AppAPI - Register Daemon - HaRP shared key does not saved

Siassei · November 9, 2025, 9:52pm

Support intro

Sorry to hear you’re facing problems.

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

Official documentation (searchable and regularly updated)
How to topics and FAQs
Forum search

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 32.0.1
Operating system and version (e.g., Ubuntu 24.04):
- Docker Container - Linux 6.12.48+deb13-amd64 x86_64
Web server and version (e.g, Apache 2.4.25):
- ?
Reverse proxy and version _(e.g. nginx 1.27.2)
- nginx 1.28.0
PHP version (e.g, 8.3):
- 8.3.27
Is this the first time you’ve seen this error? (Yes / No):
- Yes
When did this problem seem to first start?
- .
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- .
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue you are facing:

I had problems to setup a Deploy Daemon for AppAPI. I’m running nextcloud in a docker compose envorinment and will add a HaRP Proxy which also runs in the docker compose env. .

If I try to add the HaRP Proxy (Docker), I see the HaRP shared key is “dummySecret123”. If I change the value, save and reopen the dialog, the default HaRP shared key is displayed. Why is the shared key not saved?

Steps to replicate it (hint: details matter!):

Register Daemon (under AppAPI), HaRP Proxy (Docker)
change the HaRP shared key
Check connection is “green”
Click to save
re-open with “edit” the dialog and the default HaRP shared key is displayed

DaddyWarlock · November 11, 2025, 12:46am

Following… I’m having the same problem.

jtr · November 12, 2025, 5:40pm

I believe it’s always swapped with dummySecret123 for display purposes:

github.com/nextcloud/app_api

lib/Controller/DaemonConfigController.php

f9120f042


      
          		// Mask the password with "dummySecret123" if it is set
          		$updatedDeployConfig = $updatedDaemonConfig->getDeployConfig();
          		if (!empty($updatedDeployConfig['haproxy_password'] ?? null)) {
          			$updatedDeployConfig['haproxy_password'] = 'dummySecret123';
          			$updatedDaemonConfig->setDeployConfig($updatedDeployConfig);
          		}

Though since that’s also used to indicate when it hasn’t been setup yet (i.e. the default), perhaps a different replacement string would be clearer.

Siassei · November 12, 2025, 7:58pm

@jtr The question is than why the daemon does not work.

nginx.conf

server {
    if ($host = XXXX) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
        listen 80;
        listen [::]:80;
        server_name XXXX;
        return 301 https://$server_name$request_uri; 
}
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;

        server_name XXXX;

        # ...

        gzip on;

        # ...

        location /exapps/ {
            proxy_pass http://127.0.0.1:8780;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        
        location / {
                proxy_cookie_path / "/; secure; HttpOnly";                
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_redirect off;
                proxy_pass http://127.0.0.1:XXXX;
        }
}

My docker-compose.yml

services:
  db:
    image: postgres:...
    # ...

  redis:
    image: redis:....
    restart: unless-stopped

  appapi-harp:
    image: ghcr.io/nextcloud/nextcloud-appapi-harp:release
    ports:
      - 8780:8780
      - 8782:8782
    restart: unless-stopped
    volumes:
      - ./certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - HP_SHARED_KEY=my_key
      - NC_INSTANCE_URL=https://abc.dd

  nextcloud:
    image: nextcloud:32...
    depends_on:
      - redis
      - db
      - appapi-harp
    ports:
      - "127.0.0.1:XXXX:80"
    # ...
    environment:
      # ...
      - REDIS_HOST=redis

volumes:
  # ...

networks:
  default:
    name: nextcloud-network

Must I expose port 8781? Must I link nginx to 8781?

A url https request abc.dd/exapps I get an http 404 error code. The following log lines looks ok for me

appapi-harp-1  | [2025-11-12T19:53:07+0000] [ERROR] Invalid request path, cannot find AppID: /exapps/
appapi-harp-1  | [2025-11-12T19:53:07+0000] [WARNING] Recorded failure for IP 172.18.0.1. Failures in window: 2

Full appapi-harp log output

$ docker compose logs appapi-harp
appapi-harp-1  | INFO: Creating /haproxy.cfg from haproxy.cfg.template...
appapi-harp-1  | INFO: No /certs/cert.pem found, disabling HTTPS frontends...
appapi-harp-1  | INFO: Final /haproxy.cfg:
appapi-harp-1  | # SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
appapi-harp-1  | # SPDX-License-Identifier: AGPL-3.0-or-later
appapi-harp-1  | 
appapi-harp-1  | ###############################################################################
appapi-harp-1  | # haproxy.cfg.template
appapi-harp-1  | #
appapi-harp-1  | # This template is processed by envsubst in start.sh to replace variables:
appapi-harp-1  | #   HP_EXAPPS_ADDRESS,
appapi-harp-1  | #   HP_EXAPPS_HTTPS_ADDRESS,
appapi-harp-1  | #   HP_TIMEOUT_CONNECT,
appapi-harp-1  | #   HP_TIMEOUT_CLIENT,
appapi-harp-1  | #   HP_TIMEOUT_SERVER,
appapi-harp-1  | #
appapi-harp-1  | ## If /certs/cert.pem is not found, lines containing "_HTTPS_FRONTEND_" are
appapi-harp-1  | # commented out automatically in start.sh.
appapi-harp-1  | ###############################################################################
appapi-harp-1  | 
appapi-harp-1  | global
appapi-harp-1  |     log stdout local0 warning
appapi-harp-1  |     maxconn 8192
appapi-harp-1  |     ca-base /etc/ssl/certs
appapi-harp-1  | 
appapi-harp-1  | defaults
appapi-harp-1  |     log global
appapi-harp-1  |     option httplog
appapi-harp-1  |     option dontlognull
appapi-harp-1  |     timeout connect 30s
appapi-harp-1  |     timeout client 30s
appapi-harp-1  |     timeout server 1800s
appapi-harp-1  | 
appapi-harp-1  | 
appapi-harp-1  | ###############################################################################
appapi-harp-1  | # FRONTEND: ex_apps (HTTP)
appapi-harp-1  | ###############################################################################
appapi-harp-1  | frontend ex_apps
appapi-harp-1  |     mode http
appapi-harp-1  |     bind 0.0.0.0:8780
appapi-harp-1  | 
appapi-harp-1  |     filter spoe engine exapps-spoe config /etc/haproxy/spoe-agent.conf
appapi-harp-1  |     http-request silent-drop if { var(txn.exapps.bad_request) -m int eq 1 }
appapi-harp-1  |     http-request return status 401 content-type text/plain string "401 Unauthorized" if { var(txn.exapps.unauthorized) -m int eq 1 }
appapi-harp-1  |     http-request return status 403 content-type text/plain string "403 Forbidden" if { var(txn.exapps.forbidden) -m int eq 1 }
appapi-harp-1  |     http-request return status 404 content-type text/plain string "404 Not Found" if { var(txn.exapps.not_found) -m int eq 1 }
appapi-harp-1  |     use_backend %[var(txn.exapps.backend)]
appapi-harp-1  | 
appapi-harp-1  | ###############################################################################
appapi-harp-1  | # FRONTEND: ex_apps_https (only enabled if /certs/cert.pem exists)
appapi-harp-1  | ###############################################################################
appapi-harp-1  | #_HTTPS_FRONTEND_ frontend ex_apps_https
appapi-harp-1  | #_HTTPS_FRONTEND_     mode http
appapi-harp-1  | #_HTTPS_FRONTEND_     bind 0.0.0.0:8781 ssl crt /certs/cert.pem
appapi-harp-1  | 
appapi-harp-1  | #_HTTPS_FRONTEND_     filter spoe engine exapps-spoe config /etc/haproxy/spoe-agent.conf
appapi-harp-1  | #_HTTPS_FRONTEND_     http-request silent-drop if { var(txn.exapps.bad_request) -m int eq 1 }
appapi-harp-1  | #_HTTPS_FRONTEND_     http-request return status 401 content-type text/plain string "401 Unauthorized" if { var(txn.exapps.unauthorized) -m int eq 1 }
appapi-harp-1  | #_HTTPS_FRONTEND_     http-request return status 403 content-type text/plain string "403 Forbidden" if { var(txn.exapps.forbidden) -m int eq 1 }
appapi-harp-1  | #_HTTPS_FRONTEND_     http-request return status 404 content-type text/plain string "404 Not Found" if { var(txn.exapps.not_found) -m int eq 1 }
appapi-harp-1  | #_HTTPS_FRONTEND_     use_backend %[var(txn.exapps.backend)]
appapi-harp-1  | 
appapi-harp-1  | ###############################################################################
appapi-harp-1  | # BACKENDS: ex_apps & ex_apps_backend_w_bruteforce
appapi-harp-1  | ###############################################################################
appapi-harp-1  | backend ex_apps_backend
appapi-harp-1  |     mode http
appapi-harp-1  |     server frp_server 0.0.0.0
appapi-harp-1  |     http-request set-path %[var(txn.exapps.target_path)]
appapi-harp-1  |     http-request set-dst var(txn.exapps.target_ip)
appapi-harp-1  |     http-request set-dst-port var(txn.exapps.target_port)
appapi-harp-1  |     http-request set-header EX-APP-ID %[var(txn.exapps.exapp_id)]
appapi-harp-1  |     http-request set-header EX-APP-VERSION %[var(txn.exapps.exapp_version)]
appapi-harp-1  |     http-request set-header AUTHORIZATION-APP-API %[var(txn.exapps.exapp_token)]
appapi-harp-1  |     http-request set-header AA-VERSION "32"  # TO-DO: temporary, remove it after we update all ExApps.
appapi-harp-1  | 
appapi-harp-1  | backend ex_apps_backend_w_bruteforce
appapi-harp-1  |     mode http
appapi-harp-1  |     server frp_server 0.0.0.0
appapi-harp-1  |     http-request set-path %[var(txn.exapps.target_path)]
appapi-harp-1  |     http-request set-dst var(txn.exapps.target_ip)
appapi-harp-1  |     http-request set-dst-port var(txn.exapps.target_port)
appapi-harp-1  |     http-request set-header EX-APP-ID %[var(txn.exapps.exapp_id)]
appapi-harp-1  |     http-request set-header EX-APP-VERSION %[var(txn.exapps.exapp_version)]
appapi-harp-1  |     http-request set-header AUTHORIZATION-APP-API %[var(txn.exapps.exapp_token)]
appapi-harp-1  |     http-request set-header AA-VERSION "32"  # TO-DO: temporary, remove it after we update all ExApps.
appapi-harp-1  |     filter spoe engine exapps-bruteforce-protection-spoe config /etc/haproxy/spoe-agent.conf
appapi-harp-1  | 
appapi-harp-1  | ###############################################################################
appapi-harp-1  | # BACKEND: nextcloud_control (HTTP)
appapi-harp-1  | ###############################################################################
appapi-harp-1  | backend nextcloud_control_backend
appapi-harp-1  |     mode http
appapi-harp-1  |     server nextcloud_control 127.0.0.1:8200
appapi-harp-1  |     http-request set-path %[var(txn.exapps.target_path)]
appapi-harp-1  | 
appapi-harp-1  | ###############################################################################
appapi-harp-1  | # BACKEND: docker_engine (HTTP)
appapi-harp-1  | ###############################################################################
appapi-harp-1  | backend docker_engine_backend
appapi-harp-1  |     mode http
appapi-harp-1  |     server frp_server 127.0.0.1
appapi-harp-1  |     http-request set-dst-port var(txn.exapps.target_port)
appapi-harp-1  |     http-request set-path %[var(txn.exapps.target_path)]
appapi-harp-1  | 
appapi-harp-1  |     # docker system _ping
appapi-harp-1  |     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
appapi-harp-1  |     # docker inspect image
appapi-harp-1  |     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/.*/json } METH_GET
appapi-harp-1  |     # container inspect: GET containers/%s/json
appapi-harp-1  |     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
appapi-harp-1  |     # container inspect: GET containers/%s/logs
appapi-harp-1  |     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET
appapi-harp-1  | 
appapi-harp-1  |     # image pull: POST images/create?fromImage=%s
appapi-harp-1  |     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
appapi-harp-1  |     http-request deny
appapi-harp-1  | 
appapi-harp-1  | 
appapi-harp-1  | backend agents
appapi-harp-1  |     mode tcp
appapi-harp-1  |     timeout connect 5s
appapi-harp-1  |     timeout server  3m
appapi-harp-1  |     option spop-check
appapi-harp-1  |     server agent1 127.0.0.1:9600 check
appapi-harp-1  | INFO: FRP server configuration generated at /frps.toml.
appapi-harp-1  | INFO: Detected /var/run/docker.sock, generating /frpc-docker.toml configuration file...
appapi-harp-1  | INFO: Starting Python HaProxy Agent on 127.0.0.1:8200 and 127.0.0.1:9600...
appapi-harp-1  | INFO: Starting FRP server on 0.0.0.0:8782...
appapi-harp-1  | INFO: Starting FRP client for Docker Engine...
appapi-harp-1  | INFO: Starting HAProxy...
appapi-harp-1  | 2025-11-09 20:20:02.161 [I] [sub/root.go:142] start frpc service for config file [/frpc-docker.toml]
appapi-harp-1  | 2025-11-09 20:20:02.161 [I] [client/service.go:295] try to connect to server...
appapi-harp-1  | [NOTICE]   (1) : Initializing new worker (35)
appapi-harp-1  | 2025-11-09 20:20:02.177 [I] [client/service.go:287] [1a31f64951b54d8c] login to server success, get run id [1a31f64951b54d8c]
appapi-harp-1  | 2025-11-09 20:20:02.177 [I] [proxy/proxy_manager.go:173] [1a31f64951b54d8c] proxy added: [bundled-deploy-daemon]
appapi-harp-1  | 2025-11-09 20:20:02.180 [I] [client/control.go:168] [1a31f64951b54d8c] [bundled-deploy-daemon] start proxy success
appapi-harp-1  | [NOTICE]   (1) : Loading success.
appapi-harp-1  | [2025-11-09T20:20:17+0000] [WARNING] Recorded failure for IP 172.18.0.5. Failures in window: 1
appapi-harp-1  | [2025-11-09T20:20:22+0000] [WARNING] Recorded failure for IP 172.18.0.5. Failures in window: 2
appapi-harp-1  | [2025-11-12T19:47:49+0000] [ERROR] Invalid request path, cannot find AppID: /exapps/
appapi-harp-1  | [2025-11-12T19:47:49+0000] [WARNING] Recorded failure for IP 172.18.0.1. Failures in window: 1
appapi-harp-1  | [2025-11-12T19:51:10+0000] [ERROR] Invalid request path, cannot find AppID: /exapps/
appapi-harp-1  | [2025-11-12T19:51:10+0000] [WARNING] Recorded failure for IP 172.18.0.1. Failures in window: 2
appapi-harp-1  | [2025-11-12T19:53:07+0000] [ERROR] Invalid request path, cannot find AppID: /exapps/
appapi-harp-1  | [2025-11-12T19:53:07+0000] [WARNING] Recorded failure for IP 172.18.0.1. Failures in window: 2

Siassei · November 12, 2025, 8:19pm

A “test deploy” ends at the Hearbeat. The counter is rising until maximum. Nextcloud logs

Error
app_api
ExApp test-deploy heartbeat check failed. Make sure that Nextcloud instance and ExApp can reach it other.

Nov 12, 2025, 9:15:19 PM

Error
app_api
Error executing occ command. Return code: 1, stdout: , stderr:

Nov 12, 2025, 9:15:19 PM

Error
app_api
ExApp test-deploy heartbeat check failed. Make sure that Nextcloud instance and ExApp can reach it other.

Nov 12, 2025, 9:15:19 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 50 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:15:15 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 50 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:15:15 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 40 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:15:05 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 40 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:15:05 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 30 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:14:55 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 30 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:14:55 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 20 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:14:45 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 20 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:14:45 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 10 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:14:35 PM

Warning
app_api
Failed heartbeat on https://abc.dd/exapps/test-deploy for 10 times. Most recent status=0, error: cURL error 7: Failed to connect to abc.dd port 443 after 0 ms: Could not connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://abc.dd/exapps/test-deploy/heartbeat

Nov 12, 2025, 9:14:35 PM

system · November 20, 2025, 8:19pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.