How to Set Up Nextcloud with Cloudflare Tunnel on Proxmox for Secure Remote Access

How I Set Up Nextcloud with Cloudflare Tunnel on Proxmox: A Step-by-Step Guide

In this guide, I focus on setting up Cloudflare Tunnel to provide secure, remote access to a Nextcloud instance running in a Proxmox LXC container. You’ll learn how to handle SSL certificate issues, configure trusted domains, and ensure a safe connection without opening ports on your firewall.

For a complete overview of setting up Nextcloud in a Proxmox container, including installation and system configuration, I recommend checking out my comprehensive guide on setting up Nextcloud in Proxmox. That post provides detailed instructions for server preparation, configuring PHP and Apache limits, and more.

Why I Chose Nextcloud and Cloudflare Tunnel

Nextcloud is a powerful, self-hosted alternative to popular cloud storage solutions. By running it on Proxmox, I can take advantage of containerized environments, which makes management more efficient. Additionally, I wanted to access my Nextcloud instance remotely, without exposing my home network directly to the internet. For that, Cloudflare Tunnel is a perfect solution. It creates a secure connection between my server and Cloudflare’s network without the need to open ports on my firewall.

Step 1: Set Up Nextcloud on Proxmox

The first step was to set up Nextcloud inside a Linux container (LXC) on Proxmox. The installation process was relatively straightforward:

  1. Create a new LXC container on Proxmox using a Turnkey Linux template for Nextcloud.
  2. Install the necessary dependencies such as Apache, PHP, and MariaDB, which are included in the Turnkey Linux template.
  3. Configure the Nextcloud instance locally by accessing it via its local IP address. This is crucial for initial setup and troubleshooting before exposing it to the internet.

Step 2: Securing Nextcloud with a Self-Signed SSL Certificate

Since Nextcloud stores personal and sensitive data, I wanted to ensure all connections were encrypted. To achieve this, I generated a self-signed SSL certificate:


openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nextcloud-selfsigned.key -out /etc/ssl/certs/nextcloud-selfsigned.crt

This command creates both the private key and the certificate. Although a self-signed certificate won’t be trusted by browsers, it still encrypts the connection during the setup process.

Step 3: Configuring Cloudflare Tunnel for Secure Nextcloud Setup

Next, I set up a Cloudflare Tunnel to securely expose my Nextcloud instance to the internet:

  1. Install Cloudflare’s cloudflared utility on my LXC container:

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared.deb

  2. Create a tunnel and map it to my Nextcloud instance using the following command:

cloudflared tunnel create nextcloud

  3. Configure the tunnel to route traffic to my Nextcloud server:

cloudflared tunnel route dns nextcloud nextcloud.example.com

  4. Run the tunnel:

cloudflared tunnel run nextcloud

Cloudflare Tunnel securely routes traffic from nextcloud.example.com to my local Nextcloud instance without the need to open ports on my router, keeping my network safe.

Step 4: Fixing SSL and Domain Issues

One of the challenges I faced during this setup was related to SSL certificate validation. Since I was using a self-signed certificate, Cloudflare couldn’t verify the authenticity of my Nextcloud instance.

To bypass this, I disabled TLS verification in Cloudflare’s tunnel configuration:


ingress:
  - hostname: nextcloud.example.com
    service: https://192.168.1.100:443
    originRequest:
      noTLSVerify: true  # Disable TLS certificate verification
  # cloudflared requires the last ingress rule to be a catch-all
  - service: http_status:404

This allowed the tunnel to pass traffic without validating the self-signed certificate.
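Added example (not part of the original guide or of cloudflared itself): with noTLSVerify: true, cloudflared accepts whatever certificate answers at 192.168.1.100:443, so the hop to Apache is encrypted but the origin is not authenticated. The script below puts the Step 4 rule beside a variant that keeps verification by trusting the self-signed certificate through cloudflared's caPool and originServerName options, then audits both. Both sample configs are constructed, and the hardened one assumes the certificate was reissued with nextcloud.example.com as a subjectAltName.

```shell
#!/bin/sh
# Constructed sample: the rule from Step 4 (certificate verification disabled).
weak_config() {
cat <<'EOF'
ingress:
  - hostname: nextcloud.example.com
    service: https://192.168.1.100:443
    originRequest:
      noTLSVerify: true  # Disable TLS certificate verification
  - service: http_status:404
EOF
}

# Constructed sample: verification stays on. caPool points at the self-signed
# certificate from Step 2; originServerName is the name cloudflared expects in it
# (assumption: the certificate lists that name as a subjectAltName).
hardened_config() {
cat <<'EOF'
ingress:
  - hostname: nextcloud.example.com
    service: https://192.168.1.100:443
    originRequest:
      caPool: /etc/ssl/certs/nextcloud-selfsigned.crt
      originServerName: nextcloud.example.com
  - service: http_status:404
EOF
}

# Read a cloudflared config (file argument or stdin) and print one finding per
# ingress rule whose origin is unauthenticated or unencrypted.
# Exit status: 0 = no findings, 1 = at least one finding.
audit_tunnel_config() {
    awk '
    function report() {
        if (svc == "") return
        if (noverify) { print "NO_TLS_VERIFY " host " " svc; n++ }
        else if (svc ~ /^http:\/\//) { print "PLAINTEXT_ORIGIN " host " " svc; n++ }
    }
    # A line starting with "- " opens a new ingress rule: flush the previous one.
    /^[ \t]*-[ \t]/ {
        report(); host = "(catch-all)"; svc = ""; noverify = 0
        sub(/^[ \t]*-[ \t]*/, "")
    }
    /^[ \t]*hostname:/ { host = $2 }
    /^[ \t]*service:/ { svc = $2 }
    /^[ \t]*noTLSVerify:[ \t]*true/ { noverify = 1 }
    END { report(); exit (n > 0) }
    ' "$@"
}

echo "weak config:";     weak_config | audit_tunnel_config || true
echo "hardened config:"; hardened_config | audit_tunnel_config || true
```

To check a live setup, pass the path of your own config file to audit_tunnel_config.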

Step 5: Adding Trusted Domains in Nextcloud

After successfully setting up the tunnel, I encountered an “Access through untrusted domain” error when accessing Nextcloud from the public domain. This is a built-in security feature in Nextcloud to prevent unauthorized access.

To resolve this, I added the domain nextcloud.example.com to the list of trusted domains in Nextcloud’s configuration:

  1. Edit the config.php file:

sudo nano /var/www/nextcloud/config/config.php

  2. Add the following entry to the trusted_domains array:

'trusted_domains' => array (
  0 => 'localhost',
  1 => '192.168.1.100',
  2 => 'nextcloud.example.com',
),

  3. Save the file and restart Apache:

sudo systemctl restart apache2

Step 6: Final Touches and Firewall Configuration

To complete the setup, I ensured that the necessary ports (80 and 443) were open on my firewall. Since ufw was not installed by default, I had to install it and configure it accordingly:


sudo apt install ufw
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

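These rules apply to the container’s own firewall and allow HTTP and HTTPS traffic to reach Apache. The router still needs no forwarded ports, because cloudflared connects outbound to Cloudflare.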

Conclusion

After following these steps, I now have a fully functional Nextcloud instance accessible via the domain nextcloud.example.com. Cloudflare Tunnel ensures that all traffic is securely routed without opening ports on my router, and my data is encrypted with SSL.

While the process had its challenges—particularly around SSL certificates and domain validation—it was a great learning experience. Now, my self-hosted cloud is up and running, providing me with complete control over my files.

If you’re considering setting up Nextcloud with Cloudflare Tunnel on Proxmox, I hope this guide helps you avoid some of the hurdles I faced.

How to Configure Trusted Domains and Resolve IP Access Issues in Nextcloud

If you’re setting up Nextcloud on a local network and want to access it via both a domain name and an internal IP address, you may run into issues with trusted domain configuration or forced HTTPS redirection. Below, we’ll walk through how to adjust Nextcloud’s config.php file to allow access via IP addresses and domains, along with resolving SSL-related security warnings.

1. Add IP Address to Trusted Domains in Nextcloud

Nextcloud requires any domain or IP address that accesses it to be explicitly added to the list of trusted domains. Follow these steps to ensure your IP address is trusted:

  1. Access your Nextcloud server and open the config.php file located in /var/www/nextcloud/config/.
  2. Add the IP address of your Nextcloud server to the trusted_domains array. For example, if your Nextcloud IP address is 192.168.1.100, the configuration should look like this:

'trusted_domains' =>
array (
  0 => 'localhost',
  1 => 'nextcloud.yourdomain.com',
  2 => 'www.nextcloud.yourdomain.com',
  3 => '192.168.1.100',
),

  3. Save the file and exit.

2. Disable Forced HTTPS Redirection (Optional)

Nextcloud often forces HTTPS redirection for security reasons, which can cause issues when accessing the server via an internal IP address, as no SSL certificate is typically configured for the IP. To disable this redirection temporarily:

  1. Edit the same config.php file.
  2. Comment out or remove the following lines:

//'overwrite.cli.url' => 'https://nextcloud.yourdomain.com',
//'overwriteprotocol' => 'https',

This change will stop Nextcloud from automatically redirecting to HTTPS when accessed via an IP address. Remember to restart your web server to apply the changes:

sudo systemctl restart apache2

or

sudo systemctl restart nginx

3. Access Nextcloud via IP Address

Once the configuration changes have been made, you should now be able to access Nextcloud via your IP address, for example: http://192.168.1.100. If you encounter a browser security warning, it is because there is no SSL certificate for the IP address. This is expected and can be safely ignored for internal network use.

4. Re-enabling HTTPS (Optional)

If you need to re-enable HTTPS for your domain while keeping internal IP access functional, you can selectively apply SSL certificates to the domain but not the IP. Alternatively, consider creating a self-signed certificate for the IP, though this may still cause browser warnings.

To re-enable forced HTTPS, simply uncomment or re-add the following lines in config.php:

'overwrite.cli.url' => 'https://nextcloud.yourdomain.com',
'overwriteprotocol' => 'https',

Make sure to restart your web server after making any changes.

5. Conclusion

By following these steps, you can successfully configure your Nextcloud server to be accessible both via a domain and an internal IP address. Adjusting the config.php file and temporarily disabling forced HTTPS redirection will allow smoother access for internal syncing and management purposes.

Troubleshooting Nextcloud Configuration Issues: Syncing Errors and Config File Challenges

During the process of configuring my Nextcloud setup on Proxmox, I encountered several issues that required extensive troubleshooting. If you’re facing problems with file syncing or seeing changes reflected in the GUI, the steps I took may help you resolve similar problems. This troubleshooting section outlines my experience, including common pitfalls and the ultimate solution that worked for me.

Identifying the Wrong Config File

Initially, I attempted to modify Nextcloud’s php.ini and config.php files to adjust settings such as memory limits, upload limits, and file sync behaviours. However, despite making these changes, they were not reflected in the Nextcloud GUI. After hours of testing, I realized I had been modifying the wrong config file.

Solution: Make sure you are editing the correct configuration file used by your Nextcloud installation. On most setups, this file is located in /etc/php/[version]/apache2/php.ini, but depending on your environment (e.g., container, Docker, or specific VM setup), the path may differ. Double-check the path to avoid unnecessary troubleshooting steps.

Changes Not Reflecting in the GUI

After locating and editing the correct config file, some changes started reflecting in the Nextcloud GUI, such as memory limits and execution time. However, not all adjustments took effect. In particular, file syncing was still failing, especially for larger media files.

Solution: Restarting services and the entire Nextcloud machine should be the first step. Use the following commands:

  • sudo systemctl restart apache2
  • sudo systemctl restart php-fpm (if using php-fpm)

Rebooting the system can also help, but in my case, it did not solve all the issues. The changes weren’t fully taking effect until a specific update was applied to Nextcloud.

Installing Nextcloud Update

One of the final steps that fixed the syncing issue was installing the available Nextcloud update. I discovered that despite editing all the correct files, the changes only reflected correctly after updating the Nextcloud instance.

Solution: Always ensure you are running the latest version of Nextcloud. You can check for updates directly in the Nextcloud GUI under the Admin panel. In my case, I updated Nextcloud from version 30.0.0 to 30.0.1, and after the update, all config changes were applied successfully. Use the following steps to update:

  1. Navigate to the Admin panel in Nextcloud.
  2. Check for updates and follow the on-screen instructions to download and install the latest version.

Final Thoughts: Learning from the Experience

After spending several hours troubleshooting file syncing and configuration issues, the key takeaway was that modifying the correct config file, restarting services, and keeping Nextcloud up to date are all crucial steps. If you’re experiencing similar problems, I hope this guide saves you time and frustration.

By following these troubleshooting steps, my Nextcloud setup is now fully functional, syncing large media files as expected without further errors. If you encounter similar issues, I recommend carefully following each step and ensuring that all changes are applied before continuing with your setup.

Additional Tips:

  • Ensure the file permissions are correct, particularly for directories like /var/www/nextcloud.
  • If syncing still fails, double-check the Nextcloud logs (found under /var/www/nextcloud/data/nextcloud.log).
  • Make sure PHP’s memory_limit, upload_max_filesize, and post_max_size are set to accommodate larger files.

This section serves as a reference for anyone who might be facing the same challenges, and I will continue to update it as I fine-tune my Nextcloud environment.

Troubleshooting SSL Stapling and Time Zone Issues in Nextcloud

After successfully setting up Nextcloud in a Proxmox LXC container and addressing earlier syncing issues, I encountered some additional challenges related to SSL configuration and time discrepancies. These are common issues that can arise when using self-signed certificates and incorrect time zone settings. Below are the steps I took to resolve these problems.

1. Disabling SSL Stapling for Self-Signed Certificates

One issue I faced was an Apache SSL error related to certificate stapling. Since I was using a self-signed SSL certificate for my Nextcloud instance, SSL stapling was not beneficial and caused errors in my Apache logs. Disabling SSL stapling for self-signed certificates is a straightforward fix.

<VirtualHost *:443>
    ServerName nextcloud.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/nextcloud/

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/nextcloud-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/nextcloud-selfsigned.key

    # Disable SSL Stapling for self-signed certificates
    SSLUseStapling off

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

After making this change, I restarted Apache with the following command:

sudo systemctl restart apache2

Disabling SSL stapling removed the certificate-related errors in the logs, making the setup more stable, even though I’m still using a self-signed certificate.

2. Adjusting the Server Time Zone

Another issue I discovered was that the timestamps in Nextcloud logs were off by two hours, which led to confusion when tracking errors and server activity. This discrepancy was due to an incorrect system time zone setting.

To fix this, I changed the server’s time zone to my local time zone (Europe/Bratislava) using the following command:

sudo timedatectl set-timezone Europe/Bratislava

I verified the change by checking the current time zone settings:

timedatectl

After adjusting the time zone, the Nextcloud logs started showing the correct time, improving my ability to troubleshoot and manage the system effectively.

3. Ensuring File Permission Integrity for Syncing

During my troubleshooting, I realized that some file syncing issues were related to file and directory permissions. For Nextcloud to function correctly, all files and directories under the Nextcloud installation must be owned by the correct user and have the appropriate permissions.

To ensure this, I ran the following commands:

sudo chown -R www-data:www-data /var/www/nextcloud-data
sudo chmod -R 750 /var/www/nextcloud-data

These commands ensure that Nextcloud has full access to its data directory, fixing issues related to file access and syncing. Once the permissions were set correctly, large files like videos could be uploaded without issues.
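Added example (not from the original guide): chmod -R 750 also sets the execute bit on every regular file in the data directory. The script below applies 750 to directories and 640 to files instead, and counts entries that are accessible to "other" or are executable files, before and after, on a constructed temporary tree. The function names are hypothetical, and ownership is left as set by the chown command above.

```shell
#!/bin/sh
# Directories need the execute bit to be traversed; uploaded files do not.
# Assumption: run as root or as the owner of the directory tree.
harden_data_dir() {
    dir=$1
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# Count entries with any permission bit for "other", plus regular files
# that carry an owner or group execute bit.
count_loose_entries() {
    {
        find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \)
        find "$1" -type f \( -perm -100 -o -perm -010 \)
    } | sort -u | wc -l | tr -d ' '
}

# Demonstration on a constructed tree; prints "<before> <after>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/data/alice/files"
    echo video > "$tmp/data/alice/files/clip.mp4"
    echo log > "$tmp/data/nextcloud.log"
    chmod -R 750 "$tmp/data"                  # the command used in the guide
    before=$(count_loose_entries "$tmp/data")
    harden_data_dir "$tmp/data"
    after=$(count_loose_entries "$tmp/data")
    rm -rf "$tmp"
    echo "$before $after"
}

echo "loose entries before/after: $(demo)"
```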

Conclusion

By resolving these final configuration challenges—disabling SSL stapling, adjusting the server time zone, and ensuring proper file permissions—my Nextcloud setup became more stable and fully functional. These adjustments, although minor, made a significant difference in the overall reliability and performance of the system. Whether you are dealing with SSL certificate errors or time zone discrepancies, addressing these details ensures a smoother and more efficient Nextcloud experience.
