Can't get AIO to show up on the correct container port

Nextcloud version: latest (8.1.0?)
Operating system and version : Debian 12.5
nginx version: 1.22.1

The issue you are facing:

I’ve tried setting up Nextcloud AIO according to all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

I initially had it working and I could open the page for the initial setup but I then faced an issue similar to this one where clicking the Open Nextcloud button would just redirect me back to the same page.

I tried applying the fix suggested in that post by changing my nginx proxy_pass from proxy_pass https://127.0.0.1:8080$request_uri; to proxy_pass http://127.0.0.1:11000$request_uri; but that didn’t help.

I then noticed that the original poster was also passing the environment variable APACHE_IP_BINDING=127.0.0.1 which I wasn’t, so I added that in my docker compose file.

Regardless of what I do, I just can’t seem to get the service running in the container to be available through port 11000:

# nc -z 127.0.0.1 11000; echo $?
1

I’ve also tried resetting everything according to this guidance and recreated everything from scratch.

This is my docker-compose file:

services:
  nextcloud:
    container_name: nextcloud-aio-mastercontainer
    image: nextcloud/all-in-one:latest
    restart: always
    ports:
      - 8080:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
      - SKIP_DOMAIN_VALIDATION=true
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

I also tried setting APACHE_IP_BINDING=0.0.0.0 but it didn’t help.

This is my nginx config, with nginx running on the host machine:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;            # comment to disable IPv6

    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl http2;      # for nginx versions below v1.25.1
    listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6

    # listen 443 ssl;      # for nginx v1.25.1+
    # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
	
    # http2 on;                                 # uncomment to enable HTTP/2        - supported on nginx v1.25.1+
    # http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6

    server_name redacted.net;

    location / {
        proxy_pass http://127.0.0.1:11000$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
    
        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine, 
    # the <your-nc-domain> in the below lines should be replaced with just the domain (eg. example.com), not the subdomain. 
    # In this case the subdomain should already be secured without additional actions
    ssl_certificate /etc/letsencrypt/live/redacted.net/fullchain.pem;   # managed by certbot on host machine
    ssl_certificate_key /etc/letsencrypt/live/redacted.net/privkey.pem; # managed by certbot on host machine

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}

These are the container logs:

Trying to fix docker.sock permissions internally...
Creating docker group internally with id 109
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[07-Apr-2024 21:07:39] NOTICE: fpm is running, pid 112
[07-Apr-2024 21:07:39] NOTICE: ready to handle connections
[Sun Apr 07 21:07:39.663739 2024] [mpm_event:notice] [pid 107:tid 281472958975232] AH00489: Apache/2.4.58 (Unix) OpenSSL/3.1.4 configured -- resuming normal operations
[Sun Apr 07 21:07:39.663785 2024] [core:notice] [pid 107:tid 281472958975232] AH00094: Command line: 'httpd -D FOREGROUND'
{"level":"info","ts":1712524059.6670475,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}

I’m not sure what else to try.

Any help would be appreciated. Thanks!

Hi @trodrigues, can you follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things?

Yeah, I’d already been through these steps as well and it didn’t really help.

As the other poster suggested (not sure why they deleted their answer) I did try adjusting the port mapping in my docker-compose file to match the port exposed and it does seem to expose the port correctly:

    ports:
      - 11000:11000

Now running netcat:

# nc -z 127.0.0.1 11000; echo $?
0

The reason why I hadn’t done this before is that all the pieces of documentation I found, including the suggested start command and other docker-compose file examples all seem to have this mismatch between the port mapping and the APACHE_PORT env var.

I’ll be happy to contribute a doc fix where I’ve seen this if this is actually an oversight.

Anyway, even after trying all of this and while I can see the port being exposed with the netcat command, I still get a 502 bad gateway from nginx.

Another thing I also tried from here was using the extra hosts domain mapping, as well as the network_mode: host and none of these helped either.

I’m actually not 100% sure what address I should use with network_mode: host but from my past experience with this I assume it would still be 127.0.0.1?

So yeah, I’m still at a loss.

And yes, this is indeed correct

So how does this work? If we’re asking the Apache in the container to use port 11000 but we don’t map that in the container, how does the port get exposed outside of the container?

AIO spawns another container that uses the given port

Oh, I see.

And that maybe gives me a hint at what’s going on.

This is what I see on the nginx logs:

2024/04/08 10:08:04 [error] 182216#182216: *1 connect() failed (111: Connection refused) while connecting to upstream, client: [REDACTED], server: redacted.net, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:11000/", host: "redacted.net"

And checking the running containers:

6c8728beec0f   nextcloud/all-in-one:latest   "/start.sh"              4 minutes ago   Up 4 minutes (healthy)   80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   nextcloud-aio-mastercontainer

I then checked the container logs:

# docker logs nextcloud-aio-mastercontainer
Trying to fix docker.sock permissions internally...
Creating docker group internally with id 109
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[Mon Apr 08 10:05:07.748424 2024] [mpm_event:notice] [pid 108:tid 281473806093568] AH00489: Apache/2.4.58 (Unix) OpenSSL/3.1.4 configured -- resuming normal operations
[Mon Apr 08 10:05:07.748481 2024] [core:notice] [pid 108:tid 281473806093568] AH00094: Command line: 'httpd -D FOREGROUND'
[08-Apr-2024 10:05:07] NOTICE: fpm is running, pid 113
[08-Apr-2024 10:05:07] NOTICE: ready to handle connections
{"level":"info","ts":1712570707.7634997,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}

And it still doesn’t give me a hint at what might be wrong.

And without that port mapping to 11000 it does show that this port isn’t accessible:

# nc -v 127.0.0.1 11000
localhost [127.0.0.1] 11000 (?) : Connection refused

So it does seem like AIO isn’t able to start the other containers, even though /var/run/docker.sock is accessible and mapped in the docker-compose file. I’ve already followed the steps for a full reset multiple times and it didn’t help as well.

Did you already open the AIO interface and enter your domain?

I had been able to do that before, but then I ran into the issue I initially described here where clicking the Open Nextcloud button would just redirect me back to the same page.

And after because I found the other post of someone with the same issue I tried changing the proxy_pass directive to proxy_pass http://127.0.0.1:11000$request_uri; and it’s since that point that I’m on the current situation.

I now can’t access the AIO interface at all because of this issue.

So you cannot access port 8080?

I can access port 8080.

But if I set proxy pass to

proxy_pass http://127.0.0.1:8080$request_uri;

I see this when opening my domain in the browser:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

If I set it to

proxy_pass https://127.0.0.1:8080$request_uri;

I can access the AIO setup:

And I can set up the containers. But then once I see:

And click that Open your Nextcloud button, it just reopens the same page in a new tab.

This is what I was trying to fix by applying the solution you had suggested in this other post (I also realized I had linked the wrong post at the start of my thread here).

Oh! Immediately after my last post I think I figured it out.

After doing all of that and having the AIO setup page create the containers I went back to my nginx config and set the proxy pass again to:

proxy_pass http://127.0.0.1:11000$request_uri;

And while I still had the AIO page open I now pressed the Open your Nextcloud button again and it worked as expected.
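
The behaviour the thread arrives at (port 11000 is only published once the AIO interface has created the other containers) can be checked from the `docker ps` ports column before switching proxy_pass. This is an added example, not part of any post or of the AIO project; the container name `example-apache` and the second and third sample rows are constructed, and the check also reports whether the backend port is bound to loopback only, as `APACHE_IP_BINDING=127.0.0.1` in the compose file intends.

```shell
#!/bin/sh
# Added example. Live use:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | aio_stage 11000

# host_binding PORT: stdin is "name<TAB>ports" lines; prints "name host_ip" for
# every entry that publishes PORT on the host (ip:PORT->N/proto).
host_binding() {
    awk -F'\t' -v port="$1" '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            if (maps[i] !~ /->/) continue          # bare "80/tcp" is exposed, not published
            host = maps[i]; sub(/->.*/, "", host)  # 0.0.0.0:8080 or :::8080
            p = host;  sub(/.*:/, "", p)           # host port: text after the last colon
            ip = host; sub(/:[0-9]+$/, "", ip)     # host address: text before the port
            if (p == port) print $1, ip
        }
    }'
}

# aio_stage PORT: prints not-published (exit 1), loopback, or non-loopback.
aio_stage() {
    _ips=$(host_binding "$1" | awk '{print $2}')
    [ -n "$_ips" ] || { echo "not-published"; return 1; }
    for _ip in $_ips; do
        case "$_ip" in
            127.0.0.1|::1) ;;
            *) echo "non-loopback"; return 0 ;;    # backend reachable without going through nginx
        esac
    done
    echo "loopback"
}

# Ports column copied from the docker ps line in the thread (mastercontainer only).
sample_before() {
    printf '%s\t%s\n' nextcloud-aio-mastercontainer \
        '80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp'
}
# Constructed rows: "example-apache" is a made-up name for the container AIO spawns.
sample_after()   { sample_before; printf '%s\t%s\n' example-apache '127.0.0.1:11000->11000/tcp'; }
sample_exposed() { sample_before; printf '%s\t%s\n' example-apache '0.0.0.0:11000->11000/tcp, :::11000->11000/tcp'; }

for s in sample_before sample_after sample_exposed; do
    printf '%-15s %s\n' "$s" "$($s | aio_stage 11000 || true)"
done
```

`not-published` matches the "Connection refused" state in the nginx log above; `non-loopback` means the plain-HTTP backend port is bound beyond the host itself, so clients that can reach it skip the TLS-terminating proxy.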