Oracle Cloud VPS: NextCloud Reverse Proxy with Caddy and Tailscale

Recently I showed how to set up an Ubuntu cloud VPS on Oracle Cloud's free tier with Nginx as a reverse proxy, so that you can reach your personal Nextcloud server through a WireGuard VPN connection without any port forwarding on your local network.

Today I will configure a similar setup using the Tailscale VPN service and the Caddy web server as the reverse proxy, again on an Ubuntu cloud VPS on Oracle Cloud's free tier (or any other cloud provider).

1. Set up an Ubuntu 22.04 full or minimal instance on Oracle Cloud or any other cloud provider.

2. Allow ingress TCP 80 (HTTP) and 443 (HTTPS) connections in iptables (/etc/iptables/rules.v4) and in Oracle Cloud's VCN firewall for your Ubuntu cloud instance. Skip this step if your cloud instance does not block HTTP and HTTPS connections by default.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

3. Register and log in to Tailscale; I will be using the free tier account for this setup. Create a single-use or reusable authentication key.

4. Follow the official guide to install the Tailscale client on your Ubuntu cloud instance and on your Nextcloud server.

5. Register both servers to the Tailscale VPN network using the generated authentication key.

sudo tailscale up --authkey your_tailscale_authentication_key

6. Double-check that both servers show up in your Tailscale network, each with its own dedicated Tailscale IP.

7. Install Caddy on your Ubuntu cloud instance as the reverse proxy for your Nextcloud server. Follow Caddy's official documentation for the installation.

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt-get update
sudo apt-get install caddy

8. Customize /etc/caddy/Caddyfile with the configuration below. Register your Ubuntu cloud instance's public IP with a valid FQDN (I am using no-ip.com) and use that FQDN as the site address in the Caddy configuration.

# Replace the FQDN with your own
your.server.com:80 {
    # Enable caddy logging
    #log {
    #    output file /var/log/caddy/your.server.com.access.log {
    #        roll_size 10mb
    #        roll_keep 20
    #        roll_keep_for 720h
    #    }
    #}

    # Enable reverse proxy
    reverse_proxy http://your_nextcloud_tailscale_IP
    
    # Nextcloud CalDAV or CardDAV setup
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
}

9. Restart the Caddy service and double-check that you can reach your Nextcloud instance via the registered FQDN.

sudo systemctl restart caddy

10. If you encounter a trusted_domain error from Nextcloud, add your FQDN to trusted_domains in your Nextcloud's config/config.php.

sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 1 --value="your.server.com"

11. Caddy supports automatic provisioning and renewal of TLS certificates. Edit /etc/caddy/Caddyfile to use a free Let's Encrypt TLS certificate and listen on port 443. Caddy requires a valid email address of yours to register the TLS certificate.

{
    # Enable below to use Let's Encrypt's staging TLS cert for testing
    #acme_ca "https://acme-staging-v02.api.letsencrypt.org/directory"
    email your_email@your_domain.com
}

# Replace the FQDN with your own
your.server.com:443 {
    # Enable caddy logging
    #log {
    #    output file /var/log/caddy/your.server.com.access.log {
    #        roll_size 10mb
    #        roll_keep 20
    #        roll_keep_for 720h
    #    }
    #}

    # Enable reverse proxy
    reverse_proxy http://your_nextcloud_tailscale_IP

    # Enable HTTP Strict Transport Security
    header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    
    # Nextcloud CalDAV or CardDAV setup
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
}

12. Add your reverse proxy's Tailscale IP to trusted_proxies on your Nextcloud server. This also makes Nextcloud record the real client IP behind the reverse proxy, which the fail2ban setup depends on.

sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_proxies 0 --value="your_reverse_proxy_tailscale_IP"
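As an added check for step 12 (example code written for this post, not from the Nextcloud or Caddy projects): a small Python audit that reads Nextcloud's JSON-lines log, counts failed logins per client IP, and flags any failure attributed to the reverse proxy's own Tailscale address. The log sample and the proxy IP 100.101.102.103 are constructed placeholders. If failures show up under the proxy address, trusted_proxies is not taking effect and fail2ban would ban the proxy instead of the attacker, locking every user out.

```python
import json
from collections import Counter

# Constructed sample of Nextcloud's JSON-lines log (data/nextcloud.log),
# trimmed to the fields relevant here. Placeholder addresses only:
# 100.101.102.103 stands in for the reverse proxy's Tailscale IP.
SAMPLE_LOG = """\
{"reqId":"a1","level":2,"time":"2024-01-01T10:00:00+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"a2","level":2,"time":"2024-01-01T10:00:05+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"a3","level":2,"time":"2024-01-01T10:01:00+00:00","remoteAddr":"100.101.102.103","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '100.101.102.103')"}
{"reqId":"a4","level":1,"time":"2024-01-01T10:02:00+00:00","remoteAddr":"198.51.100.9","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"not a login event"}
"""


def audit_login_failures(log_text, proxy_ip):
    """Summarise failed logins and flag those attributed to the proxy itself.

    Returns (failures_per_ip, proxy_attributed): failures_per_ip counts
    'Login failed' events by remoteAddr; proxy_attributed lists the reqIds
    whose remoteAddr equals the proxy's Tailscale IP, meaning Nextcloud did
    not honour X-Forwarded-For (trusted_proxies missing or wrong).
    """
    failures = Counter()
    proxy_attributed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # fail2ban's Nextcloud filter keys on this message from the core app
        if entry.get("app") != "core" or not entry.get("message", "").startswith("Login failed"):
            continue
        addr = entry.get("remoteAddr", "")
        failures[addr] += 1
        if addr == proxy_ip:
            proxy_attributed.append(entry["reqId"])
    return dict(failures), proxy_attributed


if __name__ == "__main__":
    per_ip, bad = audit_login_failures(SAMPLE_LOG, "100.101.102.103")
    print("failed logins per client IP:", per_ip)
    if bad:
        print("WARNING: failures attributed to the proxy, check trusted_proxies:", bad)
```

On a real server, replace SAMPLE_LOG with the contents of your data directory's nextcloud.log and pass the proxy's actual Tailscale IP.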