Reverse_Proxy to NextCloud

1. My Caddy version (caddy version):

v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

2. How I run Caddy:

mynextcloud. example.com:443 {
encode gzip
reverse_proxy 192.168.0.222:443
}

mynextcloud. example. com:80 {
encode gzip
reverse_proxy 192.168.0.222:80
}

and/or

mynextcloud. example.com {
encode gzip
reverse_proxy 192.168.0.222
}

a. System environment:

FreeNAS Jail

nextcloud is serving using Caddy v1

b. Command:

paste command here

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

mywordpress. example. com {
        root *  /usr/local/www/wordpress
        log     /var/log/caddy_log.log

        encode gzip
        php_fastcgi 127.0.0.1:9000

        # Prevent malicious PHP uploads from running
        @uploads {
          path_regexp path /uploads\/(.*)\.php
        }
        rewrite @uploads /

        @wp-admin {
          path  not ^\/wp-admin/*
        }
        rewrite @wp-admin {path}/index. php?{query}
        file_server
}
mynextcloud. example. com {
            encode gzip
            reverse_proxy 192.168.0.222
            }

3. The problem I’m having:

I am getting this error

4. Error messages and/or full log output:

2020/05/01 12:39:54.282 ERROR http.log.access handled request {“request”: {“method”: “GET”, “uri”: “/csrftoken”, “proto”: “HTTP/2.0”, “remote_addr”: “13.240.21.236:51627”, “host”: “mynextcloud.example.com”, “headers”: {“Sec-Fetch-Mode”: [“cors”], “Accept-Encoding”: [“gzip, deflate, br”], “Cookie”: [“oc_sessionPassphrase=ltyBz4Fw505SdSMdbZWKJz7h5LnoyxaAETc3OaiNOs6u3lCIUqNrT2rJrfrhZz5QEowqNJD9j%2FTJSBtPmfL7yEsW2KPl70mNHPwG5IuMY3%2BHbH5%2FOCn4CoNptc2h4TOK; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oclh1bbj34to=rhea66ecem4t7cuk73evhj41f2; nc_username=ilias; nc_token=EE3yTQbBUtQK63f4vgisIs9xffVPf9J5; nc_session_id=rhea66eeem4t7cuk73evhj41f2”], “Sec-Fetch-Site”: [“same-origin”], “Requesttoken”: [“kSSMyz2KnkpJToA8K6WshkjIa/hJtsRlOCPFR5CGOy4=:vlS88nrj1QcdIe9KaMr+0yaeDr4G/Iwqb0KTJP7eVH0=”], “X-Requested-With”: [“XMLHttpRequest”], “User-Agent”: [“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36”], “Ocs-Apirequest”: [“true”], “Sec-Fetch-Dest”: [“empty”], “Accept-Language”: [“en-US,en;q=0.9”], “Accept”: ["/"]}, “tls”: {“resumed”: false, “version”: 772, “ciphersuite”: 4867, “proto”: “h2”, “proto_mutual”: true, “server_name”: “mynextcloud.example.com”}}, “common_log”: “43.240.21.236 - - [01/May/2020:20:39:54 +0800] “GET /csrftoken HTTP/2.0” 502 0”, “latency”: 0.001126973, “size”: 0, “status”: 502, “resp_headers”: {“Server”: [“Caddy”]}}`

5. What I already tried:

I will open port 80 to port 443 back to nextcloud
I don’t know what to do next.

6. Links to relevant resources:

-none-

Sidenote: I have to add a space to the above test. example. com because it keeps saying “new user can put link 4 max”

Thank you everyone.
I seem to be able to figure it out, taking some samples from other posts.
It seems to work fine now after some mods:

mynextcloud.example.com {
            encode gzip
            @nextcloud {
                header Host {http.request.host}
                header X-Real-IP {http.request.remote}
                header X-Forwarded-For {http.request.remote}
                header X-Forwarded-Port {http.request.port}
                header X-Forwarded-Proto {http.request.scheme}
                header X-Forwarded-For {remote_host}
                }
            reverse_proxy @nextcloud 192.168.0.222
    }

I don’t think that does what you think it does. I’d actually be surprised if that config works.

@nextcloud declares a request matcher. Essentially you’re saying:

if the Host header is {http.request.host}
or if the X-Real-IP header is {http.request.remote}
… etc
then proxy to 192.168.0.222

The Host header will always be equal to {http.request.host}, because that placeholder takes its value from the original request!

I think you were reading examples using the header_up subdirective that look something like this:

reverse_proxy 192.168.0.222 {
    header_up X-Real-IP {http.request.remote}
    ...
}

There’s a big difference here: that means “pass the X-Real-IP header to the proxied service”. This does make more sense and has a purpose, but I don’t think it’s necessary for you here.

I’m pretty certain the following should work, and the issue you were seeing in your top post must’ve been something else:

mynextcloud.example.com {
    encode gzip
    reverse_proxy 192.168.0.222
}

This just says “always proxy to 192.168.0.222”. Simple.

mynextcloud.example.com {
    encode gzip
    reverse_proxy 192.168.0.222
}

The simple reverse_proxy doesn’t work. I keep getting the error message as shown above.

mynextcloud.example.com {
            encode gzip
            @nextcloud {
                header Host {http.request.host}
                header X-Real-IP {http.request.remote}
                header X-Forwarded-For {http.request.remote}
                header X-Forwarded-Port {http.request.port}
                header X-Forwarded-Proto {http.request.scheme}
                header X-Forwarded-For {remote_host}
                }
            reverse_proxy @nextcloud 192.168.0.222
    }

This one, on the other hand, actually works. Even the Nextcloud app works too. Won’t change it if it is not broken. :smiley: (hope there are not any vulnerabilities … :rofl:)

Well, you are right. It only works in local, but not from the WAN side.

Help.

I cannot use header_up
root@wordpress:/usr/local/www # caddy adapt
2020/05/01 18:21:08.021 INFO using adjacent Caddyfile
adapt: getting matcher module ‘header_up’: module not registered: http.matchers.header_up
root@wordpress:/usr/local/www #

This means you’re placing header_up in the wrong place. You can’t put it inside a matcher block, it needs to go inside of the reverse_proxy directive’s block. Please re-read my post above.


Caddyfile :

1****.duckdns.org {
    encode gzip
    reverse_proxy 192.168.0.222
}

test.xxxx.my {
        root *  /shop
        log {
             output file /var/log/caddy_log.log
             }

        encode gzip
        php_fastcgi 127.0.0.1:9000

        # Prevent malicious PHP uploads from running
        @uploads {
          path_regexp path /uploads\/(.*)\.php
        }
        rewrite @uploads /

        @wp-admin {
          path  not ^\/wp-admin/*
        }
}

Error :

2020/05/05 00:41:46.346 ERROR http.log.access handled request {“request”: {“method”: “GET”, “uri”: “/”, “proto”: “HTTP/2.0”, “remote_addr”: “43.240.21.236:51954”, “host”: “1xxxxx.duckdns.org”, “headers”: {“Sec-Fetch-User”: ["?1"], “Accept-Encoding”: [“gzip, deflate, br”], “User-Agent”: [“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36”], “Accept”: [“text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9”], “Sec-Fetch-Site”: [“none”], “Accept-Language”: [“en-US,en;q=0.9”], “Upgrade-Insecure-Requests”: [“1”], “Sec-Fetch-Mode”: [“navigate”], “Sec-Fetch-Dest”: [“document”]}, “tls”: {“resumed”: false, “version”: 772, “ciphersuite”: 4867, “proto”: “h2”, “proto_mutual”: true, “server_name”: “1xxxx.duckdns.org”}}, “common_log”: “43.240.21.236 - - [05/May/2020:08:41:46 +0800] “GET / HTTP/2.0” 500 0”, “duration”: 0.000097752, “size”: 0, “status”: 500, “resp_headers”: {“Server”: [“Caddy”]}}`

Any advice on how I can fix this?

That’s an access log (http.log.access), but is there an error log (http.log.error)? If not, it’s probably your backend that is returning 500.

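The check suggested in the reply above (is there an http.log.error entry alongside the 5xx access entry?) can be scripted over a Caddy v2 log. This is an added example, not code from the thread or from the Caddy project; the sample log lines, the example.com hostnames, the error message text and the one-second matching window are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the Caddy v2 log lines quoted in this thread
# (timestamp, level, logger, message, JSON fields). Hosts and values are made up.
SAMPLE_LOG = """\
2020/05/05 00:41:14.478 info http.log.access.log0 handled request {"request": {"method": "GET", "uri": "/", "host": "shop.example.com"}, "status": 200, "size": 5862}
2020/05/05 00:41:46.345 ERROR http.log.error dial tcp 192.168.0.222:80: connect: connection refused {"request": {"method": "GET", "uri": "/csrftoken", "host": "cloud.example.com"}}
2020/05/05 00:41:46.346 ERROR http.log.access handled request {"request": {"method": "GET", "uri": "/csrftoken", "host": "cloud.example.com"}, "status": 502, "size": 0}
2020/05/05 00:42:10.120 ERROR http.log.access handled request {"request": {"method": "GET", "uri": "/", "host": "cloud.example.com"}, "status": 500, "size": 0}
"""

LINE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(.*?)\s*(\{.*\})$")

def parse(text):
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, logger, msg, fields = m.groups()
        try:
            data = json.loads(fields)
        except json.JSONDecodeError:
            continue  # e.g. a line whose quotes were mangled by copy and paste
        entries.append({"ts": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f"),
                        "logger": logger, "msg": msg, "data": data})
    return entries

def same_request(a, b):
    ra, rb = a["data"].get("request", {}), b["data"].get("request", {})
    return (ra.get("host"), ra.get("uri")) == (rb.get("host"), rb.get("uri"))

def triage_5xx(text, window=timedelta(seconds=1)):
    """For every 5xx access entry, look for an http.log.error entry for the same request."""
    entries = parse(text)
    errors = [e for e in entries if e["logger"].startswith("http.log.error")]
    findings = []
    for e in entries:
        status = e["data"].get("status", 0)
        if not e["logger"].startswith("http.log.access") or status < 500:
            continue
        hit = next((x for x in errors
                    if abs(x["ts"] - e["ts"]) <= window and same_request(x, e)), None)
        findings.append({"uri": e["data"]["request"]["uri"], "status": status,
                         "raised_by": "caddy" if hit else "backend (probable)",
                         "error": hit["msg"] if hit else None})
    return findings
```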

Where can I find the access log?

root@wordpress:/var/log # ls -al
total 269
drwxr-xr-x   6 root   wheel        30 May  7 03:50 .
drwxr-xr-x  25 root   wheel        25 May  1 21:40 ..
-rw-------   1 root   wheel       139 May  1 21:53 auth.log
-rw-r--r--   1 root   wheel      1704 May  5 08:41 caddy_log.log
-rw-------   1 root   wheel     38662 May  7 03:50 cron
drwxr-xr-x   2 root   wheel         2 May  1 05:34 cups
-rw-------   1 root   wheel       272 Apr 25 12:31 debug.log
-rw-r--r--   1 root   wheel        66 Apr 25 11:42 devd.log
-rw-------   1 root   www      403496 May  7 03:06 dmesg.today
-rw-------   1 root   www      365473 May  6 03:05 dmesg.yesterday
-rw-r--r--   1 root   wheel        66 Apr 25 11:42 lpd-errs
-rw-r-----   1 root   wheel    375956 May  7 03:50 maillog
-rw-r--r--   1 root   wheel     16696 May  5 12:37 messages
-rw-------   1 root   wheel        59 Apr 26 03:02 mount.today
drwxr-xr-x   2 root   wheel         4 Apr 28 22:55 nginx
-rw-------   1 root   wheel     49474 May  3 01:12 php-fpm.log
-rw-r-----   1 root   network      66 Apr 25 11:42 ppp.log
drwxr-xr-x   2 redis  redis         2 Apr 24 00:21 redis
drwxr-xr-x   2 root   wheel         2 May  1 05:34 samba4
-rw-------   1 root   wheel        66 Apr 25 11:42 security
-rw-r-----   1 root   wheel         0 May  2 12:00 sendmail.st
-rw-r-----   1 root   wheel         0 May  2 12:00 sendmail.st.0
-rw-r-----   1 root   wheel         0 Apr 25 12:00 sendmail.st.1
-rw-------   1 root   www        3539 May  2 03:03 setuid.today
-rw-------   1 root   wheel      3304 Apr 26 03:02 setuid.yesterday
-rw-------   1 root   wheel      1066 May  1 05:34 userlog
-rw-r--r--   1 root   wheel         0 Apr 25 11:42 utx.lastlogin
-rw-r--r--   1 root   wheel        22 May  1 21:40 utx.log
-rw-r--r--   1 root   wheel        55 May  1 05:00 utx.log.0
-rw-------   1 root   wheel        66 Apr 25 11:42 xferlog

Your access log for xxxxx.my is at /var/log/caddy_log.log. (That’s what your config says, anyway.)

root@wordpress:/var/log # cat caddy_log.log
2020/05/05 00:41:14.478 info    http.log.access.log0    handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "179.43.169.182:39240", "host": "test.petua.my", "headers": {"User-Agent": ["Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0"], "Accept-Encoding": ["gzip"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "test.petua.my"}}, "common_log": "179.43.169.182 - - [05/May/2020:08:41:14 +0800] \"GET / HTTP/2.0\" 200 5862", "duration": 0.990672023, "size": 5862, "status": 200, "resp_headers": {"Vary": ["Accept-Encoding"], "Server": ["Caddy"], "X-Powered-By": ["PHP/7.3.17"], "Content-Type": ["text/html; charset=UTF-8"], "Link": ["<https://shop.petua.my/wp-json/>; rel=\"https://api.w.org/\""], "Content-Encoding": ["gzip"]}}
2020/05/05 00:41:14.493 info    http.log.access.log0    handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "179.43.169.182:39240", "host": "test.petua.my", "headers": {"User-Agent": ["Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0"], "Accept-Encoding": ["gzip"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "test.petua.my"}}, "common_log": "179.43.169.182 - - [05/May/2020:08:41:14 +0800] \"GET / HTTP/2.0\" 200 5862", "duration": 1.006009418, "size": 5862, "status": 200, "resp_headers": {"Content-Type": ["text/html; charset=UTF-8"], "Link": ["<https://shop.petua.my/wp-json/>; rel=\"https://api.w.org/\""], "Content-Encoding": ["gzip"], "Vary": ["Accept-Encoding"], "Server": ["Caddy"], "X-Powered-By": ["PHP/7.3.17"]}}
root@wordpress:/var/log #

But that is all I got.

Edit: hey, the output is nicely displayed here. It doesn’t work on my notepad!
