Setting up Nextcloud on FreeNAS Part 2

[ Note: ] This is a continuation of Setting up Nextcloud on FreeNAS Part 1 from the June 2021 blog.


I mentioned in my previous blog that what I did here was not unique. There were many great open source crafters who have done this better than I did. I stood on the shoulders of giants whose videos have helped me to learn and configure Nextcloud on FreeNAS™ (not TrueNAS® CORE, because my weekend exercises were on version 11.2U5). The videos made by Nhan P. Nguyen were instrumental in getting my Nextcloud to work, and I would shamefully admit that I have copied his work almost verbatim.

Self-signed certificate

This is for my own development, so using a self-signed certificate for SSL/HTTPS is okay. But apart from being risky, self-signed certificates also behaved differently with different browsers (more about this later). Here are the steps I have taken to create the Nextcloud certificate and key in the /usr/local/etc/ssl/nginx directory (which has to be created) via the iocage console (or the Nextcloud shell in jails).

SSL Key & Certificate creation in /usr/local/etc/ssl/nginx
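
The following is an added example, not the commands from the original post: POSIX shell functions that create a self-signed key and certificate in a given directory, then confirm that the key belongs to the certificate and that the hostname is present in the subjectAltName. The file names nextcloud.key and nextcloud.crt, the function names and the script name mkcert.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the author's commands. File names are assumptions.

# make_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/nextcloud.key and DIR/nextcloud.crt with HOSTNAME as CN and SAN.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    cnf="$dir/openssl-san.cnf"
    # SAN comes from a config file so this also works on OpenSSL 1.0.2,
    # which has no -addext option.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
EOF
    # umask 077 in a subshell: the private key is created owner-only.
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
          -config "$cnf" -keyout "$dir/nextcloud.key" \
          -out "$dir/nextcloud.crt" 2>/dev/null ) || return 1
}

# key_matches_cert KEY CERT: true only if KEY is the private key for CERT.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_has_san CERT HOSTNAME: true if HOSTNAME is listed as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Run as: sh mkcert.sh /usr/local/etc/ssl/nginx <hostname>
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" && key_matches_cert "$1/nextcloud.key" \
        "$1/nextcloud.crt" && cert_has_san "$1/nextcloud.crt" "$2" &&
        echo "certificate OK for $2"
fi
```

A certificate whose subjectAltName does not contain the name typed into the browser fails hostname validation even after it has been added to a trust store, which is why the check is part of the script.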

Trusted Domains

To validate the HTTP Host header sent by requesting browser sessions, and to prevent HTTP Host header injection, Nextcloud is configured to accept only trusted domains. This keeps the Nextcloud server from answering HTTP/HTTPS requests whose Host header is invalid or carries a domain name that does not match a trusted domain.

The configuration file in which to add the additional trusted domain name entries is /usr/local/www/nextcloud/config/config.php. Add an additional entry such as 1 => 'cfheoh.ddns.net', to the trusted_domains array. Do it for each domain that Nextcloud is configured to serve.

Nextcloud Trusted Domains in /usr/local/etc/www/nextcloud/config/config.php

Redirecting HTTP to HTTPS

We redirect requests for Nextcloud's HTTP server to HTTPS in the /usr/local/etc/nginx/nginx.conf file. Under the 'Basic Settings' comment line, insert the lines shown below:

nginx configuration file redirecting HTTP requests to HTTPS

Nextcloud SSL configuration for HTTPS service

Next, modify the file /usr/local/etc/nginx/conf.d/nextcloud.conf. Remove the first 3 lines (as in Nextcloud version 17 in FreeNAS™ version 11.2U5) and replace them with the following:

Nextcloud configuration for the SSL definitions for the HTTPS service

Restart the Nextcloud plugin after these few configurations have been made.

Local network access

Once Nextcloud is restarted, you can point your browser to https://<ip address> of the Nextcloud plugin configured in the local network. Each browser (I have tried Google Chrome, Microsoft Edge, Mozilla Firefox and macOS Safari) has its own way of responding, but advancing with an understanding of the risks will take you to the login page of Nextcloud.

Browsers advising the risks of continuing

Nextcloud showing the Not Secure warning in the HTTPS URL

Browsers “thisisunsafe”

However, the story changes when accessing the Nextcloud from the public Internet. Assuming port forwarding has been configured correctly, the Chromium-based browsers (Google Chrome and Microsoft Edge) displayed several messages that prevented me from proceeding to access Nextcloud service from the outside to the local network. Here are the screenshots of the self-signed certificate risks.

Chromium browsers' reaction to self-signed certificate. Unable to advance.

I was stumped here for a few days and there were no links on both popular browsers to advance, because both Firefox and Safari were OK to access Nextcloud service from the Internet despite the SSL certificate warnings. Over the weekend, I did a bit of research and found a novel way to proceed with the Chromium browsers.

I just had to type “thisisunsafe” blindly on the browser page, and they worked. I progressed and now both Chrome and Edge are able to access the Nextcloud service externally.

Why the delay since Part 1? 

Well, it was part procrastination, and part trying to figure out the Port Forwarding on my home ZTE modem/router. Despite numerous public IP settings on my ZTE, it would not allow me to forward the outside connection to the Nextcloud server in the LAN. In the end, I realized that if I left the WAN IP blank in the Port Forwarding configuration, it just worked (silly me).

Overall, this side project was a great learning experience for me. It expanded my knowledge of the HTTPS service, and the self-signed SSL certificate. I enjoyed the documentation of my Nextcloud chronicles, and I hope others can learn from my mistakes and befuddlement.

Personally, I have taken a liking to Nextcloud. I have another side thing running Nextcloud on CentOS 7.9 and I intend to upgrade my knowledge and experience working on the latest version 22 (with version 23 coming soon). With the learnings I have gained here, I also want to try this out on TrueNAS® CORE 12.0U5 as well.


About cfheoh

I am a technology blogger with 30 years of IT experience. I write heavily on technologies related to storage networking and data management because those are my areas of interest and expertise. I introduce technologies with the objectives to get readers to know the facts and use that knowledge to cut through the marketing hypes, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then, there will be progress. I am involved in SNIA (Storage Networking Industry Association) and between 2013-2015, I was SNIA South Asia & SNIA Malaysia non-voting representation to SNIA Technical Council. I am currently employed at iXsystems as their General Manager for Asia Pacific Japan.
