Nginx SSL Certification + Nextcloud +Guacamole

wirestyle22

@dustinb3403 I can understand that thought process. Have to look at some of @JaredBusch's Nextcloud guides to see how he did it.

black3dynamite

I normally create two separate server blocks, one for listening port 80 and another for port 443.
Port 80 always gets redirected to 443.

wirestyle22

@black3dynamite If we use one of my configs as an example:

server {
        client_max_body_size 40M;
        listen 80;
        server_name connect.domain.com;
        return 301 https://$host$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header N-Nginx-Proxy true;
        proxy_redirect off;
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://192.168.1.205:8080/guacamole/;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_buffering off;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Correct? I don't think they need to be two separate server blocks. If there is some kind of benefit to doing it that way let me know.

JaredBusch

@wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

@black3dynamite If we use one of my configs as an example:

server {
        client_max_body_size 40M;
        listen 80;
        server_name connect.domain.com;
        return 301 https://$host$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header N-Nginx-Proxy true;
        proxy_redirect off;
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://192.168.1.205:8080/guacamole/;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_buffering off;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Correct? I don't think they need to be two separate server blocks. If there is some kind of benefit to doing it that way let me know.

Last night you were not redirecting port 80 to 443. You are accepting both and proxying on.

black3dynamite

@wirestyle22

I just preferred to keep them separate.
Here is one of my configs for nextcloud where I use separate server blocks.

upstream backend-nextcloud-demo {
    server nc-demo1:80;
}

server {
        listen 80;
        listen [::]:80;
       
        server_name nc-demo.domain.com;

        return 301 https://$host$request_uri;
}

server {
        client_max_body_size 40M;
        listen 443 http2 ssl;
        listen [::]:443 http2 ssl;

        server_name nc-demo.domain.com;

        ssl on;
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;


        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 1.1.1.1 8.8.8.8 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#       add_header X-Content-Type-Options nosniff;
#       add_header X-Frame-Options SAMEORIGIN;
#       add_header X-Robots-Tag none;
#       add_header X-XSS-Protection "1; mode=block";

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://backend-nextcloud-demo;
                proxy_redirect off;
                proxy_connect_timeout 600;
                proxy_send_timeout 600;
                proxy_read_timeout 600;
                send_timeout 600;
        }

wirestyle22

@jaredbusch said in Nginx SSL Certification + Nextcloud +Guacamole:

@wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

@black3dynamite If we use one of my configs as an example:

server {
        client_max_body_size 40M;
        listen 80;
        server_name connect.domain.com;
        return 301 https://$host$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header N-Nginx-Proxy true;
        proxy_redirect off;
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://192.168.1.205:8080/guacamole/;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_buffering off;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/connect.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/connect.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Correct? I don't think they need to be two separate server blocks. If there is some kind of benefit to doing it that way let me know.

Last night you were not redirecting port 80 to 443. You are accepting both and proxying on.

Right, but the quoted config is how i would redirect. I didn't change the initial post configs.

wirestyle22

@black3dynamite Thanks dude

wirestyle22

Hm. I can still access via http

JaredBusch

@wirestyle22 said in Nginx SSL Certification + Nextcloud +Guacamole:

Hm. I can still access via http

I use a rewrite

server {
    client_max_body_size 40M;
    listen 80;
    server_name nc.domain.com;
    rewrite        ^ https://\$server_name\$request_uri? permanent;
}

wirestyle22

@jaredbusch Hm. I'm getting too many rewrite errors now. Some odd problems occurring. Relative pathing problem?