Help - Reverse SSL Proxy Configuration - Docker Letsencrypt - Nextcloud

Hi,

I'm quite a newbie on the things I'm trying to do.

I've setup my NextCloud server on LibreElec. It is working fine. I used docker addon (GitHub - linuxserver/docker-nextcloud) and installed it on port 444.

Then I installed docker nginx + letsencrypt addon (GitHub - linuxserver/docker-letsencrypt) on port 443 with duckdns validation. But this part isn't working.

When I call my external ip on port 443, I've got a connection refused.

When I call it on 444, it works even if currently I've got a redirection to my DNS on 443 so it redirects and then get a connection refused. That mean the nextcloud part is OK but not the nginx and letsencrypt part.

I tried to find a solution on many websites but without finding it.

Do someone knows what I missed ? I've got no command line and have to use docker cause I'm using libreelec and don't wanna go on some other installations for long to explain reasons.

Thanks for those who will read me and try to figure out what my problem is.

Here is my Nginx Letsencrypt addon parameters :

port=443
url=mydomain.duckdns.org
subdomains=www,
validation method=duckdns
duckdns token=mytoken

My nextcloud data/www/nextcloud/config/config.php :

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXXXX',
  'passwordsalt' => 'XXXXX',
  'secret' => 'XXXXX',
  'dbtype' => 'sqlite3',
  'version' => '17.0.0.9',
  'installed' => true,
  'trusted_domains' =>
    array (
      0 => '192.168.0.20:444',
      1 => 'mydomain.duckdns.org:444',
      2 => 'mydomain.duckdns.org',
      3 => 'myexternalip',
    ),
  'trusted_proxies' => 
    array (
      0 => 'letsencrypt',
    ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://mydomain.duckdns.org/nextcloud',
  'overwritehost' => 'mydomain.duckdns.org',
  'overwriteprotocol' => 'https',
  'allow_user_to_change_display_name' => true,
  'remember_login_cookie_lifetime' => 60*60*24*15,
  'session_lifetime' => 60 * 60 * 24,
  'session_keepalive' => true,
  'auth.bruteforce.protection.enabled' => true,
  'skeletondirectory' => '',
  'htaccess.RewriteBase' => '/',
);

my letsencrypt/config/nginx/proxy-confs/nextcloud.subfolder.conf (unchanged, just copied from sample) :

location = /.well-known/carddav {
    return 301 $scheme://$host/nextcloud/remote.php/dav;
}

location = /.well-known/caldav {
    return 301 $scheme://$host/nextcloud/remote.php/dav;
}

location /nextcloud {
    return 301 $scheme://$host/nextcloud/;
}

location ^~ /nextcloud/ {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_nextcloud nextcloud;
    rewrite /nextcloud(.*) $1 break;
    proxy_pass https://$upstream_nextcloud:443;

    proxy_max_temp_file_size 2048m;

    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Connection $http_connection;
    proxy_redirect off;
    proxy_ssl_session_reuse off;
}

my letsencrypt/config/nginx/site-confs/default (unchanged) :

## Version 2019/08/01 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

My router ports forwarding :

    Name    Start Port    End Port    Protocol    Local IP Address
    HTTP    80    80    TCP    192.168.0.20
    HTTPS    443    444    Both    192.168.0.20

Quote from aptalca

Check the letsencrypt logs and it will tell you what's going on

Code

docker logs docker.linuxserver.letsencrypt

Hi.

Thanks for the tip. There was this message :

Quote

nginx: [emerg] "proxy_max_temp_file_size" directive invalid value in /config/nginx/proxy-confs/nextcloud.subdomain.conf:28

I corrected it by replacing 2048M by 1024M (after a quick internet search).

Then I got this message :

Quote

nginx: [emerg] BIO_new_file("/config/nginx/dhparams.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/nginx/dhparams.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I deleted dhparams.pem to regenerate it :

rm letsencrypt/config/nginx/dhparam.pem

Now it is regenerating but it can take a long time according to the logs. I will tell you if this worked when it will be done.

Quote

Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed

Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

EDIT :

after that, there still was an error :

Quote

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see GitHub - openresty/luajit2: OpenResty's Branch of LuaJIT 2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from OpenResty - Download)

nginx: [error] lua_load_resty_core failed to load the resty.core module from GitHub - openresty/lua-resty-core: New FFI-based API for lua-nginx-module; ensure you are using an OpenResty release from OpenResty - Download (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']

no file './resty/core.lua'

no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'

no file '/usr/local/share/lua/5.1/resty/core.lua'

no file '/usr/local/share/lua/5.1/resty/core/init.lua'

no file '/usr/share/lua/5.1/resty/core.lua'

no file '/usr/share/lua/5.1/resty/core/init.lua'

no file '/usr/share/lua/common/resty/core.lua'

no file '/usr/share/lua/common/resty/core/init.lua'

no file './resty/core.so'

no file '/usr/local/lib/lua/5.1/resty/core.so'

no file '/usr/lib/lua/5.1/resty/core.so'

no file '/usr/local/lib/lua/5.1/loadall.so'

no file './resty.so'

no file '/usr/local/lib/lua/5.1/resty.so'

no file '/usr/lib/lua/5.1/resty.so'

no file '/usr/local/lib/lua/5.1/loadall.so')

Server ready

Display More

I added the following line into the http block of nginx.conf (after finding this solution online) :

Quote

lua_load_resty_core off;

and now this works !!

Thanks to your help on finding the docker's log, I have now being able to secure my site.

I leave it here so people with the same problem can find the solution.