Technitium DNS server zone high-availability

on
0

Oracle Cloud VPS: NextCloud Reverse Proxy with Nginx and Wireguard

on

Nextcloud is a suite of client-server software for creating and using file hosting services. It is enterprise-ready with comprehensive support options. Being free and open-source software, anyone is allowed to install and operate it on their own private server devices.

Today, let setup a reverse proxy using Nginx on Oracle Cloud and proxy pass your local NextCloud instance with wireguard VPN connection.

1. Setup an Ubuntu 22.04 instance in Oracle Cloud free tier. I am using the wireguard auto setup script to setup the wireguard VPN connection.

2. Allow wireguard 51280/UDP, HTTP 80/TCP and HTTPS 443/TCP port in iptables and Oracle Cloud's VCN firewall rules. The wireguard auto setup script will take care of the iptables rule for 51820/UDP, so no need to manually allow it.

sudo nano /etc/iptables/rules.v4

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

3. Install and setup wireguard service on your local nextcloud instance.

4. Install nginx web server as reverse proxy.

sudo apt-get install nginx

5. Disable nginx's default configuration.

sudo rm /etc/nginx/sites-enabled/default

6. Create nginx reverse proxy configuration to redirect all incoming HTTP connection to your local nextcloud via the wireguard private network. Register a valid FQDN with your VPS instance public IP.

sudo nano /etc/nginx/sites-available/nextcloud.conf

server {
    listen 80;
    listen [::]:80;
   
    server_name nextcloud.your_domain.com;

    location / {
        proxy_pass http://10.7.0.2; # point to your nextcloud's VPN ip
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}

7. Double check the nginx configuration is correct and restart the service afterward.

sudo ln -s  /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/nextcloud.conf
sudo nginx -t
sudo systemctl restart nginx

8. Setup trusted domain for your local nextcloud instance with the VPS public IP and FQDN.

sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 1 --value="your_VPS_public_IP"
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 2 --value="your_VPS_FQDN"

9. Access your local nextcloud using the VPS's FQDN in browser.

10. Let setup nginx's reverse proxy with SSL termination. Create a selfsigned SSL certificate. Skip this if you prefer to use Let's Encrypted free SSL certificate.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096

11. Edit /etc/nginx/sites-available/nextcloud.conf with below settings. Restart nginx service with the new settings.

server {
    listen 80;
    listen [::]:80;

    server_name nextcloud.your_domain.com;

    return 301 https://$server_name$request_uri;
}
server {
    # HTTPS with http2 support.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    server_name nextcloud.your_domain.com;
    
    # Using snakeoil cert from ssl-cert package.
    #ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    #ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    
    # Using custom selfsigned cert.
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    
    # Use custom Diffie-Hellman parameters.
    ssl_dhparam /etc/nginx/dhparams.pem;
    
    # Enable TLS session caching. Not needed when using let's encrypted cert.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    
    # Enable strong TLS ciphers and protocols. Not needed when using let's encrypted cert.
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    
    # Enable HTTP Strict Transport Security.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Enable OCSP stapling mechanism. Not apply to selfsigned cert.
    #ssl_stapling on;
    #ssl_stapling_verify on;

    location / {
        proxy_pass http://10.7.0.2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}

12. To use Let's Encypted free SSL certificate. Install certbot and use it to request the SSL certificate.

sudo apt-get install python3-certbot-nginx
sudo certbot --nginx

13. Force your local nextcloud instance to use HTTPS connection.

sudo -u www-data php /var/www/nextcloud/occ config:system:set overwriteprotocol --value="https"

14. Access your local nextcloud again using the VPS's FQDN in browser. It should auto redirect to HTTPS connection.

15. With reverse proxy, fail2ban will not detect the real IP. Configure below on your local nextcloud instance. Ignore this if you are not using fail2ban on your local nextcloud instance.

sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_proxies 0 --value="your_NGINX_VPN_IP"
sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_proxies 1 --value="your_VPS_public_IP"
sudo -u www-data php /var/www/nextcloud/occ config:system:set forwarded_for_headers 0 --value="HTTP_X_FORWARDED_FOR"

Comments

Post a Comment