Reverse proxy nextcloudpi and freedombox

Hello everyone, I am a newbie and hope to find help here.

I have two servers behind the same router, nextcloudpi and freedombox, and I have made a reverse proxy with nextcloudpi as the exposed server and freedombox behind nextcloudpi.

However, when I try to connect to plinth at the web address of my freedombox I get an error message ‘Bad Request (400)’, which does not occur when I connect to freedombox services without needing authentication (e.g. searX).

Steps to Reproduce
I created on my nextcloudpi server a freedombox.conf file in the sites-enable directory of apache with these instructions:

<VirtualHost *:80>
    ServerName mysite.freedombox.rocks
    ServerAlias mysite.freedombox.rocks
    ProxyPreserveHost on
    ProxyPass / http://192.168.X.X:80/
    ProxyPassReverse / http://192.168.X.X/
</VirtualHost>
#Listen 443
<IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    ServerName mysite.freedombox.rocks
    ServerAlias mysite.freedombox.rocks
    ProxyPreserveHost on
    ProxyPass / http://192.168.X.X:80/
    ProxyPassReverse / http://192.168.X.X/
    SSLCertificateFile /etc/letsencrypt/live/blubox.freedombox.rocks/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blubox.freedombox.rocks/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

After that I used certbot on nextcloudpi to get the ssl certificates.

Expected Results
The ability to use plinth with freedombox through my web domain.

Actual results

I get an error message Bad Request (400) when I connect to the address mysite.freedombox.rocks/plinth/

Everything works normally when I connect to services without the need of authentication, for example searx: mysite.freedombox.rocks/searx

Information

  • FreedomBox version: FreedomBox 21.11
  • Hardware: pioneer

Thanks in advance

OK, I’m trying a new approach: I set Freedombox as the exposed device and I created an ncp.conf file in /etc/apache2/conf-available with these instructions:

<Location /ncp>
    ProxyPass http://192.168.xxx.xxx:80
    ProxyPassReverse http://192.168.xxx.xxx:80
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
    RequestHeader unset X-Forwarded-For
</Location>

The goal is to be able to reach my nextcloudpi device through the address mysite.freedombox.rocks/ncp. I can only reach my nextcloud within my local network but not outside. Is anyone able to help me solve this problem?

Thanks in advance

1 Like
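
Added example, not part of the thread and not code from either project: a short Python check run over an abridged, constructed copy of the TLS virtual host from the first post, reporting three things an operator should verify in a TLS-terminating proxy of this shape. The function names `vhosts` and `audit` and the finding labels are made up for this example.

```python
import re

# Constructed sample: the TLS vhost from the first post, abridged, with the
# poster's placeholder address kept as written.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    ServerName mysite.freedombox.rocks
    ProxyPreserveHost on
    ProxyPass / http://192.168.X.X:80/
    ProxyPassReverse / http://192.168.X.X/
    SSLCertificateFile /etc/letsencrypt/live/blubox.freedombox.rocks/fullchain.pem
</VirtualHost>
"""

def vhosts(text):
    """Yield one {directive: [args, ...]} dict per <VirtualHost> block."""
    pattern = r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>"
    for body in re.findall(pattern, text, re.S | re.I):
        vh = {}
        for line in body.splitlines():
            name, *rest = line.strip().split(None, 1) or [""]
            if name and name[0] not in "#<":  # skip comments, nested sections
                vh.setdefault(name.lower(), []).append(rest[0] if rest else "")
        yield vh

def audit(text):
    """Return (server name, finding) pairs for TLS vhosts that proxy."""
    findings = []
    for vh in vhosts(text):
        if vh.get("sslengine", ["off"])[0].lower() != "on" or "proxypass" not in vh:
            continue
        names = vh.get("servername", []) + vh.get("serveralias", [])
        name = names[0] if names else "?"
        # An http:// target means the proxy-to-backend hop is unencrypted.
        scheme = re.search(r"(\w+)://", vh["proxypass"][0])
        if scheme and scheme.group(1).lower() == "http":
            findings.append((name, "backend-hop-is-cleartext"))
        # mod_proxy adds X-Forwarded-For/-Host/-Server, but not -Proto.
        if not any("x-forwarded-proto" in h.lower() for h in vh.get("requestheader", [])):
            findings.append((name, "x-forwarded-proto-not-set"))
        # The live/<dir> name is only a hint: confirm the cert covers the name.
        m = re.search(r"/live/([^/]+)/", vh.get("sslcertificatefile", [""])[0])
        if m and m.group(1) not in names:
            findings.append((name, "cert-dir-differs:" + m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
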

Any updates on this? Did it work?

I’ve been looking for a long time for a way to operate more like a server behind a router with the required SSL certificate (port 443). There are many well-intentioned suggestions to be found on the Internet - but none of them work in practice. I then found the solution myself. You need pfSense and the two packages HaProxy and acme. I use HaProxy to connect several servers that do not integrate a certificate themselves, such as ownCloud or Joplin Server. The trick is that HaProxy gets a NAT rule 8443:443 and Freedombox gets a NAT rule 4443:443, and a host override is created in pfSense in the DNS Resolver service with the desired domain on Freedombox. Can’t be explained in detail here - but it works.

1 Like

Can confirm this works. Been running a few of my services like this for a few years now.

1 Like