To start, I am very new to all this so probably just have some misunderstandings of how things work. Like a lot of people, I used SpaceInvader One’s tutorial on getting my unraid server setup to run nextcloud behind SWAG with my connections routing through Cloudflare.
Everything works great through that path internally and externally, however my issue is when I am on my LAN and try to upload files to my nextcloud, I am limited to the speeds through Cloudflare/my ISP - windows performance monitor is showing 8Mbits/s send, unraid shows peaks of 60Mbits/s receive on the NIC. I tested the LAN speeds from my desktop to my server using IPerf and am getting my expected 900+ Mbits/s speeds (yes, Mbits/s not MB/s)
Here’s a breakdown of my setup:
Linuxserver’s SWAG docker
Linuxserver’s Nextcloud docker
Linuxserver’s MariaDB docker
selfhoster’s Cloudflare-DDNS docker
Spant’s Pihole Docker
I have port 443 access turned off on my unraid server and connect to it locally only over port 80 (http).
My SWAG uses unraidIP:1443 and unraidIP:180
My nextcloud uses unraidIP:444
mariaDB uses unraidIP:3306
Pihole is on a static IP in the same subnet as unraidIP, let’s call it PiholeIP.
I have my own domain from google domains linked to Cloudflare. Cloudflare has a ‘A’ record for my public IP (which is updated using the Cloudflare-DDNS docker I believe) and then I have a CNAME pointing to that and I am able to successfully connect to my nextcloud using that xyz.domain.com. Both the A record and CNAME record are proxied on Cloudflare (it was the only way I could get it to work when initially setting it up). SSL/TLS is set to Full (Strict) and I enabled HSTS. When I connect to xyz.domain.com the certificate is being provided by Cloudflare (so not LetsEncrypt).
My router forwards port 443 to SWAG at unraidIP:1443. I do not port forward port 80. SWAG is routed through Cloudflare (through the config files I believe?). SWAG is then connected to my nextcloud. I have nextcloud and swag on a custom docker network (‘proxynet’) so they can talk to each other without having to dig deeper into config files. I did change SWAG to use ‘Modern configuration’ (e.g. TLSv1.3) instead of ‘intermediate configuration’ in the ssl.conf as I don’t need older browser support.
This is where my knowledge gets fuzzy and I’m kinda just throwing mud at a wall at this point…I think I have to setup a ‘split-brain DNS’…
I tried changing my nextcloud to unraidIP:443 and then using Pihole (which is setup and working nicely right now) to create a DNS record that directs me to unraidIP, however when I do this I get ““Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID)”
If I try going to unraidIP:443 locally, my router forwards that request to SWAG (port 1443) which then overwrites(?) that request to xyz.domain.com and sends me back through Cloudflare. So I have not tried setting nextcloud back to port 444 and using port 443 for SWAG as I believe I would get the same result anyway?
Which leads me to believe this is all a problem with Cloudflare certificates or SWAG.
I don’t know if it’s possible to get the certificate from Cloudflare and install it somewhere so that local access is allowed (since my SSL/TLS is set to Full [Strict] ) or if there’s something in the SWAG config that I can edit so that it sends requests through Cloudflare only if it is a request from outside the network? My router is a basic D-link one so I don’t have much in the way of firewall rules (that I can find) I seem to only be able to allow or deny WAN to LAN / LAN to WAN requests there.
Plz send help.