Solution:
- trusted_proxies as a snippet, call it under every reverse_proxy
- I didn’t have tls internal set up, so I added that in. Works fine now.
- SSL/TLS set to Full in Cloudflare
Updated to 2.5 and the trusted_proxies change is messing with my setup. I do use Cloudflare proxy in front of my setup, and am trying to figure out where the trusted_proxy block needs to go. My Google-fu is failing and it doesn’t seem to have a good page in the wiki.
Something like this in global options:
trusted_proxies {
	173.245.48.0/20
	103.21.244.0/22
	103.22.200.0/22
	103.31.4.0/22
	141.101.64.0/18
	108.162.192.0/18
	190.93.240.0/20
	188.114.96.0/20
	197.234.240.0/22
	198.41.128.0/17
	162.158.0.0/15
	104.16.0.0/13
	104.24.0.0/14
	172.64.0.0/13
	131.0.72.0/22
}
What I have now (before the update):
# Shared security headers, defined as a snippet
(headers) {
	header {
		Strict-Transport-Security max-age=31536000;
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		Referrer-Policy no-referrer-when-downgrade
		X-XSS-Protection 1
	}
}

# Collabora Online: only proxy the paths the client actually uses
collabora.$DOMAIN {
	encode gzip
	@collabora {
		path /loleaflet/*
		path /hosting/discovery
		path /hosting/capabilities
		path /lool/*
	}
	reverse_proxy @collabora 172.16.0.112:9980
}

# Nextcloud; the :8080 Caddyfile for this upstream follows below
drive.$DOMAIN {
	reverse_proxy 172.16.0.252:8080
}

family.$DOMAIN {
	reverse_proxy 172.16.0.169:8080
}
Then for Nextcloud (drive.$DOMAIN), this is the Caddyfile:
:8080 {
	root * /srv/nextcloud
	file_server
	encode gzip zstd
	php_fastcgi unix//run/php/php8.0-fpm.sock
	header {
		Strict-Transport-Security max-age=31536000;
	}

	# CalDAV/CardDAV service discovery
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301

	# Never serve Nextcloud's internal files or the data directory
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}
	respond @forbidden 404
}
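For anyone landing here later, this is what the marked solution at the top looks like as one complete front Caddyfile for Caddy 2.5. It is an added example written from the post above, not the original poster's file: the Cloudflare ranges are the ones listed in the post, the upstream addresses and the $DOMAIN placeholder are the poster's, and the snippet name `cloudflare` is my choice. The point of the 2.5 change is that `reverse_proxy` now believes `X-Forwarded-For` only from addresses you list, so the list has to be attached to every `reverse_proxy`, which is what importing the snippet inside each block does.

```caddyfile
# Added example (not the original poster's Caddyfile): the marked solution
# above, written out for Caddy 2.5. Upstreams and $DOMAIN come from the post;
# the snippet name "cloudflare" is an assumption.

# Cloudflare's IPv4 edge ranges as listed in the post. In Caddy 2.5
# trusted_proxies is a reverse_proxy subdirective, so the snippet is imported
# inside each reverse_proxy block rather than placed in global options.
# Only these sources may set X-Forwarded-For; a client that reaches the
# origin directly cannot spoof its IP this way.
(cloudflare) {
	trusted_proxies 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
		141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
		197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
		104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
}

collabora.$DOMAIN {
	# Cloudflare's "Full" SSL/TLS mode connects to the origin over HTTPS but
	# accepts Caddy's internally issued certificate, so no public ACME
	# certificate is needed behind the proxy.
	tls internal
	encode gzip
	@collabora {
		path /loleaflet/*
		path /hosting/discovery
		path /hosting/capabilities
		path /lool/*
	}
	reverse_proxy @collabora 172.16.0.112:9980 {
		import cloudflare
	}
}

drive.$DOMAIN {
	tls internal
	reverse_proxy 172.16.0.252:8080 {
		import cloudflare
	}
}

family.$DOMAIN {
	tls internal
	reverse_proxy 172.16.0.169:8080 {
		import cloudflare
	}
}
```

Two checks worth doing with this layout. First, the ranges above are IPv4 only; if Cloudflare reaches your origin over IPv6, its IPv6 ranges (published alongside the IPv4 list at https://www.cloudflare.com/ips/) need to be in the snippet too, and the list should be rechecked whenever Cloudflare updates it, otherwise requests from an unlisted edge arrive with the edge's address as the client IP. Second, `trusted_proxies` only decides whose forwarding headers Caddy believes; it does not stop someone from bypassing Cloudflare and hitting the origin directly, so restricting inbound 443 on the origin to the same Cloudflare ranges is a separate firewall step. "Full" mode also does not validate the origin certificate; "Full (strict)" would, but then `tls internal` no longer suffices.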