443 port is not available for the container

Hello. When checking the domain, an error occurs: port 443 is unavailable.
The port is open and allowed by the firewall (443/tcp, 443/udp). DNS records are updated and have an A record with my IP.
My Golang site is running on port 443. But even if I free the port, the problem remains.

# The Linux startup command I use is
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--publish 8443:8443 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest
# Caddyfile
https://nc.mysite.com:8443 {
    reverse_proxy https://localhost:8080 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

Also, when I try to connect on port 8443, the logs show that .well-known/acme-challenge/* can’t be reached (connection refused).
Ask for whatever you need; I’ve been struggling with this for a day.

Hi, can you follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things?

I’m doing something wrong. I think it’s the Caddy configuration, but I can’t figure out how to configure it. Everything seems to be done according to the instructions.
Item 7 produces a 1 instead of a 0. Caddy runs outside the container at the system level.
Screenshot from 2024-09-08 13-35-44
Ports 443 and 80 are open.

I have tried all the items; the problem remains. Maybe I don’t understand some points.
I also changed the Caddyfile:

https://nc.mysite.ru:8443 {
    reverse_proxy localhost:11000
}
# That doesn't work either.

443 not 8443


I fixed it last night, but it’s still the same. Right now my configuration is as follows:

# Caddyfile
https://nc.p1xart.ru:443 {
    reverse_proxy localhost:13500
}
# Linux command
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--publish 8443:8443 \
--env APACHE_PORT=13500 \
--env APACHE_IP_BINDING=0.0.0.0 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

Output of item 7:

pixart@pixserv:~$ nc -z localhost 13500; echo $?
0

Maybe I need to do --publish 443:8443?
P.S.: It’s not working either… I can see the logs here: Pastebin

Again, Caddy does not run in Docker, but as a system program.
Nextcloud works on port 8080 but not on 443.

I’m behind NAT, I have the ports forwarded, but that doesn’t help either.

Please review explanation-of-used-ports.

Your logs show ACME validation requests: AiO tries to issue a TLS certificate. To make ACME work, your NC must be accessible on ports 80 and 443 externally (this is a hardcoded ACME requirement)… but this is not the case behind a reverse proxy.

From: all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to specify the port that AIO’s Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port 11000 as example APACHE_PORT which will be exposed on the host to receive unencrypted HTTP traffic from the reverse proxy.

In other words:

  • you don’t expose AiO ports externally
  • external ports 80 and 443 go to the reverse proxy
  • the reverse proxy is responsible for TLS certificates (generation and management)
  • the reverse proxy accesses AiO with plain HTTP on APACHE_PORT internally
  • the management interface is not relevant for the reverse proxy

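As an added example (not from this thread or the AIO project), a small Python checker that applies the rules in the reply above to a startup command and a Caddyfile: site on 443, plain HTTP upstream, upstream port equal to APACHE_PORT. The embedded command and Caddyfiles are constructed samples modelled on the ones posted earlier; the APACHE_IP_BINDING check reflects the AIO docs' advice to bind to 127.0.0.1 when the proxy runs on the same host.

```python
import re
import shlex

# Constructed samples modelled on the configs posted in this thread, not the poster's own files.
DOCKER_CMD = r"""sudo docker run --name nextcloud-aio-mastercontainer --env APACHE_PORT=13500 \
--env APACHE_IP_BINDING=0.0.0.0 nextcloud/all-in-one:latest"""

# First Caddyfile from the thread: site on 8443, TLS upstream to the :8080 management UI.
CADDYFILE_BAD = """https://nc.example.com:8443 {
    reverse_proxy https://localhost:8080 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}"""

# Working shape from the reply above: Caddy terminates TLS on 443, plain HTTP to APACHE_PORT.
CADDYFILE_GOOD = """https://nc.example.com:443 {
    reverse_proxy 127.0.0.1:13500
}"""

def parse_docker_env(cmd):
    """Collect --env KEY=VALUE pairs from a docker run command (handles backslash line continuations)."""
    args = shlex.split(cmd.replace("\\\n", " "))
    env = {}
    for i, arg in enumerate(args):
        if arg == "--env" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            env[key] = value
    return env

def parse_caddyfile(text):
    """Return (site_port, upstream_scheme, upstream_port) for a single-site Caddyfile."""
    site = re.search(r"^\s*https?://[^\s:{]+(?::(\d+))?\s*\{", text, re.M)
    site_port = int(site.group(1)) if site and site.group(1) else 443  # Caddy's https default
    up = re.search(r"reverse_proxy\s+(?:(https?)://)?[^\s:{]+:(\d+)", text)
    return site_port, (up.group(1) or "http"), int(up.group(2))

def check(cmd, caddyfile):
    """Return the list of mismatches between the AIO startup command and the Caddyfile."""
    env = parse_docker_env(cmd)
    apache_port = int(env.get("APACHE_PORT", "0"))
    site_port, scheme, upstream_port = parse_caddyfile(caddyfile)
    checks = [
        (site_port != 443, f"site on port {site_port}: ACME and the AIO domain check expect 443"),
        (scheme != "http", "upstream is https: proxy plain HTTP to APACHE_PORT, not the :8080 UI"),
        (upstream_port != apache_port, f"upstream port {upstream_port} != APACHE_PORT {apache_port}"),
        (env.get("APACHE_IP_BINDING") == "0.0.0.0", "APACHE_IP_BINDING=0.0.0.0 exposes plain HTTP on every interface"),
    ]
    return [msg for failed, msg in checks if failed]
```

Running check(DOCKER_CMD, CADDYFILE_BAD) lists all four problems, while the working Caddyfile only leaves the APACHE_IP_BINDING warning.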

Hello again… I really did read your reply and followed the instructions, but it still doesn’t work, although there are improvements (port 8443 has HTTPS).
When I go to https://nc.example.com:443 it gives something like “c3c664bffwc6c0a2398sc0b5d0fe21fd5feca8ffqc3609610a77a412” (I understand it’s Apache).
The domain is still not accepted. I don’t understand what the problem is.

# Caddyfile
https://nc.example.com:443 {
    reverse_proxy 127.0.0.1:13500
}

# Startup command
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8443:8443 \
--publish 8080:8080 \
--env APACHE_PORT=13500 \
--env APACHE_IP_BINDING=0.0.0.0 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

I’ve seen this Caddy configuration, maybe we should use it?

https://<your-nc-domain>:8443 {
    reverse_proxy https://localhost:8080 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

Port 443 is open and Caddy is listening on it.
If you don’t mind, could you please directly point out what to do? Perhaps I need to force the domain check to be skipped?
Thank you for your patience, and sorry for the long reply.

The problem was solved after I forcibly skipped the domain validation.
My configuration, for those who encounter the same problem:

# Caddyfile
https://nc.example.com:443 {
    reverse_proxy 127.0.0.1:13500
}
# Startup command
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8443:8443 \
--publish 8080:8080 \
--env APACHE_PORT=13500 \
--env APACHE_IP_BINDING=0.0.0.0 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--env SKIP_DOMAIN_VALIDATION=true \
nextcloud/all-in-one:latest

Open 443/tcp and forward the ports in your router if you are behind NAT.
