Cell Sync with NGINX reverse proxy (not on same machine)

I can’t get CellSync to work with Pydio behind an NGINX server.
Most “examples” I found all assume the NGINX is on the same machine as the Pydio server, for my setup this isn’t the case (as the NGINX server is on one machine and the Pydio is in a VM on a different machine).

The website interface works fine, its just the CellSync Client gets stuck with “Pick a folder”.
It has a red bar that says “Forbidden” , then a “Select Folder” that is empty and can’t be selected.

I should note the “Login to a new server …” works fine, it just can’t select the folder.
There is a valid “Let’s Encrypt” SSL certification on the NGINX server for the domain, and a “self signed” TLS that was setup by the install for the pydio server.

±–±---------------------±------------±------------------------------+
| # | BIND(S) | TLS | EXTERNAL URL |
±–±---------------------±------------±------------------------------+
| 0 | https://0.0.0.0:8080 | Self-signed | https://pydio.example.com |
±–±---------------------±------------±------------------------------+

The webserver is behind a firewall that port-forwards only 443 and 80 to it.

NGINX is basically config as:

server {
listen [::]:443 ssl http2;

    server_name pydio.example.com;
    ssl_certificate /path/to/keys/fullchain.pem; # managed by Certbot
    ssl_certificate_key /path/to/keys/privkey.pem; # managed by Certbot

    root /var/www/$server_name;
    client_max_body_size 0;
    proxy_buffering off;

    location / {
     if ($http_content_type = "application/grpc") {
         grpc_pass grpcs://192.168.1.2:8080;
     }
      proxy_pass https://192.168.1.2:8080;
    }

    location /ws/ {
      proxy_pass https://192.168.1.2:8080;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
    }

}

I have tried it with and w/o
if ($http_content_type = “application/grpc”) {
grpc_pass grpcs://192.168.1.2:8080;
}

Because I believe grpc_pass is important for the CellSync to work correctly.
But I have had not success in making it work.

Anyone know the missing piece here?

Event though it’s supposed to be default already, I always find that explicitly putting proxy_ssl_verify off; in both location / and location /ws is best practice (in case you change default elsewhere in nginx).

Also, I have in my config this:

		# to avoid 502 Bad Gateway:
		# http://vanderwijk.info/Members/ivo/articles/ComplexSVNSetupFix
		set $destination $http_destination;
		if ($destination ~* ^https(.+)$) {
			set $destination http$1;
		}

but the source article I pulled it from no longer exists. I believe this is what worked for CellsSync (although I myself am on Linux and don’t use it, my users probably still do and this was setup way back in 2.x although we’ve upgraded along the way to 3.0.9 and nobody has been bitching).

Thanks. In this particular case it didn’t resolve the issue.

I just tried:
server {
listen [::]:443 ssl http2;

    server_name ####
    ssl_certificate ####
    ssl_certificate_key ####

    root /var/www/$server_name;
    client_max_body_size 0;

    proxy_buffering off;

    set $destination $http_destination;
    if ($destination ~* ^https(.+)$) {
      set $destination http$1;
    }

    location / {
      # Uncomment this to enable gRPC and thus be able to use cells-sync
      proxy_ssl_verify off;
      if ($http_content_type = "application/grpc") {
          grpc_pass grpcs://192.168.0.11:8080;
      }
      proxy_pass https://192.168.0.11:8080;
    }

    location /ws/ {
      proxy_ssl_verify off;
      proxy_pass https://192.168.0.11:8080;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
    }

}

It still says “Forbidden”