Connection timed out when trying to access AIO behind Traefik

I've recently migrated to Traefik from Nginx Proxy Manager, but have been having issues accessing the AIO container behind Traefik. I've done my best to follow the instructions on the GitHub page (link) and these community posts (1, 2, 3, 4, 5, 6), but haven't been able to get things set up. I've included my config files below. Would love some help getting this working, as I've been banging my head against this for a couple days now.

## nextcloud compose.yaml

# Compose file for the Nextcloud AIO mastercontainer (first attempt).
services:
  nextcloud-aio-mastercontainer:
    container_name: nextcloud-aio-mastercontainer
    image: nextcloud/all-in-one:latest
    init: true
    restart: unless-stopped
    environment:
      # Port that the Traefik backend URL (http://[VPS IP]:11000) points at.
      APACHE_PORT: "11000"
      # Author's note: APACHE_BIND_IP_ADDRESS has not been tried, see the
      # provided config files in link #4.
      # NOTE(review): the AIO documentation appears to call this setting
      # APACHE_IP_BINDING; confirm the spelling before relying on it. Whatever
      # address port 11000 ends up bound to serves Nextcloud over plain HTTP,
      # so keep it off interfaces that Traefik does not need, or firewall it.
    ports:
      # Host port 16001 -> container port 8080. Quoted, as Compose recommends
      # for HOST:CONTAINER mappings.
      - "16001:8080"
      # have also tried with the following:
      # - "16000:80"
      # - "16002:8443"
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      # `:ro` only makes the bind mount of the socket file read-only. It does
      # not restrict the Docker API calls sent over the socket, so this
      # container has full control of the host's Docker daemon. Treat it as a
      # root-equivalent component.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

networks:
  # Pre-existing network shared with the Traefik container.
  proxy:
    external: true

volumes:
  # Pre-existing named volume; Compose will not create it.
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
    external: true
## traefik compose.yaml

# Compose file for the Traefik reverse proxy (first attempt).
services:
  traefik:
    image: traefik:v3.1
    container_name: traefik
    environment:
      # The Cloudflare API token is read from a Docker secret file rather than
      # being written inline in this compose file.
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_api
    secrets:
      - "cf_dns_api"
    ports:
      - "80:80"
      - "443:443"
      # NOTE(review): the static.yaml shown with this file defines entry points
      # only on :80 and :443 and sets api.insecure: false, so nothing in that
      # configuration listens on 8080. This mapping looks unnecessary; confirm
      # and drop it to avoid publishing an unused port.
      - "8080:8080"
    volumes:
      - ./static.yaml:/etc/traefik/traefik.yaml
      - ./dynamic:/etc/traefik/dynamic
      # Holds acme.json (see `storage` in static.yaml), which contains the ACME
      # account key and certificate private keys. Keep it readable by its owner
      # only; Traefik expects mode 600 on that file.
      - ./letsencrypt:/letsencrypt
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # Dashboard router: matched by host name, served from the internal API
      # service, and protected by the digest-auth middleware defined below.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.[my-domain].com`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.tls.certresolver=cloudflare"
      - "traefik.http.routers.dashboard.middlewares=traefik_auth"
      # Entry format is user:realm:hash. The hash is a credential equivalent,
      # so keep the real value out of public posts and version control.
      - "traefik.http.middlewares.traefik_auth.digestauth.users=justin:traefik:[password hash]"

networks:
  # Pre-existing network shared with the Nextcloud AIO mastercontainer.
  proxy:
    external: true

secrets:
  # Keep this file out of version control and restrict its permissions.
  cf_dns_api:
    file: ./secrets/cf_dns_api.secret
## traefik static.yaml

# Traefik static configuration (first attempt).
global:
  checkNewVersion: true
  # Sends anonymised usage statistics to the Traefik project; set to false to
  # opt out.
  sendAnonymousUsage: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

api:
  dashboard: true
  # false means the dashboard is not served without a router; here it is reached
  # only through the `dashboard` router (api@internal) behind its auth
  # middleware.
  insecure: false

log:
  # DEBUG is useful while troubleshooting. Lower it afterwards, as debug logs
  # are verbose and can carry request details.
  level: DEBUG

providers:
  docker:
    # from traefik documentation
    # NOTE(review): this is the Docker API over plain TCP, with no TLS or
    # authentication on the wire. The `socket-proxy` service is not shown in
    # the compose files on this page; confirm that it sits on an internal-only
    # network shared with Traefik and allows only the read-only endpoints
    # Traefik needs.
    endpoint: "tcp://socket-proxy:2375"
    watch: true
    # Containers are ignored unless they carry traefik.enable=true.
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic/
    watch: true

certificatesresolvers:
  cloudflare:
    acme:
      email: justin@[my-domain].com
      # Contains private keys; see the ./letsencrypt mount in the compose file.
      storage: /letsencrypt/acme.json
      dnschallenge:
        provider: cloudflare
## nextcloud dynamic config (dynamic/nextcloud.yaml)

# Traefik dynamic (file provider) configuration for Nextcloud (first attempt).
http:
  routers:
    nextcloud:
      rule: "Host(`cloud.[my-domain].com`)"
      service: nextcloud
      entrypoints:
        - https
      tls:
        certresolver: cloudflare
      middlewares:
        - nextcloud-chain

  middlewares:
    nextcloud-chain:
      chain:
        middlewares:
          # - ... (e.g. rate limiting middleware)
          - https-redirect
          - nextcloud-secure-headers

    # NOTE(review): the router above is attached only to the `https` entry
    # point, so this redirect appears to have no plain-HTTP traffic to act on
    # there.
    https-redirect:
      redirectscheme:
        scheme: https

    nextcloud-secure-headers:
      headers:
        hostsProxyHeaders:
          - X-Forwarded-Host
        referrerPolicy: same-origin

  services:
    nextcloud:
      loadBalancer:
        servers:
          # have tried localhost, 0.0.0.0
          # Use the host's IP address if Traefik runs outside the host network.
          # NOTE(review): this hop is plain HTTP to port 11000 on the host. If
          # that port is reachable from outside the host, clients can reach
          # Nextcloud without passing through Traefik's TLS and middlewares, so
          # limit who can connect to it (bind address or host firewall).
          - url: "http://[VPS IP]:11000"

Hi, does this video help maybe to make it work?

I'm a bit further along now, I could access the AIO interface and start all the containers, but trying to access Nextcloud from cloud.[my-domain].com gives "502 Bad Gateway". Traefik logs say "no route to host". I've added the new config files I'm using below. I've also lost access to the dashboard at traefik.[my-domain].com because of the changes and would like to avoid that if possible.

## nextcloud compose.yaml

# Compose file for the Nextcloud AIO mastercontainer (second attempt).
services:
  nextcloud-aio-mastercontainer:
    container_name: nextcloud-aio-mastercontainer
    image: nextcloud/all-in-one:latest
    init: true
    restart: unless-stopped
    environment:
      # Port that the Traefik backend URL in the dynamic config (:11000) points at.
      APACHE_PORT: "11000"
    ports:
      # Publishes the container's port 8080 on every host interface.
      # NOTE(review): if this is the AIO admin interface (presumably, since the
      # thread reports reaching it after this change), limit exposure with a
      # host firewall rule or a host-IP prefix such as "127.0.0.1:8080:8080".
      # Confirm which clients need it first.
      - "8080:8080"
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      # `:ro` only makes the bind mount of the socket file read-only. It does
      # not restrict the Docker API calls sent over the socket, so this
      # container has full control of the host's Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy

networks:
  # Pre-existing network shared with the Traefik container.
  proxy:
    external: true

volumes:
  # Pre-existing named volume; Compose will not create it.
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
    external: true
## traefik compose.yaml

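# Compose file for the Traefik reverse proxy (second attempt).
services:
  traefik:
    container_name: traefik
    image: traefik:v3.1
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./static.yaml:/etc/traefik/traefik.yaml
      - ./dynamic:/etc/traefik/dynamic
      # Holds acme.json (see `storage` in static.yaml), which contains the ACME
      # account key and certificate private keys. Keep it readable by its owner
      # only; Traefik expects mode 600 on that file.
      - ./letsencrypt:/letsencrypt
      - /etc/localtime:/etc/localtime:ro
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      # The `rule` label was dropped in this revision. Without it the router
      # falls back to the Docker provider's default rule (no defaultRule is set
      # in static.yaml), which is derived from the container name and does not
      # match traefik.[my-domain].com. That would explain the lost dashboard
      # access reported in the thread. Restored from the first attempt.
      - "traefik.http.routers.dashboard.rule=Host(`traefik.[my-domain].com`)"
      - "traefik.http.routers.dashboard.tls=true"
      - "traefik.http.routers.dashboard.tls.certresolver=cloudflare"
      # Requests a certificate for the apex plus a wildcard SAN.
      # NOTE(review): the placeholder here is [my-domain], while the rest of the
      # page uses [my-domain].com; make sure the real values agree.
      - "traefik.http.routers.dashboard.tls.domains[0].main=[my-domain]"
      - "traefik.http.routers.dashboard.tls.domains[0].sans=*.[my-domain]"
      - "traefik.http.routers.dashboard.service=api@internal"
      # The dashboard is only as protected as this middleware; keep it attached.
      - "traefik.http.routers.dashboard.middlewares=traefik_auth"
      # Entry format is user:realm:hash. The hash is a credential equivalent,
      # so keep the real value out of public posts and version control.
      - "traefik.http.middlewares.traefik_auth.digestauth.users=justin:traefik:[password hash]"
    environment:
      # The Cloudflare API token is read from a Docker secret file rather than
      # being written inline in this compose file.
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_api
    secrets:
      - "cf_dns_api"

networks:
  # Pre-existing network shared with the Nextcloud AIO mastercontainer.
  proxy:
    external: true

secrets:
  # Keep this file out of version control and restrict its permissions.
  cf_dns_api:
    file: ./secrets/cf_dns_api.secret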
## traefik static.yaml

# Traefik static configuration (second attempt).
global:
  checkNewVersion: true
  # Sends anonymised usage statistics to the Traefik project; set to false to
  # opt out.
  sendAnonymousUsage: true

entryPoints:
  http:
    address: ":80"
    # Every request arriving on :80 is redirected to the `https` entry point.
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"

# not a fan of this
# NOTE(review): this switch is global. Traefik stops verifying the certificate
# of every HTTPS backend it connects to, so a backend can be impersonated on
# the network path. The Nextcloud backend in the dynamic config uses http://,
# so this setting is not what makes that route work. If it is here for one
# self-signed HTTPS backend, prefer a named serversTransport in the dynamic
# config, attached to that service only and ideally with rootCAs rather than
# skipped verification.
serversTransport:
  insecureSkipVerify: true

api:
  dashboard: true
  # false means the dashboard is not served without a router; it is reached only
  # through a router to api@internal behind its auth middleware.
  insecure: false

log:
  # DEBUG is useful while troubleshooting. Lower it afterwards, as debug logs
  # are verbose and can carry request details.
  level: DEBUG

providers:
  docker:
    # NOTE(review): this is the Docker API over plain TCP, with no TLS or
    # authentication on the wire. The `socket-proxy` service is not shown in
    # the compose files on this page; confirm that it sits on an internal-only
    # network shared with Traefik and allows only the read-only endpoints
    # Traefik needs.
    endpoint: "tcp://socket-proxy:2375"
    watch: true
    # Containers are ignored unless they carry traefik.enable=true.
    exposedByDefault: false
  file:
    directory: /etc/traefik/dynamic/
    watch: true

certificatesresolvers:
  cloudflare:
    acme:
      email: justin@[my-domain].com
      # Contains private keys; see the ./letsencrypt mount in the compose file.
      storage: /letsencrypt/acme.json
      dnschallenge:
        provider: cloudflare
# Traefik dynamic (file provider) configuration for Nextcloud (second attempt).
http:
  routers:
    nextcloud:
      rule: "Host(`cloud.[my-domain].com`)"
      service: nextcloud
      entrypoints:
        - https
      tls:
        certresolver: cloudflare
        domains:
          - main: "cloud.[my-domain].com"
      middlewares:
        - nextcloud-chain

  middlewares:
    nextcloud-chain:
      chain:
        middlewares:
          # - ... (e.g. rate limiting middleware)
          - https-redirect
          - nextcloud-secure-headers

    # NOTE(review): the router above is attached only to the `https` entry
    # point, and static.yaml already redirects the `http` entry point, so this
    # middleware appears redundant here.
    https-redirect:
      redirectscheme:
        scheme: https
        permanent: true

    nextcloud-secure-headers:
      headers:
        hostsProxyHeaders:
          - X-Forwarded-Host
        referrerPolicy: same-origin
        customResponseHeaders:
          X-Robots-Tag: none

  services:
    nextcloud:
      loadBalancer:
        passHostHeader: true
        servers:
          # from hostname -I
          # Use the host's IP address if Traefik runs outside the host network.
          # NOTE(review): this hop is plain HTTP to port 11000 on the host. The
          # thread's eventual fix was to put the server's public IP here. If
          # port 11000 answers on that address from the internet, Nextcloud is
          # reachable without Traefik's TLS and middlewares. Restrict the port
          # with a host firewall rule, or a narrower bind address, so that only
          # Traefik can connect.
          - url: "http://10.0.0.93:11000"

I managed to get it working by changing the dynamic config to use my VPS's server IP (i.e., the public facing IP address for the server).