Help getting NextCloud SSL certs working on TrueNAS using pfsense/haproxy/letsencrypt

Hello everyone,

This is my first post on here so my apologies if I’m not in the right area. I have good deal of experience in break/fix or helpdesk sort of work but I’m fairly new to the server and networking side of things. I’m hoping someone here might be able to help me figure out what I’ve done wrong with my setup.

I’m trying to access my NextCloud instance remotely via https://domain.example.com but I keep getting ERR_CONNECTION_REFUSED. However, I am able to connect to it fine using http://domain.example.com. I’m currently using a fresh install of NextCloud, minus me adding the trusted domain IPs and FQDN to the config.php file. I had a NextCloud instance running for about four months that I was able to access remotely with no issues, but only with a self-signed SSL cert. I wanted to upgrade my home security and have something to handle my certs, so I purchased an SG-2100.

My setup goes as follows: INTERNET => SG-2100 => GS108Tv3 (managed switch) => SERVER running TrueNAS OS => NextCloud (plugin)

I followed the LTS tutorial “How To Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfsense” multiple times to try to properly set up my SG-2100. It was my thinking that after doing this I would be able to connect to my NextCloud instance remotely via https and that it would have a legitimate certificate from letsencrypt, but I’m obviously missing something.

If I haven’t provided enough info, please let me know. I greatly appreciate any help that anyone provides!!!

P.S. Thanks for all of the amazing videos LTS!!

Personally I have the certbot pkg installed on my nextcloud jail and I let the certificates reside on the server itself. Then I set up HA-proxy on pfsense to do an SSL passthrough straight to the server and let the SSL termination happen on the server itself. If you want to look at some example configs I have, let me know and I can post my examples and hopefully point you in the right direction.

1 Like

Sounds like you don’t have HA Proxy setup properly. A few things that are important and often overlooked:

  1. Make sure the DNS entry points to the pfsense IP address
  2. Make sure the pfsense interface is not responding on port 443
  3. In the HA Proxy back end, confirm it is connected to NextCloud over port 80 or whatever port you have it listening on.
  4. In Linux you can use a command like `openssl s_client -servername google.com -host 172.217.4.206 -port 443` to see how the server is responding to cert requests.
1 Like
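As an added example (not from this thread or from any of the posters), here is a small wrapper around the `openssl s_client` probe from point 4 above. It runs the handshake against a chosen IP while presenting the FQDN as SNI, and then reduces the raw output to one line: "refused" (nothing listening, which is what ERR_CONNECTION_REFUSED looks like from the command line), "no_cert" (the port answered but did not speak TLS, e.g. a plaintext HTTP port), or "ok" followed by the issuer of the certificate actually presented. The sample outputs are constructed to mirror what s_client prints in each case; the hostname, IP and port are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is installed.

# Live probe: TLS handshake to IP:PORT, presenting HOST as SNI so a reverse
# proxy or CDN selects the certificate for that name. stdin is closed so
# s_client exits right after the handshake; "|| true" keeps a refused
# connection (non-zero exit) from aborting a script that uses "set -e".
probe_tls() {
    host="$1"; ip="$2"; port="${3:-443}"
    openssl s_client -servername "$host" -connect "$ip:$port" </dev/null 2>&1 || true
}

# Reduce raw s_client output to one of: refused | no_cert | ok <issuer> | unknown
classify_probe() {
    out="$1"
    if printf '%s\n' "$out" | grep -qE 'Connection refused|errno=111'; then
        echo "refused"          # nothing is listening on that IP:port
    elif printf '%s\n' "$out" | grep -q '^issuer='; then
        # newer openssl prints "issuer=C = US, O = ...", older "issuer=/C=US/O=..."
        issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
        echo "ok $issuer"
    elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "no_cert"          # port answered, but not with TLS
    else
        echo "unknown"
    fi
}

# Constructed sample outputs (not captured from any real host):
SAMPLE_REFUSED=$(cat <<'EOF'
140253569270912:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140253569270912:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
EOF
)

SAMPLE_LE=$(cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
---
Certificate chain
 0 s:CN = domain.example.com
   i:C = US, O = Let's Encrypt, CN = R3
---
subject=CN = domain.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
EOF
)

SAMPLE_NOCERT=$(cat <<'EOF'
CONNECTED(00000003)
140253569270912:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
EOF
)

# Usage: sh probe.sh domain.example.com 203.0.113.10 443
if [ "$#" -ge 2 ]; then
    classify_probe "$(probe_tls "$@")"
fi
```

Run it once against the pfSense WAN address with your FQDN, once against the NextCloud jail's LAN address on port 80, and once on 443: the three answers tell you which hop is refusing, which hop is plaintext, and whose certificate the client really receives.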

Thanks for the replies, guys!

Maximus, I tried for a while to get the certbot working on my jail but I could never get it to run. I kept running into issues getting my cert from letsencrypt. I wouldn’t mind seeing your examples however. It could be useful to me or someone else in the future.

Tom, please bear with me lol

  1. In which area should I be looking to check the DNS entry?
  2. In which area should I be looking to check to make sure pfsense isn’t responding on 443?
  3. I believe I have the back end set up properly. This is what it looks like:
  4. This is the result I get when I run the command with my info: 140253569270912:error:0200206F:system library:connect:Connection refused:…/crypto/bio/b_sock2.c:110:
    140253569270912:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
    connect:errno=111

Also, I forgot to mention in my original post that I also used the “2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages” video when originally setting up my sg-2100, if it makes a difference. Thanks again for the help, guys!

You have Encrypt(SSL) checked and it’s going to port 80 which is usually not encrypted. The DNS should point to pfsense.

All these details are covered in my HA Proxy videos

1 Like
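The mismatch Tom points out (Encrypt(SSL) ticked on a backend whose server is on port 80) and the "nothing bound on 443" case from his earlier list can both be caught mechanically before anything goes live. The following lint script is an added example, not from the thread and not part of the pfSense HAProxy package; the constructed haproxy.cfg fragments imitate the `server ... ssl verify none` line the package writes when that checkbox is ticked, which is an assumption about its output format rather than something shown on this page.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an haproxy.cfg on stdin and prints
# one WARN line per suspicious setting. Requires only awk.

lint_haproxy_backends() {
    awk '
      /^[[:space:]]*(frontend|backend)[[:space:]]/ { section = $2 }
      # a frontend that never binds :443 cannot answer https at all
      /^[[:space:]]*bind[[:space:]]/ { if ($2 ~ /:443$/) have443 = 1 }
      /^[[:space:]]*server[[:space:]]/ {
          name = $2; addr = $3
          n = split(addr, parts, ":"); port = parts[n]
          has_ssl = 0
          for (i = 4; i <= NF; i++) if ($i == "ssl") has_ssl = 1
          # TLS handshake aimed at a plaintext port: the backend "checks" fail
          if (has_ssl && port == 80)
              printf "WARN %s/%s: ssl enabled but target port %s is plaintext HTTP\n", section, name, port
          # plaintext proxying to a port that normally expects TLS
          if (!has_ssl && port == 443)
              printf "WARN %s/%s: port %s usually expects TLS but ssl is not set\n", section, name, port
      }
      END { if (!have443) print "WARN no frontend binds port 443 (https will be refused)" }
    '
}

# Convenience wrapper so a config held in a variable can be linted.
lint_cfg_string() {
    printf '%s\n' "$1" | lint_haproxy_backends
}

# Constructed config: Encrypt(SSL) ticked while the jail listens on plain :80.
CFG_BROKEN=$(cat <<'EOF'
frontend https_in
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/example.pem
    mode http
    default_backend nextcloud

backend nextcloud
    mode http
    server nextcloud 192.168.1.50:80 ssl verify none check
EOF
)

# Constructed config: TLS terminated on HAProxy, plain HTTP to the jail.
CFG_FIXED=$(cat <<'EOF'
frontend https_in
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/example.pem
    mode http
    default_backend nextcloud

backend nextcloud
    mode http
    server nextcloud 192.168.1.50:80 check
EOF
)

# Usage: sh lint.sh < /var/etc/haproxy/haproxy.cfg   (path is an assumption)
if [ ! -t 0 ] && [ "$#" -eq 0 ]; then
    lint_haproxy_backends
fi
```

On pfSense the package-generated config can be exported from the HAProxy status page; feeding it through the script shows whether the Encrypt(SSL) box and the backend port agree, and whether the 443 bind actually exists after moving the webGUI off that port.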

So I watched the videos a handful more times but I can’t seem to get it working properly. Now when I go to my NextCloud’s https address “https://domain.example.com” it redirects to the http address “http://domain.example.com”. I can’t tell which part of my setup I’m screwing up lol smh. Just to clarify, I am still able to reach my NextCloud instance remotely through http and log in just as I would locally with its local IP, but when I try https I am redirected to http.

I’m pretty close to hitting that Hire Us button on the main site lol :crazy_face:

Just a few comments and questions

  1. Nextcloud – What webserver are you using with Nextcloud - Apache or Nginx? I find Nginx a little easier to work with but it can work either way
  2. I’m assuming you want SSL termination at the reverse proxy and then a straight http connection to nextcloud. Can you http://? By removing the reverse proxy, you can test bits and pieces of your setup in increments
  3. Have you tried taking nextcloud out of the loop for purposes of testing the reverse proxy? So for example, set up your HA proxy and then forward it to a simple nginx/apache webserver running on the backend. In this particular setup you will need the https://. The URL name must resolve to the IP address of the reverse proxy. Usually you might need to run a split DNS for this via a DHCP host override if testing this from within the LAN.
  4. Once you can verify Nextcloud works independently and the reverse proxy runs independently you can try to pair the setup. You might need to alter the nextcloud configuration to specify the host name.

Small update…

I’m still having some issues but I think I’m making some progress. I think part of my problems are CloudFlare related, specifically the SSL/TLS section. From the options in the picture below, if I choose anything other than “flexible”, I get “Error 521: Web server is down” and am unable to reach my NextCloud instance via the https FQDN.


When I do use the flexible option, I am able to reach my NextCloud but the cert shows that it’s from sni.cloudflare and not the cert created on pfsense. If I’m understanding this correctly, that means that traffic from my browser to CloudFlare is secure but from CloudFlare to my NextCloud is not?