Nextcloud hinter einem Reverse Proxy

Aus Wiki
Zur Navigation springen Zur Suche springen

Sollte Nextcloud hinter einem Reverse Proxy betrieben werden, kann es manchmal Probleme mit der automatischen Hosterkennung geben (falscher Hostname erkannt, generierte Links mit http statt https, ...) - als Abhilfe kann man in der Konfigurationsdatei config.php diverse Werte setzen. Alternativ kann auch Nextclouds occ Konsole verwendet werden.

Paramter in der config.php

# Your list of trusted domains that users can log into. Specifying trusted
# domains prevents host header poisoning. Do not remove this, as it performs
# necessary security checks.
'trusted_domains' =>
    array (
        0 => 'server.localdomain',

# Use this configuration parameter to specify the base URL for any URLs which
# are generated within Nextcloud using any kind of command line tools (cron or
# occ).
# The value should contain the full base URL:
'overwrite.cli.url' => 'https://server.localdomain',

# When generating URLs, Nextcloud attempts to detect whether the server is
# accessed via https or http. However, if Nextcloud is behind a proxy and the
# proxy handles the https calls, Nextcloud would not know that ssl is in use,
# which would result in incorrect URLs being generated.
# Valid values are http and https.
'overwriteprotocol' => 'https',

# Nextcloud attempts to detect the webroot for generating URLs automatically.
# For example, if is the URL pointing to the Nextcloud
# instance, the webroot is /nextcloud. When proxies are in use, it may be
# difficult for Nextcloud to detect this parameter, resulting in invalid URLs.
'overwritewebroot' => '',

# List of trusted proxy servers
# You may set this to an array containing a combination of - IPv4 addresses,
# e.g. - IPv4 ranges in CIDR notation, e.g. -
# IPv6 addresses, e.g. fd9e:21a7:a92c:2323::1
# When an incoming request’s REMOTE_ADDR matches any of the IP addresses
# specified here, it is assumed to be a proxy instead of a client. Thus, the
# client IP will be read from the HTTP header specified in forwarded_for_headers
# instead of from REMOTE_ADDR.
# So if you configure trusted_proxies, also consider setting
# forwarded_for_headers which otherwise defaults to HTTP_X_FORWARDED_FOR
# (the X-Forwarded-For header).
'trusted_proxies' => ['', ''],

# Headers that should be trusted as client IP address in combination with
# trusted_proxies. If the HTTP header looks like ‘X-Forwarded-For’, then use
# If set incorrectly, a client can spoof their IP address as visible to
# Nextcloud, bypassing access controls and making logs useless!
'forwarded_for_headers' => ['HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR'],

Service Discovery CalDAV / CardDAV

Hinter einem Reverse Proxy funktionieren die Standard Redirects für CalDAV / CardDAV nicht, daher müssen hier am Proxy entsprechende Rewrite Rules eingetragen werden.

Apache 2

RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

Traefik 2 via Docker Labels

  - "traefik.enable=true"
  - ""
  - "traefik.http.routers.nextcloud-tls.rule=Host(`server.localdomain`)"
  - "traefik.http.routers.nextcloud-tls.entrypoints=websecure"
  - "traefik.http.routers.nextcloud-tls.tls=true"
  - "traefik.http.routers.nextcloud-tls.middlewares=davredirects"
  - "traefik.http.middlewares.davredirects.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
  - "traefik.http.middlewares.davredirects.redirectregex.permanent=true"
  - "traefik.http.middlewares.davredirects.redirectregex.replacement=https://$$1/remote.php/dav/"   # double $$ escaping necessary!


location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;

location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;