Finish the setup wizard.

3. Final touches

Now we need to make HAProxy and Nextcloud work together so that Nextcloud is accessible externally with a proper SSL certificate.

Open /volume1/docker/haproxy/haproxy.cfg. Below is my configuration file: it redirects plain HTTP to HTTPS, terminates SSL in front of the backend services, and forwards any request under /nextcloud/ to http://192.168.2.10:8102, my Nextcloud Docker container.

global
 maxconn 256
 lua-load /usr/local/etc/haproxy/acme-http01-webroot.lua
 chroot /jail
 ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 tune.ssl.default-dh-param 4096

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms
 option forwardfor
 option http-server-close

frontend http
 bind *:80
 mode http
 # Let's Encrypt HTTP-01 challenges are answered by the Lua service.
 # http-request rules are evaluated before redirect rules, so the
 # challenge path is served over plain HTTP; everything else gets a 301.
 acl url_acme_http01 path_beg /.well-known/acme-challenge/
 http-request use-service lua.acme-http01 if METH_GET url_acme_http01
 redirect scheme https code 301 if !{ ssl_fc }

 default_backend www-backend

frontend ft_ssl_vip
 bind *:443 ssl crt /usr/local/etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
 # HSTS, 15768000 s = half a year (rspadd is HAProxy 1.x syntax, removed in 2.1)
 rspadd Strict-Transport-Security:\ max-age=15768000

 # Adjust paths: /nextcloud without a trailing slash would not match the
 # rewrite in the backend, so redirect it to /nextcloud/
 acl missing_nc_path path /nextcloud
 http-request redirect location /nextcloud/ if missing_nc_path

 # App definitions
 acl is_nc path_beg /nextcloud
 use_backend nextcloud if is_nc

backend www-backend
 redirect scheme https code 301 if !{ ssl_fc }

backend nextcloud
 # Strip the /nextcloud/ prefix from the request line before handing the
 # request to the container, which serves Nextcloud at its document root
 # (reqrep/reqadd are HAProxy 1.x directives, removed in 2.1)
 reqrep ^([^\ :]*)\ /nextcloud/(.*) \1\ /\2
 reqadd X-Script-Name:\ /nextcloud
 option httpclose
 option forwardfor
 server node1 192.168.2.10:8102
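To see what the frontend and backend rules above actually do to a request, here is an added model of them in Python. This is example code written for this page, not HAProxy code and not part of the original post; it re-implements the routing decisions (ACME exception, HTTP-to-HTTPS redirect, the trailing-slash redirect, the prefix strip and the added headers) so that the combined effect can be checked offline. The client address and hostname in the samples are constructed, and the URL prefix is a parameter, so the same model also covers the /nc variant in the older post further down the page.

```python
"""Model of the request routing performed by the haproxy.cfg above.

Added example written in Python for this page: it is not HAProxy code and
not part of the original post.  It re-implements what the frontend and
backend rules do to a single request so their combined effect can be
checked offline.  The URL prefix is a parameter (default /nextcloud), so
the same model covers the /nc variant in the older post further down.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    tls: bool                        # True when received on :443 (ssl_fc)
    client_ip: str = "203.0.113.7"   # constructed sample client address
    host: str = "mydomain.duckdns.org"


@dataclass
class Result:
    action: str                      # "acme", "redirect", "backend" or "no_backend"
    status: int = 0                  # 0 for "backend": the status comes from the server
    location: str = ""
    server: str = ""                 # backend server the request is relayed to
    path: str = ""                   # request path as that server sees it
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)


def route(req: Request, prefix: str = "/nextcloud",
          server: str = "192.168.2.10:8102") -> Result:
    """Apply the frontend http, frontend ft_ssl_vip and backend nextcloud rules."""
    if not req.tls:
        # frontend http: http-request rules run before redirect rules, so the
        # ACME challenge path is answered by the Lua service over plain HTTP
        # and everything else gets the 301 to https.
        if req.method == "GET" and req.path.startswith("/.well-known/acme-challenge/"):
            return Result(action="acme", status=200, path=req.path)
        return Result(action="redirect", status=301,
                      location=f"https://{req.host}{req.path}")

    # frontend ft_ssl_vip: the bare prefix is redirected to prefix/ because the
    # rewrite in the backend only matches when a slash follows the prefix.
    if req.path == prefix:
        return Result(action="redirect", status=301, location=prefix + "/")

    # acl is_nc path_beg <prefix>: a plain prefix match, so a path such as
    # /nextcloudfoo is also sent to the Nextcloud backend (and not rewritten).
    if req.path.startswith(prefix):
        # reqrep ^([^\ :]*)\ <prefix>/(.*) \1\ /\2 strips the prefix from the
        # request line; reqadd and option forwardfor add the two headers.
        new_path = re.sub(r"^" + re.escape(prefix) + r"/(.*)$", r"/\1", req.path)
        return Result(
            action="backend", server=server, path=new_path,
            req_headers={"X-Script-Name": prefix,
                         "X-Forwarded-For": req.client_ip},
            resp_headers={"Strict-Transport-Security": "max-age=15768000"},
        )

    # ft_ssl_vip has no default_backend, so anything else is answered with 503.
    return Result(action="no_backend", status=503)


if __name__ == "__main__":
    samples = [
        Request("GET", "/nextcloud/index.php", tls=False),
        Request("GET", "/.well-known/acme-challenge/token", tls=False),
        Request("GET", "/nextcloud", tls=True),
        Request("GET", "/nextcloud/index.php", tls=True),
        Request("GET", "/other", tls=True),
    ]
    for r in samples:
        print(f"{r.method} {r.path} ({'tls' if r.tls else 'plain'}) -> {route(r)}")
```

Two details the model makes visible: path_beg is a prefix match, not a path-segment match, so a path like /nextcloudfoo reaches the Nextcloud backend unrewritten, and the :443 frontend has no default_backend, so any path outside the prefix is answered by HAProxy itself rather than leaking to some other service.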

Restart the HAProxy container.

Last but not least, we need to update Nextcloud's config.php file.

Open /volume1/docker/nextcloud/config/config.php in an editor and add or replace the following values:

  'trusted_domains' =>
  array (
    0 => '192.168.2.10:8102',
    1 => 'mydomain.duckdns.org',
  ),
  'trusted_proxies' =>
  array (
    0 => '192.168.2.10',
  ),
  'overwrite.cli.url' => 'https://mydomain.duckdns.org/nextcloud',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'mydomain.duckdns.org',
  'overwritewebroot' => '/nextcloud',

I hope that I have covered everything in translating the process into this blog entry. The server should now be accessible at https://mydomain.duckdns.org/nextcloud/

EDIT: Incorrect cipher setting in haproxy.cfg

After my installation I tested reaching my server with the Nextcloud app and received an SSL initialization error. After googling the error this appears to be a common issue, but after validating with the Mozilla SSL Configuration Generator I now have a working configuration and I’ve updated the haproxy.cfg file above.


Run Nextcloud through a reverse proxy – HAProxy – with a different webroot

I wanted to set up HAProxy as a reverse proxy in front of my Nextcloud 12 server, and I really struggled to find proper information on how to do that. As I have a number of backend services I needed a different webroot to define the request; I finally succeeded and want to share my configuration settings.

Nextcloud is now accessible from https://myserver.se/nc/

/etc/haproxy/haproxy.cfg

global
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        log 127.0.0.1 local0 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option  redispatch
        option  http-server-close
        option  forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000

frontend www-http
        bind *:80
        mode http
        reqadd X-Forwarded-Proto:\ http

        default_backend www-backend

backend www-backend
        #All requests should be in SSL-mode. SSL is terminated in HAProxy
        #and uses HTTP in backend requests
        redirect scheme https code 301 if !{ ssl_fc }

frontend www-https
        #My server certificate
        #Here's a great instruction on how to setup
        # LetsEncrypt with HAProxy https://skarlso.github.io/2017/02/15/how-to-https-with-hugo-letsencrypt-haproxy/
        bind *:443 ssl crt /etc/haproxy/certs/myserver.pem
        mode http
        option forwardfor
        option http-server-close
        option http-pretend-keepalive

        #Only allow some services to be available internally
        acl network_allowed src 192.168.2.0/24
        acl restricted_page path_beg /internal
        block if restricted_page !network_allowed

        # App definitions
        acl is_nc path_beg /nc
        use_backend nextcloud if is_nc

backend nextcloud
        reqrep ^([^\ :]*)\ /nc/(.*)  \1\ /\2
        reqadd X-Script-Name:\ /nc
        option httpclose
        option forwardfor
        server node1 192.168.2.212:80

And for Nextcloud I updated the PHP configuration settings with my domain name “myserver.se” and the HAProxy IP address “192.168.2.196”, as explained here: https://docs.nextcloud.com/server/12/admin_manual/configuration_server/reverse_proxy_configuration.html

/var/www/nextcloud/config/config.php:

  ...
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '192.168.2.212',
    2 => '192.168.2.196',
    3 => 'myserver.se',
  ),
  'trusted_proxies' => ['192.168.2.196'],
  'overwritehost' => 'myserver.se',
  'overwritewebroot' => '/nc',
  'overwritecondaddr' => '^192\.168\.2\.196$',
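The config.php values in both posts on this page (trusted_domains, trusted_proxies and the overwrite* settings) only make sense once you see which request they act on. The following is an added Python model written for this page; it is not Nextcloud's PHP code, and it reduces Nextcloud's behaviour to the rules the linked admin manual describes: X-Forwarded-For and X-Forwarded-Proto are honoured only when the connecting address is in trusted_proxies, and overwritehost/overwriteprotocol/overwritewebroot are used only when overwritecondaddr (if set) matches that address. The two config dicts are transcribed from the snippets on this page; the client addresses in the samples are constructed.

```python
"""Model of the reverse-proxy settings in Nextcloud's config.php.

Added example written in Python for this page; it is not Nextcloud's PHP
code.  It reduces Nextcloud's handling to the rules the admin manual
describes: forwarded headers are honoured only when REMOTE_ADDR is in
trusted_proxies, and the overwrite* values apply only when overwritecondaddr
(if set) matches REMOTE_ADDR.  The two config dicts are transcribed from the
config.php snippets on this page; client addresses are constructed samples.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Incoming:
    remote_addr: str            # TCP peer: the proxy, or a client hitting the box directly
    host: str                   # Host header as the web server received it
    proto: str = "http"         # scheme of the hop into Nextcloud (HAProxy talks plain HTTP)
    webroot: str = ""           # path Nextcloud is served at on that hop
    headers: dict = field(default_factory=dict)


@dataclass
class View:
    trusted_domain: bool        # Host accepted by the trusted_domains check
    client_ip: str              # address Nextcloud attributes the request to
    base_url: str               # what generated links and redirects start with


def overwrite_applies(config: dict, remote_addr: str) -> bool:
    """overwritecondaddr is a regex over REMOTE_ADDR; unset means 'always'."""
    cond = config.get("overwritecondaddr")
    return cond is None or re.match(cond, remote_addr) is not None


def client_address(config: dict, inc: Incoming) -> str:
    """Resolve the client IP; X-Forwarded-For is only trusted from trusted_proxies."""
    trusted = set(config.get("trusted_proxies", []))
    if inc.remote_addr not in trusted:
        return inc.remote_addr                    # header sent by a direct client is ignored
    hops = [h.strip() for h in inc.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):                    # right-most entry was appended by our proxy;
        if hop not in trusted:                    # anything further left is client-supplied
            return hop
    return inc.remote_addr


def resolve(config: dict, inc: Incoming) -> View:
    """Compute how Nextcloud would see the request under the given config."""
    trusted_proxy = inc.remote_addr in set(config.get("trusted_proxies", []))
    proto = inc.headers.get("X-Forwarded-Proto", inc.proto) if trusted_proxy else inc.proto
    host, webroot = inc.host, inc.webroot
    if overwrite_applies(config, inc.remote_addr):
        proto = config.get("overwriteprotocol", proto)
        host = config.get("overwritehost", host)
        webroot = config.get("overwritewebroot", webroot)
    return View(
        trusted_domain=inc.host in config.get("trusted_domains", []),
        client_ip=client_address(config, inc),
        base_url=f"{proto}://{host}{webroot}",
    )


# config.php values from the Nextcloud 13 post above (/nextcloud/ webroot)
CONFIG_NC13 = {
    "trusted_domains": ["192.168.2.10:8102", "mydomain.duckdns.org"],
    "trusted_proxies": ["192.168.2.10"],
    "overwriteprotocol": "https",
    "overwritehost": "mydomain.duckdns.org",
    "overwritewebroot": "/nextcloud",
}

# config.php values from the Nextcloud 12 post (/nc/ webroot, overwritecondaddr set)
CONFIG_NC12 = {
    "trusted_domains": ["localhost", "192.168.2.212", "192.168.2.196", "myserver.se"],
    "trusted_proxies": ["192.168.2.196"],
    "overwritehost": "myserver.se",
    "overwritewebroot": "/nc",
    "overwritecondaddr": r"^192\.168\.2\.196$",
}


if __name__ == "__main__":
    via_proxy = Incoming("192.168.2.10", "mydomain.duckdns.org",
                         headers={"X-Forwarded-For": "203.0.113.7"})
    spoofed = Incoming("192.168.2.55", "192.168.2.10:8102",
                       headers={"X-Forwarded-For": "198.51.100.9"})
    print("via proxy:", resolve(CONFIG_NC13, via_proxy))
    print("direct with forged header:", resolve(CONFIG_NC13, spoofed))
    print("NC12 via proxy:", resolve(CONFIG_NC12, Incoming("192.168.2.196", "myserver.se")))
    print("NC12 direct LAN:", resolve(CONFIG_NC12, Incoming("192.168.2.50", "192.168.2.212")))
```

The model shows why trusted_proxies must list only the proxy: a client that reaches the container directly and sends its own X-Forwarded-For is still attributed to its real address. It also shows the difference between the two posts: the first has no overwritecondaddr, so even a direct LAN request to 192.168.2.10:8102 gets links rewritten to https://mydomain.duckdns.org/nextcloud, while the second only rewrites requests that arrive from 192.168.2.196. In the second config neither overwriteprotocol nor an X-Forwarded-Proto header on the HTTPS frontend is present, so the model reports the plain-HTTP scheme of the proxy-to-backend hop for that case; the first post's overwriteprotocol setting is what pins it to https.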