Cannot make https work properly with Docker + Traefik v.2

I’m working with Traefik v.2.2.1 and I’m just trying to properly install Nextcloud 19.0.1.

This is my configuration

docker-compose.yml
version: '3.8'

services:


  # The main app
  nextcloud:
    image: nextcloud
    networks:
      - default
      - proxy
    volumes:
      # Main folder, needed for updating
      - html:/var/www/html
      # installed / modified apps
      - custom_apps:/var/www/html/custom_apps
      # local configuration
      - config:/var/www/html/config
      # actual data of your Nextcloud!!!!
      - data:/var/www/html/data
      # Themes and branding
      - themes:/var/www/html/themes/
    restart: always
    depends_on:
      - db
      - redis
    environment:
      - POSTGRES_HOST=${POSTGRES_HOST}
      - POSTGRES_DB=${POSTGRES_DB}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      # - NEXTCLOUD_ADMIN_USER=${NEXTCLOUD_ADMIN_USER}
      # - NEXTCLOUD_ADMIN_PASSWORD=${NEXTCLOUD_ADMIN_PASSWORD}
      - REDIS_HOST=${REDIS_HOST}
      - REDIS_HOST_PORT=${REDIS_HOST_PORT}
      - REDIS_HOST_PASSWORD=${REDIS_HOST_PASSWORD}
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.example.org
      - OVERWRITEPROTOCOL=https
      
    labels:
      traefik.enable: true
      traefik.http.routers.nextcloud.rule: Host(`nextcloud.example.org`)
      traefik.http.routers.nextcloud.entrypoints: websecure
      traefik.http.routers.nextcloud.tls.certresolver: tlsleresolver
      traefik.http.routers.nextcloud.middlewares: nextcloud-redirectregex,nc-header

      # Custom middleware for Cal/Cardav routing
      traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent: true
      traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex: https://(.*)/.well-known/(card|cal)dav
      traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement: https://$${1}/remote.php/dav/

      # Custom middleware for headers
      traefik.http.middlewares.nc-header.headers.stsSeconds: 15552001
 
  # nextcloud is backed by postgres
  db:
    image: postgres
    networks:
      - default
    restart: always
    volumes:
      - dbdata:/var/lib/postgresql/data/
    environment:
      - POSTGRES_HOST=${POSTGRES_HOST}
      - POSTGRES_DB=${POSTGRES_DB}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}


  # Redis is used to prevent file locking problems
  redis:
    image: redis:alpine
    networks:
      - default
    command: redis-server --requirepass ${REDIS_HOST_PASSWORD}
    volumes:
      - redisdata:/data


volumes:
  html:
  custom_apps:
  config:
  data:
  themes:
  dbdata:
  redisdata:


networks:
  proxy:
    external: true

This is the resulting config.php

config.php
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis',
    'password' => 'nextcloud',
    'port' => 6379,
  ),
  'overwriteprotocol' => 'https',
  'instanceid' => 'oc9vg2zt2yoi',
  'passwordsalt' => 'XXX/XXX/XX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.example.org',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.example.org',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => 'XXX',
  'installed' => true,
);

After the installation, I can get the installation page at https://nextcloud.example.org. When I sign up with the admin account, I install default apps.

Now, if I try to load a MS Word document and then to open it up with the app Collabora Online, I get:

Connection to server lost

Looking into it, it seems like the problem is related to an HTTP GET to the URL http://nextcloud.example.org/custom_apps/richdocumentscode/proxy.php?status that is blocked because it does not use https (even if I set OVERWRITEPROTOCOL=https)

Why does this happen and how can I fix it up?

Hi :slight_smile:

We also use traefik and docker. I have added the following traefik label in our docker-compose.yml:

- "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https" 

And in the config.php, I’ve also added some values regarding reverse proxies:

  'forwarded_for_headers' => 
  array (
    1 => 'HTTP_X_FORWARDED',
    2 => 'HTTP_FORWARDED_FOR',
    3 => 'HTTP_FORWARDED',
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  'trusted_proxies' => 
  array (
    0 => '10.0.0.0/8',
  ),

I think that I got the params for the config from the docs… Perhaps this helps you :+1:

Best regards

Hello @Chartman123 and thanks for your suggestions. I tried but it did not fix the issue. I’m afraid that the problem does not lie in the headers but is caused by an http (instead of https) request coming from the Nextcloud or the Collabora Online codebase

OK, I see… I found some issues over on GitHub that might be related to your problems:

As you’ve got a Docker environment you could also try to run your own CODE container. This works fine for me in our environment.

Hey @Chartman123 thanks once again. It looks like the problem is related to the built-in CODE server that I installed via the nextcloud’s apps menu. I’ll try to run it in a separate container and I’ll let you know. Do you have any working example of this configuration?

Thanx!

Oh, I was forgetting! Side question since you’re already using it: do you have any limit on the number of concurrent users in collabora?

Yes, but not right now. I’ll get back to you in the evening.

Regarding the limitation: We haven’t faced it until now :slight_smile:

yes. should work.

Should some poor soul still need help with this I’ll give my solution. Snap Nextcloud install behind apache reverse proxy with SSL. Had to manually install libcorefonts.

After implementing all the solutions I could find I realized chartman123 was getting at a solution that would work for me. In /var/snap/nextcloud/current/nextcloud/extra-apps/richdocumentscode/proxy.php

// URL into this server of the proxy script.
if (isset($_SERVER['HTTPS'])) {
    $proxyURL = "https://";
} else {
    $proxyURL = "http://";
}

turns into

// URL into this server of the proxy script.
    $proxyURL = "https://";

THEN COLLABORA MUST BE STARTED MANUALLY by calling the appimage like so:

/var/snap/nextcloud/current/nextcloud/extra-apps/richdocumentscode/collabora/Collabora_Online.AppImage

I use tmux so appimage execution doesn’t block my ssh session.

Hope this helps.
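
The proxy.php check quoted above falls back to http because `$_SERVER['HTTPS']` is not set when TLS ends at the reverse proxy and the hop to PHP is plain HTTP. As an added example (not code from Nextcloud or the richdocumentscode app; the function names are hypothetical, IPv4 only, 64-bit PHP assumed), the functions below take the scheme from X-Forwarded-Proto only when the connecting peer is inside `trusted_proxies`, so a header sent by an arbitrary client is ignored:

```php
<?php
// Added example: hypothetical helpers, not part of Nextcloud or richdocumentscode.

/** True when IPv4 address $ip lies inside $cidr (e.g. 10.0.0.0/8). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed address or prefix never matches
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Scheme the client used, as seen by PHP behind a TLS-terminating proxy. */
function request_scheme(array $server, array $trustedProxies): string
{
    // Direct TLS connection to the web server: HTTPS is set and not "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return 'https';
    }
    // Otherwise honour X-Forwarded-Proto only if the TCP peer is a trusted proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            return $proto === 'https' ? 'https' : 'http';
        }
    }
    return 'http'; // untrusted peer: the forwarded header is ignored
}

// Constructed sample requests; 10.0.0.0/8 is the trusted_proxies value from the thread.
$trusted = ['10.0.0.0/8'];
$samples = [
    'via proxy'        => ['REMOTE_ADDR' => '10.0.3.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    'proxy, no header' => ['REMOTE_ADDR' => '10.0.3.7'],
    'spoofed header'   => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($samples as $label => $server) {
    printf("%-17s %s\n", $label, request_scheme($server, $trusted));
}
```

A range as wide as 10.0.0.0/8 trusts every host in that network to set the header; narrowing `trusted_proxies` to the proxy's own address or Docker network limits who can influence the detected scheme.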