Nextcloud with https reverse proxy

In the previous blog post, I showed you how to set up Nextcloud on a Pantavisor device. The setup was fairly straightforward; however, the Nextcloud app only connects to a Nextcloud server that is hosted over HTTPS.

The default Docker image of Nextcloud has no HTTPS setup and thus can't be used directly with the Nextcloud app.

Using Nginx as an HTTPS reverse proxy

We can configure Nginx as a reverse proxy that forwards all requests to the Nextcloud server. The following needs to be taken care of while doing this:

  1. Forward requests in the root-level server block to the Nextcloud server.
  2. Generate a self-signed certificate and key to configure Nginx with.
  3. Increase the file size limit so that larger files can be uploaded from the Nextcloud app.
  4. Configure nginx to serve content over HTTPS.

Pantavisor allows you to configure a platform without changing the original Docker image. We'll use this feature to override nginx's default config.

NOTE: For steps 1 and 2 below, all content is assumed to be in <prep_dir>, which can be anywhere on your system.

Step 1 – Generate a self-signed certificate

First, let's create the content for our self-signed certificate. We'll create a file named openssl.gen with the following contents:

[ req ]
distinguished_name = req_distinguished_name
attributes         = req_attributes
prompt             = no
output_password    = changeit

[ req_distinguished_name ]
C            = IN
ST           = Delhi
L            = New Delhi
O            = Pantahub
OU           = Developer
CN           = localhost
emailAddress = localhost@local.domain

[ req_attributes ]
challengePassword  =

Next, let's create a script to generate the required directory structure and the key/certificate pair:

#!/bin/bash
# Generates a self-signed key/certificate pair under ./etc, the layout nginx
# expects once the etc directory is moved under _config (see Step 3).
set -e

KEYDIR=etc/ssl/private
KEYNAME=nginx-selfsigned.key
CERTDIR=etc/ssl/certs
CERTNAME=nginx-selfsigned.crt

mkdir -p $KEYDIR
mkdir -p $CERTDIR

# -nodes: unencrypted private key, so nginx can start without a passphrase
# -config: the DN values come from the openssl.gen file created above
openssl req -x509 -nodes -days 365 \
  -newkey rsa:4096 -keyout $KEYDIR/$KEYNAME \
  -out $CERTDIR/$CERTNAME -config ./openssl.gen
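The two files from Step 1 folded into one script, as an added example that is not part of the original post: it writes the request config, generates the pair in the same etc layout, and then checks that the key and certificate belong together and that the certificate carries a subjectAltName. The SAN entry (current browsers and mobile apps match the hostname against SAN, not CN), the 0600 mode on the key file, and all function names are my additions, not something the post's setup uses.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key/cert pair from a
# request config like the one in Step 1 and verify the result before handing
# it to nginx. Additions over the post's script (assumptions on my part):
# a subjectAltName for the host and 127.0.0.1, and a 0600 mode on the key.
set -eu

# write_req_config FILE HOST
# Writes an openssl request config with the DN values from Step 1 plus a SAN
# section. The empty challengePassword attribute from the post is left out;
# it is not needed for a self-signed server certificate.
write_req_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[ req_distinguished_name ]
C            = IN
ST           = Delhi
L            = New Delhi
O            = Pantahub
OU           = Developer
CN           = $2
emailAddress = localhost@local.domain

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $2
IP.1  = 127.0.0.1
EOF
}

# gen_selfsigned OUTDIR CONFIG [BITS]
# Writes OUTDIR/etc/ssl/private/nginx-selfsigned.key and
# OUTDIR/etc/ssl/certs/nginx-selfsigned.crt, the layout Step 1 uses.
gen_selfsigned() {
  outdir=$1; config=$2; bits=${3:-4096}
  keydir="$outdir/etc/ssl/private"; certdir="$outdir/etc/ssl/certs"
  mkdir -p "$keydir" "$certdir"
  openssl req -x509 -nodes -days 365 -newkey "rsa:$bits" \
    -keyout "$keydir/nginx-selfsigned.key" \
    -out "$certdir/nginx-selfsigned.crt" \
    -config "$config" 2>/dev/null
  chmod 600 "$keydir/nginx-selfsigned.key"
}

# cert_matches_key CERT KEY
# Succeeds only if the public key inside CERT belongs to KEY; a mismatch
# here is the usual reason nginx refuses to start after a cert swap.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san CERT NAME
# Succeeds if NAME is listed as a DNS subjectAltName in CERT.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -q "DNS:$2"
}

# Usage: sh gen-cert.sh <prep_dir> [hostname]   (hostname defaults to localhost)
if [ -n "${1:-}" ]; then
  mkdir -p "$1"
  write_req_config "$1/openssl.gen" "${2:-localhost}"
  gen_selfsigned "$1" "$1/openssl.gen"
  cert_matches_key "$1/etc/ssl/certs/nginx-selfsigned.crt" "$1/etc/ssl/private/nginx-selfsigned.key"
  cert_has_san "$1/etc/ssl/certs/nginx-selfsigned.crt" "${2:-localhost}"
  echo "key and certificate written under $1/etc/ssl and verified"
fi
```

Run it with the <prep_dir> from the note above as the first argument; pass the hostname or IP you will type into the browser as the second argument so that it ends up in the SAN.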

Step 2 – Create a default configuration for nginx

Use the following script to generate an nginx configuration file, in the required directory structure, that forwards all HTTPS traffic to the Nextcloud Pantavisor application:

#!/bin/sh
NGINX_CONF_DIR=etc/nginx/conf.d
NGINX_DEFAULT_CONF=default.conf
mkdir -p $NGINX_CONF_DIR
# quoted 'EOF' so that nginx variables such as $host are written literally
cat <<'EOF' > $NGINX_CONF_DIR/$NGINX_DEFAULT_CONF
# plain http: redirect everything to https
server {
    listen 8080 default_server;
    server_name localhost;
    # $host keeps the address the client typed, so the redirect also works
    # when the device is reached by IP rather than as "localhost"
    return 301 https://$host$request_uri;
}

server {
    # default_server belongs on the listen directive, not in server_name
    listen 443 ssl default_server;
    server_name localhost;

    location / {
        proxy_buffers 64 4k;
        proxy_buffer_size 4k;
        # Nextcloud's Apache listens on port 80 in the shared network namespace
        proxy_pass http://127.0.0.1/;
    }

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    # TLSv1 and TLSv1.1 are deprecated; keep them only if old clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 5m;
    # allow large uploads from the Nextcloud app
    client_max_body_size 10G;
}
EOF

NOTE: If you change the SSL certificate and key file locations in Step 1, update the same locations in the above script accordingly.

Since Pantavisor currently runs all containers in the same network namespace, proxy_pass can point at a loopback address. If you run the containers in separate network namespaces, point it at the IP address and port on which the Nextcloud container accepts inbound traffic instead of 127.0.0.1.
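Added example, not from the original post: a parameterised version of the Step 2 generator. The upstream address, certificate paths and upload limit are arguments, which covers both the note above about changed certificate locations and the separate-network-namespace case. Beyond the post's config it restricts ssl_protocols to TLS 1.2 and 1.3, since TLSv1 and TLSv1.1 are deprecated, and passes the Host and X-Forwarded-* headers a reverse proxy normally forwards. The conf_check function, the header set and the 10.0.3.2:80 address used in the test are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: render the nginx default.conf
# from parameters instead of hardcoding the loopback upstream and cert paths.
# Differences from the post's config, both my additions: TLS limited to
# 1.2/1.3, and Host / X-Forwarded-* headers passed to the upstream.
set -eu

# render_nginx_conf UPSTREAM CERT KEY [MAX_BODY]
# Prints the config to stdout. UPSTREAM is host:port of the Nextcloud
# container (127.0.0.1:80 in the shared-namespace case from the post).
render_nginx_conf() {
  upstream=$1; cert=$2; key=$3; max_body=${4:-10G}
  # unquoted heredoc: $cert etc. expand here, nginx variables are escaped
  cat <<EOF
server {
    listen 8080 default_server;
    server_name localhost;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name localhost;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
    client_max_body_size $max_body;

    location / {
        proxy_buffers     64 4k;
        proxy_buffer_size 4k;
        proxy_set_header  Host              \$host;
        proxy_set_header  X-Real-IP         \$remote_addr;
        proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto https;
        proxy_pass        http://$upstream/;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
EOF
}

# write_nginx_conf PREP_DIR UPSTREAM CERT KEY [MAX_BODY]
# Writes PREP_DIR/etc/nginx/conf.d/default.conf, the layout Step 2 uses.
write_nginx_conf() {
  prep=$1; shift
  mkdir -p "$prep/etc/nginx/conf.d"
  render_nginx_conf "$@" > "$prep/etc/nginx/conf.d/default.conf"
}

# conf_check FILE
# Cheap sanity checks before the revision is posted: exactly one proxy_pass,
# no TLSv1/TLSv1.1 in ssl_protocols, and balanced braces.
conf_check() {
  f=$1
  [ "$(grep -c 'proxy_pass' "$f")" -eq 1 ] || return 1
  grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' "$f" && return 1
  opens=$(grep -o '{' "$f" | wc -l | tr -d ' ')
  closes=$(grep -o '}' "$f" | wc -l | tr -d ' ')
  [ "$opens" -eq "$closes" ] || return 1
  return 0
}

# Usage: sh gen-nginx-conf.sh <prep_dir> [upstream]   (upstream defaults to 127.0.0.1:80)
if [ -n "${1:-}" ]; then
  write_nginx_conf "$1" "${2:-127.0.0.1:80}" \
    /etc/ssl/certs/nginx-selfsigned.crt /etc/ssl/private/nginx-selfsigned.key
  conf_check "$1/etc/nginx/conf.d/default.conf"
  echo "default.conf written under $1/etc/nginx/conf.d and checked"
fi
```

The forwarded headers only help if Nextcloud is told to trust them: in Nextcloud's own config.php, trusted_proxies lists the proxy addresses it accepts such headers from, and overwriteprotocol set to https makes it generate https links. Those settings live on the Nextcloud side and are not part of the nginx config above.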

NOTE: The steps which follow are run from the directory where you've cloned your device.

Step 3 – Move etc directory under _config

The _config directory is how Pantavisor makes files available to the respective containers. We need to move the etc directory created in the above two steps into the nginx directory under _config:

mkdir -p _config/nginx
mv <prep_dir>/etc _config/nginx

Step 4 – Add Nginx as an app in your device

Create a directory named nginx in your cloned device's directory with a file named src.json. The content of src.json should look like the following.

Note: The configuration below is for x86_64; use a different Docker digest if you are on another architecture.

{
    "#spec":"service-manifest-src@1",
    "args":{},
    "config":{},
    "docker_digest":"registry.hub.docker.com/library/nginx@sha256:ee5a9b68e8d4a4b8b48318ff08ad5489bd1ce52b357bf48c511968a302bc347b",
    "docker_name":"registry.hub.docker.com/library/nginx",
    "docker_source":"remote,local",
    "docker_tag":"amd64",
    "persistence":{},
    "template":"builtin-lxc-docker"
}

Step 5 – Install Nginx and post a new revision

pvr app install nginx   # install the nginx app
pvr add .
pvr commit
pvr post

Running the image with QEMU for x86_64

Please check this post on how to run a Pantavisor image on QEMU.

We need the following ports on the host machine. Any other host ports would work too, but to keep things simple it's better to map host and QEMU ports 1:1, i.e. host port 80 mapped to QEMU port 80, and so on.

  • Port 80 is used by the Nextcloud container, which runs the Apache web server.
  • Port 443 is used by the nginx container.
  • Port 8022 is used by pvr-sdk to allow SSH sessions.

From a web browser, point it to the IP address of the machine where QEMU is running. Let's say your machine's IP is 10.0.0.102; you should then point your browser to https://10.0.0.102.

NOTE: Since you're using a self-signed certificate, the browser will warn you that the certificate's authenticity can't be verified. You can ignore that warning and proceed to install Nextcloud.

After you've installed Nextcloud, you should see a page like the one shown below. As can be seen, the certificate is the same one we configured and then made available via _config/nginx.

[Figure: Certificate Details]
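Added example, not from the original post, for the self-signed warning and the certificate check described above: rather than only eyeballing the browser's certificate page, compare the SHA-256 fingerprint of the certificate generated in Step 1 with the one the browser displays, or with the one nginx actually presents on port 443. A match is what confirms that the warning is for your own certificate and not something in between. The host and port values and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the certificate
# served on port 443 is the one generated in Step 1 by comparing SHA-256
# fingerprints, either against the file or against a value copied from the
# browser's certificate viewer.
set -eu

# file_fingerprint CERT
# Prints the SHA-256 fingerprint of a PEM certificate on disk, e.g. AB:CD:...
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_fingerprint HOST [PORT]
# Prints the fingerprint of the leaf certificate the TLS server offers.
served_fingerprint() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# normalize_fp FP
# Strips colons, spaces and newlines and upper-cases, so a value copied from a
# browser (often lowercase, colon- or space-separated) compares cleanly.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# fp_equal FP1 FP2
# Succeeds if the two fingerprints denote the same certificate.
fp_equal() {
  a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# served_matches_file CERT HOST [PORT]
# Succeeds if the server at HOST:PORT presents exactly CERT.
served_matches_file() {
  fp_equal "$(file_fingerprint "$1")" "$(served_fingerprint "$2" "${3:-443}")"
}

# Usage: sh check-cert.sh <cert.crt> <host> [port]
# e.g.   sh check-cert.sh _config/nginx/etc/ssl/certs/nginx-selfsigned.crt 10.0.0.102
if [ -n "${2:-}" ]; then
  echo "on disk : $(file_fingerprint "$1")"
  echo "served  : $(served_fingerprint "$2" "${3:-443}")"
  if served_matches_file "$1" "$2" "${3:-443}"; then
    echo "MATCH: the served certificate is the one from Step 1"
  else
    echo "MISMATCH: do not accept the browser warning for this host"
    exit 1
  fi
fi
```

When the browser shows its warning, open its certificate details and compare the displayed SHA-256 fingerprint with the "on disk" line; fp_equal accepts either notation. Once the Nextcloud app is in use, the same fingerprint is what you verify if the app ever presents a certificate prompt of its own.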