Solved Nginx, Jail, Nextcloud : I Need Help !

Hello from France !

I need your help to achieve the configuration that I'm trying to test: I want to secure my server by working with a jail.

I have:
  • a FreeBSD Host 13.1 (ip=192.168.1.120) with an nginx;
  • a jail (ip=10.7.16.101) with nginx, php-fpm for Nextcloud 26 in a subdirectory /nextcloud.
My problem is that Nextcloud doesn't work normally...

This is the nginx config file of the host:
Code:
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        include       /usr/local/etc/nginx/mime.types;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        location /nextcloud {
            proxy_set_header Host               $host; #gp
            proxy_set_header X-Real-IP          $remote_addr; #gp
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Server $server_name;
            proxy_pass http://10.7.16.101;
        }
    }
}
This is the nginx config file of the jail:
Code:
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    upstream php-handler {
        server 127.0.0.1:9000;
    }

    map $arg_v $asset_immutable {
        "" "";
        default "immutable";
    }

    server {
        listen       80;
        server_name  10.7.16.101;

        root /usr/local/www/nextcloud;

        server_tokens off;
        client_max_body_size 512M;
        client_body_timeout 300s;
        fastcgi_buffers 64 4K;
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        client_body_buffer_size 512k;
        fastcgi_hide_header X-Powered-By;

        include /usr/local/etc/nginx/mime.types;
        types {
            text/javascript js mjs;
        }

        index index.php index.html /index.php$request_uri;

        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location ^~ /.well-known {
            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

            return 301 /index.php$request_uri;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        location ~ \.php(?:$|/) {
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;

            fastcgi_max_temp_file_size 0;
        }

        # Serve static files
        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
            access_log off;     # Optional: Don't log access to assets

            location ~ \.wasm$ {
                default_type application/wasm;
            }
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

This is the config file of Nextcloud:
Code:
<?php
$CONFIG = array (
  'overwritehost' => '192.168.1.120', 
  'overwritewebroot' => '/nextcloud',
  'trusted_domains' =>
  array (
    0 => '10.7.16.101',
    2 => '192.168.1.120',
  ),
  'overwrite.cli.url' => 'http://192.168.1.120/nextcloud',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => 'oc1lgk4z97b8',
);

When I try to access 192.168.1.120/nextcloud, I get this:

[Screenshot attachment: Capture d’écran 2023-06-10 151759.jpeg]

I don't know how to solve the errors that appear...

Any idea/advice?

Many thanks in advance !
 
Nextcloud seems to be running. So you managed the hard part already?

I suspect that the problem is somewhere in your proxy setting. Or your jail doesn't have proper internet access and can't load external css stuff.

You could try to directly forward http/https traffic to your jail via pf. That way you can simplify your setup and make sure that nextcloud itself is running properly.

You can always figure out how to proxy it later.
 
So, I have:
  • stopped the host nginx;
  • added this rule to pf.conf: rdr pass on $ext_if inet proto tcp from any to any port 80 -> 10.7.16.101
No change: same errors?

Any idea?
 
I'm gonna guess the error is in here somewhere
Code:
    # Serve static files
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

Try commenting out the access_log off; temporarily and see if you get errors in the logs. I suspect these are all 404s.
 
Well, in the same way, from your guess, I've commented out the try_files and yes, there are 404s!

[Screenshot attachment: Capture d’écran 2023-06-11 204628.jpeg]

All rights on all files are good...
 
Right, so anything in the access logs after you commented out the access_log off; bit?

Also, those URLs look different. Before you had patterns like .../nextcloud/core/css... now you have .../nc/core/css...
 
Yes, I have made a new installation to see if it was a problem with the directory used.
Same thing with Nextcloud installed via pkg or nc installed with git.

And yes, those errors show up in the access.log.
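The thread ends up diagnosing the problem from the jail's access.log. As an added example (not code from the thread or from Nextcloud), this Python script parses nginx combined-format log lines, groups the 404s by first path segment, and flags the case where every 404 carries a subdirectory prefix that the backend serves fine without it; the sample log lines are constructed, and it assumes the jail's nginx uses the default combined log_format.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: a jail access.log after "access_log off" is removed from
# the static-file location, with the host forwarding the /nextcloud prefix as-is.
SAMPLE_LOG = """\
192.168.1.120 - - [11/Jun/2023:20:46:10 +0200] "GET /nextcloud/index.php HTTP/1.0" 200 1523 "-" "Mozilla/5.0"
192.168.1.120 - - [11/Jun/2023:20:46:11 +0200] "GET /nextcloud/core/css/server.css?v=1 HTTP/1.0" 404 153 "-" "Mozilla/5.0"
192.168.1.120 - - [11/Jun/2023:20:46:11 +0200] "GET /nextcloud/core/js/main.js?v=1 HTTP/1.0" 404 153 "-" "Mozilla/5.0"
192.168.1.120 - - [11/Jun/2023:20:46:12 +0200] "GET /nextcloud/apps/theming/css/default.css HTTP/1.0" 404 153 "-" "Mozilla/5.0"
10.7.16.101 - - [11/Jun/2023:20:47:00 +0200] "GET /core/css/server.css?v=1 HTTP/1.1" 200 9421 "-" "curl/8.0"
"""

def parse_line(line):
    """Parse one combined-format record; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string (?v=...)
    return rec

def records(lines):
    return [r for r in map(parse_line, lines) if r]

def not_found_by_prefix(lines):
    """Count 404 responses grouped by the first path segment of the request URI (lines: list of str)."""
    counts = Counter()
    for rec in records(lines):
        if rec["status"] == 404:
            segments = rec["path"].split("/")
            counts["/" + segments[1] if len(segments) > 1 else "/"] += 1
    return dict(counts)

def forwarded_prefix_suspected(lines, prefix):
    """True when every 404 sits under `prefix` and at least one of those paths is served
    with 200 once the prefix is stripped: the backend gets a prefix it does not serve."""
    recs = records(lines)
    missing = {r["path"] for r in recs if r["status"] == 404}
    if not missing or set(not_found_by_prefix(lines)) != {prefix}:
        return False
    served = {r["path"] for r in recs if r["status"] == 200}
    return any(p.startswith(prefix + "/") and p[len(prefix):] in served for p in missing)
```

Run it against the real file with `not_found_by_prefix(open("/var/log/nginx/access.log").read().splitlines())` from inside the jail; a single prefix holding all the 404s points at the proxy path mapping rather than at file permissions.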
 
Well, after much research and testing, I've found my error!

This is my first config:
[Screenshot attachment: 1689055450981.png]

And the solution:
[Screenshot attachment: 1689055488637.png]

The IP address is different because the screenshots are from different test jails!

Thanks for your help !
 
Please don't post pictures of text. Copy/paste the information please.
 