Назад | Перейти на главную страницу

Nextcloud в тюрьме FreeNAS, обслуживаемой NGINX, за обратным прокси-сервером IIS

Моя среда

Чего я пытаюсь достичь?

Я создал экземпляр Nextcloud в тюрьме FreeNAS, этот экземпляр Nextcloud отлично работает при обращении через локальную сеть через HTTP. Я хочу поставить его в WAN через HTTPS, используя IIS с обратным прокси. Сертификат SSL контролируется IIS. Домен, который я пытаюсь использовать для перенаправления на сервер Nextcloud: nextcloud.MyRedactedDomain.com.

Результат

Примечание 1. Я использовал окно инкогнито, чтобы исключить плохое кеширование предыдущего результата статуса перенаправления или что-либо подобное.

Примечание 2: я ввел URL nextcloud.MyRedactedDomain.com и он перенаправил меня на nextcloud.MyRedactedDomain.com/login так что вроде Nextcloud что-то делает ...

Примечание 3: нет index.php присутствует в URL-адресе, это было, когда я использовал плагин FreeNAS. Я только следовал инструкциям, и этого не было с самого начала. Его также нет, когда я подхожу к нему по локальной сети (что отлично работает). Вставка его в URL-адрес вручную приводит к той же ошибке.

Что я уже сделал?

Настройки

IIS ' web.config правила, влияющие на сервер Nextcloud:

<rule name="HTTPS redirect" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
<rule name="NextCloud reverse proxy" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern=nextcloud.MyRedactedDomain.com" />
    </conditions>
    <action type="Rewrite" url="http://192.168.2.37/{REQUEST_URI}" />
</rule> 

Nextcloud's config.php как сейчас:

<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    ),
    1 => 
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
    ),
  ),
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'trusted_domains' => 
  array (
    0 => '192.168.2.37',
  ),
  'trusted_proxies' => ['192.168.2.11'],
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'pgsql',
  'version' => '19.0.1.1',
  'dbname' => 'REDACTED',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'REDACTED',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'overwrite.cli.url' => 'https://nextcloud.MyRedactedDomain.com',
  'overwritehost'     => 'nextcloud.MyRedactedDomain.com',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^192\.168\.2\.37$',
);

NGINX's nginx.conf как сейчас:

user www;
worker_processes 4;
worker_rlimit_nofile 51200;
error_log /var/log/nginx/error.log;

events {
  worker_connections 1024;
}

http {
  include mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" ';
  access_log /var/log/nginx/access.log main;
  sendfile on;
  keepalive_timeout 65;

  upstream php-handler {
    server 127.0.0.1:9000;
  }

  server {
    listen 80;

    # HEADERS SECURITY RELATED
    add_header Referrer-Policy "no-referrer";

    # HEADERS
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";

    # PATH TO THE ROOT OF YOUR INSTALLATION
    root /usr/local/www/nextcloud/;

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }

    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # BUFFERS TIMEOUTS UPLOAD SIZES
    client_max_body_size 16400M;
    client_body_buffer_size 1048576k;
    send_timeout 3000;

    # ENABLE GZIP BUT DO NOT REMOVE ETag HEADERS
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    location / {
      rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
      deny all;
    }

    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
      deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
      fastcgi_split_path_info ^(.+\.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param modHeadersAvailable true;
      fastcgi_param front_controller_active true;
      fastcgi_pass php-handler;
      fastcgi_intercept_errors on;
      fastcgi_request_buffering off;
      fastcgi_keep_conn off;
      fastcgi_buffers 16 256K;
      fastcgi_buffer_size 256k;
      fastcgi_busy_buffers_size 256k;
      fastcgi_temp_file_write_size 256k;
      fastcgi_send_timeout 3000s;
      fastcgi_read_timeout 3000s;
      fastcgi_connect_timeout 3000s;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
      try_files $uri/ =404;
      index index.php;
    }

    # ADDING THE CACHE CONTROL HEADER FOR JS AND CSS FILES
    # MAKE SURE IT IS BELOW PHP BLOCK
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
      try_files $uri /index.php$uri$is_args$args;
      add_header Cache-Control "public, max-age=15778463";
      # HEADERS
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Robots-Tag none;
      add_header X-Download-Options noopen;
      add_header X-Permitted-Cross-Domain-Policies none;
      add_header X-Frame-Options "SAMEORIGIN";
      # OPTIONAL: DONT LOG ACCESS TO ASSETS
      access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
      try_files $uri /index.php$uri$is_args$args;
      # OPTIONAL: DONT LOG ACCESS TO OTHER ASSETS
      access_log off;
    }
  }
}

Журнал ошибок NGINX (это совокупность нескольких попыток и корректировок файлов конфигурации):

2020/08/12 02:35:30 [error] 63641#101838: *50 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597224931108 HTTP/1.1", host: "192.168.2.37"
2020/08/12 02:41:12 [error] 64301#102558: *126 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597225273075 HTTP/1.1", host: "192.168.2.37"
2020/08/12 03:02:22 [error] 64302#101573: *542 access forbidden by rule, client: 192.168.2.11, server: _, request: "GET /data/.ocdata?t=1597226542349 HTTP/1.1", host: "192.168.2.37"
2020/08/12 05:46:30 [emerg] 7894#100667: unknown directive "includeSubDomains" in /usr/local/etc/nginx/nginx.conf:54
2020/08/12 05:54:49 [emerg] 8245#102122: unknown directive "proxy_cach_valid" in /usr/local/etc/nginx/nginx.conf:55
2020/08/12 05:55:16 [emerg] 8274#102086: invalid time value "lm" in /usr/local/etc/nginx/nginx.conf:55
2020/08/12 06:15:00 [error] 8986#102424: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:15:05 [error] 8987#101058: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:17:06 [error] 9060#101663: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:17:11 [error] 9060#101663: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:18:42 [error] 9113#102196: *1 rewrite or internal redirection cycle while processing "/index.php//", client: 192.168.2.11, server: , request: "GET // HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:18:46 [error] 9112#101641: *2 rewrite or internal redirection cycle while internally redirecting to "/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/index.php/favicon.ico", client: 192.168.2.11, server: , request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:19:13 [error] 9112#101641: *3 rewrite or internal redirection cycle while processing "/index.php//index.php/204", client: 192.168.2.11, server: , request: "GET //index.php/204 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:22:20 [crit] 9260#100919: *1 connect() to unix:/var/run/nextcloud-php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.2.11, server: _, request: "GET // HTTP/1.1", upstream: "fastcgi://unix:/var/run/nextcloud-php-fpm.sock:", host: "192.168.2.37"
2020/08/12 06:22:25 [error] 9260#100919: *1 open() "/usr/local/www/nextcloud/favicon.ico" failed (2: No such file or directory), client: 192.168.2.11, server: _, request: "GET //favicon.ico HTTP/1.1", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:22:25 [crit] 9260#100919: *1 connect() to unix:/var/run/nextcloud-php-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.168.2.11, server: _, request: "GET //favicon.ico HTTP/1.1", upstream: "fastcgi://unix:/var/run/nextcloud-php-fpm.sock:", host: "192.168.2.37", referrer: "https://nextcloud.MyRedactedDomain.com/"
2020/08/12 06:28:45 [error] 9489#100770: *7 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597238925594 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:31:00 [error] 9489#100770: *78 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239060928 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:34:38 [error] 9489#100770: *109 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239279292 HTTP/1.1", host: "192.168.2.37"
2020/08/12 06:36:20 [error] 9862#102189: *6 access forbidden by rule, client: 192.168.2.11, server: , request: "GET /data/.ocdata?t=1597239381044 HTTP/1.1", host: "192.168.2.37"

Фрагмент журнала IIS (ошибки только из тех же настроек, что указаны выше):

2020-08-14 07:35:50 192.168.2.11 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=3f4ff15f-436f-4004-bb55-360f94826d4e&SERVER-STATUS=302 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 302 0 0 81
2020-08-14 07:35:50 192.168.2.11 GET /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=b0b256ce-9bb6-42b7-b098-c3ab117246f7&SERVER-STATUS=200 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 200 0 0 135
2020-08-14 07:35:50 192.168.2.11 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=1a8b782f-0381-4118-912e-5503406c0d84&SERVER-STATUS=302 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 https://nextcloud.MyRedactedDomain.com/login 302 0 0 81
2020-08-14 07:35:50 192.168.2.11 GET /login X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=a70275c4-a20e-4c50-b994-933afecb9f2f&SERVER-STATUS=200 443 - cust-REDACTED-IP.dyn.as47377.net Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 - 200 0 0 130