Configuring NextCloud with https Reverse Proxy in Pantavisor

In the previous blog post, I showed you how to set up Nextcloud on a Pantavisor device. The setup was fairly straightforward, but the Nextcloud client app only connects to a server that is hosted over HTTPS. Unfortunately, the default Docker image of Nextcloud doesn't come with an HTTPS setup and therefore doesn't work directly with the Nextcloud app.

Note: Check out the new Slack community and website for Pantavisor Linux at pantavisor.io. You’ll find new tutorials as well as an introduction to Pantabox our front-end for managing Pantavisor Linux.

Using NGINX as an https reverse proxy

You can configure NGINX to act as a reverse proxy that will forward all requests to the Nextcloud server. But the following points need to be kept in mind while doing this:

  1. Forward the request at the root level server block to Nextcloud server.
  2. Generate a self-signed certificate and key to configure NGINX.
  3. Increase file size limits so that it’s easier to upload larger files from Nextcloud.
  4. Configure NGINX to serve content over HTTPS.

Pantavisor allows you to configure a platform without having to change the original Docker image. We'll describe how to use this feature to override NGINX's default configuration.

NOTE: For steps 1 and 2 below, all content is assumed to be in <prep_dir>, which can be anywhere on your system.

Step 1 – Generate a self-signed certificate

First let’s create content for our self-signed certificate. We’ll create a file named openssl.gen with the following:

[ req ]
distinguished_name = req_distinguished_name
attributes         = req_attributes
prompt             = no
output_password    = changeit

[ req_distinguished_name ]
C            = IN
ST           = Delhi
L            = New Delhi
O            = Pantahub
OU           = Developer
CN           = localhost
emailAddress = localhost@local.domain

[ req_attributes ]
challengePassword =

Next, create a script to generate the required directory structure along with the key and certificate.

#!/bin/bash
# Paths are relative to <prep_dir>; they mirror /etc/ssl inside the nginx container
KEYDIR=etc/ssl/private
KEYNAME=nginx-selfsigned.key
CERTDIR=etc/ssl/certs
CERTNAME=nginx-selfsigned.crt

mkdir -p "$KEYDIR"
mkdir -p "$CERTDIR"

# Self-signed certificate valid for 365 days; -nodes leaves the private key
# unencrypted so NGINX can read it without a passphrase
openssl req -x509 -nodes -days 365 \
  -newkey rsa:4096 -keyout "$KEYDIR/$KEYNAME" \
  -out "$CERTDIR/$CERTNAME" -config ./openssl.gen

Step 2 – Create a default configuration for NGINX

Use the following script to generate an NGINX configuration file, with the required directory structure, that forwards all HTTPS traffic to the Nextcloud Pantavisor application.

#!/bin/sh
NGINX_CONF_DIR=etc/nginx/conf.d
NGINX_DEFAULT_CONF=default.conf
mkdir -p $NGINX_CONF_DIR
# Quoted heredoc: $host and $request_uri are written literally for NGINX,
# not expanded by the shell
cat <<'EOF' > $NGINX_CONF_DIR/$NGINX_DEFAULT_CONF
# Plain-HTTP listener. Port 80 is already taken by Nextcloud's Apache in the
# shared network namespace, so listen on 8080 and redirect to HTTPS. $host keeps
# the address the client used; $server_name would send remote clients to "localhost".
server {
  listen 8080 default_server;
  server_name localhost;
  return 301 https://$host$request_uri;
}

server {
  # default_server is a listen parameter, not a server name
  listen 443 ssl default_server;
  server_name localhost;

  location / {
      proxy_buffers 64 4k;
      proxy_buffer_size 4k;
      # Pass the original host, client address and scheme to Nextcloud so it
      # builds https:// URLs instead of http://127.0.0.1/ ones
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_pass  http://127.0.0.1/;
  }

  # redirect server error pages to the static page /50x.html
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
      root   /usr/share/nginx/html;
  }

  ssl_certificate      /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key  /etc/ssl/private/nginx-selfsigned.key;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is kept
  ssl_protocols        TLSv1.2;
  ssl_session_timeout  5m;
  # allow large uploads from the Nextcloud client
  client_max_body_size 10G;
}
EOF

NOTE: If you change the SSL certificate and key file locations in Step 1, make sure to update the same locations in the above script accordingly.

Since Pantavisor runs all containers in the same network namespace, you can set proxy_pass to a loopback address. If you're running the containers in separate network namespaces, then instead of 127.0.0.1 point it to the IP address and port of the Nextcloud container that is open to inbound traffic.

NOTE: The steps below need to be done from where you cloned your device.

Step 3 – Move the etc directory into _config

The _config directory allows you to change the configuration of any container running with Pantavisor. First, move the etc directory created in the above two steps inside the nginx directory under _config:

mkdir -p _config/nginx
mv <prep_dir>/etc _config/nginx

Step 4 – Add NGINX as an app to your device

Create a directory named nginx in your cloned device's directory with a file named src.json. The content of src.json should look like the following.

Note: The configuration below for nginx is for x86_64; use a different Docker digest if you are on a different architecture.

{
    "#spec":"service-manifest-src@1",
    "args":{},
    "config":{},
    "docker_digest":"registry.hub.docker.com/library/nginx@sha256:ee5a9b68e8d4a4b8b48318ff08ad5489bd1ce52b357bf48c511968a302bc347b",
    "docker_name":"registry.hub.docker.com/library/nginx",
    "docker_source":"remote,local",
    "docker_tag":"amd64",
    "persistence":{},
    "template":"builtin-lxc-docker"
}

Step 5 – Install Nginx and post a new revision

pvr app install nginx #Install Nginx
pvr add .
pvr commit
pvr post

Run the image with QEMU for X86_64

Refer to the post that describes how to run a Pantavisor image on QEMU.

The following ports need to be forwarded from the host machine to QEMU. Any other host ports could be used, but to keep things simple it's better to map host and QEMU ports 1:1, i.e. host port 80 mapped to QEMU port 80, and so on.

  • Port 80 is used by the Nextcloud container, which runs the Apache web server.
  • Port 443 is used by the nginx container.
  • Port 8022 is used by pvr-sdk to allow ssh sessions.

From a web browser, connect to the IP address of the machine where QEMU is running. Say your machine's IP is 10.0.0.102; you should then point your browser to https://10.0.0.102

NOTE: Since you're using a self-signed certificate, the browser will warn you that the certificate's authenticity can't be guaranteed. You can ignore that warning and proceed to install Nextcloud.

After you've installed Nextcloud you should see a page like the one shown below. As can be seen, the certificate is the same one we configured and made available via _config/nginx.

Certificate Details
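Rather than clicking through the browser warning blindly, you can check that the device really presents the certificate generated in Step 1 and negotiates a modern TLS version. The script below is an added example, not part of the original post; it uses only the Python standard library and assumes the .crt sits at the path produced by Step 3 and that the device is reachable at the 10.0.0.102 address used above (both are constants you can change).

```python
import hashlib
import hmac
import socket
import ssl

# Assumed paths/addresses: the .crt as placed in Step 3, and the QEMU host IP used above
LOCAL_CERT = "_config/nginx/etc/ssl/certs/nginx-selfsigned.crt"
DEVICE_HOST = "10.0.0.102"


def fingerprint_der(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def cert_fingerprint(pem_text: str) -> str:
    """Fingerprint of the (first) PEM certificate in a string, e.g. the .crt file."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def fingerprints_match(expected: str, presented: str) -> bool:
    """Constant-time, case-insensitive comparison of two hex fingerprints."""
    return hmac.compare_digest(expected.lower(), presented.lower())


def protocol_is_acceptable(version: str) -> bool:
    """Only TLS 1.2 or newer is acceptable; TLS 1.0 and 1.1 are deprecated (RFC 8996)."""
    return version in ("TLSv1.2", "TLSv1.3")


def probe_tls(host: str, port: int = 443):
    """Connect without CA validation (the cert is self-signed, so a CA check cannot
    pass) and return (negotiated protocol, fingerprint of the presented cert).
    Trust is decided afterwards by comparing that fingerprint with our own file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), fingerprint_der(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    with open(LOCAL_CERT) as f:
        expected = cert_fingerprint(f.read())
    version, presented = probe_tls(DEVICE_HOST)
    print("negotiated", version, "(ok)" if protocol_is_acceptable(version) else "(too old)")
    if fingerprints_match(expected, presented):
        print("device presents our certificate:", presented)
    else:
        print("MISMATCH: device presented", presented, "expected", expected)
```

Run it from the cloned device directory after `pvr post` has been applied; a mismatch means the nginx app is not serving the certificate you placed under _config/nginx.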
