[ Note: ] This is a continuation of Setting up Nextcloud on FreeNAS Part 1 in June 2021 blog.
I mentioned in my previous blog that what I did here was not unique. There were many great open source crafters who have done this better than I did. I stood on the shoulders of giants whose videos have helped me to learn and configure Nextcloud on FreeNAS™ (not TrueNAS® CORE, because my weekend exercises were on version 11.2U5). The videos made by Nhan P. Nguyen were instrumental in getting my Nextcloud to work, and I would shamefully admit that I have copied his work almost verbatim.
This is for my own development, so using a self-signed certificate for SSL/HTTPS is okay. But other than the fact that they are risky, they also behaved differently with different browsers (more about this later). Here are the steps I have taken to create the Nextcloud certificate and key in the /usr/local/etc/ssl/nginx directory (which has to be created) via the iocage console (or the Nextcloud shell in jails).
To enforce the validation of the HTTP header from the requesting browser sessions, and to prevent the possibility of HTTP host header injections, Nextcloud is configured to accept only trusted domains. This is to prevent the Nextcloud server exposing itself to HTTP/HTTPS requests that do not have a valid HTTP header or a domain name in the HTTP header that does not match.
The configuration file to add the additional trusted domain name(s) entries is /usr/local/www/nextcloud/config/config.php. Add an additional entry such as 1 => ‘cfheoh.ddns.net’; . Do it for each domain that Nextcloud is configured to serve.
Redirecting HTTP to HTTPS
We redirect the traffic requests to Nextcloud’s HTTP server to HTTPS in the /usr/local/etc/nginx/nginx.conf file. Under the ‘Basic Settings’ comment line, insert the following lines as shown below:
Nextcloud SSL configuration for HTTPS service
Next, modify the file /usr/local/etc/nginx/conf.d/nextcloud.conf. Remove the first 3 lines (as in Nextcloud version 17 in FreeNAS™ version 11.2U5) and replace it with the following:
Restart the Nextcloud plugin after these few configurations have been made.
Local network access
Once Nextcloud is restarted, you can point your browser to https://<ip address> of the Nextcloud plugin configured in the local network. Each browser (I have tried Google Chrome, Microsoft Edge, Mozilla Firefox and MacOS Safari) has its own different ways of responding but advancing with the understanding of the risks will take you the login page of Nextcloud.
However, the story changes when accessing the Nextcloud from the public Internet. Assuming port forwarding has been configured correctly, the Chromium-based browsers (Google Chrome and Microsoft Edge) displayed several messages that prevented me from proceeding to access Nextcloud service from the outside to the local network. Here are the screenshots of the self-signed certificate risks.
I was stumped here for a few days and there were no links on both popular browsers to advance, because both Firefox and Safari were OK to access Nextcloud service from the Internet despite the SSL certificate warnings. Over the weekend, I did a bit of research and found a novel way to proceed with the Chromium browsers.
I just had to type “thisisunsafe” blindly on the browser page, and they worked. I progressed and now both Chrome and Edge are able to access the Nextcloud service externally.
Why the delay since Part 1?
Well, it was part procrastination, and part trying to figure out the Port Forwarding on my home ZTE modem/router. Despite numerous public IP settings on my ZTE, it has disallowed me to forward the outside connection to the Nextcloud server in the LAN. In the end, I realized that if I left the WAN IP blank in the Port Forwarding configuration, it just worked (silly me).
Overall, this side project was a great learning experience for me. It expanded my knowledge of the HTTPS service, and the self-signed SSL certificate. I enjoyed the documentation of my Nextcloud chronicles, and I hope others can learn from my mistakes and befuddlement.
Personally, I have taken a liking to Nextcloud. I have another side thing running Nextcloud on CentOS 7.9 and I intend to upgrade my knowledge and experience working on the latest version 22 (with version 23 coming soon). With the learnings I have gained here, I also want to try this out on TrueNAS® CORE 12.0U5 as well.