Access Nextcloud locally

To start, I am very new to all this so probably just have some misunderstandings of how things work. Like a lot of people, I used SpaceInvader One’s tutorial on getting my unraid server setup to run nextcloud behind SWAG with my connections routing through Cloudflare.

Everything works great through that path internally and externally, however my issue is when I am on my LAN and try to upload files to my nextcloud, I am limited to the speeds through Cloudflare/my ISP - Windows Performance Monitor is showing 8Mbits/s send, unraid shows peaks of 60Mbits/s receive on the NIC. I tested the LAN speeds from my desktop to my server using iPerf and am getting my expected 900+ Mbits/s speeds (yes, Mbits/s not MB/s).

Here’s a breakdown of my setup:

Unraid 6.10.3

Linuxserver’s SWAG docker

Linuxserver’s Nextcloud docker

Linuxserver’s MariaDB docker

selfhoster’s Cloudflare-DDNS docker

Spant’s Pihole Docker

I have port 443 access turned off on my unraid server and connect to it locally only over port 80 (http).

My SWAG uses unraidIP:1443 and unraidIP:180

My nextcloud uses unraidIP:444

mariaDB uses unraidIP:3306

Pihole is on a static IP in the same subnet as unraidIP, let’s call it PiholeIP.

I have my own domain from google domains linked to Cloudflare. Cloudflare has an ‘A’ record for my public IP (which is updated using the Cloudflare-DDNS docker I believe) and then I have a CNAME pointing to that and I am able to successfully connect to my nextcloud using that xyz.domain.com. Both the A record and CNAME record are proxied on Cloudflare (it was the only way I could get it to work when initially setting it up). SSL/TLS is set to Full (Strict) and I enabled HSTS. When I connect to xyz.domain.com the certificate is being provided by Cloudflare (so not LetsEncrypt).

My router forwards port 443 to SWAG at unraidIP:1443. I do not port forward port 80. SWAG is routed through Cloudflare (through the config files I believe?). SWAG is then connected to my nextcloud. I have nextcloud and swag on a custom docker network (‘proxynet’) so they can talk to each other without having to dig deeper into config files. I did change SWAG to use ‘Modern configuration’ (e.g. TLSv1.3) instead of ‘intermediate configuration’ in the ssl.conf as I don’t need older browser support.

This is where my knowledge gets fuzzy and I’m kinda just throwing mud at a wall at this point…I think I have to set up a ‘split-brain DNS’…

I tried changing my nextcloud to unraidIP:443 and then using Pihole (which is set up and working nicely right now) to create a DNS record that directs me to unraidIP, however when I do this I get “Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID).

If I try going to unraidIP:443 locally, my router forwards that request to SWAG (port 1443) which then overwrites(?) that request to xyz.domain.com and sends me back through Cloudflare. So I have not tried setting nextcloud back to port 444 and using port 443 for SWAG as I believe I would get the same result anyway?

Which leads me to believe this is all a problem with Cloudflare certificates or SWAG.

I don’t know if it’s possible to get the certificate from Cloudflare and install it somewhere so that local access is allowed (since my SSL/TLS is set to Full [Strict]), or if there’s something in the SWAG config that I can edit so that it sends requests through Cloudflare only if it is a request from outside the network? My router is a basic D-Link one so I don’t have much in the way of firewall rules (that I can find); I seem to only be able to allow or deny WAN to LAN / LAN to WAN requests there.

Plz send help.

Greetings,

Thank you for asking.

How large are those files you’re trying to upload? :thinking:
In terms of Nextcloud, you could have issues if you are on a Free plan (even Business) and going to upload files larger than 100MB. By default, you are allowed to upload 100MB for a proxied :orange: hostname (DNS record) in a single request.

Cloudflare limits the upload size (HTTP POST request size) per plan type:

  • 100MB Free and Pro
  • 200MB Business
  • 500MB Enterprise by default. Contact Customer Support to request a limit increase.

Source article:

Otherwise, if you are on Business or Enterprise plan, you can increase this (Business up to 200MB and Enterprise 500MB or larger upon request) and upload larger files.

I’d suggest you either split it into smaller chunks, or continue using an unproxied :grey: (DNS-only) hostname (DNS record) when you are uploading such large files. After you finish, switch back to :orange:.

Meaning, you’re running NextCloud without the valid SSL certificate at the origin host? :thinking:
And you’re using Flexible SSL option then?

In case you do not have an SSL certificate, you can use Cloudflare SSL; if so, kindly make sure you follow the instructions in the article below to set up an SSL certificate using a Cloudflare Origin CA Certificate:

After re-reading all of that again, you’d have to:

  1. Figure out where to put, or rather have Nextcloud instance running over HTTPS.
  2. Therefore, allow Cloudflare IPs to connect to it
  3. Clear and disable the cache at Cloudflare (in case something not working)
  4. Possibly disable Rocket Loader if there are some issues

Make sure you return the real visitor IP:

Helpful posts:


To clarify - I want to have Cloudflare protection when connected externally, but I want to transfer files to nextcloud locally when I am connected locally. So I do not want to grey cloud my website.

Everything works as expected for external connections with Cloudflare… SSL certificates are working and I have the full (strict) setting enabled in Cloudflare. I also have HSTS enabled.

Internal connections also work fine, but have to pass through Cloudflare. I want to authenticate local requests to my server, so they don’t have to go through Cloudflare (and thus aren’t rate limited). If I use Pihole (My DNS server) to redirect (My domain link) to my unraidIP, tracert shows that the request goes directly to my server which is what I want. However, I get the previously mentioned error, where it says “You cannot visit (My domain link) right now because the website uses HSTS”.

I don’t know where to start with certificates on my local system to get this working - do I need to install the Cloudflare certificate on all my clients that I wish to connect locally, or do I need to install it on my server? I am very confused here and may not even be asking the right questions.

The Cloudflare origin certificate is not for client devices. It is for origin servers that will only be served through Cloudflare. If you need to connect directly to the server, such as from your LAN, you will need to install a valid publicly recognized certificate on your origin server.

You could do this with Let’s Encrypt, but advising on the specifics is out of scope in the Cloudflare Community. Luckily, Let’s Encrypt has their own Community forum that can provide assistance if you encounter difficulty.
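A quick way to verify the split-brain DNS plan from the first post together with the advice above (LAN clients resolve the hostname to the unraid box, and the origin presents a publicly trusted certificate rather than the Cloudflare Origin CA). This is an added diagnostic script, not code from the thread, SWAG, Pi-hole or Cloudflare; it assumes the hostname is xyz.domain.com, the Pi-hole address is PiholeIP, and SWAG answers on port 443 at the LAN address Pi-hole returns.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: ./check.sh xyz.domain.com PiholeIP
# Assumes SWAG listens on 443 at the LAN address Pi-hole returns for the host.
# dig and openssl are needed only by check_host; the two helpers are pure.

# 0 if the IPv4 address is RFC 1918 private (a LAN answer, so the Pi-hole
# override is in effect and the request is not going out via Cloudflare).
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if an `openssl x509 -issuer` line names the Cloudflare Origin CA. That CA
# is trusted only by Cloudflare's edge, not by browsers, which is why a direct
# LAN connection to such a certificate fails with NET::ERR_CERT_AUTHORITY_INVALID.
is_cloudflare_origin_issuer() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *"cloudflare origin"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: compare the Pi-hole answer with a public resolver's answer, then
# read the issuer of the certificate the origin itself presents for the host.
check_host() {
    host=$1; pihole=$2
    lan_ip=$(dig +short "$host" A @"$pihole" | tail -n 1)
    pub_ip=$(dig +short "$host" A @1.1.1.1 | tail -n 1)
    echo "Pi-hole resolves $host to $lan_ip; public DNS gives $pub_ip"
    if ! is_private_ip "$lan_ip"; then
        echo "WARN: LAN clients are still being sent out through Cloudflare"
        return 0
    fi
    issuer=$(openssl s_client -connect "$lan_ip:443" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -issuer)
    echo "Origin certificate $issuer"
    if is_cloudflare_origin_issuer "$issuer"; then
        echo "WARN: origin serves a Cloudflare Origin CA cert; LAN browsers will reject it"
    else
        echo "OK: origin serves a public-CA cert (e.g. Let's Encrypt via SWAG)"
    fi
}

if [ "$#" -ge 2 ]; then check_host "$1" "$2"; fi
```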

Awesome, that helps me narrow things down. SWAG includes Let’s Encrypt, so I will dig more into that.

Thank you very much.

