From 0051b04683f0e1c7d94a0568a187e01fb0b2bf91 Mon Sep 17 00:00:00 2001 From: pun kyard <59349105+punkyard@users.noreply.github.com> Date: Tue, 10 Sep 2024 22:03:58 +0200 Subject: [PATCH 1/5] Update reverse-proxy.md 59349105+punkyard@users.noreply.github.com> Signed-off-by: Simon L. Co-Authored-By: Jean-Yves <7360784+docjyJ@users.noreply.github.com> --- reverse-proxy.md | 116 +++++++++++++++++++++++------------------------ 1 file changed, 58 insertions(+), 58 deletions(-) diff --git a/reverse-proxy.md b/reverse-proxy.md index f986047e59c..64f67e1161a 100644 --- a/reverse-proxy.md +++ b/reverse-proxy.md 
@@ -1,24 +1,25 @@ # Reverse Proxy Documentation -**Note:** The maintainers of AIO noticed that this documentation could be improved to make it easier to follow. All contributions that improve this are very welcome! +> [!NOTE] +> The maintainers of AIO noticed that this documentation could be improved to make it easier to follow. All contributions that improve this are very welcome! -A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a web server that enables computers on the internet to access a service in a [private subnet](https://en.wikipedia.org/wiki/Private_network). +A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a software service that can be thought of as the gateway of a web server. It enables computers on the internet to access a service or web-site in a [private subnet](https://en.wikipedia.org/wiki/Private_network) of that web server. -**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **not** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface). +**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface). -In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. 
All examples below will use port `11000` as example `APACHE_PORT` which will be exposed on the host to receive unencrypted HTTP traffic from the reverse proxy. **Advice:** If you need https between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of https proxying (most likely via self-signed cert). Another option is to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection. +In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to
1. specify the port that AIO's integrated Apache container shall use
2. add a specific config to your web server or reverse proxy
3. modify the startup command a bit.
All examples below will use port `11000` as `APACHE_PORT`. This port will be exposed in the private network to receive unencrypted HTTP traffic from the reverse proxy. **Advice:** If you need HTTPS between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of HTTPS proxying (most likely via self-signed certificates). Another option would be to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection. **Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4: 1. **Configure the reverse proxy! See [point 1](#1-configure-the-reverse-proxy)** 1. **Use this startup command! See [point 2](#2-use-this-startup-command)** -1. Optional: If the reverse proxy is installed on the same host and in the host network, you should limit the apache container to only listen on localhost. See [point 3](#3-limit-the-access-to-the-apache-container) +1. Optional: if the reverse proxy is installed on the same host and in the host network, you should limit the apache container to only listen on localhost. See [point 3](#3-limit-the-access-to-the-apache-container) 1. **Open the AIO interface. See [point 4](#4-open-the-aio-interface)** -1. Optional: Get a valid certificate for the AIO interface! See [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface) -1. Optional: How to debug things? See [point 6](#6-how-to-debug-things) +1. Optional: get a valid certificate for the AIO interface! See [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface) +1. Optional: how to debug things? 
See [point 6](#6-how-to-debug-things) -**Please note:** Since the Apache container gets created by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail! Only the documented way will work! +**Please note:** Since the Apache container gets created by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because it will fail! -## 1. Configure the reverse proxy +## 1. Configure the reverse proxy πŸ› οΈ ### Adapting the sample web server configurations below 1. Replace `` with the domain on which you want to run Nextcloud. 
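Review bot: The `APACHE_PORT` paragraph now says the port "will be exposed in the private network", where the removed line said "exposed on the host". That reads as if the port were reachable only from a private subnet, yet section 3 of this same file documents `--env APACHE_IP_BINDING=127.0.0.1` as the way to restrict the listener to localhost. Since this port carries unencrypted HTTP, keep "on the host" and refer to point 3 from here. The intro also drops the sentence saying that the main goal is to publish Nextcloud, which runs in a different container than the mastercontainer; without it the "**not** the goal" note no longer says what the goal is.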
@@ -39,7 +40,7 @@ In order to run Nextcloud behind a web server or reverse proxy (like Apache, Ngi For this setup, you can use as target `host.docker.internal:$APACHE_PORT` instead of `localhost:$APACHE_PORT`. **⚠️ Important:** In order to make this work on Docker for Linux, you need to add `--add-host=host.docker.internal:host-gateway` to the docker run command of your reverse proxy container or `extra_hosts: ["host.docker.internal:host-gateway"]` in docker compose (it works on Docker Desktop by default). - Another option and actually the recommended way in this case is to use `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. By doing so, the default sample configurations that point at `localhost:$APACHE_PORT` should work without having to modify them. + Another option (actually the recommended way) in this case is to use `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. By doing so, the default sample configurations that point at `localhost:$APACHE_PORT` should work without having to modify them. @@ -53,7 +54,7 @@ In order to run Nextcloud behind a web server or reverse proxy (like Apache, Ngi -### Apache +### Apache πŸͺΆ
@@ -132,7 +133,7 @@ To make the config work you can run the following command:
-### Caddy (Recommended) +### Caddy (recommended) πŸ”
@@ -147,13 +148,13 @@ https://:443 { ``` The Caddyfile is a text file called `Caddyfile` (no extension) which – if you should be running Caddy inside a container – should usually be created in the same location as your `compose.yaml` file prior to starting the container. -⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** Look in [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/575#discussion-4055615) for a more complete example.
-### Caddy with ACME DNS-challenge +### Caddy with ACME DNS-challenge πŸ”€
@@ -181,7 +182,7 @@ You can get AIO running using the ACME DNS-challenge. Here is how to do it.
-### Citrix ADC VPX / Citrix Netscaler +### Citrix ADC VPX / Citrix Netscaler πŸ”€
@@ -191,7 +192,7 @@ For a reverse proxy example guide for Citrix ADC VPX / Citrix Netscaler, see thi
-### Cloudflare Tunnel +### Cloudflare Tunnel ☁
@@ -201,13 +202,13 @@ Although it does not seem like it is the case but from AIO perspective a Cloudfl 1. Install the Cloudflare Tunnel on the same machine where AIO will be running on and point the Tunnel with the domain that you want to use for AIO to `http://localhost:11000`.
⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. -1. Now continue with [point 2](#2-use-this-startup-command) but additionally, add `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command which will disable the domain validation (because it is known that the domain validation will not work behind a Cloudflare Tunnel). So you need to ensure yourself that you've configured everything correctly. +1. Now continue with [point 2](#2-use-this-startup-command) but add `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command - which will disable the domain validation (because it is known that the domain validation will not work behind a Cloudflare Tunnel). **Advice:** Make sure to [disable Cloudflares Rocket Loader feature](https://help.nextcloud.com/t/login-page-not-working-solved/149417/8) as otherwise Nextcloud's login prompt will not be shown.
-### HaProxy +### HaProxy πŸ”€
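Review bot: In the Cloudflare Tunnel step, the `+` line for `--env SKIP_DOMAIN_VALIDATION=true` drops the closing sentence "So you need to ensure yourself that you've configured everything correctly." That sentence was the only reminder at this step that disabling the domain validation moves the check onto the operator. The debug list at the end of the file keeps the equivalent warning for the same flag, so keep it here as well. The inserted " - which will disable" also reads better as a plain relative clause without the hyphen.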
@@ -304,17 +305,17 @@ backend Nextcloud
-### Nginx, Freenginx, Openresty +### Nginx, Freenginx, Openresty πŸ”€
click here to expand -**Disclaimer:** This config was tested and should normally work on all modern nginx version if you configure it correctly. Improvements to the config are very welcome! +**Disclaimer:** This config was tested and should normally work on all modern Nginx versions. Improvements to the config are very welcome! -Add the below template to your nginx config. +Add the below template to your Nginx config. -**Note:** please check your nginx version by running: `nginx -v` and adjust it the lines marked with version notes, so that they fit your nginx version. +**Note:** please check your Nginx version by running: `nginx -v` and adjust the lines marked with version notes to fit your version. ``` map $http_upgrade $connection_upgrade { @@ -392,19 +393,19 @@ server { ``` -⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look in [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/588#discussioncomment-2811152) for a more complete example.
-### Nginx-Proxy-Manager +### Nginx-Proxy-Manager - NPM πŸ”€
click here to expand -First, please make sure that the environmental variables `PUID` and `PGID` in the compose.yaml file for NPM are either unset or set to `0`. +First, make sure the environmental variables `PUID` and `PGID` in the `compose.yaml` file for NPM are either unset or set to `0`. If you need to change the GID/PID then please add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`. Note: this will cause that non root users can bind privileged ports. Second, see these screenshots for a working config: @@ -423,34 +424,32 @@ proxy_read_timeout 86400s; client_max_body_size 0; ``` -⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. - +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. Also change `@` to a mail address of yours.
-### Nginx-Proxy +### Nginx-Proxy πŸ”€
click here to expand -Unfortunately it is not possible to configure nginx-proxy in a way that works because it completely relies on environmental variables of the docker containers itself. Providing these variables does not work as stated above. +Unfortunately, it is not possible to configure Nginx-proxy in a way that works because it completely relies on environmental variables of the docker containers itself. Providing these variables does not work as stated above. If you really want to use AIO, we recommend you to switch to caddy. It is simply amazing!
-Of course understandable if that is not possible for you. -Apart from that, there is this: [manual-install](https://github.com/nextcloud/all-in-one/tree/main/manual-install) +Apart from that, there is a [manual-install](https://github.com/nextcloud/all-in-one/tree/main/manual-install).
-### Node.js with Express +### Node.js with Express πŸ”€
click here to expand -**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome! +**Disclaimer:** it might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome! For Node.js, we will use the npm package `http-proxy`. WebSockets must be handled separately. @@ -527,17 +526,17 @@ httpServer.on('upgrade', (req, socket, head) => { }); ``` -⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look in [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
-### Synology Reverse Proxy +### Synology Reverse Proxy πŸ”€
click here to expand -**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome! +**Disclaimer:** it might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome! See these screenshots for a working config: @@ -545,17 +544,17 @@ See these screenshots for a working config: ![image](https://user-images.githubusercontent.com/70434961/213193789-fa936edc-e307-4e6a-9a53-ae26d1bf2f42.jpg) -⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
-### Traefik 2 +### Traefik 2 πŸ”€
click here to expand -**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome! +**Disclaimer:** it might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome! Traefik's building blocks (router, service, middlewares) need to be defined using dynamic configuration similar to [this](https://doc.traefik.io/traefik/providers/file/#configuration-examples) official Traefik configuration example. Using **docker labels _won't work_** because of the nature of the project. @@ -632,13 +631,12 @@ The examples below define the dynamic configuration in YAML files. If you rather --- -⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. - +⚠️ **Please note:** look [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. **Hint**: see https://www.youtube.com/watch?v=VLPSRrLMDmA for a video on configuring Traefik.
-### IIS with ARR and URL Rewrite +### IIS with ARR and URL Rewrite πŸ”€
@@ -706,7 +704,7 @@ Add the following `web.config` file to the root of the site you created as the r
-### Others +### Others πŸ”§
@@ -716,11 +714,11 @@ Config examples for other reverse proxies are currently not documented. Pull req
-## 2. Use this startup command +## 2. Use this startup command πŸš€ After adjusting your reverse proxy config, use the following command to start AIO:
-(For a docker-compose example, see the example further [below](#inspiration-for-a-docker-compose-file).) +(For a `compose.yaml` example, see the example further [below](#inspiration-for-a-docker-compose-file).) ``` # For Linux: @@ -737,9 +735,9 @@ sudo docker run \ nextcloud/all-in-one:latest ``` -Note: You may be interested in adjusting Nextcloud’s datadir to store the files in a different location than the default docker volume. See [this documentation](https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir) on how to do it. +Note: you may be interested in adjusting Nextcloud’s datadir to store the files in a different location than the default docker volume. See [this documentation](https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir) on how to do it. -You should also think about limiting the apache container to listen only on localhost in case the reverse proxy is running on the same host and in the host network, by providing an additional environmental variable to this docker run command. See [point 3](#3-limit-the-access-to-the-apache-container). +You should also think about limiting the Apache container to listen only on localhost in case the reverse proxy is running on the same host and in the host network, by providing an additional environmental variable to this docker run command. See [point 3](#3-limit-the-access-to-the-apache-container). On macOS see https://github.com/nextcloud/all-in-one#how-to-run-aio-on-macos. 
@@ -773,16 +771,17 @@ On Synology DSM see https://github.com/nextcloud/all-in-one#how-to-run-aio-on-sy Simply translate the docker run command into a docker-compose file. You can have a look at [this file](https://github.com/nextcloud/all-in-one/blob/main/compose.yaml) for some inspiration but you will need to modify it either way. You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588 -## 3. Limit the access to the apache container +## 3. Limit the access to the Apache container πŸ”’ Use this environment variable during the initial startup of the mastercontainer to make the apache container only listen on localhost: `--env APACHE_IP_BINDING=127.0.0.1`. **Attention:** This is only recommended to be set if you use `localhost` in your reverse proxy config to connect to your AIO instance. If you use an ip-address instead of localhost, you should set it to `0.0.0.0`. -## 4. Open the AIO interface. +## 4. Open the AIO interface πŸ–₯️ + After starting AIO, you should be able to access the AIO Interface via `https://ip.address.of.the.host:8080`.
⚠️ **Important:** do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser)
Enter your domain in the AIO interface that you've used in the reverse proxy config and you should be done. Please do not forget to open/forward port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container! -## 5. Optional: get a valid certificate for the AIO interface +## 5. Optional: get a valid certificate for the AIO interface πŸ” If you want to also access your AIO interface publicly with a valid certificate, you can add e.g. the following config to your Caddyfile: 
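Review bot: The headings for points 3, 4 and 5 gain a trailing emoji, but the in-page links elsewhere in this file (for example `[point 3](#3-limit-the-access-to-the-apache-container)`) target anchors generated from the heading text, so changing that text risks breaking them along with any external links to these sections. Leave the heading text as it was and keep decoration out of headings. The capitalisation change to "Apache" is also applied only to the heading of point 3; the sentence under it still says "apache container".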
@@ -799,18 +798,19 @@ https://:8443 { Afterwards should the AIO interface be accessible via `https://ip.address.of.the.host:8443`. You can alternatively change the domain to a different subdomain by using `https://:443` instead of `https://:8443` in the Caddyfile and use that to access the AIO interface. -## 6. How to debug things? +## 6. How to debug things? πŸ› + If something does not work, follow the steps below: 1. Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom! -1. Make sure that you used the docker run command that is described in this reverse proxy documentation. **Hint:** make sure that you have set the `APACHE_PORT` via e.g. `--env APACHE_PORT=11000` during the docker run command! +1. Make sure that you used the `docker run` command that is described in this reverse proxy documentation. **Hint:** make sure that you have set the `APACHE_PORT` via e.g. `--env APACHE_PORT=11000` during the docker run command! 1. Make sure to set the `APACHE_IP_BINDING` variable correctly. If in doubt, set it to `--env APACHE_IP_BINDING=0.0.0.0` 1. Make sure that all ports to which your reverse proxy is pointing match the chosen `APACHE_PORT`. -1. Make sure to follow [this](#adapting-the-sample-web-server-configurations-below) to adapt the example configurations to your specific setup +1. Make sure to follow [this](#adapting-the-sample-web-server-configurations-below) to adapt the example configurations to your specific setup! 1. Make sure that the mastercontainer is able to spawn other containers. You can do so by checking that the mastercontainer indeed has access to the Docker socket which might not be positioned in one of the suggested directories like `/var/run/docker.sock` but in a different directory, based on your OS and the way how you installed Docker. The mastercontainer logs should help figuring this out. 
You can have a look at them by running `sudo docker logs nextcloud-aio-mastercontainer` after the container is started the first time. 1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z localhost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `localhost` the ip-address of the host here for the test. -1. Make sure that you are not behind CGNAT. If that is the case, you will not be able to open ports properly. In that case you might use a Cloudflare Tunnel. -1. If you use Cloudflare, you might need to skip the domain validation anyways since it is known that Cloudflare might block the validation attempts. In that case, see the last option below. -1. If your reverse proxy is configured to use the host network (as recommended in the above docs) or running on the host, make sure that you've configured your firewall to open port 443 and 80. -1. Check if you have a public IPv4- and public IPv6-address. If you only have a public IPv6-address (e.g. due to DS-Lite), make sure to enable IPv6 in Docker and your whole networking infrastructure (e.g. also by adding an AAAA DNS-entry to your domain). -1. Try to configure everything from scratch if it still does not work by following https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance. +1. Make sure that you are not behind CGNAT. If that is the case, you will not be able to open ports properly. In that case you might use a Cloudflare Tunnel! +1. If you use Cloudflare, you might need to skip the domain validation anyways since it is known that Cloudflare might block the validation attempts. In that case, see the last option below! +1. 
If your reverse proxy is configured to use the host network (as recommended in the above docs) or running on the host, make sure that you've configured your firewall to open port 443 (and 80)! +1. Check if you have a public IPv4- and public IPv6-address. If you only have a public IPv6-address (e.g. due to DS-Lite), make sure to enable IPv6 in Docker and your whole networking infrastructure (e.g. also by adding an AAAA DNS-entry to your domain)! +1. Try to configure everything from scratch - if it still does not work by following https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance. 1. As last resort, you may disable the domain validation by adding `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command. But only use this if you are completely sure that you've correctly configured everything! From 6b30744fc3a38e36c8fecd53c3a0c50c72ea858f Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 10 Oct 2024 12:40:17 +0200 Subject: [PATCH 2/5] revert headings so that old links still work and adjust some details Signed-off-by: Simon L. --- reverse-proxy.md | 50 ++++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/reverse-proxy.md b/reverse-proxy.md index 64f67e1161a..1e0231d2fff 100644 --- a/reverse-proxy.md +++ b/reverse-proxy.md @@ -19,7 +19,7 @@ In order to run Nextcloud behind a web server or reverse proxy (like Apache, Ngi **Please note:** Since the Apache container gets created by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because it will fail! -## 1. Configure the reverse proxy πŸ› οΈ +## 1. Configure the reverse proxy ### Adapting the sample web server configurations below 1. Replace `` with the domain on which you want to run Nextcloud. 
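Review bot: In the `## 6. How to debug things?` list of PATCH 1/5, the reset item now reads "Try to configure everything from scratch - if it still does not work by following …", which splits the sentence so that "by following" attaches to "does not work". Restore the original word order, or rephrase as "If it still does not work, try to configure everything from scratch by following …". The firewall item changes "port 443 and 80" to "port 443 (and 80)", which presents port 80 as optional without saying when it can stay closed; keep the original wording or state the condition. The exclamation marks added to the other items carry no extra information.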
@@ -54,7 +54,7 @@ In order to run Nextcloud behind a web server or reverse proxy (like Apache, Ngi -### Apache πŸͺΆ +### Apache
@@ -133,7 +133,7 @@ To make the config work you can run the following command:
-### Caddy (recommended) πŸ” +### Caddy (recommended)
@@ -148,13 +148,13 @@ https://:443 { ``` The Caddyfile is a text file called `Caddyfile` (no extension) which – if you should be running Caddy inside a container – should usually be created in the same location as your `compose.yaml` file prior to starting the container. -⚠️ **Please note:** Look in [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/575#discussion-4055615) for a more complete example.
-### Caddy with ACME DNS-challenge πŸ”€ +### Caddy with ACME DNS-challenge
@@ -182,7 +182,7 @@ You can get AIO running using the ACME DNS-challenge. Here is how to do it.
-### Citrix ADC VPX / Citrix Netscaler πŸ”€ +### Citrix ADC VPX / Citrix Netscaler
@@ -192,7 +192,7 @@ For a reverse proxy example guide for Citrix ADC VPX / Citrix Netscaler, see thi
-### Cloudflare Tunnel ☁ +### Cloudflare Tunnel
@@ -208,7 +208,7 @@ Although it does not seem like it is the case but from AIO perspective a Cloudfl
-### HaProxy πŸ”€ +### HaProxy
@@ -305,7 +305,7 @@ backend Nextcloud
-### Nginx, Freenginx, Openresty πŸ”€ +### Nginx, Freenginx, Openresty
@@ -393,13 +393,13 @@ server { ``` -⚠️ **Please note:** look in [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/588#discussioncomment-2811152) for a more complete example.
-### Nginx-Proxy-Manager - NPM πŸ”€ +### Nginx-Proxy-Manager - NPM
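Review bot: This revert removes the emoji but leaves the heading as `### Nginx-Proxy-Manager - NPM`, whereas the heading before the series was `### Nginx-Proxy-Manager`. The ` - NPM` suffix still changes the heading text, so links to the old section anchor would not resolve, which is what this commit's subject says it is meant to prevent. Revert the suffix as well, or introduce the abbreviation in the section body instead.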
@@ -429,7 +429,7 @@ Also change `@` to a mail address of yours.
-### Nginx-Proxy πŸ”€ +### Nginx-Proxy
@@ -443,7 +443,7 @@ Apart from that, there is a [manual-install](https://github.com/nextcloud/all-in
-### Node.js with Express πŸ”€ +### Node.js with Express
@@ -526,11 +526,11 @@ httpServer.on('upgrade', (req, socket, head) => { }); ``` -⚠️ **Please note:** look in [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
-### Synology Reverse Proxy πŸ”€ +### Synology Reverse Proxy
@@ -544,11 +544,11 @@ See these screenshots for a working config: ![image](https://user-images.githubusercontent.com/70434961/213193789-fa936edc-e307-4e6a-9a53-ae26d1bf2f42.jpg) -⚠️ **Please note:** look [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
-### Traefik 2 πŸ”€ +### Traefik 2
@@ -631,12 +631,12 @@ The examples below define the dynamic configuration in YAML files. If you rather --- -⚠️ **Please note:** look [here](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. **Hint**: see https://www.youtube.com/watch?v=VLPSRrLMDmA for a video on configuring Traefik.
-### IIS with ARR and URL Rewrite πŸ”€ +### IIS with ARR and URL Rewrite
@@ -704,7 +704,7 @@ Add the following `web.config` file to the root of the site you created as the r
-### Others πŸ”§ +### Others
@@ -714,7 +714,7 @@ Config examples for other reverse proxies are currently not documented. Pull req
-## 2. Use this startup command πŸš€ +## 2. Use this startup command After adjusting your reverse proxy config, use the following command to start AIO:
@@ -771,17 +771,17 @@ On Synology DSM see https://github.com/nextcloud/all-in-one#how-to-run-aio-on-sy Simply translate the docker run command into a docker-compose file. You can have a look at [this file](https://github.com/nextcloud/all-in-one/blob/main/compose.yaml) for some inspiration but you will need to modify it either way. You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588 -## 3. Limit the access to the Apache container πŸ”’ +## 3. Limit the access to the Apache container Use this environment variable during the initial startup of the mastercontainer to make the apache container only listen on localhost: `--env APACHE_IP_BINDING=127.0.0.1`. **Attention:** This is only recommended to be set if you use `localhost` in your reverse proxy config to connect to your AIO instance. If you use an ip-address instead of localhost, you should set it to `0.0.0.0`. -## 4. Open the AIO interface πŸ–₯️ +## 4. Open the AIO interface After starting AIO, you should be able to access the AIO Interface via `https://ip.address.of.the.host:8080`.
⚠️ **Important:** do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser)
Enter your domain in the AIO interface that you've used in the reverse proxy config and you should be done. Please do not forget to open/forward port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container! -## 5. Optional: get a valid certificate for the AIO interface πŸ” +## 5. Optional: get a valid certificate for the AIO interface If you want to also access your AIO interface publicly with a valid certificate, you can add e.g. the following config to your Caddyfile: @@ -798,7 +798,7 @@ https://:8443 { Afterwards should the AIO interface be accessible via `https://ip.address.of.the.host:8443`. You can alternatively change the domain to a different subdomain by using `https://:443` instead of `https://:8443` in the Caddyfile and use that to access the AIO interface. -## 6. How to debug things? πŸ› +## 6. How to debug things? If something does not work, follow the steps below: 1. Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom! From e4528678b179ff3a4c4441c6a9ea81e1035f4976 Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 10 Oct 2024 15:33:29 +0200 Subject: [PATCH 3/5] adjust description of reverse proxy Signed-off-by: Simon L. Co-authored-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com> Signed-off-by: Simon L. --- reverse-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reverse-proxy.md b/reverse-proxy.md index 1e0231d2fff..242130fd7e0 100644 --- a/reverse-proxy.md +++ b/reverse-proxy.md 
@@ -3,7 +3,7 @@ > [!NOTE] > The maintainers of AIO noticed that this documentation could be improved to make it easier to follow. All contributions that improve this are very welcome! -A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a software service that can be thought of as the gateway of a web server. It enables computers on the internet to access a service or web-site in a [private subnet](https://en.wikipedia.org/wiki/Private_network) of that web server. +A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is a software service that acts as a gateway between services and a client. It is commonly used to allow a client connected to the Internet to access a website located in the [private subnet](https://en.wikipedia.org/wiki/Private_network) of that web server. **Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface). From e45bd1ef2d172556293dfc7ec9e6c122498dd03a Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 10 Oct 2024 15:34:15 +0200 Subject: [PATCH 4/5] address review Signed-off-by: Simon L. Co-authored-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com> Signed-off-by: Simon L. --- reverse-proxy.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/reverse-proxy.md b/reverse-proxy.md index 242130fd7e0..a435f2dac36 100644 --- a/reverse-proxy.md +++ b/reverse-proxy.md 
@@ -7,7 +7,13 @@ A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is a software ser **Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface). -In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to
1. specify the port that AIO's integrated Apache container shall use
2. add a specific config to your web server or reverse proxy
3. modify the startup command a bit.
All examples below will use port `11000` as `APACHE_PORT`. This port will be exposed in the private network to receive unencrypted HTTP traffic from the reverse proxy. **Advice:** If you need HTTPS between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of HTTPS proxying (most likely via self-signed certificates). Another option would be to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection. +In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to: +1. specify the port that AIO's integrated Apache container shall use +2. add a specific config to your web server or reverse proxy +3. modify the startup command a bit. +All examples below will use port `11000` as `APACHE_PORT`. This port will be exposed in the private network to receive unencrypted HTTP traffic from the reverse proxy. +> [!IMPORTANT] +> If you need HTTPS between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of HTTPS proxying (most likely via self-signed certificates). Another option would be to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection. **Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4: 1. **Configure the reverse proxy! See [point 1](#1-configure-the-reverse-proxy)** From 9b25f8b061013f57ed1e24a70b2cda619f290c6a Mon Sep 17 00:00:00 2001 From: "Simon L." Date: Thu, 10 Oct 2024 15:34:31 +0200 Subject: [PATCH 5/5] make wording consistant 
Signed-off-by: Simon L. Co-authored-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com> Signed-off-by: Simon L. --- reverse-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reverse-proxy.md b/reverse-proxy.md index a435f2dac36..205d789238f 100644 --- a/reverse-proxy.md +++ b/reverse-proxy.md @@ -207,7 +207,7 @@ For a reverse proxy example guide for Citrix ADC VPX / Citrix Netscaler, see thi Although it does not seem like it is the case but from AIO perspective a Cloudflare Tunnel works like a reverse proxy. Please see the [caveats](https://github.com/nextcloud/all-in-one#notes-on-cloudflare-proxytunnel) before proceeding. Here is then how to make it work: 1. Install the Cloudflare Tunnel on the same machine where AIO will be running on and point the Tunnel with the domain that you want to use for AIO to `http://localhost:11000`.
-⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. +⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration. 1. Now continue with [point 2](#2-use-this-startup-command) but add `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command - which will disable the domain validation (because it is known that the domain validation will not work behind a Cloudflare Tunnel). **Advice:** Make sure to [disable Cloudflares Rocket Loader feature](https://help.nextcloud.com/t/login-page-not-working-solved/149417/8) as otherwise Nextcloud's login prompt will not be shown.
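Review bot: In the `@@ -771,17 +771,17 @@` hunk, the context under "## 3. Limit the access to the Apache container" tells readers who connect via an ip-address to set `APACHE_IP_BINDING` to `0.0.0.0`, but does not say that the Apache port then listens on every interface of the host. The introduction describes this port as receiving unencrypted HTTP traffic from the reverse proxy, so a sentence asking readers to restrict the port with a firewall rule to the reverse proxy's address would fit here. Separately, the headings lose their emoji in this hunk while the context line `⚠️ **Important:** do always use an ip-address` keeps one; pick one convention for the page.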
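Review bot: In the `@@ -3,7 +3,7 @@` hunk of PATCH 3/5, the new second sentence ends with "of that web server", but the rewritten first sentence no longer mentions a web server, so the phrase has nothing to refer to. Suggest ending the sentence at "located in a [private subnet](https://en.wikipedia.org/wiki/Private_network)" and using one term for the proxied target in both sentences, since the first says "services" and the second says "a website".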
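Review bot: In the `@@ -7,7 +7,13 @@` hunk of PATCH 4/5, `+All examples below will use port` follows `+3. modify the startup command a bit.` with no blank line, so Markdown treats it as a continuation of list item 3, and the list itself starts directly under `you need to:` without a blank line. Suggest adding an empty `+` line before the list, after item 3, and on both sides of the `> [!IMPORTANT]` block so the alert does not run into the `**Attention:**` paragraph that follows it. For the alert text, "most likely via self-signed certificates" should also say that the front reverse proxy has to be configured to trust that certificate, otherwise readers tend to switch certificate verification off and the hop stays unauthenticated.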
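Review bot: In the `@@ -207,7 +207,7 @@` hunk of PATCH 5/5, lowercasing to `**Please note:** look into` makes this line disagree with `**Advice:** Make sure to` in the same hunk, so the stated goal of consistent wording is not reached within these lines. Suggest choosing one capitalisation after the bold label and applying it to both. The link text `[this]` could also name its target, for example "adapting the sample web server configurations", so the sentence still makes sense when the anchor changes.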