Correct way to change the URL path using AIO and nginx

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 10.14.0
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04
  • Web server and version (e.g., Apache 2.4.25):
    • nginx 1.24.0
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • nginx 1.24.0
  • PHP version (e.g., 8.3):
    • 8.3
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • immediately
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • no

Summary of the issue you are facing:

When the AIO installation wizard asks to validate the domain, it fails:

Domain does not point to this server or the reverse proxy is not configured correctly.

Steps to replicate it (hint: details matter!):

Follow the instructions here:

  1. I kept all the default configuration for nginx and nextcloud
  2. the only differences are: the location for nginx is location /nextcloud since on the root I have another service running

Log entries

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

NOTICE: PHP message: The response of the connection attempt to "https://app.example.org:443" was: My other service
NOTICE: PHP message: Expected was: a72a923bc071457204ca3915264ab2cad7edf39d0d66af91

I understand why it does not work: it looks for that code at root (example.org) instead of example.org/nextcloud.

I tried to adapt this long thread:

removing all the containers (otherwise it does not allow me to change the command-line arguments) and adding a new env variable:

--env OVERWRITEWEBROOT="/nextcloud" \

but it still fails with the same error. Actually it seems it ignores this variable, since it tried to read again from the root and not from the given path.

Perhaps this is addressed in the documentation, but I cannot find where.
What do I have to change in order to use NextCloud from example.org/nextcloud?

Here you can find my configuration Nextcloud AIO + Nginx Proxy Manager.
Maybe it helps you.

I thank you very much, but I don’t see where you configured NextCloud and nginx to listen on a different route (instead of the default root main path).

You’re correct — in my earlier post (Testing large file synchronization with Nextcloud AIO and NGINX Proxy), the setup runs Nextcloud AIO behind NGINX Proxy Manager on the root path (/). It does not demonstrate how to run AIO under a subpath like /nextcloud.

From my own tests and confirmation in the official documentation, Nextcloud AIO cannot be deployed in a subdirectory. Even if you try setting OVERWRITEWEBROOT=/nextcloud, the AIO setup container performs domain validation on the root path (/) only. This causes the setup to fail when served under a subpath.

This is explicitly mentioned in the official documentation:

GitHub README – “Can I run Nextcloud in a subdirectory on my domain?”
https://github.com/nextcloud/all-in-one?tab=readme-ov-file#can-i-run-nextcloud-in-a-subdirectory-on-my-domain

Answer from the official docs:
“This is not possible as the AIO interface needs to be reachable through the domain without any subpath. Using a subdomain like nextcloud.example.com works fine though.”

Additionally, here are two community discussions confirming this limitation:

So, to clarify:
✅ My shared setup was focused on performance and large file sync behind a reverse proxy.
❌ It was not meant to demonstrate AIO running under a path like /nextcloud — which is not supported by AIO.

If you must run Nextcloud under a subpath, you should use the standard Nextcloud installation instead of AIO.
For simplicity and full compatibility, the recommended approach is to use a dedicated subdomain, like nextcloud.example.com.


Note: This post was written with the help of an AI assistant as a writing aid only. The opinions, solutions, and technical recommendations are fully based on my personal experience.
More about how and why I use AI to write forum posts:
→ Is there limitations to installing Nextcloud via CT template on Proxmox - #4 by vawaver

1 Like

This is a huge limitation: NextCloud is just a piece of software, and on my server I also want to run other applications! It’s not fair that NextCloud wants to run only from root.

I’ve already set up a subdomain, but since I have only one server I cannot use different subdomains (i.e. all will point to the same server).

First I tried the standard installation but it seems more complex than AIO.
I’m going to purge everything and try again.

Anyway, I don’t understand what the domain verification expects.
Now I left only the nextcloud nginx configuration:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;            # comment to disable IPv6

    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl http2;      # for nginx versions below v1.25.1
    listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6

    # listen 443 ssl;      # for nginx v1.25.1+
    # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
    # http2 on;            # uncomment to enable HTTP/2 - supported on nginx v1.25.1+

    # listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6
    # http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # quic_gso on;                              # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    # quic_bpf on;                              # improves  HTTP/3 / QUIC - supported on nginx v1.25.0+, if nginx runs as a docker container you need to give it privileged permission to use this option
    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+

    proxy_buffering off;
    proxy_request_buffering off;

    client_max_body_size 0;
    client_body_buffer_size 512k;
    # http3_stream_buffer_size 512k; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
    proxy_read_timeout 86400s;

    server_name app.example.org;

    location / {
        proxy_pass http://localhost:11000$request_uri; # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Early-Data $ssl_early_data;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine, 
    # the <your-nc-domain> in the below lines should be replaced with just the domain (eg. example.com), not the subdomain. 
    # In this case the subdomain should already be secured without additional actions
    ssl_certificate /etc/letsencrypt/live/app.example.org/fullchain.pem;   # managed by certbot on host machine
    ssl_certificate_key /etc/letsencrypt/live/app.example.org/privkey.pem; # managed by certbot on host machine

    #ssl_dhparam /etc/dhparam; # curl -L https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/dhparam

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



    #ssl_early_data on;
    #ssl_session_timeout 1d;
    #ssl_session_cache shared:SSL:10m;

    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;

    #ssl_prefer_server_ciphers on;
    #ssl_conf_command Options PrioritizeChaCha;
    #ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
}

and I checked nothing answers on app.example.org.
Still the domain verification fails:

NOTICE: PHP message: Expected was: e9b9803de193f63289f7feab231c78574eddda2cb1a3e04f
NOTICE: PHP message: The error message was: 

Here is the docker command:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=127.0.0.1 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--env NEXTCLOUD_DATADIR="/home/user/nextcloud-data" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest

I tried to follow the debug steps but I didn’t find the culprit:

  1. done, two times
  2. APACHE_PORT seems correct
  3. APACHE_IP_BINDING should be correct since I’m not reaching the container elsewhere than localhost
  4. this is above and seems correct
  5. done
  6. here the logs:
[Sat May 17 13:31:13.029758 2025] [mpm_event:notice] [pid 125:tid 125] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.3 configured -- resuming normal operations
[Sat May 17 13:31:13.029860 2025] [core:notice] [pid 125:tid 125] AH00094: Command line: 'httpd -D FOREGROUND'
[17-May-2025 13:31:13] NOTICE: fpm is running, pid 131
[17-May-2025 13:31:13] NOTICE: ready to handle connections
{"level":"info","ts":1747488673.1197202,"msg":"maxprocs: Leaving GOMAXPROCS=1: CPU quota undefined"}
{"level":"info","ts":1747488673.120049,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":907477401,"previous":9223372036854775807}
{"level":"info","ts":1747488673.1201324,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1747488673.1232712,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1747488673.126566,"msg":"serving initial configuration"}
</html>nter>nginx/1.24.0 (Ubuntu)</center>>nnection attempt to "https://app.example.org:443" was: <html>
NOTICE: PHP message: Expected was: e9b9803de193f63289f7feab231c78574eddda2cb1a3e04f
NOTICE: PHP message: The error message was: 
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!
  7. result is 0
  8. I’m not behind CGNAT
  9. I’m not using Cloudflare
  10. firewall ports are opened:
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
3000                       ALLOW       Anywhere
3001                       ALLOW       Anywhere
443                        ALLOW       Anywhere
8443                       ALLOW       Anywhere
8080                       ALLOW       Anywhere
3478                       ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
3000 (v6)                  ALLOW       Anywhere (v6)
3001 (v6)                  ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
8443 (v6)                  ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)
3478 (v6)                  ALLOW       Anywhere (v6)
  11. yes, I have a public ipv4 address
  12. I’m not able to do this
  13. done, three times
  14. I don’t want to disable the domain validation… I just want to learn how to fix it!

Thanks for the patience!

You’re right that it’s a limitation of AIO that it requires the root path, and I understand the frustration.

However, I want to address this part of your comment:

“Since I have only one server I cannot use different subdomains (i.e. all will point to the same server)”

This is actually a misunderstanding. Having a single server is not a limitation at all — subdomains are specifically designed to point to the same server IP. The important part is how you route the incoming traffic, and that’s exactly what a reverse proxy like NGINX Proxy Manager is made for.

In my setup, I run Nextcloud AIO on a single server, and on that same machine I also host:

  • Plex
  • Jellyfin
  • Audiobookshelf
  • Mattermost
  • Handbrake
  • Paperless-ngx
  • TinyMediaManager

All of these services are running as Docker containers, and with NGINX Proxy Manager it’s very straightforward to assign each one its own subdomain and let the proxy forward requests to the right container — all on the same machine and IP address.

So yes, it’s entirely possible (and common) to run many subdomains and services on one physical server — as long as you use a reverse proxy.
Just sharing this from experience to clear up the confusion.

3 Likes
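
The single-server, several-subdomains routing described in the reply above, as an added nginx example that is not from the thread or the AIO documentation. The name nextcloud.example.org, its certificate path and the other service's port 3000 are assumptions; the last block refuses TLS handshakes for names that match neither site.

```nginx
# Added example, not from the thread. nextcloud.example.org and port 3000
# are assumptions; both names point to the same IP address.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# The existing application keeps its own name and the root path.
server {
    listen 443 ssl http2;            # nginx below v1.25.1, as in the thread
    server_name app.example.org;
    ssl_certificate     /etc/letsencrypt/live/app.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.org/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;          # assumed port of the other service
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Nextcloud AIO gets its own name, so the root path of that name is free
# for the AIO domain validation and the AIO interface.
server {
    listen 443 ssl http2;
    server_name nextcloud.example.org;             # hypothetical subdomain
    ssl_certificate     /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
    client_max_body_size 0;
    proxy_read_timeout 86400s;

    location / {
        proxy_pass http://127.0.0.1:11000$request_uri;  # APACHE_PORT / APACHE_IP_BINDING
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;                    # websocket upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# Any other name is refused during the TLS handshake instead of being
# answered by whichever server block happens to come first.
server {
    listen 443 ssl http2 default_server;
    ssl_reject_handshake on;
}
```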

The solution was to add:

resolver 127.0.0.53;

in the nginx configuration.
Perhaps I didn’t look well at the documentation, but I didn’t find it!

1 Like
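
Why the `resolver` line fixes the posted configuration, as an added example that is not from the thread or the AIO documentation: `proxy_pass` there combines a host name with a variable, so nginx looks the name up per request. The `valid=` and `ipv6=off` parameters and the IP-literal alternative are additions, not part of the fix reported above.

```nginx
# Added example, not from the thread.

# Before (as posted): a host NAME plus a variable in proxy_pass. nginx then
# resolves "localhost" at request time and needs a resolver; without one the
# error log shows "no resolver defined to resolve localhost" and the client
# (here the AIO domain check) receives nginx's own error page.
#
#   location / {
#       proxy_pass http://localhost:11000$request_uri;
#   }

server {
    listen 443 ssl http2;                 # nginx below v1.25.1
    server_name app.example.org;
    ssl_certificate     /etc/letsencrypt/live/app.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.org/privkey.pem;

    # Fix from the thread: give nginx a resolver. 127.0.0.53 is the local
    # systemd-resolved stub on Ubuntu. Added here: a short cache lifetime,
    # and ipv6=off so that "localhost" is not resolved to ::1 while the AIO
    # port is bound to 127.0.0.1 only (APACHE_IP_BINDING=127.0.0.1).
    resolver 127.0.0.53 valid=30s ipv6=off;
    resolver_timeout 5s;

    location / {
        proxy_pass http://localhost:11000$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Alternative without any resolver: an IP literal is never looked up.
    #   proxy_pass http://127.0.0.1:11000$request_uri;
}
```

Pointing `resolver` at a local stub rather than a public DNS server keeps the choice of upstream from depending on answers that cross an untrusted network.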

linking to:

  • Nextcloud AIO interface behind Nginx in a subfolder
  • Add the possibility to host the AIO admin interface behind a reverse proxy (Nginx) but in a subfolder/subdirectory · nextcloud/all-in-one · Discussion #5480 · GitHub
  • allow to run it in a subdirectory with reverse proxy · nextcloud/all-in-one · Discussion #839 · GitHub