Want to create a Caddyfile for Caddy2 that references a nextcloud reverse proxy on separate computer

1. Caddy version (caddy version):

v2.4.3

2. How I run Caddy:

Homeassistant Caddy 2 add-on

a. System environment:

HassOS, NextCloud on RPi4 Raspberrypi OS

b. Command:

Want to create a Caddyfile for Caddy2 that references a nextcloud reverse proxy on separate computer

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

https://domain.duckdns.org:port {
        root    * /usr/local/www/nextcloud
        file_server
        log {
                output file     /var/log/nextcloud_access.log
                format single_field common_log
        }

        tls {
                ca https://acme-v02.api.letsencrypt.org/directory
        }

        # php-fpm on the Nextcloud host; Caddy still needs the same files under root for its try_files logic
        php_fastcgi 192.168.1.XX:9000

        header {
                Strict-Transport-Security               "max-age=15768000;"
                X-Content-Type-Options                  "nosniff"
                X-XSS-Protection                        "1; mode=block"
                X-Robots-Tag                            "none"
                X-Download-Options                      "noopen"
                X-Permitted-Cross-Domain-Policies       "none"
                X-Frame-Options                         "SAMEORIGIN"
                Referrer-Policy                         "no-referrer"
        }

        header /core/fonts {
                Cache-Control                           "max-age=604800"
        }

        @phpFiles {
                path_regexp phpfile ^/(remote|public|cron|core/ajax/update|status|ocs/v1|ocs/v2)\.php
        }
        rewrite @phpFiles {http.regexp.phpfile.0}

        # "carddav" has two d's; the misspelled path would never match a client's discovery request
        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path    /.htaccess
                path    /data/*
                path    /config/*
                path    /db_structure
                path    /.xml
                path    /README
                path    /3rdparty/*
                path    /lib/*
                path    /templates/*
                path    /occ
                path    /console.php
        }

        respond @forbidden 404
}

3. The problem I'm having:

My website comes up with a 404 error, I'm sure as it intends - but I can't connect.

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

Do you have the nextcloud files mounted to /usr/local/www/nextcloud on both machines?

Both Caddy and the php-fpm service need access to the files for proper functionality.

Caddy needs it for the try_files behaviour built-in, to determine what kinds of URL rewrites need to be performed.

It looks like my Home Assistant file system is read-only except for opening up Samba share folders to the config files location - should I be mounting the files from the RPi to the Samba shares, and how would I map/redirect the file locations for HassOS?

I would say it would be easier to install Caddy on both machines, and reverse_proxy from the publicly accessible one to the other which is hosting nextcloud, instead of worrying about filesystem stuff.

Iā€™m down to try this method.

So Iā€™d install Caddy on the RPi Nextcloud (Internal) and reverse proxy from the HA add-on of Caddy (External). What would a proxy like this look like to get Nextcloud accepting the http from the HA add-on?

Is this where your code, such as this, comes in?

nextcloud.mydomain.com {
        reverse_proxy https://nextcloud.roadrunner {
                header_up Host {http.reverse_proxy.upstream.hostport}
                header_up X-Forwarded-Host {host}
        }
}

Yeah. You'll probably want to proxy over HTTP and not HTTPS though (because setting up mTLS is complicated and rarely worth the effort)
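What the two-instance layout suggested above can look like, written out as an added example (it is not a config from this thread, the Caddy project, or the Home Assistant add-on). Assumptions: the add-on Caddy on the Home Assistant machine is the public-facing one and keeps the thread's duckdns DNS challenge; a second Caddy on the RPi listens on port 880 and serves Nextcloud directly from /var/www/nextcloud through php-fpm's unix socket at /run/php/php7.4-fpm.sock (both paths are assumed); 192.168.1.XX is the RPi's LAN address, and domain.duckdns.org:port and DUCKDNS_TOKEN are the thread's own placeholders. The two files live on different machines and are shown in one listing only for reading side by side.

```caddyfile
# ---------------------------------------------------------------
# File 1: Caddyfile on the public-facing machine (HA add-on)
# Added example; assumes the duckdns DNS module is built into this
# Caddy, as the add-on config posted earlier already relies on it.
# ---------------------------------------------------------------
{
	email username@mail.com
}

https://domain.duckdns.org:port {
	tls {
		dns duckdns {env.DUCKDNS_TOKEN}
	}

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "no-referrer"
		-Server
	}

	# No scheme and not 8443: TLS terminates here, and the LAN hop to the
	# RPi is plain HTTP on 880. Sending plain HTTP to a TLS port is what
	# yields Apache's "speaking plain HTTP to an SSL-enabled server port" 400;
	# proxying with https:// to a cert the proxy cannot verify yields a 502.
	reverse_proxy 192.168.1.XX:880 {
		# Caddy sets X-Forwarded-For and X-Forwarded-Proto by itself; Nextcloud
		# also wants the original host so it can build absolute URLs.
		header_up X-Forwarded-Host {host}
	}
}

# ---------------------------------------------------------------
# File 2: Caddyfile on the Nextcloud RPi (internal only)
# A bare port as the site address means plain HTTP and no certificate.
# ---------------------------------------------------------------
:880 {
	root * /var/www/nextcloud
	encode gzip

	# Assumed php-fpm socket path; use the one your php-fpm pool actually
	# listens on. front_controller_active enables Nextcloud's pretty URLs.
	php_fastcgi unix//run/php/php7.4-fpm.sock {
		env front_controller_active true
	}
	file_server

	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301

	# Nextcloud ships these rules in .htaccess, which Caddy does not read,
	# so they are restated here; the list mirrors the thread's first config.
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}
	respond @forbidden 404
}
```

Only the first file handles certificates, so nothing on the RPi needs to be reachable from the internet and port 443 on the router stays closed; the RPi side is deliberately unencrypted because it never leaves the LAN. Nextcloud itself still has to be told that the HA machine is a trusted proxy and that the client connection is HTTPS, or it will generate http:// links and reject the forwarded headers.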

If I have a config like this I'm getting a "400 bad request, sent http to https" error on Nextcloud. Is there an easy solution? The port is 443; should I be moving off of that port up to a different one so that the reverse proxy funneling through only expects http?

{
        email username@mail.com
}
(common) {
        tls {
                dns duckdns {env.DUCKDNS_TOKEN}
        }
        header {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "same-origin"
                -Server
                Content-Security-Policy "frame-ancestors domain.duckdns.org:port *.domain.duckdns.org:port"
                Permissions-Policy "geolocation=(self), microphone=()"
        }
}
https://domain.duckdns.org:port {
        import common
        reverse_proxy 192.168.1.XX:443 {
        }
}

I have the ports changed to 880 & 8443 and have a valid cert pulling up for the page the Caddy config is implementing. I'm getting the webpage timing out and have tried changing the reverse proxy setting to https://192.168.1.XX:8443.

I've added the computer that is doing the reverse proxy as a trusted proxy in the config.php and added 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'), and set 'overwriteprotocol' => 'http', (I've actually tried this set to both https and http).

This is a better copy of my Caddyfile:

(common) {
        tls {
                dns duckdns {env.DUCKDNS_TOKEN}
        }
        header {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "same-origin"
                -Server
                Content-Security-Policy "frame-ancestors domain.duckdns.org:port *.domain.duckdns.org:port"
                Permissions-Policy "geolocation=(self), microphone=()"
        }
}
https://domain.duckdns.org:port {
        import common
        reverse_proxy https://192.168.1.XX:8443 {
        }
}

I appreciate your advice Francis. Please, any advice is welcome - I feel like I'm really close.
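For comparison with the config.php settings described in the post above, this is the reverse-proxy section of Nextcloud's config/config.php as the Nextcloud admin manual documents it, written out as an added example; it is not from the thread and is not the poster's file. Assumptions: 192.168.1.ZZ is the Home Assistant machine running the external Caddy (the thread never gives that address), the RPi's Nextcloud listens on 880 over plain HTTP, and domain.duckdns.org:port is the thread's placeholder for the public name. These keys are merged into the existing $CONFIG array, not used as a replacement for it.

```php
<?php
// Added example: proxy-related keys of Nextcloud's config/config.php for an
// instance behind a TLS-terminating Caddy. 192.168.1.ZZ (the proxy host) is
// an assumed address; the thread does not give it.
$CONFIG = array (
  // Every Host header Nextcloud may legitimately receive: the public name the
  // browser uses and the LAN address used for local testing.
  'trusted_domains' => array (
    0 => 'domain.duckdns.org:port',
    1 => '192.168.1.XX:880',
  ),

  // Only the machine running the external Caddy may supply X-Forwarded-* headers.
  // Nextcloud ignores those headers when they arrive from any other address,
  // which is what stops a LAN client from spoofing its source IP.
  'trusted_proxies' => array ('192.168.1.ZZ'),
  'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR'),

  // The hop from Caddy to Apache is plain HTTP, but the browser's connection
  // is HTTPS. 'https' here makes Nextcloud generate https:// links and stops
  // it from reporting the connection as insecure; 'http' is the wrong value
  // for this layout. Talk's WebRTC needs the browser on an https:// origin,
  // which Caddy already provides regardless of this key.
  'overwriteprotocol' => 'https',
  'overwritehost' => 'domain.duckdns.org:port',
  'overwrite.cli.url' => 'https://domain.duckdns.org:port',

  // Apply the overwrite* values only to requests that came through the proxy,
  // so direct LAN access on http://192.168.1.XX:880 keeps working for testing.
  'overwritecondaddr' => '^192\\.168\\.1\\.ZZ$',
);
```

After editing, `sudo -u www-data php occ config:list system` on the RPi shows the effective values; a request through the proxy should then produce https:// links in the page source, while one made directly to http://192.168.1.XX:880 should not.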

So you're running two instances of Caddy now, right? What are the configs for both? What are in your logs on both (make sure to turn on the debug global option to see full logs)?

Hi Francis,

I actually didn't set up Caddy on the other computer yet and can install using the directions from here:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

But what other config would I need to establish the connection correctly?

Really appreciate your advice - Thank you, Daniel

I'm confused as to where you're at, at this point. Could you recap what you have set up now? It would help if you paint a picture of your networking setup and what you're trying to do.

Sure, I have the Caddy2 add-on for HA set up on a HassOS VM on a Mac, serving a reverse proxy to a separate RPi with the Nextcloud instance moved to ports 880 and 8443. I can access my unsecured login from the local network via https://ip_address:8443. When I access the network by the external domain name using a browser I get a blank screen, and using curl I get a 502 Bad Gateway message, Server: Caddy, Content-Length: 0.

My goal is to have the external site be secure for accessing Nextcloud Talk feature and not have to open up port 443 on the router as you would if you were having Nextcloud do the letsencrypt route. I also think in network design, I would want my external domain to have the certs for ssl and my internal network to communicate over https but not be using ssl.

I'm not quite sure how a secondary Caddy server on the Nextcloud RPi would help to accomplish the handshake between the 2 servers - ahhhh, unless you just mean set up a separate Caddy for the Nextcloud all by itself and not have it worry about the Caddy on the HA server, of course that makes sense. Same technology, just reduce the middle routes altogether.

I think that I want to use the config of the Caddyfile from the 1st comment, but insert "localhost" - is it port 9000 or 8443 for Nextcloud? All examples I've seen have port 9000 used and I'm not sure if that is correct for my instance.

I'm not sure where the Caddyfile is stored and how to reference it when you type caddy run?

I've figured out how to save the Caddyfile and use it; now I'm wondering if I want the initial config that has the config for Nextcloud adapted off of someone in the community's V1 to V2 file, or if I want to simply have the reverse proxy setting?

Hi Francis,

I have Caddy running on the Nextcloud server and it issued a cert for the reverse proxy, but the website is saying 400 bad request, you're speaking plain http to an SSL-enabled server port.

Any idea what's the culprit?

Thank you,
Daniel

Should I run the reverse proxy to https://127.0.0.1:8443?

See this article:

Once you're in your own network, there's no reason to proxy over HTTPS, unless you have reason to believe something could intercept requests between Caddy and your upstream, maliciously.

Do I then setup my Nextcloud instance to not be SSL secured in apache2 and how does that affect things like talk that require ssl configuration?

It's Caddy's job to encrypt connections between itself and the clients (browsers). Once the request reaches Caddy, it's inside of your own network. It doesn't need to be re-encrypted to communicate with Apache.

But the Nextcloud instance is https with the domain set up and the SSL cert file and key established, and the reverse proxy is http on the local domain - so I'm getting the error. Do I need to take the SSL setting off of the apache2 instance running my Nextcloud, and if I do that, does that take off the security that is required to run the Talk add-on?