NS8: behind nginx reverse proxy

NethServer Version: 8
Hi,
After doing a successful migration from my test NS7 to a test NS8, I am challenged to make it accessible from the internet.
I run NS8 as a VM on proxmox. On proxmox, I also have an nginx reverse proxy.
This proxies not only for nethserver, but also for other applications/VM’s on my proxmox. It takes care of a LetsEncrypt cert as well.
So, I want to keep it like:
internet - router - nginx - NS8

Furthermore, I do not want to reconfigure all my families’ devices to change (for instance) https://home.myname.com/nxtcl8tst in https://nxtcl8tst.myname.com, as is expected with NS8

Therefore, I need to tell nginx reverse proxy to forward https://home.myname.com/nxtcl8tst to NS8 internal IP, but with a header that says the request is supposedly coming from https://nxtcl8tst.myname.com.
An extra benefit of that approach is that I do not need to publish all subdomains on public DNS; I can leave it as is: home.myname.com is publicly resolved.

I made it so far:

# to neth7
        location /nextcloud/ {
                proxy_pass https://192.168.1.102/nextcloud/;
                client_max_body_size 1024M;
        }

# to NS8
        location /nxtcl8tst/ {
                proxy_pass https://192.168.1.61/;        # Replace with the internal IP of your NethServer8
                proxy_set_header Host nxtcl8tst.home.myname.com;            # Send the NS8 host name to the backend instead of the public one
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_redirect default;

                # Ensure redirects from the backend are handled correctly
                proxy_redirect nxtcl8tst.home.myname.com/ /nxtcl8tst/;

                # SSL settings for proxying
                proxy_ssl_protocols TLSv1.2 TLSv1.3;
                proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        }


This does send me to the Nextcloud app; however, it shows me an almost blank page (with a link to nextcloud.com and the text “a safe home for all your data”).
Inspecting with F12 (browser console) shows a lot of 502 errors (bad gateway):

Failed to load resource: the server responded with a status of 502 (Bad Gateway)
default.css:1 
       Failed to load resource: the server responded with a status of 502 (Bad Gateway)
guest.css:1 
       Failed to load resource: the server responded with a status of 502 (Bad Gateway)
default.css:1 
       Failed to load resource: the server responded with a status of 502 (Bad Gateway)
dark.css:1 
      Failed to load resource: the server responded with a status of 502 (Bad Gateway)
light.css:1 
       Failed to load resource: the server responded with a status of 502 (Bad Gateway)

Does someone have a similar setup, and want to share the correct nginx location { } config?
Or a developer who understands what is going wrong here?
I did not try with webtop (the other app I am using) since that is a bit more complicated. But when you have the proper config for that, please let me know!

internet - router - nginx - NS8 traefik (aka http routes) - NS8 app (container)

Here’s a post with a similar setup:


Thanks for your answer, but in that posting I do not find my answer :(
What I try to achieve: Let nginx be the single point of entry for port 80 & 443, and proxy as follows:
home.mydomain.com/abc > forward to internal IP A, with nginx handling (letsencrypt) cert.
home.mydomain.com/def > forward to internal IP B, with nginx handling (letsencrypt) cert.
pqr.home.mydomain.com > forward to NethServer (with/out nginx handling cert).
xyz.home.mydomain.com > forward to NethServer (with/out nginx handling cert).
(where IP A and IP B are not NS8 related VM’s)

So far I’ve tried dozens of solutions (with for instance a stream block, ssl_preread), but I cannot get the combination of the top 2 requirements and bottom 2 to work together.

I cannot imagine being the only one with a setup like this. Can someone post a working solution for this? Or help me in the right direction?
Edit: a solution with nginx taking care of ALL certs, and NS8 accepting traffic from nginx is also fine.
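
One way to lay out the four routes listed above with nginx terminating every certificate, as an added example that is not from any poster in this thread and has not been tested against NS8. Assumptions: 192.0.2.10 and 192.0.2.20 stand in for IP A and IP B and speak plain HTTP, 192.168.1.61 is the NS8 address from the first post, the certificate paths are placeholders, and NS8's Traefik selects the application by the requested host name.

```nginx
# Added example; names, addresses and paths are assumptions (see lead-in).

# Path-based routes to the non-NS8 VMs; nginx holds the certificate.
server {
    listen 443 ssl;
    server_name home.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/home.mydomain.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/home.mydomain.com/privkey.pem;    # placeholder path

    location /abc/ { proxy_pass http://192.0.2.10/; }   # stand-in for IP A
    location /def/ { proxy_pass http://192.0.2.20/; }   # stand-in for IP B
}

# Name-based routes to NS8; nginx still terminates TLS for the client.
server {
    listen 443 ssl;
    server_name pqr.home.mydomain.com xyz.home.mydomain.com;

    # One certificate whose SAN list covers both names (placeholder path).
    ssl_certificate     /etc/letsencrypt/live/ns8-apps/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ns8-apps/privkey.pem;

    client_max_body_size 1024M;

    location / {
        proxy_pass https://192.168.1.61;

        # Pass the client's host name through unchanged, in the Host header
        # and in the TLS SNI, so the backend can match a route for that name.
        proxy_set_header Host $host;
        proxy_ssl_server_name on;   # nginx sends no SNI upstream by default
        proxy_ssl_name $host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # proxy_ssl_verify is off by default, so the NS8 certificate is not
        # authenticated on this hop. To enforce it, set proxy_ssl_verify on
        # and point proxy_ssl_trusted_certificate at the issuing CA.
    }
}
```

Because the NS8 applications are served from the root of their own host name, no path rewriting or proxy_redirect mapping is needed in the second server block.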