Reverse proxy problem with non-standard ports in onlyoffice. #687

Open
7980963 opened this issue Nov 28, 2023 · 2 comments
Labels
help wanted Issues that need assistance from volunteers

7980963 commented Nov 28, 2023

a.md

Do you want to request a feature or report a bug?
bug
What is the current behavior?

Error when trying to connect (cURL error 35: OpenSSL/3.1.4: error:0A000438:SSL routines::tlsv1 alert internal error (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xx.com/healthcheck)

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Hello, I want to use OnlyOffice for NextCloud. I deployed it in my home network with a dynamic public IP, but ports 80 and 443 are not open, so I used port 7980 instead of 80 and 9780 instead of 443. I used Docker for the installation; the installation command is as follows:

sudo docker run -i -t -d -p 9003:80 --restart=always \
    -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice  \
    -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data  \
    -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
    -v /app/onlyoffice/DocumentServer/setting:/etc/onlyoffice \
    -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql -e JWT_SECRET=WIy4qCH1fE3k5f3J onlyoffice/documentserver

As shown in the command, I mapped ports 80 and 443 within Docker to ports 9003 and 9004 of the server respectively. I deployed OpenResty on the same server and used a reverse proxy to proxy port 9003 to ports 7980 and 9780, and because NextCloud requires HTTPS, I also 301ed 7980 to 9780 and resolved to xx.com. Then when I visited https://xx.com:9780/ , it should go to https://xx.com:9780/welcome/ , but it actually went to https://xx.com/welcome/ . Manually visiting https://xx.com:9780/welcome/ opens normally.
When I fill https://xx.com:9780/ into the ONLYOFFICE Docs address and check Disable certificate verification (insecure), it prompts:

Error when trying to connect (cURL error) 35: OpenSSL/3.1.4: error:0A000438:SSL routines::tlsv1 alert internal error (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xx.com/healthcheck).

If I put https://192.168.4.3:9004/ into the ONLYOFFICE Docs address and check Disable certificate verification (insecure), it can be used normally, but only in the intranet environment.
What is the expected behavior?
can be used
Did this work in previous versions of DocumentServer?
unknown
DocumentServer Docker tag:
7.5.1
Host Operating System:
debian-12.2 x86_64

7980963 commented Nov 28, 2023

This is my nginx configuration:

upstream docservice {
  server 192.168.4.3:9003;
}

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
     default $http_x_forwarded_proto;
     "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
  default upgrade;
  "" close;
}

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {
    listen 7980 ;
    listen 9780 ssl http2 ;
    server_tokens off;
    server_name xx.com;
    index index.php index.html index.htm default.php default.htm default.html;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    access_log /www/sites/xx.com/log/access.log;
    error_log /www/sites/xx.com/log/error.log;
    access_by_lua_file /www/common/waf/access.lua;
    set $RulePath /www/sites/xx.com/waf/rules;
    set $logdir /www/sites/xx.com/log;
    set $redirect on;
    set $attackLog on;
    set $CCDeny off;
    set $urlWhiteAllow off;
    set $urlBlockDeny off;
    set $argsDeny off;
    set $postDeny off;
    set $cookieDeny off;
    set $fileExtDeny off;
    set $ipBlockDeny off;
    set $ipWhiteAllow off;
    location ^~ /.well-known/acme-challenge {
        allow all;
        root /usr/share/nginx/html;
    }
    include /www/sites/xx.com/proxy/*.conf;
    if ($scheme = http) {
        return 302 https://$host$request_uri;
    }
    ssl_certificate /www/sites/xx.com/ssl/fullchain.pem;
    ssl_certificate_key /www/sites/xx.com/ssl/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_verify_client off;

    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;
    proxy_set_header X-Forwarded-Proto https;
    ssl_stapling on;
    ssl_stapling_verify on;
}

This is my reverse proxy configuration:

location ^~ / {
    proxy_pass http://192.168.4.3:9003;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    add_header Cache-Control no-cache;
}

Thanks for all the help!

igwyd (Member) commented Dec 4, 2023

Hello @7980963, I don't have experience with OpenResty, but I know it is an enhanced nginx proxy. We have examples for some proxies, try using them: https://helpcenter.onlyoffice.com/installation/docs-community-proxy.aspx
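
Added example, not part of the original thread and not ONLYOFFICE's own configuration: a trimmed version of the server and location blocks posted above in which the external port 9780 survives in redirects and in the headers forwarded to the Document Server, and the legacy TLS versions are dropped. It assumes the Document Server builds its redirect URLs from the forwarded Host headers; the hostname, ports, upstream address and certificate paths are reused from the issue.

```nginx
# Added illustration; values (xx.com, 7980, 9780, 192.168.4.3:9003, paths) are taken from the issue.

# Plain-HTTP listener: name the HTTPS port explicitly in the redirect.
# "https://$host$request_uri" carries no port, so the client is sent to 443.
server {
    listen 7980;
    server_name xx.com;
    return 301 https://$host:9780$request_uri;
}

server {
    listen 9780 ssl http2;
    server_name xx.com;

    ssl_certificate     /www/sites/xx.com/ssl/fullchain.pem;
    ssl_certificate_key /www/sites/xx.com/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 from the posted config are not offered

    # Plain HTTP sent to the TLS port (nginx code 497): keep the port in the target.
    error_page 497 https://$host:$server_port$request_uri;

    location / {
        proxy_pass http://192.168.4.3:9003;
        proxy_http_version 1.1;

        # proxy_set_header is inherited from an outer level only when the current
        # level defines none, so every header the backend needs is set here.
        # $host and $server_name contain no port; $server_port is the port of the
        # listener that accepted the request, so the backend sees "xx.com:9780".
        proxy_set_header Host              $host:$server_port;
        proxy_set_header X-Forwarded-Host  $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        # WebSocket upgrade headers, as in the posted location block.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Running `nginx -t` validates the syntax before a reload; a request to https://xx.com:9780/ should then return a `Location` header that still contains `:9780`.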

@Rita-Bubnova Rita-Bubnova added the help wanted Issues that need assistance from volunteers label Feb 16, 2024