AIO Docker can't connect to itself with Caddy Reverse Proxy on OPNsense

The Basics

  • Nextcloud Server version:
    • Nextcloud AIO 30.0.5
  • Operating system and version:
    • Debian 12.9
  • Web server and version :
    • Apache 2.4.62 (Unix)
  • Reverse proxy and version:
    • Caddy 1.8.0_1 installed on OPNsense 24.7.12_2 amd64
  • PHP version :
    • 8.3.15
  • Is this the first time you’ve seen this error?
    • yes
  • When did this problem seem to first start?
    • after installation
  • Installation method:
    • AIO Docker
  • Are you using Cloudflare, mod_security, or similar?
    • No

Hello community,

I really hope that you guys can help me. I went through the palace of my brain, old forum posts, documentation, ChatGPT etc. but I can't solve the problem! I really can't wrap my head around that…
You would really help me out because I tried for so many hours and I won't be the last human being that will be running into that problem. :wink:
And I just bought new hardware so I really really want to use my new baby asap.

I tried to structure this text a little bit, so you have an easier time reading it.
I know it's a long post, but I wanted to include everything, so that you can read it in one go and not have to ask for every detail :)))
So thanks community and let's begin:

I installed a Debian VM on my Proxmox 8.3.2, where I installed Docker version 27.5.0, build a187fa5.
I installed the Caddy reverse proxy plugin on my OPNsense firewall.

Here are the screenshots:

MY PROBLEM:

I set up Nextcloud with the Docker command provided by Nextcloud for reverse proxy environments here; here is the Docker command:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

This is my config.php:

<?php
$CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'check_data_directory_permissions' => false,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'nextcloud-aio-redis',
    'password' => '2cf7e112bade65d0a3b9a0dcb550390909b64ecab1b31600',
    'port' => 6379,
  ),
  'overwritehost' => 'cloud.domain.com',
  'overwriteprotocol' => 'https',
  'passwordsalt' => 'CyCcgjUrP4F80UEWofzEJYFnf8G1Je',
  'secret' => '35BkGXtkaCI+qSjzj39Zs8UCKIzAHufnW4XulcOUBi6JfB61',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'cloud.domain.com',
    2 => '192.168.27.6',
    3 => '192.168.27.99',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '30.0.5.1',
  'overwrite.cli.url' => 'https://cloud.domain.com/',
  'dbname' => 'nextcloud_database',
  'dbhost' => 'nextcloud-aio-database:5432',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_nextcloud',
  'dbpassword' => 'b112f1afaa939f998f968cfa6f3efc5f0e484cd04ef71891',
  'installed' => true,
  'instanceid' => 'oc4iy40xvou5',
  'maintenance' => false,
  'loglevel' => 2,
  'log_type' => 'file',
  'logfile' => '/var/www/html/data/nextcloud.log',
  'log_rotate_size' => 10485760,
  'log.condition' => 
  array (
    'apps' => 
    array (
      0 => 'admin_audit',
    ),
  ),
  'preview_max_x' => 2048,
  'preview_max_y' => 2048,
  'jpeg_quality' => 60,
  'enabledPreviewProviders' => 
  array (
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\MarkDown',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\TXT',
    5 => 'OC\\Preview\\OpenDocument',
    6 => 'OC\\Preview\\Movie',
    7 => 'OC\\Preview\\Krita',
    0 => 'OC\\Preview\\Imaginary',
    23 => 'OC\\Preview\\ImaginaryPDF',
  ),
  'enable_previews' => true,
  'upgrade.disable-web' => true,
  'mail_smtpmode' => 'smtp',
  'trashbin_retention_obligation' => 'auto, 30',
  'versions_retention_obligation' => 'auto, 30',
  'activity_expire_days' => 30,
  'simpleSignUpLink.shown' => false,
  'share_folder' => '/Shared',
  'one-click-instance.link' => 'https://nextcloud.com/all-in-one/',
  'upgrade.cli-upgrade-link' => 'https://github.com/nextcloud/all-in-one/discussions/2726',
  'updatedirectory' => '/nc-updater',
  'maintenance_window_start' => 100,
  'allow_local_remote_servers' => true,
  'davstorage.request_timeout' => 3600,
  'documentation_url.server_logs' => 'https://github.com/nextcloud/all-in-one/discussions/5425',
  'htaccess.RewriteBase' => '/',
  'dbpersistent' => false,
  'auth.bruteforce.protection.enabled' => true,
  'ratelimit.protection.enabled' => true,
  'files_external_allow_create_new_local' => false,
  'trusted_proxies' => 
  array (
    0 => '127.0.0.1',
    1 => '::1',
    10 => '172.18.0.0/16',
    2 => '192.168.27.99',
  ),
  'preview_imaginary_url' => 'http://nextcloud-aio-imaginary:9000',
  'preview_imaginary_key' => 'cc59674791be6949019a46b5c5bf2d66cef505da285083ff',
);

192.168.27.6 is the NC VM IP, 192.168.27.99 is the Gateway=FW=ReverseProxy

Maybe I shouldn't add the reverse proxy IP to the trusted domains?

Some resources told me that I should try
curl -v IP/HOSTNAME

When I try the following:

curl -v 127.0.0.1
curl -v https://127.0.0.1
curl -v 192.168.27.6
curl -v https://192.168.27.6
curl -v cloud.domain.com
curl -v https://cloud.domain.com

then I get this:

*   Trying LOCALIP:443... *(or 80 when I dont use https:// )*
* connect to 192.168.27.6 port 443 failed: Connection refused
* Failed to connect to 192.168.27.6 port 443 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to 192.168.27.6 port 443 *(or 80)*  after 0 ms: Couldn't connect to server

Buuuuut here it gets interesting I would say:
Info: Port 11000 is the port which talks with the reverse proxy

sshman@cloud:~$ curl -v cloud.domain.com:11000
*   Trying 192.168.27.6:11000...
* Connected to cloud.domain.com (192.168.27.6) port 11000 (#0)
> GET / HTTP/1.1
> Host: cloud.domain.com:11000
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Content-Length: 0
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-ZwDCwYvHxoyzfgY2vWNRqZPq1edRqsjg1BsZC6RRnvQ='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Jan 2025 23:19:00 GMT
< Location: https://cloud.domain.com/login
< Referrer-Policy: no-referrer
< Set-Cookie: oc_sessionPassphrase=N6f6K1dJpMi2n422RML5uRTNDyHYnZDV9CFT9r9awMLe34ieY%2FnyX5B9vLVMLxYv1hesAFHDq8iWNzBDr%2BstEuASf7p%2FurEJsJk3KKxPV8kcliny35HgfL0qT7%2BGIeIW; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: oc4iy40xvou5=4c568da1e62006f0199e6295a824a6bb; path=/; secure; HttpOnly; SameSite=Lax
< Strict-Transport-Security: max-age=31536000;
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host cloud.domain.com left intact

sshman@cloud:~$ curl -v https://cloud.domain.com:11000
*   Trying 192.168.27.6:11000...
* Connected to cloud.domain.com (192.168.27.6) port 11000 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number

sshman@cloud:~$ curl -v 127.0.0.1:11000
*   Trying 127.0.0.1:11000...
* Connected to 127.0.0.1 (127.0.0.1) port 11000 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:11000
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Content-Length: 0
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-Xc6NxpZ3jkmqJ6DgQRkzhBdjDyWL2z70vRw4h4RnvGE='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Jan 2025 23:19:36 GMT
< Location: https://cloud.domain.com/login
< Referrer-Policy: no-referrer
< Set-Cookie: oc_sessionPassphrase=1FK9rj%2BIs5bOQl07UQPyOOSvnscGdTQWID2ybIbmvTtE01RB61iolwctzVtcatIb6r3leqVwSaElroJCc3aR85wz%2Fz%2BCzoWrOjs5z%2BHs%2B53x6aeT8stZRLzX5gVIug03; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: oc4iy40xvou5=2a7089c59523c2db14ebb826bc7e5907; path=/; secure; HttpOnly; SameSite=Lax
< Strict-Transport-Security: max-age=31536000;
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host 127.0.0.1 left intact

sshman@cloud:~$ curl -v https://127.0.0.1:11000
*   Trying 127.0.0.1:11000...
* Connected to 127.0.0.1 (127.0.0.1) port 11000 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number

sshman@cloud:~$ curl -v 192.168.27.6:11000
*   Trying 192.168.27.6:11000...
* Connected to 192.168.27.6 (192.168.27.6) port 11000 (#0)
> GET / HTTP/1.1
> Host: 192.168.27.6:11000
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Content-Length: 0
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-135xUuMkBGXlLBJSTE2dqiH1Exn3aC5S/8zZGXpxlAI='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 23 Jan 2025 23:20:48 GMT
< Location: https://cloud.domain.com/login
< Referrer-Policy: no-referrer
< Set-Cookie: oc_sessionPassphrase=JXLyrilLgnwm2jprbCie4wXBGUvEhi8ycRLKvQG3GOAB3khFrLfhE%2BQZQsSttIBVPuQ48k1K%2FqoAjwzN%2BqNBzrgiUimkHLziCdOWchYzKmKi7rMBm5R0vg%2FKQcDXtxki; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: oc4iy40xvou5=e936d691b5340258aa8becef6a2e063e; path=/; secure; HttpOnly; SameSite=Lax
< Strict-Transport-Security: max-age=31536000;
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host 192.168.27.6 left intact

sshman@cloud:~$ curl -v https://192.168.27.6:11000
*   Trying 192.168.27.6:11000...
* Connected to 192.168.27.6 (192.168.27.6) port 11000 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A00010B:SSL routines::wrong version number


The DNS for the Nextcloud is a Pihole.
When I nslookup & ping cloud.domain.com then I get the private IP of the NC.

This is my /etc/hosts file on the NC:

127.0.0.1	localhost
192.168.27.6	cloud.domain.com	cloud

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

So I know that's quite some info now, but thanks for sticking with me until here and please continue reading :slight_smile:

Here are my OPNsense and Caddy Settings:

As I mentioned, I installed the Caddy plugin on OPNsense, because I tried to run my scenario with NGINX Proxy Manager, but I read that there can be problems with NAT reflection etc. on the firewall, so I set up the reverse proxy directly on the FW to avoid a NAT problem, like I read in a forum. (I have nothing configured in terms of NAT)
Hm, doesn't work like a charm either :hot_face:

I can't access the NC via domain or private IP in my internal network MOST OF THE TIME.
I used to get DNS rebind attack warnings in the past when accessing an internal server from inside, but yesterday I turned DNS rebind checks off in
System → Settings "Disable DNS Rebinding Checks". But on my old Nextcloud, the one without reverse proxy, I often couldn't access it because of certificate issues (that you couldn't ignore), but sometimes it worked!
Now I get an “unable to connect” message from my browser

So here are my Firewall Rules:

WAN Interface (WAN gets public IP from my modem)

Nextcloud VLAN
(the last rule is for testing not productive)

I have done it in my internal vlan too.

In the NAT section nothing was configured.

And now, coming to an end, here is the Caddy Configuration:

(I only used the GUI for configuration)
I am getting a certificate because ports 80 and 443 are open.


Here I unchecked HTTP3 because I had little problems when requesting the certificate and the HTTP version on port 80. I guess it helped, maybe it was another setting, but hey, according to my knowledge Nextcloud only operates over 443 so I guess it's okay. Please correct me otherwise.

Here are the settings of the https domain:

Here the Handler:

Here would be my Caddyfile, but that's generated by the software, I didn't touch it.


# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
        log {
                                                                                            output net unixgram//var/run/caddy/log.sock {
        }
        format json {
            time_format rfc3339
        }
            }

            
        
        
    servers {
        protocols h1 h2
                            }

    
                                                            
            
                    
            
        
        
                    email youarereadingverycarefulydamn@domain.com
                    grace_period 10s
    import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration




        







            # Reverse Proxy Domain: "1d7bac6d-823a-424b-943d-120ef39213a4"
        cloud.domain.com:443 {
                                                    

            
                                
                                
                                            handle  {
                
                                                        reverse_proxy 192.168.27.6:11000 {
                
                                                                                                                                }
            }

            
        }
                # Reverse Proxy Domain: "0cfcc2ee-a4cb-4e67-9347-575e8aadbc72"
        http://cloud.domain.com:80 {
                                                    

            
                                
                                
        
        }
    
import /usr/local/etc/caddy/caddy.d/*.conf

Under “Access” and “Headers” is nothing configured.
Do you need the Caddy log too? But the blog here is very long already.

Thank you all for reading until here, I would be more than happy if that problem got fixed, I really really cannot wrap my head around that!
What's the problem? The NC? The FW? The reverse proxy? Or DNS? Layer 8?

Thanks!!! :heart:

Please set Caddy up according to the documentation:

https://docs.opnsense.org/manual/how-tos/caddy.html

Read it carefully and follow the steps outlined there.

I did it now 1:1 like in the documentation, but still that doesn't change my problem!
The only thing I'd like to mention:

When setting the Handler the option TLS Insecure Skip Verify was missing, even with advanced settings.

What should I try next?

Btw, I read many of your comments in the OPNsense forum, I appreciate your work, you are in like every post :slight_smile:

You do not need to set that since the Upstream to 11000 is http://.

Please post your new Caddyfile. If it looks weirdly formatted like above then Caddy is not running.

here:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2 h3
	}

	email email@provider.com
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "1d7bac6d-823a-424b-943d-120ef39213a4"
cloud.domain.com {
	handle {
		reverse_proxy 192.168.27.6:11000 {
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

Caddy looks correctly configured. I also tested it with Nextcloud AIO like 2 months ago and it was working.

You need to use logfiles of the nextcloud webserver and caddy to find out why some connections fail.

This was my config, but you do not necessarily need the redirects or the strict transport security header.

In Caddy set the log level on debug and check the requests. Here is some general troubleshooting help:
https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-troubleshooting

I don’t know how to configure the webserver that Nextcloud uses in their AIO setup to get debug logs. Hopefully someone from this community can help you there.

Thanks, I looked into the Caddy log and I always see a TLS error.
Do you have an idea?
I'm new to Caddy so I have no experience in editing Caddy files and I think I can't do that directly in OPNsense.
It would be awesome if I don't have to break down my Caddy and webserver haha, hope we can solve it without. :smiley:

2025-01-24T17:02:35	Debug	caddy	"debug","ts":"2025-01-24T16:02:35Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.27.6:11000","duration":0.049630722,"request":{"remote_ip":"CLIENTPUBLICIP","remote_port":"52770","client_ip":"CLIENTPUBLICIP","proto":"HTTP/1.1","method":"HEAD","host":"cloud.domain.com","uri":"/login","headers":{"User-Agent":["Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Cache-Control":["no-cache"],"Accept-Encoding":["gzip, deflate"],"Cookie":["REDACTED"],"Accept-Language":["en-US,en;q=0.8"],"Referer":["https://cloud.domain.com"],"Content-Length":["0"],"X-Forwarded-For":["CLIENTPUBLICIP"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.domain.com"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"","server_name":"cloud.domain.com"}},"headers":{"Set-Cookie":["REDACTED"],"Strict-Transport-Security":["max-age=31536000;"],"X-Frame-Options":["SAMEORIGIN"],"X-Robots-Tag":["noindex, nofollow"],"Cache-Control":["no-cache, no-store, must-revalidate"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-Q0Z4cF/JSketR2Yjyi8BmRHXq+jZzehwDnZk54aWNGA=';script-src-elem 'strict-dynamic' 'nonce-Q0Z4cF/JSketR2Yjyi8BmRHXq+jZzehwDnZk54aWNGA=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://cloud.domain.com;font-src 'self' data:;connect-src 'self' wss://cloud.domain.com;media-src 'self';frame-src 'self' nc: https://cloud.domain.com;frame-ancestors 'self' https://cloud.domain.com;form-action 'self' https://cloud.domain.com"],"Date":["Fri, 24 Jan 2025 16:02:35 GMT"],"Feature-Policy":["autoplay 'self';camera 'none';fullscreen 'self' https://cloud.domain.com;geolocation 'none';microphone 'none';payment 'none'"],"X-Content-Type-Options":["nosniff"],"Content-Encoding":["gzip"],"Content-Type":["text/html; charset=UTF-8"],"Referrer-Policy":["no-referrer"],"X-Request-Id":["z55O0ZOkr7cfriFj2u3S"],"Content-Length":["7150"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Xss-Protection":["1; mode=block"]},"status":200}
2025-01-24T17:02:35	Debug	caddy	"debug","ts":"2025-01-24T16:02:35Z","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.27.6:11000","total_upstreams":1}	
2025-01-24T17:02:34	Debug	caddy	"debug","ts":"2025-01-24T16:02:34Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.27.6:11000","duration":0.035435041,"request":{"remote_ip":"CLIENTPUBLICIP","remote_port":"52758","client_ip":"CLIENTPUBLICIP","proto":"HTTP/1.1","method":"HEAD","host":"cloud.domain.com","uri":"/","headers":{"Cache-Control":["no-cache"],"X-Forwarded-For":["CLIENTPUBLICIP"],"Content-Length":["0"],"Accept-Language":["en-US,en;q=0.8"],"Referer":["https://cloud.domain.com"],"User-Agent":["Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.domain.com"],"Accept-Encoding":["gzip, deflate"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"cloud.domain.com"}},"headers":{"Date":["Fri, 24 Jan 2025 16:02:34 GMT"],"X-Permitted-Cross-Domain-Policies":["none"],"Content-Type":["text/html; charset=UTF-8"],"Location":["https://cloud.domain.com/login"],"Set-Cookie":["REDACTED"],"X-Content-Type-Options":["nosniff"],"X-Robots-Tag":["noindex, nofollow"],"Content-Security-Policy":["default-src 'self'; script-src 'self' 'nonce-171V+QSUVY7FxB6g6+cSyQ/rAYMJ06CWPYhhdp9RQLs='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';"],"Referrer-Policy":["no-referrer"],"Strict-Transport-Security":["max-age=31536000;"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"]},"status":302}	
2025-01-24T17:02:34	Debug	caddy	"debug","ts":"2025-01-24T16:02:34Z","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.27.6:11000","total_upstreams":1}	
2025-01-24T17:02:34	Debug	caddy	"debug","ts":"2025-01-24T16:02:34Z","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"CLIENTPUBLICIP","remote_port":"52758","subjects":["cloud.domain.com"],"managed":true,"expiration":"2025-04-22T22:02:00Z","hash":"bce0b83cee466b30faac64c23d51c3ab485d37d4a68fd9a8cd3696311c79b3c7"}	
2025-01-24T17:02:34	Debug	caddy	"debug","ts":"2025-01-24T16:02:34Z","logger":"tls.handshake","msg":"default certificate selection results","identifier":"cloud.domain.com","subjects":["cloud.domain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"bce0b83cee466b30faac64c23d51c3ab485d37d4a68fd9a8cd3696311c79b3c7"}	
2025-01-24T17:02:34	Debug	caddy	"debug","ts":"2025-01-24T16:02:34Z","logger":"tls.handshake","msg":"choosing certificate","identifier":"cloud.domain.com","num_choices":1}	
2025-01-24T17:02:34	Debug	caddy	"debug","ts":"2025-01-24T16:02:34Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"5e27d140-942a-44ea-b9f6-09a40c64d313","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49199,49195,49200,49196,158,49191,103,49192,107,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,162,49326,49324,49314,49310,49244,49248,49238,49234,49188,106,49187,64,49162,49172,57,56,49161,49171,51,50,157,49313,49309,49233,156,49312,49308,49232,61,60,53,47,255],"ServerName":"cloud.domain.com","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"CLIENTPUBLICIP","Port":52758,"Zone":""},"LocalAddr":{"IP":"PUBLICIP","Port":443,"Zone":""}}}}	
2025-01-24T17:01:41	Debug	caddy	"debug","ts":"2025-01-24T16:01:41Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.27.6:11000","duration":0.052048177,"request":{"remote_ip":"CLIENTPUBLICIP","remote_port":"9058","client_ip":"CLIENTPUBLICIP","proto":"HTTP/1.1","method":"POST","host":"cloud.domain.com","uri":"/index.php/apps/phonetrack/log/traccar/8d64c4bde6877d3a28408df6573e46e0/CMFPhone1?id=390811&timestamp=1737572091&lat=48.1663304&lon=14.0397686&speed=0.0&bearing=0.0&altitude=364.20001220703125&accuracy=14.315999984741211&batt=13.0","headers":{"Accept-Encoding":["gzip"],"Content-Length":["0"],"Content-Type":["application/x-www-form-urlencoded"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.domain.com"],"User-Agent":["Dalvik/2.1.0 (Linux; U; Android 14; A015 Build/UP1A.231005.007)"],"X-Forwarded-For":["CLIENTPUBLICIP"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"cloud.domain.com"}},"headers":{"Date":["Fri, 24 Jan 2025 16:01:41 GMT"],"X-Content-Type-Options":["nosniff"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Robots-Tag":["noindex, nofollow"],"Content-Security-Policy":["default-src 'self'; script-src 'self' 'nonce-eHQyy99rhpsoRwATTVy5YYKXge8TikH4H/i0d9D/zqU='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';"],"Set-Cookie":["REDACTED"],"Strict-Transport-Security":["max-age=31536000;"],"X-Xss-Protection":["1; mode=block"],"Content-Type":["text/html; charset=UTF-8"],"Referrer-Policy":["no-referrer"],"X-Frame-Options":["SAMEORIGIN"]},"status":404}	
2025-01-24T17:01:41	Debug	caddy	"debug","ts":"2025-01-24T16:01:41Z","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.27.6:11000","total_upstreams":1}	
2025-01-24T17:01:41	Debug	caddy	"debug","ts":"2025-01-24T16:01:41Z","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"CLIENTPUBLICIP","remote_port":"9058","subjects":["cloud.domain.com"],"managed":true,"expiration":"2025-04-22T22:02:00Z","hash":"bce0b83cee466b30faac64c23d51c3ab485d37d4a68fd9a8cd3696311c79b3c7"}	
2025-01-24T17:01:41	Debug	caddy	"debug","ts":"2025-01-24T16:01:41Z","logger":"tls.handshake","msg":"default certificate selection results","identifier":"cloud.domain.com","subjects":["cloud.domain.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"bce0b83cee466b30faac64c23d51c3ab485d37d4a68fd9a8cd3696311c79b3c7"}	
2025-01-24T17:01:41	Debug	caddy	"debug","ts":"2025-01-24T16:01:41Z","logger":"tls.handshake","msg":"choosing certificate","identifier":"cloud.domain.com","num_choices":1}	
2025-01-24T17:01:41	Debug	caddy	"debug","ts":"2025-01-24T16:01:41Z","logger":"events","msg":"event","name":"tls_get_certificate","id":"887d5364-ed8b-4bc1-8a09-c8c55cce6037","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,52393,49199,49200,52392,49161,49162,49171,49172,156,157,47,53],"ServerName":"cloud.domain.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"CLIENTPUBLICIP","Port":9058,"Zone":""},"LocalAddr":{"IP":"PUBLICIP","Port":443,"Zone":""}}}}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"admin","msg":"stopped previous server","address":"unix//var/run/caddy/caddy.sock|0220"}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"admin.api","msg":"load complete"}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","msg":"autosaved config (load with --resume flag)","file":"/var/db/caddy/config/caddy/autosave.json"}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"servers shutting down; grace period initiated","duration":10}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.domain.com"]}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}	
2025-01-24T17:00:50	Warning	caddy	"warn","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}	
2025-01-24T17:00:50	Warning	caddy	"warn","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}	
2025-01-24T17:00:50	Debug	caddy	"debug","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}	
2025-01-24T17:00:50	Debug	caddy	"debug","ts":"2025-01-24T16:00:50Z","logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}	
2025-01-24T17:00:50	Debug	caddy	"debug","ts":"2025-01-24T16:00:50Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["cloud.domain.com"]},{}]}},"http":{"grace_period":10000000000,"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.27.6:11000"}]}]}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"protocols":["h1","h2","h3"]}}}}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"admin","msg":"admin endpoint started","address":"unix//var/run/caddy/caddy.sock|0220","enforce_origin":false,"origins":["","//127.0.0.1","//::1"]}	
2025-01-24T17:00:50	Informational	caddy	"info","ts":"2025-01-24T16:00:50Z","logger":"admin.api","msg":"received request","method":"POST","host":"127.0.0.1","uri":"/load","remote_ip":"","remote_port":"","headers":{"Accept-Encoding":["gzip"],"Cache-Control":["must-revalidate"],"Content-Length":["760"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}	
2025-01-24T17:00:47	Informational	caddy	"info","ts":"2025-01-24T16:00:47Z","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x86c1b5280"}	
2025-01-24T17:00:47	Debug	caddy	"debug","ts":"2025-01-24T16:00:47Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["cloud.domain.com"]},{}]}},"http":{"grace_period":10000000000,"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.27.6:11000"}]}]}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"protocols":["h1","h2","h3"]}}}}	
2025-01-24T17:00:47	Informational	caddy	"info","ts":"2025-01-24T16:00:47Z","logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}	
2025-01-24T17:00:47	Informational	caddy	"info","ts":"2025-01-24T16:00:47Z","logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}	
2025-01-24T17:00:47	Informational	caddy	"info","ts":"2025-01-24T16:00:47Z","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x86c1b5280"}

The logs look ok to me. The TLS error is unrelated. HTTP2 and 3 require TLS, but the upstream to 11000 is HTTP, so it must use HTTP1 which it does automatically.

Seems like everything works as expected. Caddy works, the Nextcloud works.

Also you do not need to edit the Caddyfile, everything I showed can always be configured from the GUI.

If the issues are just the Collabora Online server, use the integrated nextcloud plugin. It just works.

But the configs that you posted on GitHub have to be edited in the Caddyfile, right?
The most important error codes are in the overview that I posted.
I think there is a setting where I can skip the domain validation; they say it's not recommended.
But I guess that will be the only way to go, right? (If that would solve the problem)

You said that you are also hosting NC AIO behind Caddy right. Can your nextcloud curl itself?

I don't host AIO right now, but this issue looks like a DNS related issue.

All DNS Records should point to the OPNsense if you want to use it as reverse proxy.

That means cloud.domain.com should always point to either the OPNsense external or internal IP address.

In your example it points to the nextcloud itself, but there is no https on 443 on the nextcloud host itself (via hosts file), so curl fails. If it would point to the OPNsense, it would get the request since it listens on https:// 443 and then reverse proxy that request back to the nextcloud host on 11000.

I don’t know why you want to curl the AIO on 80 and 443 directly.
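A check for the DNS rule in this reply, added here as an example and not taken from the thread, OPNsense or Nextcloud: it parses the /etc/hosts file and the trusted_proxies block quoted earlier in the thread (embedded below as constructed samples with the thread's IPs), reports whether cloud.domain.com points at the Caddy host or at the Nextcloud VM, and rewrites the hosts entry so the name points at the proxy. The function names and the "proxy must be in trusted_proxies" check are my additions.

```python
import ipaddress
import re

# Constructed samples, copied from the values quoted in this thread:
# the /etc/hosts on the Nextcloud VM and the trusted_proxies block of config.php.
HOSTS_ON_NC_VM = """\
127.0.0.1\tlocalhost
192.168.27.6\tcloud.domain.com\tcloud

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""

CONFIG_PHP_EXCERPT = """\
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '::1',
    10 => '172.18.0.0/16',
    2 => '192.168.27.99',
  ),
"""

DOMAIN = "cloud.domain.com"
PROXY_IP = "192.168.27.99"    # OPNsense = gateway = Caddy, terminates TLS on 443
BACKEND_IP = "192.168.27.6"   # Nextcloud VM, only plain HTTP on APACHE_PORT 11000


def parse_hosts(text):
    """Map every hostname in an /etc/hosts file to the first address listed for it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first match wins, as the resolver does
    return mapping


def parse_trusted_proxies(php_text):
    """Pull the trusted_proxies entries out of config.php as ip_network objects."""
    block = re.search(r"'trusted_proxies'\s*=>\s*array\s*\((.*?)\)", php_text, re.S)
    if not block:
        return []
    values = re.findall(r"=>\s*'([^']+)'", block.group(1))
    # strict=False lets a bare host address such as '127.0.0.1' parse as a /32 or /128
    return [ipaddress.ip_network(v, strict=False) for v in values]


def is_trusted(ip, networks):
    """True if ip is covered by any trusted_proxies entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)   # IPv4 vs IPv6 mismatch compares as False


def diagnose(domain, hosts_text, php_text, proxy_ip=PROXY_IP, backend_ip=BACKEND_IP):
    """Apply the rule from the thread: the name must resolve to the proxy, and the
    proxy must be listed in trusted_proxies so X-Forwarded-For from Caddy is honoured."""
    resolved = parse_hosts(hosts_text).get(domain.lower())
    return {
        "resolved": resolved,
        "points_at_proxy": resolved == proxy_ip,
        "points_at_backend": resolved == backend_ip,
        "proxy_trusted": is_trusted(proxy_ip, parse_trusted_proxies(php_text)),
    }


def explain(report, domain):
    """Turn a diagnose() report into the message a human would want to read."""
    if report["points_at_backend"]:
        return (f"{domain} resolves to the backend {report['resolved']}, which serves only "
                f"plain HTTP on 11000; https://{domain} from the NC VM is refused on 443. "
                f"Point the name at the proxy {PROXY_IP} instead.")
    if not report["points_at_proxy"]:
        return f"{domain} resolves to {report['resolved']}, not to the proxy {PROXY_IP}."
    if not report["proxy_trusted"]:
        return f"{PROXY_IP} is missing from trusted_proxies; client IPs would be wrong."
    return f"{domain} -> {PROXY_IP} (TLS on 443) -> {BACKEND_IP}:11000 looks consistent."


def rewrite_hosts(text, domain, new_ip):
    """Return the hosts file with every line that names `domain` pointed at new_ip."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) > 1 and domain.lower() in (n.lower() for n in fields[1:]):
            out.append("\t".join([new_ip, *fields[1:]]))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = diagnose(DOMAIN, HOSTS_ON_NC_VM, CONFIG_PHP_EXCERPT)
    print(explain(before, DOMAIN))
    fixed = rewrite_hosts(HOSTS_ON_NC_VM, DOMAIN, PROXY_IP)
    print(explain(diagnose(DOMAIN, fixed, CONFIG_PHP_EXCERPT), DOMAIN))
```

The same rule applies to the Pi-hole record: it should answer with the OPNsense address, not the VM's, otherwise LAN clients hit the same refused port 443.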

Oooh my god it works!!! I didn't know why I thought like that! Thanks, you are the best man!
Tomorrow I will try if WebDAV etc. works and then I'll close this here
Thanks again!!!


Great, np.

To recreate the two redirects for WebDAV and CardDAV in the GUI, just create three handlers for the same domain. Two with type redir and one with type reverse_proxy. Just play around with it, I'm sure you’ll manage to make it look like the example on GitHub. :slight_smile:

thanks but it worked without any further configuration ^^
