nextcloud/all-in-one
1
1
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2024-09-20 14:56:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

improve the reverse-proxy documentation another time

Browse source 
Signed-off-by: szaimen <szaimen@e.mail.de>
This commit is contained in:
szaimen 2022-05-06 23:20:04 +02:00
parent f699c57f07
commit 375ddad429
2 changed files with 17 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
docker-compose.yml
View file

@ -33,3 +33,4 @@ services:
# - ./config:/config
# - ./data:/data
# - ./sites:/srv
# network_mode: "host"

32
reverse-proxy.md
View file

@ -1,10 +1,10 @@
## Reverse Proxy Documentation
**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **NOT** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **NOT** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 3](#3-optional-get-a-valid-certificate-for-the-aio-interface).
**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **not** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 3](#3-optional-get-a-valid-certificate-for-the-aio-interface).
In order to run Nextcloud behind a reverse proxy, you need to specify the port that the Apache container shall use, add a specific config to your reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example Apache port. Modify it to your needings.
In order to run Nextcloud behind a reverse proxy, you need to specify the port that the Apache container shall use, add a specific config to your reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example Apache port which will be exposed on the host. Modify it to your needings.
**Attention** The process to run Nextcloud behind a reverse proxy consists of at least these 2 steps:
**Attention** The process to run Nextcloud behind a reverse proxy consists of at least these 2 steps:
1. **Configure the reverse proxy! See [point 1](#1-add-this-to-your-reverse-proxy-config)**
1. **Use the in this document provided startup command! See [point 2](#2-use-this-startup-command)**
- Optional: get a valid certificate for the AIO interface! See [point 3](#3-optional-get-a-valid-certificate-for-the-aio-interface)
@ -12,7 +12,7 @@ In order to run Nextcloud behind a reverse proxy, you need to specify the port t
### 1. Add this to your reverse proxy config
**Please note:** Since the Apache container gets spawned by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail!
**Please note:** Since the Apache container gets spawned by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail! Only the documented way will work!
#### Caddy
@ -25,11 +25,11 @@ Add this to your Caddyfile:
```
https://<your-nc-domain>:443 {
header Strict-Transport-Security max-age=31536000;
reverse_proxy <private.ip.address.of.the.host>:11000
reverse_proxy localhost:11000
}
```
Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also you need to modify `<private.ip.address.of.the.host>` to the private ip-address of the host that is running the docker daemon. **Advice:** the `nextcloud-aio-mastercontainer` is **NOT** running the docker daemon. The host itself is running the docker daemon.
Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
</details>
@ -45,7 +45,7 @@ Add this to you nginx config:
```
location / {
proxy_pass http://<private.ip.address.of.the.host>:11000;
proxy_pass http://localhost:11000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -58,7 +58,7 @@ location / {
}
```
Of course SSL needs to be set up as well e.g. by using certbot and your domain must be also added inside the nginx config. You will also need to modify `<private.ip.address.of.the.host>` to the private ip-address of the host that is running the docker daemon. **Advice:** the `nextcloud-aio-mastercontainer` is **NOT** running the docker daemon. The host itself is running the docker daemon.
Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
</details>
@ -103,7 +103,7 @@ Pull requests are very welcome!
[http.services.nc-svc.loadBalancer]
passHostHeader = true
[[http.services.nc-svc.loadBalancer.servers]]
url = "http://<private.ip.address.of.the.host>:11000"
url = "http://locahost:11000"
```
2. Add to the bottom of the `middlewares.toml` file in the Treafik rules folder the following content:
@ -131,7 +131,7 @@ Pull requests are very welcome!
---
Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. You will also need to modify `<private.ip.address.of.the.host>` to the private ip-address of the host that is running the docker daemon. **Advice:** the `nextcloud-aio-mastercontainer` is **NOT** running the docker daemon. The host itself is running the docker daemon.
Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
</details>
@ -197,7 +197,7 @@ Simply translate the docker run command into a docker-compose file. You can have
---
#### How to continue?
After using the above command, you should be able to access the AIO Interface via `https://private.ip.address.of.the.host:8080`. Enter your domain that you've entered in the reverse proxy config and you should be done. Please do not forget to open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
After using the above command, you should be able to access the AIO Interface via `https://ip.address.of.the.host:8080`. Enter your domain that you've entered in the reverse proxy config and you should be done. Please do not forget to open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
### 3. Optional: get a valid certificate for the AIO interface
@ -205,7 +205,7 @@ If you want to also access your AIO interface publicly with a valid certificate,
```
https://<your-nc-domain>:8443 {
reverse_proxy https://<private.ip.address.of.the.host>:8080 {
reverse_proxy https://localhost:8080 {
transport http {
tls_insecure_skip_verify
}
@ -213,14 +213,14 @@ https://<your-nc-domain>:8443 {
}
```
Of course, you also need to modify `<your-nc-domain>` to the domain that you want to use. You will also need to modify `<private.ip.address.of.the.host>` to the private ip-address of the host that is running the docker daemon. **Advice:** the `nextcloud-aio-mastercontainer` is **NOT** running the docker daemon. The host itself is running the docker daemon.
Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
Afterwards should the AIO interface be accessible via `https://<your-nc-domain>:8443`. You can alternatively change the domain to a different subdomain by using `https://<your-alternative-domain>:443` in the Caddyfile and use that to access the AIO interface.
Afterwards should the AIO interface be accessible via `https://ip.address.of.the.host:8443`. You can alternatively change the domain to a different subdomain by using `https://<your-alternative-domain>:443` instead of `https://<your-nc-domain>:8443` in the Caddyfile and use that to access the AIO interface.
### 4. How to debug things?
If something does not work, follow the steps below:
1. Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom!
1. Find out if you can ping the private ip-address of the host that is running the docker daemon from inside the reverse proxy container (if runing the reverse proxy in a container). **Advice:** the `nextcloud-aio-mastercontainer` is **NOT** running the docker daemon. The host itself is running the docker daemon.
1. Make sure that the reverse proxy is running on the host OS or if running in a container, connected to the host network. If that is not possible, substitute `localhost` in the default configurations by the ip-address that you can easily get when running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (Only works on Linux)
1. Make sure that the mastercontainer is able to spawn other containers. You can do so by checking that the mastercontainer indeed has access to the Docker socket which might not be positioned in one of the suggested directories like `/var/run/docker.sock` but in a different directory, based on your OS and the way how you installed Docker. The mastercontainer logs should help figuring this out. You can have a look at them by running `sudo docker logs nextcloud-aio-mastercontainer` after the container is started the first time.
1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z locahost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `locahost` the ip-address of the host here again.
1. Try to configure everything from scratch if it still does not work!
1. If nothing works and as last resort, you can modify `<private.ip.address.of.the.host>` to `localhost`. For that to work, the reverse proxy needs to be member of the host network. This means, that when running the reverse proxy inside a container, you need to use the `--network host` option when starting the container.