Can't reach dockerized Nextcloud instance when firewall is up (UFW)

Hello,

I recently reinstalled Nextcloud 16 using Docker (Apache version) and using an Nginx reverse proxy, everything went well until I enabled a firewall (using ufw) on my server. When the firewall is active I can’t reach my Nextcloud instance (504 error) despite having opened the ports (80 and 443, the ports for the reverse proxy). Several other apps on the server are configured the same way and work without issue when the firewall is up.

I really don’t understand why this is happening: Nextcloud runs in Docker, the internal port 80 is mapped, and Nginx is configured to serve as a very basic reverse proxy (proxy_pass directive) on a subdomain.

Here is the Nginx config:

# HTTP server, for HTTPS redirection
server {
  server_name REDACTED;
  listen 80;
  return 301 https://$host$request_uri;
}

# HTTPS server
server {
  server_name REDACTED;
  listen 443 ssl;

  # Reverse proxy
  location / {
    proxy_pass http://localhost:2010;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  # SSL certs
  REDACTED
}

And here is the error from Nginx:

==> error.log <==
2019/07/29 19:52:19 [error] 18497#18497: *31 upstream timed out (110: Connection timed out) while reading response header from upstream, client: <client IP, redacted>, server: <server url, redacted>, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:2010/", host: "<server url, redacted>"

==> access.log <==
83.194.79.67 - - [29/Jul/2019:19:52:19 +0200] "GET / HTTP/1.1" 504 183 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

The logs make sense but I can’t figure out why it happens only when the firewall is up considering all the ports are opened. Of course it works fine when the firewall is down.

Thanks in advance!

I think this has to do with the way Docker handles networking. If you look at your interfaces, you’ll notice there are a lot of entries, and UFW is probably applying to those interfaces as well.

The error indicates the nginx proxy was unable to connect to the Nextcloud container’s Apache.

Look in your syslog for the UFW block and see if you can find out exactly what’s getting dropped. I think you’ll need to open the Nextcloud container’s exposed port in UFW (2010 above?) but I’m not sure about the source and destination IPs that will be needed.

I have a hunch the winner will end up being something like this, where serverip is your server’s IP on the normal eth interface:

ufw allow in from serverip to serverip

The syslog will shed some light on which IPs specifically. If you see a 172.16.0.0/12 address from one of the Docker interfaces in there, you may need to block the whole /12 because those container IPs can change.
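To make the syslog check above concrete, here is an added example (not code from anyone in this thread) that summarises "[UFW BLOCK]" kernel log lines by interface, source, destination and destination port, then filters for drops where both ends sit in Docker's default 172.16.0.0/12 bridge pool, which is exactly the container-to-container case described here. The sample log lines are constructed to match the shape of UFW's kernel output; the interface name br-nc, the container addresses and the PostgreSQL port 5432 are illustrative assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: summarise UFW drop log lines so you can see which bridge
# interface, addresses and port a host firewall is filtering.
# On a real host: summarize_ufw_blocks < /var/log/syslog   (or: journalctl -k | summarize_ufw_blocks)

# Constructed sample, shaped like UFW's kernel log lines. Interface names,
# addresses and ports are made up for illustration (assumptions, not thread data).
SAMPLE_LOG='Jul 29 19:52:10 srv kernel: [UFW BLOCK] IN=br-nc OUT=br-nc PHYSIN=veth1 PHYSOUT=veth2 SRC=172.18.0.3 DST=172.18.0.2 LEN=60 PROTO=TCP SPT=45678 DPT=5432 SYN
Jul 29 19:52:11 srv kernel: [UFW BLOCK] IN=br-nc OUT=br-nc PHYSIN=veth1 PHYSOUT=veth2 SRC=172.18.0.3 DST=172.18.0.2 LEN=60 PROTO=TCP SPT=45679 DPT=5432 SYN
Jul 29 19:52:12 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=40 PROTO=TCP SPT=51000 DPT=22 SYN
Jul 29 19:52:13 srv sshd[100]: Accepted publickey for admin from 203.0.113.5'

# One line per (in-interface, src -> dst, proto/dport) with a hit count,
# highest count first. Reads log text on stdin; non-UFW lines are ignored.
summarize_ufw_blocks() {
  awk '
    /\[UFW BLOCK\]/ {
      in_if = ""; src = ""; dst = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "IN")    in_if = kv[2]
        if (kv[1] == "SRC")   src   = kv[2]
        if (kv[1] == "DST")   dst   = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
      }
      key = in_if " " src " -> " dst " " proto "/" dpt
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Keep only drops where both source and destination are inside 172.16.0.0/12,
# i.e. traffic between containers on a Docker bridge that the host firewall
# is filtering. Fields: $1 count, $2 iface, $3 src, $4 "->", $5 dst, $6 proto/port.
container_to_container_blocks() {
  summarize_ufw_blocks | awk '
    function in_docker_pool(ip,  o) {
      split(ip, o, ".")
      return (o[1] == 172 && o[2] >= 16 && o[2] <= 31)
    }
    in_docker_pool($3) && in_docker_pool($5)
  '
}

# Turn each container-to-container drop into a ufw rule scoped to the bridge
# interface and the destination port only. The /12 source keeps working when
# container addresses change, which is narrower than allowing the /12 to any port.
suggest_rules() {
  container_to_container_blocks | awk '
    {
      split($6, pp, "/")
      print "ufw allow in on " $2 " proto " tolower(pp[1]) " from 172.16.0.0/12 to any port " pp[2]
    }
  ' | sort -u
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_ufw_blocks
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

The suggested rule is scoped to the bridge interface and the one destination port, so the rest of the /12 stays filtered; note that a user-defined bridge's br-* name is only stable until the Docker network is recreated, so re-run the summary after changing the compose file.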

Got it! UFW blocked the requests from the Nextcloud container to the PostgreSQL container. I wouldn’t have suspected that given that other containers are configured the same way and are working but whatever, I added a rule to fix it and it works now.

Thank you very much for your help!

Hello,

Could you please indicate the exact solution you used to fix this? I can’t figure it out even with KarlF12’s tips. (I tried the ufw rule 172.16.0.0/12 ALLOW 172.16.0.0/12)

Thanks

EDIT: got it working with ufw allow in from 172.16.0.0/12 to any