Nextcloud docs - haproxy and ssl

You will need to create SSL certificates. This guide takes you through the process with Let's Encrypt.

If you can't use Let's Encrypt, you can easily create a self-signed cert. You can check out an example here: https://github.com/erik78se/mydocs/blob/main/ssl/selfsigned.sh

If you already have your SSL certificate (fullchain) and private key in PEM format, you can skip creating the certificate and move straight to the deployment step.

1. Create the cert with Let's Encrypt.

sudo certbot certonly --standalone -d qcloud.dwellir.com --non-interactive --agree-tos --email info@dwellir.com

This produces fullchain.pem and privkey.pem, which we need for haproxy SSL termination.

2. Deploy haproxy

juju deploy haproxy

3. Base64-encode the fullchain cert and the private key and set them as config.

juju config haproxy ssl_cert="$(base64 fullchain.pem)"
juju config haproxy ssl_key="$(base64 privkey.pem)"

4. Create the config and service options.

The easiest way is to create a config file.

cat my-cloud.yaml
- service_name: nextcloud
  service_host: 0.0.0.0
  service_port: 443
  crts: [DEFAULT]
  service_options:
      - balance leastconn
      - option forwardfor
      - http-request set-header X-Forwarded-Port %[dst_port]
      - http-request add-header X-Forwarded-Proto https if { ssl_fc }
      - acl url_discovery path /.well-known/caldav /.well-known/carddav
      - http-request redirect location /remote.php/dav/ code 301 if url_discovery
      - http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload
      - http-response set-header X-Frame-Options SAMEORIGIN
      - http-response set-header X-Content-Type-Options nosniff
      - http-check expect status 200
  server_options:
     - cookie S{i} check

juju config haproxy services="$(cat my-cloud.yaml)"
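A services YAML like the one above is easy to grow by copy-paste, and HAProxy does not warn when a header is set twice: set-header silently keeps only the last value, while a repeated add-header sends the header more than once. The following is an added example (not part of the original post) that replays the header directives of a constructed service_options list in HAProxy order and reports the effective headers plus any repeats; the input is constructed to contain such duplicates.

```python
import re
from collections import defaultdict

# Constructed sample: a service_options list for the nextcloud service that,
# like a copy-pasted services YAML, repeats several header directives.
SERVICE_OPTIONS = [
    "balance leastconn",
    "option forwardfor",
    "http-request set-header X-Forwarded-Port %[dst_port]",
    "http-request add-header X-Forwarded-Proto https if { ssl_fc }",
    "http-response set-header Strict-Transport-Security max-age=31536000;\\ includeSubdomains;\\ preload",
    "http-response set-header X-Frame-Options DENY",
    "http-response set-header X-Content-Type-Options nosniff",
    "http-response set-header X-Frame-Options SAMEORIGIN",
    "http-response set-header Strict-Transport-Security max-age=16000000;\\ includeSubDomains;\\ preload;",
    "http-request set-header X-Forwarded-Port %[dst_port]",
    "http-request add-header X-Forwarded-Proto https if { ssl_fc }",
]

# Groups: direction, action, header name, value (the value may carry an "if <acl>" tail).
HEADER_RE = re.compile(r"^(http-request|http-response)\s+(set-header|add-header)\s+(\S+)\s+(.+)$")
def audit_headers(options):
    """Replay header directives in HAProxy order and return (effective, findings).
    set-header replaces any earlier value for the same header, so only the last
    definition reaches the client; add-header appends a copy, so repeats send it twice."""
    effective = defaultdict(list)   # (direction, header) -> values actually sent
    history = defaultdict(list)     # (direction, action, header) -> every value seen
    for line in options:
        m = HEADER_RE.match(line.strip())
        if not m:                   # balance, option, acl, redirect: not header rules
            continue
        direction, action, name, value = m.groups()
        value = value.split(" if ", 1)[0].strip()   # drop the ACL condition
        if action == "set-header":
            effective[(direction, name.lower())] = [value]
        else:
            effective[(direction, name.lower())].append(value)
        history[(direction, action, name.lower())].append(value)
    findings = []
    for (direction, action, name), values in sorted(history.items()):
        if len(values) < 2:
            continue
        if action == "set-header":
            findings.append(f"{direction} {name}: set-header appears {len(values)}x, "
                            f"only the last value is sent: {values[-1]}")
        else:
            findings.append(f"{direction} {name}: add-header appears {len(values)}x, "
                            f"the client receives {len(values)} copies")
    return dict(effective), findings
```

Run it over your own service_options before pushing them with juju config; an empty findings list means every header has exactly one definition.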

5. Let nextcloud know about its external hostname.

juju config nextcloud fqdn="qcloud.dwellir.com"

6. Allow access from the external domain name.

juju run-action nextcloud/leader set-trusted-domain domain="qcloud.dwellir.com"

7. Make the nextcloud server reply with the https protocol.

juju config nextcloud overwriteprotocol="https"

8. Access the site and log in.

https://qcloud.dwellir.com

9. Change the default admin password in the admin settings for security.
