AiO and traefik reverse proxy: bad Gateway but can reach in local

Liamm · April 22, 2025, 11:43am

Hi there!
I’m trying to install nextcloud-aio running behind traefik3.
I’m discovering docker and successfully installed containers for my website and Dolibarr.
I followed the recommandations but I still have a “Bad Gateway” response (there’s something I did bad, for sure!).
Here is my docker-compose.yml:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - ./nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 8080:8080
    networks:
      - netraefik
    environment: # Is needed when using any of the options below
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0 # tried with localhost and 127.0.0.1
      - APACHE_ADDITIONAL_NETWORK=netraefik
      - SKIP_DOMAIN_VALIDATION=true
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=netraefik"

networks:
  netraefik:
    external: true

Here is my traefik’s docker-compose.yml

networks:
  netraefik:
    external: true

services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    restart: always
    command:
      - "--api=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
    ports:
      - "80:80"
      - "8086:8080"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./traefik.toml:/etc/traefik/traefik.toml"
      - "./nextcloud:/config"
      - "./acme.json:/acme.json"
    networks:
      - netraefik
    labels:
      - "traefik.docker.network=netraefik"

My traefik.toml:

[api]
  dashboard = true
  insecure = true

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"
          permanent = true

  [entryPoints.websecure]
    address = ":443"
      [entryPoints.websecure.http.tls]
        certResolver = "default"

[providers]
  [providers.docker]
    watch = true
    exposedByDefault = false
    network = "netraefik"
  [providers.file]
    directory = "/config"
    watch = true

[certificatesResolvers]
  [certificatesResolvers.default]
    [certificatesResolvers.default.acme]
      email = "postmaster@example.com"
      storage = "./acme.json"
      caServer = "https://acme-v01.api.letsencrypt.org/directory"
    [certificatesResolvers.default.acme.tlsChallenge]

And so my nextcloud/nextcloud.yaml:

http:
  routers:
    nextcloud:
      rule: "Host(`next.example.com`)"
      entrypoints:
        - "websecure"
      service: nextcloud
      middlewares:
        - nextcloud-chain
      tls:
        certresolver: "letsencrypt"

  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://localhost:11000" 

  middlewares:
    nextcloud-secure-headers:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        referrerPolicy: "same-origin"

    https-redirect:
      redirectscheme:
        scheme: https

    nextcloud-chain:
      chain:
        middlewares:
          - https-redirect
          - nextcloud-secure-headers

I can reach it on http://SERVER_IP:8080 but on https://next.example.com I have a Bad gateway… Everything seems fine in Traefik’s dashboard (nextcloud@file routed to http://localhost:11000)

If someone could help me! Thank you very much!

jtr · April 22, 2025, 2:01pm

See Adapting the configuration step 3 - On the same server in a Docker container option ii.

Liamm · April 22, 2025, 2:42pm

Hi!
Thanks! I saw this… That’s why I put the APACHE_ADDITIONNAL_NETWORK. Does it mean I should put

- url: "http://netraefik:11000"

in my nextcloud.yaml?

jtr · April 22, 2025, 2:46pm

Probably something more like:

- url: "http://nextcloud-aio-apache:11000"

Liamm · April 22, 2025, 3:00pm

It doesn’t have to be the value of APACHE_ADDITIONAL_NETWORK? (sorry if it seems stupid question!)

Liamm · April 23, 2025, 1:14pm

A little up here…
I don’t know why I still have the Bad Gateway…
Which value I have to give to APACHE_ADDITIONAL_NETWORK? (I saw other people who put the network’s name, so for me => netraefik?)
And Which value to “url” in the loadBalancer, if it’s not “localhost”, neither “netraefik”? I tried with “nextcloud-aio-apache” or “nextcloud-aio-mastercontainer” (my container’s name)… but always this awful Bad Gateway!

wwe · April 23, 2025, 6:32pm

Please review the AiO reverse proxy guide for traefik

Liamm · April 24, 2025, 6:10am

Hi there!
Thank you! As I said, I followed this page but still don’t reach the nextcloud’s container.
Maybe I didn’t understand something (I’m discovering Docker since a few weeks), but I can’t see where are my errors…

wwe · April 24, 2025, 11:04am

without logs nobody can tell… start looking at the config docker inspect {container} will show you which docker network inspect netraefik will show you container and network settings and if your containers are connected to the right network. in the next step enable traefik access logs and check what happens with the request.

Liamm · April 24, 2025, 11:47am

Hi there! Thank you!
Here is the network called netraefik (with traefik and nextcloud on the same one):

{
        "Name": "netraefik",
        "Id": "4149176fdc5aef69fd1235c8deef0e7e06c14f5ec9e3cc906bdb46dd505fd64d",
        "Created": "2025-04-22T09:40:47.343623076Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
                        "9915c2b5b7e1c2ca2f92c48c569a7e53b15066c892cad6951321b33b2d184eba": {
                "Name": "nextcloud-aio-mastercontainer",
                "EndpointID": "f347fffc51ff7fe0a21cfde50d86e04514981936cde04d2ab9c04abe59e30175",
                "MacAddress": "46:00:e8:80:73:4d",
                "IPv4Address": "172.19.0.6/16",
                "IPv6Address": ""
            },
                        "af0bfb7ddc865a676643024141f5a051f4e550609d515ec727e5fee5efb78f7d": {
                "Name": "traefik",
                "EndpointID": "315463f48fd7435b2b4cdadaa951dc94823bf32da4d3f2bb133b013cbcc483f9",
                "MacAddress": "7e:da:a6:6a:74:c2",
                "IPv4Address": "172.19.0.4/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }

And now the access logs:

192.168.0.254 - - [24/Apr/2025:11:32:04 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 1 "nextcloud@file" "http://nextcloud_aio_mastercontainer:11000" 3ms
192.168.0.254 - - [24/Apr/2025:11:34:58 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 2 "nextcloud@file" "http://nextcloud@file:11000" 2ms
192.168.0.254 - - [24/Apr/2025:11:35:07 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 3 "nextcloud@file" "http://nextcloud:11000" 2ms
192.168.0.254 - - [24/Apr/2025:11:35:18 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 4 "nextcloud@file" "http://localhost:11000" 1ms
192.168.0.254 - - [24/Apr/2025:11:36:47 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 5 "nextcloud@file" "http://192.168.0.254:11000" 0ms

I tried must things, changing the value of “url” in nextcloud.yaml… I tried too with the nextcloud container’s IP (172.19.0.6:11000)… But we don’t see it in the logs…
I saw this error too:

2025-04-24T11:28:59Z ERR Router uses a nonexistent certificate resolver certificateResolver=letsencrypt routerName=nextcloud@file

so I changed the value of the resolver in nextcloud.yaml “letsencrypt” to “default”… Since I did that, the command docker logs traefik returns empty.

nc -z localhost 11000; echo $? (logged in traefik container) returns 1… Same things with 127.0.0.1, container’s IP…

Hope it will help!

wwe · April 24, 2025, 12:08pm

as you can see Apache container is not connected to your netraefik network - this is obviously the reason you can’t access it. did you start the container? and please take into account there “mastercontainer” hosting the management interface (on port :8080) is not the same as “apache container” hosting the application interface on port :11000 (by default)

does not match the docs:

Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running nc -z localhost 11000; echo $? from inside the reverse proxy container. If the output is 0, everything works. Alternatively you can of course use instead of localhost the ip-address of the host here for the test.

Please work through troubleshooting steps.

Liamm · April 24, 2025, 12:15pm

Hi!
I didn’t understand I should have a “mastercontainer” + “apachecontainer”!
How to start it? It doesn’t start when docker compose up -d?

edit: I saw this… ghcr.io/nextcloud-releases/all-in-one:latest I didn’t saw it before! Should I use this image instead of nextcloud/all-in-one:latest?

Liamm · April 24, 2025, 3:15pm

Oh! I found why!
Once done docker compose up -d, I had to reach https://server-ip:8080 to install and start containers before try to reach https://next.domain.com!

Now it works fine with my config and -url: http://nextcloud-aio-apache:11000

That’s all! Sorry and thanks!

wwe · April 24, 2025, 3:23pm

mastercontainer is kind of orchestrator - it spawns multiple containers required for NC itself, depending on which features you enabled.

both should be the same AFAIK

AIO in home network behind reverse proxy

let me share a drawing which should explain the architecture more clear hopefully.

you should see the state of of dependent containers once you access the management interface on port :8080 of your mastercontainer. usually you would no expose this IF to the internet - this is only for internal management and becomes inaccessible/limited once the application starts. this is used to spin up containers and review the status, this is also the place where you get you admin password on first setup
once the apache container starts examine it is connected to netraefik network and from this point connection should be possible to the Nextcloud interface through reverse proxy

flowchart LR

  internet-->fritz.box
   fritz.box(router);
   subgraph intLAN[home network]
                        fritz.box-- port-forward<br>tcp/80<br>tcp/443 --->RP;

			subgraph docker
				subgraph all-in-one
				subgraph mastercontainer
					master[mastercontainer<br><br>https\://internal.ip.address.of.server:8080:<br>AIO-interface with self-signed cert];
				end
				subgraph apache-container
					NC[APACHE_PORT<br>:11000];
				end
				subgraph talk-container
					TALK[TALK_PORT<br>tcp/3478<br>udp/3478];
				end
				end
	                        proxynw(netraefik<br>proxy network)
				RP[reverse proxy<br>https:\//your-nc-domain.com] 
				end
				management[admin]-- management ----->master
		end
		RP-->proxynw--http-->NC
		fritz.box--port forward<br>tcp/3478<br>udp/3478-->TALK

Liamm · April 24, 2025, 3:29pm

Thank you so much for this drawing that is very clear, now!

system · May 2, 2025, 3:29pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.