The Basics
- Nextcloud Server version:
- Nextcloud AIO 30.0.5
- Operating system and version:
- Debian 12.9
- Web server and version :
- Apache 2.4.62 (Unix)
- Reverse proxy and version:
- Caddy 1.8.0_1 installed on OPNsense 24.7.12_2 amd64
- PHP version :
- 8.3.15
- Is this the first time you’ve seen this error?
- yes
- When did this problem seem to first start?
- after installation
- Installation method:
- AIO Docker
- Are you using Cloudflare, mod_security, or similar?
- No
Hello community,
I really hope that you guys can help me. I went through the palace of my brain, old forum posts, documentation, ChatGPT etc., but I can't solve the problem! I really can't wrap my head around that…
You would really help me out, because I have tried for so many hours, and I won't be the last human being that runs into that problem.
And I just bought new hardware, so I really really want to use my new baby asap.
I tried to structure this text a little bit, so you have an easier time reading it.
I know it's a long post, but I wanted to include everything, so that you can read it in one go and not have to ask for every detail :)))
So thanks community, and let's begin:
I installed a Debian VM on my Proxmox 8.3.2, where I installed Docker version 27.5.0, build a187fa5.
I installed the caddy reverse proxy plugin on my OPNsense Firewall.
Here are the screenshots:
MY PROBLEM:
I set up Nextcloud with the Docker command provided by Nextcloud for reverse proxy environments here; here is the Docker command:
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest
This is my config.php:
<?php
$CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'check_data_directory_permissions' => false,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'nextcloud-aio-redis',
    'password' => '2cf7e112bade65d0a3b9a0dcb550390909b64ecab1b31600',
    'port' => 6379,
  ),
  'overwritehost' => 'cloud.domain.com',
  'overwriteprotocol' => 'https',
  'passwordsalt' => 'CyCcgjUrP4F80UEWofzEJYFnf8G1Je',
  'secret' => '35BkGXtkaCI+qSjzj39Zs8UCKIzAHufnW4XulcOUBi6JfB61',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.domain.com',
    2 => '192.168.27.6',
    3 => '192.168.27.99',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '30.0.5.1',
  'overwrite.cli.url' => 'https://cloud.domain.com/',
  'dbname' => 'nextcloud_database',
  'dbhost' => 'nextcloud-aio-database:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_nextcloud',
  'dbpassword' => 'b112f1afaa939f998f968cfa6f3efc5f0e484cd04ef71891',
  'installed' => true,
  'instanceid' => 'oc4iy40xvou5',
  'maintenance' => false,
  'loglevel' => 2,
  'log_type' => 'file',
  'logfile' => '/var/www/html/data/nextcloud.log',
  'log_rotate_size' => 10485760,
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'preview_max_x' => 2048,
  'preview_max_y' => 2048,
  'jpeg_quality' => 60,
  'enabledPreviewProviders' =>
  array (
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
    0 => 'OC\\Preview\\Imaginary',
    23 => 'OC\\Preview\\ImaginaryPDF',
  ),
  'enable_previews' => true,
  'upgrade.disable-web' => true,
  'mail_smtpmode' => 'smtp',
  'trashbin_retention_obligation' => 'auto, 30',
  'versions_retention_obligation' => 'auto, 30',
  'activity_expire_days' => 30,
  'simpleSignUpLink.shown' => false,
  'share_folder' => '/Shared',
  'one-click-instance.link' => 'https://nextcloud.com/all-in-one/',
  'upgrade.cli-upgrade-link' => 'https://github.com/nextcloud/all-in-one/discussions/2726',
  'updatedirectory' => '/nc-updater',
  'maintenance_window_start' => 100,
  'allow_local_remote_servers' => true,
  'davstorage.request_timeout' => 3600,
  'documentation_url.server_logs' => 'https://github.com/nextcloud/all-in-one/discussions/5425',
  'htaccess.RewriteBase' => '/',
  'dbpersistent' => false,
  'auth.bruteforce.protection.enabled' => true,
  'ratelimit.protection.enabled' => true,
  'files_external_allow_create_new_local' => false,
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '::1',
    10 => '172.18.0.0/16',
    2 => '192.168.27.99',
  ),
  'preview_imaginary_url' => 'http://nextcloud-aio-imaginary:9000',
  'preview_imaginary_key' => 'cc59674791be6949019a46b5c5bf2d66cef505da285083ff',
);
192.168.27.6 is the NC VM IP; 192.168.27.99 is the gateway = FW = reverse proxy.
Maybe I shouldn't add the reverse proxy IP to the trusted domains?
Some resources told me that I should try
curl -v IP/HOSTNAME
When I try the following:
curl -v 127.0.0.1
curl -v https://127.0.0.1
curl -v 192.168.27.6
curl -v https://192.168.27.6
curl -v cloud.domain.com
curl -v https://cloud.domain.com
then I get this:
* Trying LOCALIP:443... *(or 80 when I don't use https:// )*
* connect to 192.168.27.6 port 443 failed: Connection refused
* Failed to connect to 192.168.27.6 port 443 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 192.168.27.6 port 443 *(or 80)* after 0 ms: Couldn't connect to server
Buuuuut here it gets interesting, I would say:
Info: Port 11000 is the port which talks with the reverse proxy
sshman@cloud:~$ curl -v cloud.domain.com:11000
* Trying 192.168.27.6:11000...
* Connected to cloud.domain.com (192.168.27.6) port 11000 (#0)
> GET / HTTP/1.1
> Host: cloud.domain.com:11000
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Content-Length: 0
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-ZwDCwYvHxoyzfgY2vWNRqZPq1edRqsjg1BsZC6RRnvQ='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Jan 2025 23:19:00 GMT
< Location: https://cloud.domain.com/login
< Referrer-Policy: no-referrer
< Set-Cookie: oc_sessionPassphrase=N6f6K1dJpMi2n422RML5uRTNDyHYnZDV9CFT9r9awMLe34ieY%2FnyX5B9vLVMLxYv1hesAFHDq8iWNzBDr%2BstEuASf7p%2FurEJsJk3KKxPV8kcliny35HgfL0qT7%2BGIeIW; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: oc4iy40xvou5=4c568da1e62006f0199e6295a824a6bb; path=/; secure; HttpOnly; SameSite=Lax
< Strict-Transport-Security: max-age=31536000;
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-Xss-Protection: 1; mode=block
<
* Connection #0 to host cloud.domain.com left intact
sshman@cloud:~$ curl -v https://cloud.domain.com:11000
* Trying 192.168.27.6:11000...
* Connected to cloud.domain.com (192.168.27.6) port 11000 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
sshman@cloud:~$ curl -v 127.0.0.1:11000
* Trying 127.0.0.1:11000...
* Connected to 127.0.0.1 (127.0.0.1) port 11000 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:11000
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Content-Length: 0
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-Xc6NxpZ3jkmqJ6DgQRkzhBdjDyWL2z70vRw4h4RnvGE='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Jan 2025 23:19:36 GMT
< Location: https://cloud.domain.com/login
< Referrer-Policy: no-referrer
< Set-Cookie: oc_sessionPassphrase=1FK9rj%2BIs5bOQl07UQPyOOSvnscGdTQWID2ybIbmvTtE01RB61iolwctzVtcatIb6r3leqVwSaElroJCc3aR85wz%2Fz%2BCzoWrOjs5z%2BHs%2B53x6aeT8stZRLzX5gVIug03; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: oc4iy40xvou5=2a7089c59523c2db14ebb826bc7e5907; path=/; secure; HttpOnly; SameSite=Lax
< Strict-Transport-Security: max-age=31536000;
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-Xss-Protection: 1; mode=block
<
* Connection #0 to host 127.0.0.1 left intact
sshman@cloud:~$ curl -v https://127.0.0.1:11000
* Trying 127.0.0.1:11000...
* Connected to 127.0.0.1 (127.0.0.1) port 11000 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
sshman@cloud:~$ curl -v 192.168.27.6:11000
* Trying 192.168.27.6:11000...
* Connected to 192.168.27.6 (192.168.27.6) port 11000 (#0)
> GET / HTTP/1.1
> Host: 192.168.27.6:11000
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Content-Length: 0
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-135xUuMkBGXlLBJSTE2dqiH1Exn3aC5S/8zZGXpxlAI='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Jan 2025 23:20:48 GMT
< Location: https://cloud.domain.com/login
< Referrer-Policy: no-referrer
< Set-Cookie: oc_sessionPassphrase=JXLyrilLgnwm2jprbCie4wXBGUvEhi8ycRLKvQG3GOAB3khFrLfhE%2BQZQsSttIBVPuQ48k1K%2FqoAjwzN%2BqNBzrgiUimkHLziCdOWchYzKmKi7rMBm5R0vg%2FKQcDXtxki; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: oc4iy40xvou5=e936d691b5340258aa8becef6a2e063e; path=/; secure; HttpOnly; SameSite=Lax
< Strict-Transport-Security: max-age=31536000;
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-Xss-Protection: 1; mode=block
<
* Connection #0 to host 192.168.27.6 left intact
sshman@cloud:~$ curl -v https://192.168.27.6:11000
* Trying 192.168.27.6:11000...
* Connected to 192.168.27.6 (192.168.27.6) port 11000 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
The DNS for the Nextcloud is a Pihole.
When I nslookup & ping cloud.domain.com then I get the private IP of the NC.
This is my /etc/hosts file on the NC:
127.0.0.1 localhost
192.168.27.6 cloud.domain.com cloud
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
So I know that's quite some info now, but thanks for sticking with me until here, and please continue reading.
Here are my OPNsense and Caddy Settings:
As I mentioned, I installed the Caddy plugin on OPNsense, because I tried to run my scenario with NGINX Proxy Manager, but I read that there can be problems with NAT reflection etc. on the firewall, so I set up the reverse proxy directly on the FW to avoid a NAT problem, like I read in a forum. (I have nothing configured in terms of NAT.)
Hm, doesn't work like a charm either.
I can't access the NC via domain or private IP in my internal network MOST OF THE TIME.
I used to get DNS rebind attack warnings in the past when accessing an internal server from the inside, but yesterday I turned DNS rebind checks off in System → Settings, "Disable DNS Rebinding Checks". But on my old Nextcloud, which was without a reverse proxy, I often couldn't access it because of certificate issues (that you couldn't ignore), but sometimes it worked!
Now here I get an “unable to connect” message from my browser.
So here are my Firewall Rules:
WAN Interface (WAN gets public IP from my modem)
Nextcloud VLAN
(the last rule is for testing not productive)
I have done it in my internal VLAN too.
In the NAT section nothing was configured.
And now, coming to an end, here is the Caddy Configuration:
(I only used the GUI for configuration.)
I am getting a certificate because ports 80 and 443 are open.
Here I unchecked HTTP3 because I had some small problems when requesting the certificate and with the HTTP version on port 80. I guess it helped, maybe it was another setting, but hey, according to my knowledge Nextcloud only operates over 443, so I guess it's okay. Please correct me otherwise.
Here are the settings of the https domain:
Here the Handler:
Here would be my Caddyfile, but that's generated by the software; I didn't touch it.
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
# caddy_user=root
# Global Options
{
  log {
    output net unixgram//var/run/caddy/log.sock {
    }
    format json {
      time_format rfc3339
    }
  }
  servers {
    protocols h1 h2
  }
  email youarereadingverycarefulydamn@domain.com
  grace_period 10s
  import /usr/local/etc/caddy/caddy.d/*.global
}
# Reverse Proxy Configuration
# Reverse Proxy Domain: "1d7bac6d-823a-424b-943d-120ef39213a4"
cloud.domain.com:443 {
  handle {
    reverse_proxy 192.168.27.6:11000 {
    }
  }
}
# Reverse Proxy Domain: "0cfcc2ee-a4cb-4e67-9347-575e8aadbc72"
http://cloud.domain.com:80 {
}
import /usr/local/etc/caddy/caddy.d/*.conf
Under “Access” and “Headers” nothing is configured.
Do you need the Caddy log too? But the post here is very long already.
Thank you all for reading until here; I would be more than happy if that problem were fixed, I really really cannot wrap my head around it!
What's the problem? The NC? The FW? The reverse proxy? Or DNS? Layer 8?
Thanks!!!
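The curl transcripts in the post carry most of the diagnosis if they are read as a set: on the VM, port 11000 answers plain HTTP with a 302 to https://cloud.domain.com/login (the application is up), an https:// request to the same port fails with OpenSSL's "wrong version number" (a TLS ClientHello answered by a non-TLS server, which is how an AIO backend on APACHE_PORT is supposed to behave), and ports 80/443 on the VM are closed (the containers publish neither). The one address that stands out is the DNS answer: Pi-hole and /etc/hosts resolve cloud.domain.com to 192.168.27.6, the backend, not to 192.168.27.99 where Caddy terminates TLS, so an internal client never reaches the proxy. The script below, an added example and not part of the post or of Nextcloud AIO, encodes that reading as a small triage: it classifies curl output by its telltale lines and combines the verdicts with the DNS answer into findings. The transcripts are condensed from the ones posted above; the hostname, addresses and port are the post's own values, and the finding names are made up here.

```python
from typing import Dict, List, Tuple

# Constructed from the values in the post: the hostname placeholder, the two LAN
# addresses and APACHE_PORT. Nothing here contacts a live system.
NAME = "cloud.domain.com"
PROXY_IP = "192.168.27.99"     # OPNsense with the Caddy plugin; terminates TLS on 443
BACKEND_IP = "192.168.27.6"    # Debian VM running the AIO containers
BACKEND_PORT = 11000           # APACHE_PORT: plain HTTP, meant to sit behind the proxy

# Telltale fragments of a curl -v transcript and what each one means, checked in order.
CURL_VERDICTS: List[Tuple[str, str]] = [
    ("Connection refused", "closed"),        # no listener on that port
    ("wrong version number", "plaintext"),   # TLS ClientHello answered by a non-TLS server
    ("HTTP/1.1 302", "http-redirect"),       # plain HTTP answered; the app redirected us
    ("HTTP/1.1 200", "http-ok"),
]

Probe = Tuple[str, int, str]  # (host, port, scheme)


def classify_curl(transcript: str) -> str:
    """Reduce a curl -v transcript to one verdict, or 'unknown' if nothing matched."""
    for needle, verdict in CURL_VERDICTS:
        if needle in transcript:
            return verdict
    return "unknown"


def diagnose(resolved_ip: str, verdicts: Dict[Probe, str],
             proxy_ip: str = PROXY_IP, backend_ip: str = BACKEND_IP,
             backend_port: int = BACKEND_PORT) -> List[str]:
    """Combine the DNS answer for the public name with per-probe verdicts into findings."""
    findings: List[str] = []
    if resolved_ip == proxy_ip:
        findings.append("dns-points-at-proxy")
    elif resolved_ip == backend_ip:
        findings.append("dns-bypasses-proxy")        # clients hit the VM, where nothing serves 443
    else:
        findings.append("dns-points-elsewhere")

    # In the reverse-proxy layout the VM is expected to speak plain HTTP on APACHE_PORT only.
    if verdicts.get((backend_ip, backend_port, "http")) in ("http-redirect", "http-ok"):
        findings.append("backend-http-up")
    if verdicts.get((backend_ip, backend_port, "https")) == "plaintext":
        findings.append("backend-plaintext-as-designed")
    if verdicts.get((backend_ip, 443, "https")) == "closed":
        findings.append("backend-no-tls-listener-as-designed")
    if verdicts.get((proxy_ip, 443, "https")) is None:
        findings.append("proxy-443-not-probed")      # the post never curls the proxy itself
    return findings


# Condensed transcripts, taken from the curl output in the post.
POSTED: Dict[Probe, str] = {
    (BACKEND_IP, 80, "http"):
        "* connect to 192.168.27.6 port 80 failed: Connection refused\n"
        "curl: (7) Failed to connect to 192.168.27.6 port 80 after 0 ms: Couldn't connect to server",
    (BACKEND_IP, 443, "https"):
        "* connect to 192.168.27.6 port 443 failed: Connection refused\n"
        "curl: (7) Failed to connect to 192.168.27.6 port 443 after 0 ms: Couldn't connect to server",
    (BACKEND_IP, BACKEND_PORT, "http"):
        "< HTTP/1.1 302 Found\n< Location: https://cloud.domain.com/login",
    (BACKEND_IP, BACKEND_PORT, "https"):
        "curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number",
}


def demo() -> List[str]:
    """nslookup in the post returned the NC VM's address for cloud.domain.com."""
    verdicts = {probe: classify_curl(text) for probe, text in POSTED.items()}
    return diagnose(resolved_ip=BACKEND_IP, verdicts=verdicts)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The missing probe is the informative one: `curl -vk https://192.168.27.99/` from inside the LAN (and from the VM) tests the proxy's TLS listener directly, independent of what the name resolves to, and a split-DNS record that maps cloud.domain.com to 192.168.27.99 for internal clients is what routes them through Caddy the same way external clients go.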
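On the question of whether the reverse proxy's address belongs in trusted_domains: that setting is matched against the Host header the backend receives, while trusted_proxies decides whose X-Forwarded-For the application believes when it works out the client address that brute-force protection and rate limiting key on. With Caddy preserving the original Host header, the hostname entry is what matters and the proxy IP in trusted_domains is harmless but unnecessary; the proxy IP in trusted_proxies, on the other hand, is essential, because without it every request appears to come from the proxy itself. The following is an added example, not Nextcloud's own code: it uses the trusted_proxies and trusted_domains values from the config.php above and shows how a trusted-proxy check, a right-to-left X-Forwarded-For walk (the conventional hardened approach; no claim is made that Nextcloud parses the header exactly this way) and a Host check behave for a few constructed requests. The 203.0.113.x addresses are TEST-NET-3 documentation values, and 192.168.27.50 is a made-up untrusted LAN peer.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed to mirror the trusted_proxies and trusted_domains entries of the
# config.php in the post; cloud.domain.com is the placeholder name used there.
# Nothing here talks to a live system.
TRUSTED_PROXIES: List[str] = ["127.0.0.1", "::1", "172.18.0.0/16", "192.168.27.99"]
TRUSTED_DOMAINS: List[str] = ["localhost", "cloud.domain.com", "192.168.27.6", "192.168.27.99"]


def is_trusted_proxy(addr: str, trusted: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """True if addr equals a trusted proxy address or lies inside a trusted CIDR."""
    ip = ipaddress.ip_address(addr)
    # ip_network() turns a bare address into a /32 or /128; strict=False tolerates
    # host bits being set. Membership across IP versions is always False.
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def effective_client_ip(remote_addr: str, headers: Dict[str, str],
                        trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Address the application attributes the request to (and keys rate limits on).

    X-Forwarded-For is honoured only when the TCP peer is itself a trusted proxy;
    from anyone else the header is client-controlled and ignored. Inside the header
    the chain is walked right to left and the first hop that is not a trusted proxy
    is the client, so a value prepended on the left by the client changes nothing.
    """
    trusted = list(trusted)  # iterated more than once below
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: trust nothing in this header
        if not is_trusted_proxy(hop, trusted):
            return hop
    return remote_addr  # every hop was a proxy; the peer is the best we have


def host_is_trusted(host_header: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> bool:
    """Host header check in the spirit of trusted_domains: the host part, with any
    port removed, must match an entry exactly (no wildcard support in this sketch)."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal, maybe with port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                 # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host in {t.lower() for t in trusted}


def demo() -> Dict[str, object]:
    """Scenarios built around the post's addresses; 203.0.113.0/24 is TEST-NET-3."""
    one_hop = {"X-Forwarded-For": "203.0.113.7"}
    two_hops = {"X-Forwarded-For": "203.0.113.7, 172.18.0.3"}   # client, then a docker-net hop
    prepended = {"X-Forwarded-For": "10.9.9.9, 203.0.113.7"}    # client-supplied hop on the left
    return {
        "via_trusted_proxy": effective_client_ip("192.168.27.99", one_hop),
        "via_untrusted_peer": effective_client_ip("192.168.27.50", one_hop),
        "two_hops": effective_client_ip("192.168.27.99", two_hops),
        "prepended_hop": effective_client_ip("192.168.27.99", prepended),
        "host_ok": host_is_trusted("cloud.domain.com"),
        "host_with_port": host_is_trusted("cloud.domain.com:11000"),
        "host_unknown": host_is_trusted("nextcloud.example.net"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The "via_untrusted_peer" case is the one to watch in a deployment: if the proxy's address were missing from trusted_proxies, every user would be attributed to 192.168.27.99, so a handful of failed logins by anyone would trip brute-force protection for everyone behind the proxy, and per-user rate limits would be shared.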