[SOLVED]Nextcloud config for HAProxy as reverse proxy

Started by Inxsible, April 13, 2021, 08:04:35 PM

I recently moved from using caddy2 as the reverseproxy to using HAProxy plugin on opnsense. The reverse proxying part is working fine. But when I get to the Settings page in Nextcloud, I am seeing the following warnings:

There are some warnings regarding your setup.
The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.


When using caddy2, I didn't have any warnings/errors on the Nextcloud settings page. In my caddy2 setup I had the following configuration for nextcloud apart from the actual proxying:

# Nextcloud well-known redirects and response headers (Caddyfile)
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/carddav /remote.php/dav 301
php_fastcgi 127.0.0.1:9000
header {
    Strict-Transport-Security max-age=31536000;
    Host $host;
    X-Real-IP $remote_addr
    X-Forwarded-For $proxy_add_x_forwarded_for;
    X-Forwarded-Proto $scheme;
}


I checked Nextcloud documentation regarding HAProxy as the reverse-proxy and it describes what needs to be added but where would I add these in the Opnsense HAProxy plugin settings?


Thanks.

Quote from: Inxsible on April 13, 2021, 08:04:35 PM
I recently moved from using caddy2 as the reverseproxy to using HAProxy plugin on opnsense. The reverse proxying part is working fine. But when I get to the Settings page in Nextcloud, I am seeing the following warnings:

There are some warnings regarding your setup.
The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.
The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
Your web server is not properly set up to resolve "/.well-known/webfinger". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/nodeinfo". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation.
Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.


When using caddy2, I didn't have any warnings/errors on the Nextcloud settings page. In my caddy2 setup I had the following configuration for nextcloud apart from the actual proxying:

# Nextcloud well-known redirects and response headers (Caddyfile)
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/carddav /remote.php/dav 301
php_fastcgi 127.0.0.1:9000
header {
    Strict-Transport-Security max-age=31536000;
    Host $host;
    X-Real-IP $remote_addr
    X-Forwarded-For $proxy_add_x_forwarded_for;
    X-Forwarded-Proto $scheme;
}


I checked Nextcloud documentation regarding HAProxy as the reverse-proxy and it describes what needs to be added but where would I add these in the Opnsense HAProxy plugin settings?


Thanks.
What options do you have to add?
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Quote from: lfirewall1243 on April 13, 2021, 09:55:08 PM
What options do you have to add?
The ones that would help me fix the warnings in Nextcloud. I assume they would be similar to the ones I had set up in caddy2, like the X-Real-IP, Strict-Transport-Security, X-Forwarded-For etc. I just am not sure how or where to add them in the HAProxy plugin in opnsense.

Would I have to create a new condition? Which condition type should I choose to add the headers? I guess the redirects need to be enabled via Rules?

Quote from: Inxsible on April 13, 2021, 09:58:15 PM
Quote from: lfirewall1243 on April 13, 2021, 09:55:08 PM
What options do you have to add?
The ones that would help me fix the warnings in Nextcloud. I assume they would be similar to the ones I had set up in caddy2, like the X-Real-IP, Strict-Transport-Security, X-Forwarded-For etc. I just am not sure how or where to add them in the HAProxy plugin in opnsense.

Would I have to create a new condition? Which condition type should I choose to add the headers? I guess the redirects need to be enabled via Rules?

I think you'll have to add them in the Frontend options.

Maybe it's enough to enable "Enable-X-Forwarded-For-Header".
If not, you can add them manually at the Backend Options (Advanced config enabled) -> Options pass-through.
But keep the settings in your frontend enabled.

Quote from: lfirewall1243 on April 14, 2021, 08:09:54 AM
I think you'll have to add them in the Frontend options.

Maybe it's enough to enable "Enable-X-Forwarded-For-Header".
Under Public Services on the server, I enabled the X-Forwarded-For header and that got rid of the first issue. To enable Strict-Transport-Security, I had to enable the Advanced settings and then select Enable HSTS and add the max age. That fixed the warnings.

But I am still unable to set up the nodeinfo & webfinger settings. Here's the condition and rule that I set up. See attached files. But it's still not working.

I have also tried the condition "Path contains subdir" with the subdir match = /.well-known/ and also tried "Path contains string" with string match = well-known, but it still didn't change anything.

May 14, 2021, 02:14:46 AM #5 Last Edit: May 14, 2021, 02:20:13 AM by Inxsible
I finally fixed this by using the Custom condition (option pass-through) as the Condition Type rather than using the Path matches.

The Path matches creates an acl with "path -i" and for some reason, webfinger and nodeinfo don't like that. When I created the condition as in the attached image (nc_webfinger.png), I was able to get the warnings for webfinger to go away. For the rule see the image nc_webfinger_rule.png. The HTTP redirect value is code 301 location /index.php%[capture.req.uri]

Create the same condition and rule for the nodeinfo and you should be able to get the green "All checks passed" in Nextcloud.


 :)
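For readers who want the same result outside the OPNsense GUI, here is the equivalent raw HAProxy configuration, written as an added example; it is not from this thread, the Nextcloud documentation or the OPNsense plugin, and the poster's attached condition and rule images are not reproduced here. It combines the three fixes the thread arrives at: forwarding the client address and scheme to Nextcloud, setting HSTS at Nextcloud's minimum of 15552000 seconds, and redirecting the four /.well-known paths, with webfinger and nodeinfo sent to /index.php%[capture.req.uri] as in the post above. The frontend and backend names, the certificate path and the backend address are placeholders, and the `path_beg -i` match is an assumption standing in for the poster's custom condition.

```haproxy
# Added example: raw HAProxy equivalent of the OPNsense plugin settings
# discussed in this thread. Names, paths and addresses are placeholders.

frontend nextcloud_https
    # Certificate path is a placeholder
    bind :443 ssl crt /usr/local/etc/ssl/nextcloud.pem
    mode http

    # Equivalent of the plugin's "X-Forwarded-For header" option:
    # appends the real client IP so Nextcloud sees it rather than the proxy's
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Real-IP %[src]

    # HSTS at Nextcloud's minimum of 15552000 seconds (180 days)
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"

    # .well-known discovery URLs. path_beg -i is an assumption standing in for
    # the custom condition in the post; the Location values follow the thread.
    acl nc_dav_wellknown path_beg -i /.well-known/caldav /.well-known/carddav
    acl nc_php_wellknown path_beg -i /.well-known/webfinger /.well-known/nodeinfo
    http-request redirect code 301 location /remote.php/dav if nc_dav_wellknown
    http-request redirect code 301 location /index.php%[capture.req.uri] if nc_php_wellknown

    default_backend nextcloud_servers

backend nextcloud_servers
    mode http
    # Backend address is constructed for the example
    server nc1 192.0.2.10:80 check
```

Nextcloud only honours X-Forwarded-For from addresses listed in `trusted_proxies` in its config.php; with the proxy's address listed there and nothing broader, a client cannot clear the first warning's concern by sending the header itself, because Nextcloud takes the address from the hop it trusts. After reloading HAProxy, a HEAD request to /.well-known/webfinger should return a 301 with the Location above, and every response should carry the Strict-Transport-Security header.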
Thank you! I had the same problem.

pfSense + HAProxy -> TrueNAS + NextCloud (jail)

Your solution helped.

Hello,

sorry for bringing this post back to life, but I have the same issue. I have followed this suggestion, but I still have the same issue.

Are there any known alternatives, or maybe could you describe if you had to change any config files in the nextcloud server itself? (shouldn't be needed, since it's going over reverse proxy, same as mine)

Thank you.
Kosta

Quote from: kosta on June 21, 2023, 10:03:16 PM
Hello,

sorry for bringing this post back to life, but I have the same issue. I have followed this suggestion, but I still have the same issue.

Are there any known alternatives, or maybe could you describe if you had to change any config files in the nextcloud server itself? (shouldn't be needed, since it's going over reverse proxy, same as mine)

Thank you.
Kosta
You should list out your config so we can see. It's been working fine for me.

I can also suggest looking into using the Caddy plugin from the mimugmail repository. Finding config examples for Caddy is much easier than finding something for HAProxy on OpnSense. I plan to migrate to the Caddy plugin too... but currently everything works, so I am afraid to mess around with it now.