Getting Nextcloud running behind a reverse proxy like nginx can really up your security and make managing your server way easier. Plus, you can secure it with SSL using certbot. This article shows you how to do all that step by step.

If you’re managing a private cloud—whether you’re a sysadmin or just like to tinker—this guide’s gonna help you navigate the setup. We’ll walk through what you need to do to get everything running smoothly.

Why Use a Reverse Proxy for Nextcloud?

Using nginx in front of your Nextcloud changes how traffic hits your server. Instead of hitting Nextcloud directly, external requests go through nginx first.

Here’s why it’s smarter:

  • Handle SSL: nginx terminates SSL/TLS for Nextcloud, using certificates obtained with certbot.
  • Manage Traffic: It can help with load balancing and caching.
  • Control Access: nginx can regulate who gets in, which can keep randoms out.
  • Easy URLs: Seamlessly manage multiple services or domains.

Real-Life Example

In a few setups we’ve done for clients, putting Nextcloud behind nginx beefed up their security. One time, it cut login attempts from sketchy IPs by a whole 90%—just with smart access controls.

Before You Start with nginx as a Proxy

Double-check you’ve got these sorted:

  • Nextcloud is up and running (same server or a private link).
  • A Linux server with nginx (Ubuntu/Debian works great).
  • Domain name pointing to your server’s IP.
  • Linux command-line basics.
  • certbot installed to grab SSL certificates:
sudo apt update
sudo apt install certbot python3-certbot-nginx
  • Ports 80 and 443 open on your firewall.

Step 1: Quick Install of Nextcloud

If you haven’t set up Nextcloud, here’s a quick peek. For full details, check their official docs.

  • Grab and unzip Nextcloud:
wget https://download.nextcloud.com/server/releases/nextcloud-26.0.0.zip
sudo unzip nextcloud-26.0.0.zip -d /var/www/
  • Set the right permissions:
sudo chown -R www-data:www-data /var/www/nextcloud/
sudo chmod -R 755 /var/www/nextcloud/
  • Set up your database, then finish the Nextcloud setup through its web interface on http://server-ip/nextcloud.

Step 2: Make nginx Your Nextcloud Reverse Proxy

Now let’s set nginx to handle the traffic flow between browsers and Nextcloud. This assumes Nextcloud runs on the same server at port 8080.

Configuring nginx

Create or tweak your domain’s server block in /etc/nginx/sites-available/nextcloud.conf:

server {
    listen 80;
    server_name nextcloud.example.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name nextcloud.example.com;

    ssl_certificate /etc/letsencrypt/live/nextcloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.example.com/privkey.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # configs for WebDAV and more
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8080/;

        # Proxy headers for Nextcloud. They are set in this block because nginx
        # inherits proxy_set_header from the server level only when the location
        # defines none of its own, and the WebSocket headers below are defined here.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;

        # Support for WebSockets (a single Connection header; a second,
        # empty Connection header would conflict with this one)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # File upload settings
        client_max_body_size 512M;
    }

    # Hide dotfiles such as .htaccess, but leave /.well-known/ reachable
    location ~ /\.(?!well-known) {
        deny all;
    }
}

Why It’s Set Up This Way

  • Redirects port 80 traffic to HTTPS on port 443.
  • Uses SSL certificates from Let’s Encrypt.
  • The proxy headers pass the original hostname, scheme (HTTPS) and client IP on to Nextcloud, so it sees the real visitor rather than the proxy.
  • Stops buffering for big uploads.
  • Supports WebSockets for notifications.
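
nginx inherits proxy_set_header from the server level only when a location defines none of its own, so a location that sets the WebSocket headers silently drops X-Forwarded-For and the others unless it repeats them. The check below is an added example, not part of the original guide: audit_proxy_headers is a hypothetical helper, the sample config is constructed, and it assumes a flat server { location { } } layout with one directive per line.

```shell
# Added example. Assumes a flat layout (server { location { } }), one directive per line.
# Constructed sample: forwarded headers at server level, one more inside "location /".
SAMPLE_CONF='server {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Upgrade $http_upgrade;
    }
    location /status {
        proxy_pass http://127.0.0.1:8080/status;
    }
}'
# audit_proxy_headers [FILE...]  (hypothetical helper; reads stdin when no file is given)
audit_proxy_headers() {
    awk '
        function flush(   i, k, n, need, eff, miss) {
            n = split("host x-forwarded-for x-forwarded-proto", need, " ")
            for (i = 1; i <= nloc; i++) {
                # Own headers replace the server-level set; inherit only if none.
                eff = (own[i] != "") ? own[i] : srv
                miss = ""
                for (k = 1; k <= n; k++)
                    if (index(eff, " " need[k] " ") == 0) miss = miss " " need[k]
                if (miss != "") print "location " name[i] ": not forwarded:" miss
            }
            nloc = 0; srv = ""
        }
        { sub(/#.*/, "") }                      # ignore comments
        /^[ \t]*location[ \t]/ {                # a location block opens
            loc = $0; sub(/^[ \t]*location[ \t]+/, "", loc); sub(/[ \t]*[{].*/, "", loc)
            in_loc = 1; pass = 0; cur = ""; next
        }
        /^[ \t]*proxy_pass[ \t]/ && in_loc { pass = 1 }
        /^[ \t]*proxy_set_header[ \t]/ {
            if (in_loc) cur = cur " " tolower($2) " "
            else srv = srv " " tolower($2) " "
        }
        index($0, "}") > 0 {                    # a block closes
            if (in_loc && pass) { nloc++; name[nloc] = loc; own[nloc] = cur }
            if (in_loc) in_loc = 0
            else flush()
        }
        END { flush() }
    ' "$@"
}
printf '%s\n' "$SAMPLE_CONF" | audit_proxy_headers
```

In the sample, location / is reported because its own Upgrade header cancels inheritance, while /status passes because it defines no headers and inherits the server-level set.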

Set It Up in nginx

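Activate this site, test the configuration and reload nginx. nginx -t reports an error if the certificate files referenced in the 443 block do not exist yet, so the certificate from Step 3 has to be in place before this configuration loads: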

sudo ln -s /etc/nginx/sites-available/nextcloud.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Step 3: Secure with certbot SSL

certbot makes securing connections a breeze by fetching those SSL certs.

Grab SSL Certs

Run certbot with this command for automatic SSL setup:

sudo certbot --nginx -d nextcloud.example.com

certbot will handle the steps to get and install your certificates, then reload nginx.

Keep SSL Certs Fresh

certbot takes care of renewing certs. To check it’s working, use:

sudo certbot renew --dry-run

Step 4: Align Nextcloud with Proxy Settings

Tell Nextcloud about your proxy so it plays nice.

Edit the Nextcloud config.php (found in /var/www/nextcloud/config/config.php):

'trusted_proxies' => ['127.0.0.1', '<nginx_ip_here>'],
'overwritehost' => 'nextcloud.example.com',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://nextcloud.example.com',
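  • trusted_proxies lists the addresses Nextcloud accepts forwarded headers (such as X-Forwarded-For) from. List only your nginx proxy here, otherwise clients could supply their own forwarded IP.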
  • overwriteprotocol makes sure Nextcloud uses HTTPS.
  • Set overwritehost and overwrite.cli.url to your domain.

Restart PHP handling:

sudo systemctl restart php8.1-fpm

(Use your PHP version here.)

Common Hiccups and Solutions

Can’t Upload Large Files

Double-check:

  • client_max_body_size in nginx (make it 512M or more).
  • PHP settings (upload_max_filesize and post_max_size) are high enough.
  • Nextcloud config allows big uploads.

WebSocket Woes

If notifications falter, misconfigured headers can be the culprit. Review the Upgrade and Connection headers in your nginx setup again.

Wrong Permissions

Right file permissions are a must. Make sure Nextcloud files are www-data owned.

SSL Certificate Headaches

Expired certificates mean trouble. Verify by checking:

sudo certbot certificates

Ensure your site shows a valid SSL lock icon.

Keep Nextcloud Safe

Using nginx and certbot boosts security but isn’t the endgame. Do these things to keep safe:

  • Use firewalls or nginx to restrict access.
  • Update Nextcloud and nginx regularly.
  • Backup everything routinely.
  • Watch logs for weird activities.

This stuff keeps your setup solid in real-world use cases.
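
For the log-watching point, one thing worth counting is login POSTs per client IP in the nginx access log, which is the view the proxy gives you of login spam. The script below is an added example, not part of the original guide: login_posts_by_ip is a hypothetical helper, the log lines are constructed, and it assumes the default "combined" log format and Nextcloud's /login and /index.php/login paths.

```shell
# Added example. Assumes nginx "combined" log format; the log lines are constructed.
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/2.0" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /login HTTP/2.0" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /login?redirect_url=/apps/files HTTP/2.0" 303 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /index.php/login HTTP/2.0" 303 0 "-" "python-requests/2.31"
198.51.100.20 - - [12/Mar/2024:10:05:10 +0000] "GET /login HTTP/2.0" 200 7421 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:05:19 +0000] "POST /login HTTP/2.0" 303 0 "-" "Mozilla/5.0"
198.51.100.20 - alice [12/Mar/2024:10:05:30 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/2.0" 207 1532 "-" "Mozilla/5.0"'

# login_posts_by_ip MIN [FILE...]
# Prints "COUNT IP", busiest first, for every client with at least MIN login POSTs.
# Reads stdin when no file is given.
login_posts_by_ip() {
    min=$1; shift
    awk -v min="$min" '
        {
            # combined format: $1 client IP, $6 "METHOD, $7 request path
            path = $7
            sub(/\?.*/, "", path)               # drop the query string
            if ($6 == "\"POST" && (path == "/login" || path == "/index.php/login"))
                hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$@" | sort -rn
}

# Clients with three or more login POSTs in the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | login_posts_by_ip 3
```

On Ubuntu/Debian the same function can be pointed at /var/log/nginx/access.log. A login POST is counted whether or not it succeeded, so treat the output as a list of addresses to look at, not as proof of an attack.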

Example: A Small Biz Makes It Work

One small biz had its file-sharing set up open to the world. They faced constant login spam.

After we set up nginx with certbot:

  • SSL encrypted everything.
  • Reduced rogue logins by blocking at nginx.
  • Auto-renewed certs, so they stopped worrying.
  • Improved performance with zero downtime.

This shows why smart setups matter.

Wrap Up

Setting up Nextcloud behind an nginx proxy with certbot SSL makes everything safer and smoother. You get better security and easier management.

Clean up your configuration, grab those SSL certificates, and make Nextcloud trust nginx. Once you’ve got that down, routine monitoring keeps your cloud up and running without a hitch.


Ready to Give It a Go?

Try this out. If things get tricky, revisit your configs, peek at certbot logs, and keep everything up to date. Need expert advice? There are plenty of resources online.

Time to lock your Nextcloud down—it’s worth it.
