Disabling docker userland-proxy

Nextcloud version: 24.0.2 nextcloud:latest docker container.
Operating system and version: Ubuntu 22.04

The issue you are facing:

Disabling the docker userland proxy on the docker host running nextcloud makes nextcloud unresponsive to the local port or via the nginx reverse proxy (on another host).

Doing some Tenable scans of some unrelated docker hosts I got the following recommendation:

Which makes good sense to remove the userland-proxy from the picture. So I thought I’d do that on my home-lab docker hosts…

The end result was that nextcloud broke when I put:

{
  "userland-proxy": false
}

in /etc/docker/daemon.json

To check it wasn’t a local docker issue I stopped docker, rm -rf /var/lib/docker and restarted / pulled the container and the issue persisted. Removing the daemon.json fixed it.

Talking to a friend who also runs a similar lab setup, he didn’t see the problem, so I wanted to just chuck this up here and see if this is unique to something I’ve done and that I should nuke and pave before I go too far down the rabbit hole.

Steps to replicate it:

  1. Nextcloud in docker on host ‘A’, nginx reverse proxy on ‘B’. All working fine…
  2. Disable userland proxy on docker host A
  3. nginx container

I don’t get the whole problem but it seems to be more of a Docker issue rather than Nextcloud. This Stack Overflow post reports more or less the same issue. From there I get, in a way, that with the userland proxy disabled you need to create iptables rules manually.

Disabling the userland proxy on the current version of docker ce doesn’t affect iptables, so not 100% sure what that person was seeing 3 years ago.

I disabled the proxy on all of my docker VMs and a couple of linode boxes that host wordpress and static websites using nginx/php-fpm and they all work fine; the only thing that broke is my home nextcloud.

Digging around a bit more I think a contributor might be that I’m running nextcloud in a subdirectory rather than root of the url but I need to do a bit more testing to figure out the root cause.

I’m going to sift through the docker docs site tonight and see if I can figure out what it actually does… The config switch does not really help much…

--userland-proxy    Use userland proxy for loopback traffic (default true)

Onwards…
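
An added diagnostic example, not part of the thread and not Docker's own tooling: with `"userland-proxy": false`, no docker-proxy process listens on a published port, so each one depends on a DNAT rule in the nat table's DOCKER chain, and this check lists published ports that have none. The sample `iptables-save -t nat` output, the addresses and the port numbers are constructed assumptions; on a real host, pass in the actual file contents and command output.

```python
import json
import shlex

# Constructed sample input, not taken from the thread: a daemon.json and the
# `iptables-save -t nat` output of a host publishing 8080/tcp to a container.
SAMPLE_DAEMON_JSON = '{"userland-proxy": false}'
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
"""


def userland_proxy_enabled(daemon_json_text):
    """Docker defaults to true, so an absent key means the proxy is on."""
    config = json.loads(daemon_json_text or "{}")
    return bool(config.get("userland-proxy", True))


def dnat_rules(iptables_save_text):
    """Map (proto, host_port) -> container address for DOCKER-chain DNAT rules."""
    rules = {}
    for line in iptables_save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "DOCKER"]:
            continue
        opt = dict(zip(tok, tok[1:]))  # each option paired with the token after it
        if opt.get("-j") == "DNAT" and "--dport" in opt:
            rules[(opt.get("-p", "?"), int(opt["--dport"]))] = opt["--to-destination"]
    return rules


def ports_without_forwarding(daemon_json_text, iptables_save_text, expected):
    """Expected published ports that neither docker-proxy nor a DNAT rule serves."""
    if userland_proxy_enabled(daemon_json_text):
        return []  # docker-proxy listens on every published port
    rules = dnat_rules(iptables_save_text)
    return [port for port in expected if port not in rules]


if __name__ == "__main__":
    wanted = [("tcp", 8080), ("tcp", 8443)]  # hypothetical published ports
    print(ports_without_forwarding(SAMPLE_DAEMON_JSON, SAMPLE_NAT_RULES, wanted))
```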