502 Gateway Error with Specific Apps on Mobile

Hello everyone!

Install information:
Nextcloud version: 28.0.4
Operating system and version: Debian 12.5 in Proxmox LXC container
Apache Web Server version (On nextcloud lxc): Apache/2.4.57 (Debian)
Nginx reverse proxy version (On separate lxc): nginx/1.22.1
PHP version: PHP 8.2.7, Zend Engine v4.2.7, OPcache v8.2.7

Issue at hand:

When loading various mobile apps on iOS or Android (Nextcloud Notes, Nextcloud Deck, sometimes Nextcloud itself), I get various versions of a 502 error. When trying to log in to the Nextcloud Notes app (on or off the network that the Nextcloud instance is in), I get:

Error Getting Settings: Request retry failed with retry error: Request rety failed with retry error: Responce status code was unacceptable:502., original error.

When I try to log in to the Nextcloud Deck app, I get:

Error: Request failed with status code 502.

Other times when using the normal Nextcloud app I get 502 gateway or other 502 errors, but it's infrequent, and that one at least lets me log in. I have made a ton of network changes but I think I've gone back to test and fix everything. Note that everything from the PC web browser works fine with all of these apps.

Something I've done to troubleshoot, since I'm running my Nextcloud lxc behind an nginx reverse proxy lxc that is exposed by my opnsense for 80/443, is make sure that the nginx config looked good:

server {
    server_name cloud.example.com;
    client_max_body_size 64000m;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.3:80;
        proxy_max_temp_file_size 65536m;
        proxy_set_header Connection "Keep-Alive";
        proxy_buffers 16 4k;
        proxy_buffer_size 2k;
    }

    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = cloud.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name cloud.example.com;
    return 404; # managed by Certbot
}

I also checked the apache config and it looked fine:

<VirtualHost *:80>
    ServerName cloud.example.com
    DocumentRoot /var/www/nextcloud/

    # log files
    ErrorLog /var/log/apache2/cloud.example.com-error.log
    CustomLog /var/log/apache2/cloud.example.com-access.log combined

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>
</VirtualHost>

I've checked both the php.ini and the config.php for NC, and they seem to be set up for best practices. I can share snippets if needed, but I have trusted domains and trusted proxies set up, and again it works fine in browser.

I was getting, along with the 502 errors, some weird stuff: sometimes at login on mobile I'd get a temporary login error the first time entering creds even though they were correct, then enter them again and it works, or state issues. I fixed this by going onto my firewall (opnsense) and turning off sticky sessions in admin, and then editing the NAT and hairpin settings, as they were pointed to old interfaces from before I redid my vlans.

I'm running out of things this could be, and like the rest of the Nextcloud community, I'm ready to start migrating more and more things away from big cloud and onto my setup, but I need it to be functional and rock solid first. Seeing that more than one of the Nextcloud-owned apps are getting the same/similar 502 errors, obviously I have some small piece of this wrong.

Please let me know if there is something more I can provide.

Thanks,

Hungry Nextcloud Server Owner.

An update for anyone that found this: I'm starting to think my rock solid reverse proxy config for Nextcloud and my config.php that seemed so perfect may not be. I was doing the trusted proxies part of the NC config.php with the IP address (LAN) of that reverse proxy. Then I found this forum post:

and I figured I'd try it. Then, I didn't have DNS working, so I added an internal DNS record for the proxy server and made sure the Nextcloud box could dig it, which it could. Restarted everything, and now I get 401 errors and a lot of gateway not found errors, which makes me think I broke it more, but it does make good sense to be using DNS. I also triggered the administration section of Nextcloud to say:

  • You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read the documentation page about this.

Which it didn't before. So I'm digging back into that and leaving it via DNS for now, as at least it got rid of the 502.

Where are the 502 errors being logged? Are they visible in your Nginx error log?

Also, check your Apache error log during the same time period.

Can you clarify what you’re doing on your firewall? Just routing/NAT/ACLs or are you doing any sort of proxy/load balancing?

Using the IP address of your reverse proxy in trusted_proxies is the appropriate way to do things. Do not use hostnames. That’s not a valid configuration (and there is a check in upcoming versions that will warn people doing that).

That said, don’t get too hung up on trusted_proxies for your 502 problems. That parameter is likely not the source of those.

A 502, assuming it’s coming from Nginx and not something on your firewall, just indicates the below isn’t reachable:

proxy_pass http://192.168.1.3:80;

It also sounds like you may have some problems with your overwrite* values (either missing outright or they’re wrong). Maybe share those, anonymized as desired.
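As an added example (not jtr's or the poster's code, and not part of the thread), a small Python script that answers the first question above from the proxy's own logs: it pulls the 502s out of nginx's combined access log, splits them by client kind and path, and checks each one against the upstream-failure lines in the nginx error log that accompany a 502. The log lines and user-agent strings are constructed samples, and the "Nextcloud-" rule for spotting the mobile apps is a stand-in for whatever the real apps send.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" access log, the format the proxy's default config writes
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# upstream-side reasons nginx logs just before it answers the client with a 502
ERROR_RE = re.compile(r'^(?P<time>\S+ \S+) \[error\] .*?(?P<reason>connect\(\) failed|'
                      r'upstream prematurely closed connection|upstream timed out|no live upstreams)')

def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None  # not a combined-format line
    # drop the "+0000" zone so both logs compare as naive local timestamps
    return {"time": datetime.strptime(m["time"].split(" ")[0], "%d/%b/%Y:%H:%M:%S"),
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}

def client_kind(ua):
    # constructed convention for the samples below: app user agents carry "Nextcloud-"
    return "mobile app" if "Nextcloud-" in ua else "browser"

def summarize_502s(access_lines):
    """Counter of (client kind, path) for every 502 in the access log."""
    recs = filter(None, map(parse_access, access_lines))
    return Counter((client_kind(r["ua"]), r["path"]) for r in recs if r["status"] == 502)

def upstream_failures(error_lines):
    """(timestamp, reason) for each upstream failure in the nginx error log."""
    return [(datetime.strptime(m["time"], "%Y/%m/%d %H:%M:%S"), m["reason"])
            for m in map(ERROR_RE.match, error_lines) if m]

def correlate(access_lines, error_lines, window_s=2):
    """Count 502s with an upstream failure logged within window_s seconds; if nearly all
    match, nginx made the 502 because the proxy_pass target failed, so look at Apache/PHP next."""
    fails = [t for t, _ in upstream_failures(error_lines)]
    return sum(1 for r in filter(None, map(parse_access, access_lines))
               if r["status"] == 502
               and any(abs((r["time"] - t).total_seconds()) <= window_s for t in fails))

# Constructed sample log lines (not from the poster's server); user agents are illustrative only.
ACCESS = [
    '10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /index.php/apps/notes/api/v1/settings HTTP/1.1" 502 157 "-" "Nextcloud-iOS/5.2"',
    '10.0.0.5 - - [01/May/2024:10:00:07 +0000] "GET /index.php/apps/deck/api/v1.0/boards HTTP/1.1" 502 157 "-" "Nextcloud-android/3.28"',
    '10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0 Firefox/125.0"',
]
ERRORS = [
    '2024/05/01 10:00:01 [error] 811#811: *42 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.5, server: cloud.example.com, upstream: "http://192.168.1.3:80/index.php/apps/notes/api/v1/settings"',
]
```

A 502 with no matching error-log line in the window points at something in front of nginx (the firewall, for instance) rather than at the proxy_pass target.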

@jtr Thanks for the reply, I think that makes sense. I have tried to parse the logs but will have to get them off the CLI and onto something where I can parse them better, as it's so much data.

On the firewall, nothing special. No proxy or load balancing. That is what I have my one nginx lxc for: to be a reverse proxy for everything, as I only have one IP address. The network changes I was mentioning are that I recently redid my vlans and so all the networks changed. But I fixed everything there.

Yes, I was reading that and have since reverted it to the internal IP address. Found your data was supported here: Reverse proxy — Nextcloud latest Administration Manual latest documentation
I wonder why that worked for that other guy… anyway. I agree it’s not that as 502 is generally related to the gateway at some layer or another.

I think you are right, and I will post my config.php here so you can try to point me in the right direction there. I'll also do more looking into that. I had a feeling it was that, as when I first started doing Nextcloud, getting the config.php working with the nginx reverse proxy config for the site was tough, and once I got all the errors (both red and yellow) out of the security and setup warnings of Nextcloud, I just stopped and called it a win. But obviously the checker is missing something small that is still misconfigured.

<?php
$CONFIG = array (
  'instanceid' => 'oc instance id',
  'passwordsalt' => 'the salt',
  'secret' => 'the secret',
  'trusted_domains' => 
  array (
    0 => 'cloud.example.com',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.1.2',
  ),
  'overwritehost' => 'cloud.example.com',
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '28.0.4.1',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ncuser',
  'dbpassword' => 'A Good DB Password',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'default_phone_region' => 'US',
  'mail_from_address' => 'mail-example',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'example.com',
  'mail_smtphost' => 'smtp-mail.example.com',
  'mail_smtpport' => '587',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'mail@example.com',
  'mail_smtppassword' => 'A Good Password',
  'maintenance_window_start' => 7,
  'maintenance' => false,
  'updater.secret' => 'random...',
  'theme' => '',
  'loglevel' => 2,
);

Also, I'm sure it makes sense, but for this example 192.168.1.2 is the separate lxc with the nginx reverse proxy, 192.168.1.3 is the Nextcloud lxc, and 192.168.1.1 is the gateway.
In reality they are different IPs and in different vlans, but nothing is blocking them, and it all works fine in browser as far as I can tell.