Reverse proxy and AiO setup

[Michael-Hennemann]

Hi@all

I have just a little problem of understanding on how to reverse proxy AiO

If I understand the AiO documentation here on github correctly, you can setup NC AiO either for the use with a reverse proxy of for the use without reverse proxy.

If I choose “no proxy” for some reason I cannot use a reverse proxy and if I choose “with proxy” the traffic between my proxy and the NC will be unencrypted. The docs say, if I don’t like the traffic being unencrypted I can use a separate container on the same box with e.g. apache or nginx to encrypt traffic between NC and my reverse proxy.

I don’t understand why I cannot just use the full “no reverse proxy” setup that makes the NC accessible via TLS and then put my reverse proxy in front of it (e.g. in the DMZ)?

Cheers
Michael

[szaimen]

Hi,

If I understand the AiO documentation here on github correctly, you can setup NC AiO either for the use with a reverse proxy of for the use without reverse proxy.

If I choose “no proxy” for some reason I cannot use a reverse proxy and if I choose “with proxy” the traffic between my proxy and the NC will be unencrypted. The docs say, if I don’t like the traffic being unencrypted I can use a separate container on the same box with e.g. apache or nginx to encrypt traffic between NC and my reverse proxy.

Correct

I don’t understand why I cannot just use the full “no reverse proxy” setup that makes the NC accessible via TLS and then put my reverse proxy in front of it (e.g. in the DMZ)?

Because in "no reverse proxy" setup, we try to retreive the Lets encrypt certificate automatically and that obviously fails if it is actually running behind a reverse proxy.

[Michael-Hennemann]

Ah, I see.. Thanks for the quick response btw.

Is there a way to automate it via AiO setup? Or do I have to spin up and configure a completely separate container?

[szaimen]

Is there a way to automate it via AiO setup? Or do I have to spin up and configure a completely separate container?

I don't understand the question. You can use any reverse proxy you want if you do not want to use the built-in one: https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

[Michael-Hennemann]

I do have a reverse proxy but it's on a separate machine. (I got a little OPNsense box with HAProxy that fetches a LE cert)
In general I think it's a good idea to encrypt traffic that moves from one machine to another.

So I would need a AiO setup that exposes NC via TLS but uses a self signed cert (or maybe one that I created myself via openssl) instead of trying to get a LE cert

[szaimen]

I see. Currently you need to add the reverse proxy in between yourself. However in theory there could be a community container that does this automatically: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-add-containers.

Maybe https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus allows to create self-signed certificates but I cannot tell.

[Michael-Hennemann]

Great, thanks! I will give it a try! :-)

My setup is more or less for testing and my personal homelab, but I work for an it service provider and I would say that a lot of professional setups would look like that: reverse proxy already in place and used for other publishings and an NC is added to it. So maybe it might be nice to consider adding a corresponding feature in the future. (TLS without LE to encrypt between NC and reverse proxy) :-)

cheers
Michael

[szaimen]

So maybe it might be nice to consider adding a corresponding feature in the future. (TLS without LE to encrypt between NC and reverse proxy) :-)

As I said, this is probably doable with https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-add-containers :)