Thank you for your suggestions, they seem reasonable and almost work. I think I need to add a bit more information on my setup. I am running a Ubuntu 20.04 VPS Server with a dedicated ip address and my domain (let’s call it mydomain.com) pointing to it.
What I want to do and why
It is always good to state the WHY first. So, I want to have 2 services (nextcloud and gitea) running on my server accessible through the internet without entering port numbers and with automatic letsencrypt renewable certificates. Currently, I already have nextcloud installed as a snap, docker installed as a snap, and gitea installed using docker-compose. My current setup is:
- My nextcloud is accessible on https ://nextcloud.mydomain.com:444
- My gitea instance is accessible on htps://git.mydomain.com:3000
- UFW blocks all ports except 22,80,81,443,444,3000
I really would like to keep my nextcloud running as a snap (for now at least), as for my usecase it works fine and I like the automatic updates.
I have separate letsencrypt certificates for my nextcloud and my gitea instances. The nextcloud snap already takes care of the renewal, but for gitea I have to do it manually (which is fine I know how to, but I want to change this). The idea now is that I don’t want to enter the port numbers and have the reverse proxy take care of the renewal of the letsencrypt certificates. So ideally:
- My nextcloud is accessible on https ://nextcloud.mydomain.com (even though it is running on http port 81 and https port 444)
- My gitea instance is accessible on https ://git.mydomain.com (even though it is running on port 3000)
- the reverse proxy letsencrypt docker is taking care of the letsencrypt certificates and autorenewal
Steps I have taken so far
Let’s focus only on the reverse proxy and nextcloud, as gitea is a docker container and should work fine.
I have done the following so far:
- Step 1: I disable UFW for debugging
- Step 2: I installed the letsencrypt reverse proxy docker via docker-compose to get letsencrypt certificates for mydomainDOTcom, nextcloudDOTmydomainDOTcom, and gitDOTmydomainDOTcom.
- Step 3: Now, I use the following
set $upstream_app nextcloud.mydomain.com;
set $upstream_port 444;
set $upstream_proto https;
and also follow the suggestions to adapt my nextcloud config.php file.
With this setup, I am able to access my nextcloud on https ://nextcloud.mydomain.com without entering the port number (this is what I want). When I point my browser to https ://mydomain.com I get the landing page of the nginx reverse proxy (so it is working).
So far so good. BUT, If i now ENABLE UFW and block all ports except 80, 443, I am no longer able to access my nextcloud. The nginx reverse proxy is still accessibla on https ://mydomain.com So I think the problem I am facing is that I need to enter my internal ip address so the forwarding happens internally on my server. But I don’t know how to get this as localhost or 127.0.0.1 does not work. The problem might be that I have both docker and nextcloud installed as snaps. Can they communicate with each other internally?