Nextcloud Bad Gateway

  • Maybe it's a cache issue, where you tried before?


    I would try this... open a browser in Privacy/Incognito mode... and go to subdomain.duckdns.org and see if it gives you a secure login. If it does you know it's a cache issue. To fix that, just go to subdomain.duckdns.org (on a regular non private browser) and Hold Control and click F5. That should refresh it to a secure site.


    Start there.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • Maybe it's a cache issue, where you tried before?


    I would try this... open a browser in Privacy/Incognito mode... and go to subdomain.duckdns.org and see if it gives you a secure login. If it does you know it's a cache issue. To fix that, just go to subdomain.duckdns.org (on a regular non private browser) and Hold Control and click F5. That should refresh it to a secure site.


    Start there.

    Nothing changed.

    It brings me to the external static IP and from there to the Router.



    Edit:

    I have to go to the address 192.168.1.1 to reach the router.

    When I enter subdomain.duckdns.org, it brings me to the address 96.89.275.666 and the home page of the Router.

  • Doesn't make any sense.


    Just to be clear, your phone (when it's not on wifi) gets to it just fine, right? Is your router DMZ'd with your modem (see earlier discussion on this).. if your phone can get there securely when not on your wifi, I'm assuming that is not the issue.


    Did you follow the very last step to disable port 450? If not, try that and see if that resolves it.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • Thanks for your help.


    I followed the last step, but when I could not access Nextcloud, I activated it again.



    I have now activated the DMZ.

    nothing has changed.

    Anyway I'll investigate further, if I find a solution I'll share it.

    Thanks again. :)

  • You shouldn't need DMZ, assuming your router is connected directly to modem, which connects to the Internet... which seems likely in your scenario. I was pointing this out as another user I was helping was having a similar problem while DMZ'd


    I suspect there is a port problem or other issue in your case because if you go to your duckdns subdomain, it's taking you to your router login, which makes no sense at all.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • You shouldn't need DMZ, assuming your router is connected directly to modem, which connects to the Internet... which seems likely in your scenario. I was pointing this out as another user I was helping was having a similar problem while DMZ'd


    I suspect there is a port problem or other issue in your case because if you go to your duckdns subdomain, it's taking you to your router login, which makes no sense at all.

    I am directly connected to the modem, there is no other router in between.

    I have external static IP provided by ISP.

    I have transferred this problem to ISS, they are examining the situation, I think they will give information tomorrow.

    Do you think I should close the DMZ?

  • I am directly connected to the modem, there is no other router in between.

    I have external static IP provided by ISP.

    I have transferred this problem to ISS, they are examining the situation, I think they will give information tomorrow.

    Do you think I should close the DMZ?

    I didn't want you to enable it in the first place. I was simply pointing out that the DMZ can cause some weird issues as reference earlier. It doesn't sound like you were in a DMZ beforehand so there was no reason to enable it afterwards,

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • KM0201

    Could you please allow me to migrate your tutorial to Odroid-HC4 Forum-Topic.

    What is different? It should be exactly the same. Only thing I could imagine beiñg different, is if you're trying to pull an image that is not the default one.


    But otherwise, yeah I don't own it.. do as you please.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • What is different? It should be exactly the same. Only thing I could imagine beiñg different, is if you're trying to pull an image that is not the default one.


    But otherwise, yeah I don't own it.. do as you please.

    You are not aware because you have a good command of OMV and NC.

    Your narration is understandable and applicable to rookies like me and non-native English speakers.

    I really spent a lot of time setting up NC. They provided me with almost special support in this forum, so NC was up and running.


    When I saw your topic and applied what was written, I got the perfect and effortless NC again. By making copy and paste and completing other settings, Nextcloud-DackDns was ready in 10-15 minutes.


    For rookies like me, this kind of software is like atom science, believe me.


    Thank you for letting me use your tutorial.

    I will direct the article I will share to your topic.

  • Additional to the AWESOME tutorial posted by KM0201. I would like to add the following since I had some warnings when I logged in as root and checking some things. So following things I added to the Tutorial:


    You can see it as a continuation after the following:


    As last steps:
    Logged in as root go to Settings --> Overview and check for warnings and errors. I had 2 warnings with a reference to

    Hardening and security guidance — Nextcloud latest Administration Manual latest documentation



    --> Enable Strict-Transport-Security: More info about what STRICT TRANSPORT SECURITY is @ https://www.nginx.com/blog/htt…-security-hsts-and-nginx/


    To enable this use the following steps:

    1.) Go to Swag_Config_Folder/nginx/

    2.) use nano or other editor to edit ssl_conf

    3.) Enable the following line by removing the hashtag.

    # HSTS, remove # from the line below to enable HSTS

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    4.) docker restart swag


    --> Enable Default Country code for phones:


    Country codes are defined in following norm:

    ISO 3166-1 alpha-2 - Wikipedia

    To enable this use following steps:

    1.) Go to Nextcloud_config_folder/www/nextcloud/config/

    2.) Use nano or other editor to edit config.php

    3.) Add following line in front of the );

    'default_phone_region' => 'COUNTRYCODE SEE WIKIPEDIA' e.g. 'DE'

    4.) docker restart nextcloud


    --> All warnings should be gone now!



    Go to https://scan.nextcloud.com/ and do a security check of your nextcloud instance by entering your Nextcloud URL.

  • Yeah, those will occur pretty much any time you reverse proxy Nextcloud. As you found they are pretty simple fixes to Google... but good info to have!.

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • Another error, that isn't really an error, that may come up on the system settings section of the webUI when you set up a reverse proxy....


    Code
    The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

    Although this looks like an error, if you read it this is not an error at all and simply confirms your reverse proxy is working, but it's not showing your reverse proxy domain as a trusted domain. If you want to clear it...


    1. cd /config/nextcloud/www/nextcloud/config/config.php

    2. nano config.php


    Add the following to the end of your config.php, BEFORE the ); at the end.


    Code
    'trusted_proxies' =>
    array (
    0 => 'your.ip:450',
    1 => 'nextcloud.your-domain.url',
    ),


    Should look something like this when you're done.. (Note lines 27-31)


    3. Cntrl X to save

    4. Restart nextcloud docker (docker restart nextcloud)


    When you're done, go back to your settings/overview page, and that should be cleared..

    Air Conditioners are a lot like PC's... They work great until you open Windows.


    Edited 2 times, last by KM0201 ().

  • I didnt notice, because I only accessed nextcloud from outside my lan, but after following this configuration setup, I cant access the nextcloud server on port 450 anymore locally by typing <mylocalip>:450. Only if I delete the lines we changed in the config.php, specified below, I can access it locally again by the local-IP on port 450 again.

    The problem now is that it is not possible to connect to the nextcloud when im in my own LAN network. Also my phone doesnt sync to nextcloud, if its connected to the wifi, which is inside the same lan network as the nextcloud server.


    My Configuration is [Public-IP:179.12.67.26 Modem 192.168.0.1] --> [ 192.168.0.2 Router 192.168.1.1 ] --> [192.168.1.2 Openmediavault running nextcloud & 192.168.1.X Clients wanting to talk to nextcloud. (phone, laptop)


    I think since all the records are pointing to the public IP, it doesnt know where to go. after the router. So if I request nextcloud from within the lan it asks my router for the DNS entry of <nextcloud.mydomain.duckdns.org> and then gets back the public IP. Changing this in the hosts entry of the Router doesnt help though because if I set up a DNS override for <nextcloud.mydomain.duckdns.org>, going to my openmediavault server, it will just retrieve the openmediavault webpage.


    So how can I make the <nextcloud.mydomain.duckdns.org connectable from inside my lan network?

  • Also I think I found another "issue" that might turn out as a security risk or as an inconvenience, e.g. if all clients get banned because of Brute force attempts that seem to come from the same IP-adress. (although its all different users).


    After I went to my nextcloud/nginx/access.log, I saw that there were only local IP-adresses shown.


    As shown in: Nextcloud docs, it is necessary to correctly forward the real IP-adresses of the clients accessing nextcloud so that Bruteforce-protection works.

    Since swag is actually receiving the traffic for nextcloud, the only IP the nextcloud server ever sees for me is the one from the swag containers reverse proxy.

    So it is necessary to forward the real IP adresses to nextcloud.

    In the Nextcloud docs, it is described, that one should add some headers to the config.php of nextcloud which is in the location: <Nextcloud-Config-Folder/www/nextcloud/config/config.php>


    I added the following line:


    'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'),


    before the );


    After doing this and restarting Nextcloud, Nextclouds access.log now actually sees the real IP in <Nextcloud-Config-Folder/nginx/access.log>.


    [Optional info]

    It is notable that inside <Nextcloud-Config-Folder/nginx/site-confs/default> there are the following lines, which were added after this github issue: https://github.com/linuxserver…55#issuecomment-754623561


    set_real_ip_from 172.0.0.0/8;

    real_ip_header X-Forwarded-For;


    So if your swag is not in that IP-Range (e.g. 192.168.X.X) be the case, then it will not forward the real IP-Adress to nextcloud, which will always see the same local IP of your swag-reverse-proxy.

    So either make sure the swag container is in this IP-Range (should be if using docker and not using host network), or add another line to this site-conf with the IP-Range you want, e.g.

    set_real_ip_from 10.0.0.0/8;

    set_real_ip_from 192.168.0.0/16;



    Additionally, following the explanation about the "trusted Proxies" setting in the config.php in Nextcloud docs.

    Set the trusted_proxies parameter as an array of:

    IPv4 addresses,

    IPv4 ranges in CIDR notation

    IPv6 addresses

    to define the servers Nextcloud should trust as proxies. This parameter provides protection against client spoofing, and you should secure those servers as you would your Nextcloud server.


    I am also not really sure why you, KM0201, say to add those lines below to the config.php, since the local IP isnt a proxy and doesnt need to be there in my opinion.


    Quote from from KM0201

    'trusted_proxies' =>

    array (

    0 => 'your.ip:450',

    1 => 'nextcloud.YOUR_SUBDOMAIN.duckdns.org',

    ),


    In my config.php, I did it likeso and it works flawlessly.

    Code
    'trusted_proxies' =>
    array (
    0 => 'swag',
    ),

    It is also described to do it like this inside of the Swag-Config-Folder

    There it says:

    Quote from Swag-Config-Folder/nginx/proxy-confs/nextcloud.subdomain.conf.sample

    # assuming this container is called "swag", edit your nextcloud container's config

    # located at /config/www/nextcloud/config/config.php and add the following lines before the ");":

    # 'trusted_proxies' => ['swag'],

  • Again, if you read what I wrote.. I said, "It's not the only way...". Some of that stuff was required before swag was even a twinkle in the eye and everyone was using letsencrypt.


    I rarely change what works (unless it stops working), and how I setup nextcloud (even after the swag migration, etc..) is no exception

    Air Conditioners are a lot like PC's... They work great until you open Windows.


  • Again, if you read what I wrote.. I said, "It's not the only way...". Some of that stuff was required before swag was even a twinkle in the eye and everyone was using letsencrypt.


    I rarely change what works (unless it stops working), and how I setup nextcloud (even after the swag migration, etc..) is no exception


    Hey, I dont know why exactly you take it somehow as insulting or badmouthing of what you post (if you do, atleast it sounds like that, coming from the short and seemingly annoyed answer), yet the only thing I ever intend to do is just post information that I found out, and that may be helpful for the community. Maybe that way some people can get a more comprehensive view of what their doing and they can decide what they do with the given information on their machines.

    So you can do however you wish to do, of course, and your guide is really really helpful and I used it also to setup my nextcloud since its the best out there.

    Yet I think it is allowed to add some stuff to the forum that maybe is useful to one or another, maybe even yourself, if you get some feedback on how others do some setups that work.

    Thats why I added all the sources so that all of us in the forum can together get some more knowledge about what were doing.


    And thats also why I add the information about trusted proxy setting and also the forwarding headers, since that is actually pretty important and if people want brute force protection to work they have to use that information. Same goes for trusted proxy, for which, with my knowledge, if I setup something as a trusted proxy, and it actually shouldnt be, then I make myself vulnerable to IP spoofing.




    Concering the issue I described about accessing the nextcloud locally. How is that working for you all? do you have access locally KM0201

  • How can I use subfolder instead of subdomain with below guide?

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!