Nextcloud via Proxy on unRAID

The above are two of my favorite software packages at the moment.  So powerful and I’m very content to run it on my own hardware, in house!  In order to get it to work though, I needed one more great piece to the puzzle, NginxProxyManager.

There is a great video by spaceinvader one describing setting this up with his preferred proxy package letsencrypt, but I couldn’t get the mental energy to figure it out.  And even if I did, what happens when I need to maintain it and I’ve forgotten all of it?  So I decided to go with the much clearer NginxProxyManager (I’ll call it NPM despite another project having that name).

First thing I did was create a dynamic DNS address, pointing to my home IP address.  I use but there are a bunch of others that work just as well.  Then I created a subdomain CNAME pointing to that dynamic DNS name and it worked!  The outside stuff is almost done!

Install the Nextcloud app from the App store.  Give it a HTTPS port that won’t conflict with unRAID itself and configure it on localhost as you need.

Next, install the unRAID app for the proxy manager from the app store.  Create the proxy host pointing to your unique HTTPS port for Nextcloud.  Click off HSTS support and “Force HTTPS” and don’t forget “Block common exploits” because who really wants common exploits?  Theoretically you are done – but the one thing that is missing is a certificate!  Thankfully NPM has letsencrypt support built right in.

As an aside here, make sure you have port 80 on your router open and forwarded to NPM’s HTTP port.  You should of course have a HTTPS port open because you need to access Nextcloud from outside!  Port 80 is required to respond to the challenges from letsencrypt!  I found this out when my setup worked fine for three months and then failed because the certificate expired.  Sadface.

You should be able to easily get a certificate in NPM if the above is set up.

Installing the certificate is more challenging though!  You need to copy it over from one docker app to another.  Go into /mnt/user/appdata/NginxProxyManager/archive/npm-? and copy the cert and privkey PEM into /mnt/user/appdata/nextcloud/keys and rename them cert.crt and cert.key respectively.  Sounds tricky, let’s break that down a bit

There is a question mark above – the reason is that NPM will create a bunch of sites and certificates and take care of them for you… but unless you only have 1 site, you need to figure out what certificate is for where!  So, let’s assume you have 3 different certificates.  You *think* npm-2 is the right directory, so let’s find out.  cd into it and run:

openssl x509 -in cert1.pem -text -noout

A ton of stuff should be printed but notice the CN line – if it points to your correct domain, you’re good!  Remember that number. (2 in our imaginary scenario.  I can’t believe you already forgot).

cd back to /mnt/user/appdata/nextcloud/keys and copy cert1.pem and privkey1.pem over.  Rename them to cert.crt and cert.key respectively.  Chown them to nobody:users so that NPM can read them and I would restart NPM to make sure it does.

That’s it!  Really.  But the problem is, as above, our busy minds are like sieves, and YES we will forget how to do this even though we stuck it on our OWN BLOG FOR EXACTLY THAT REASON.  How about a script to make it go down easier?

# Make sure npm-x is pointing to the correct (NextCloud) proxy path - here it's 2 but it may not be on yours!

# Get the latest files
certFile=$(ls -tr $certDir/cert*.pem | tail -1)
keyFile=$(ls -tr $certDir/privkey*.pem | tail -1)

echo "Copying $certFile";
cp $certFile ./cert.crt
chown nobody:users cert.crt

echo "Copying $keyFile";
cp $keyFile ./cert.key
chown nobody:users cert.key

Put that script file in the keys directory, along with a README.txt file pointing to this page so you know what in the world it’s for, and make it executable.  It will take care of the rest.  You could run this from cron if you like, but if so I would make some sort of backup archive of the old certificate files just to make sure you don’t overwrite a good one and not be able to get it back.

See you in 3 months!

Leave a Reply