Docker AIO - listening on :80: listen tcp :80: bind: permission denied

I tried to run the Docker AIO based on the GitHub documentation, using a reverse proxy.
This is the startup command:

sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
-e APACHE_PORT=11000 \
-e APACHE_IP_BINDING=127.0.0.1 \
-e NEXTCLOUD_DATADIR="/volume1/docker/nextcloud_aio/data" \
-e NEXTCLOUD_MOUNT="/volume1/external_test" \
-e NEXTCLOUD_MEMORY_LIMIT=2G \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

The container starts but repeats the following log output:

2022-11-22T16:27:04.741626867Z,stderr,Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: permission denied

2022-11-22T16:27:04.741475266Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.7411804,\"logger\":\"tls.cache.maintenance\",\"msg\":\"stopped background certificate maintenance\",\"cache\":\"0xc0004cd7a0\"}
"
2022-11-22T16:27:04.740653388Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.7404296,\"logger\":\"tls\",\"msg\":\"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place\",\"docs\":\"https://caddyserver.com/docs/automatic-https#on-demand-tls\"}
"
2022-11-22T16:27:04.739981077Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.7397861,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc0004cd7a0\"}
"
2022-11-22T16:27:04.739817250Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.7394106,\"logger\":\"http\",\"msg\":\"automatic HTTP->HTTPS redirects are disabled\",\"server_name\":\"srv1\"}
"
2022-11-22T16:27:04.739622536Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.7393675,\"logger\":\"http\",\"msg\":\"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server\",\"server_name\":\"srv0\",\"http_port\":80}
"
2022-11-22T16:27:04.738674287Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.738365,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}
"
2022-11-22T16:27:04.736849689Z,stderr,"{\"level\":\"warn\",\"ts\":1669134424.736496,\"msg\":\"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/Caddyfile\",\"line\":2}
"
2022-11-22T16:27:04.733843215Z,stderr,"{\"level\":\"info\",\"ts\":1669134424.733408,\"msg\":\"using provided configuration\",\"config_file\":\"/Caddyfile\",\"config_adapter\":\"\"}
"
2022-11-22T16:27:03.687131515Z,stderr,[Tue Nov 22 16:27:03.684942 2022] [core:notice] [pid 95] AH00094: Command line: 'apache2 -D FOREGROUND'

2022-11-22T16:27:03.686857350Z,stderr,[Tue Nov 22 16:27:03.684903 2022] [mpm_prefork:notice] [pid 95] AH00163: Apache/2.4.54 (Debian) PHP/8.0.25 OpenSSL/1.1.1n configured -- resuming normal operations

2022-11-22T16:27:03.684359684Z,stderr,[Tue Nov 22 16:27:03.680329 2022] [ssl:warn] [pid 95] AH01909: 172.18.0.2:8080:0 server certificate does NOT include an ID which matches the server name

2022-11-22T16:27:03.682930297Z,stderr,[Tue Nov 22 16:27:03.680298 2022] [ssl:warn] [pid 95] AH01906: 172.18.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

2022-11-22T16:27:03.625133716Z,stderr,"AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message
"
2022-11-22T16:27:03.583698917Z,stderr,[Tue Nov 22 16:27:03.581138 2022] [ssl:warn] [pid 95] AH01909: 172.18.0.2:8080:0 server certificate does NOT include an ID which matches the server name

2022-11-22T16:27:03.582896991Z,stderr,[Tue Nov 22 16:27:03.580699 2022] [ssl:warn] [pid 95] AH01906: 172.18.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

2022-11-22T16:27:03.577096301Z,stderr,"AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message
"
2022-11-22T16:27:03.522878079Z,stderr,Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: permission denied

2022-11-22T16:27:03.520056519Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5198145,\"logger\":\"tls.cache.maintenance\",\"msg\":\"stopped background certificate maintenance\",\"cache\":\"0xc000182ee0\"}
"
2022-11-22T16:27:03.518951596Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5186913,\"logger\":\"http.log\",\"msg\":\"server running\",\"name\":\"srv1\",\"protocols\":[\"h1\",\"h2\",\"h3\"]}
"
2022-11-22T16:27:03.517883223Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.517677,\"msg\":\"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details.\"}
"
2022-11-22T16:27:03.517651773Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5165832,\"logger\":\"tls\",\"msg\":\"finished cleaning storage units\"}
"
2022-11-22T16:27:03.516729505Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5157094,\"logger\":\"tls\",\"msg\":\"cleaning storage unit\",\"description\":\"FileStorage:/mnt/docker-aio-config/caddy/\"}
"
2022-11-22T16:27:03.515963610Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5157094,\"logger\":\"http\",\"msg\":\"enabling HTTP/3 listener\",\"addr\":\":8443\"}
"
2022-11-22T16:27:03.515016032Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.5147154,\"logger\":\"tls\",\"msg\":\"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place\",\"docs\":\"https://caddyserver.com/docs/automatic-https#on-demand-tls\"}
"
2022-11-22T16:27:03.514105215Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.5136123,\"logger\":\"http\",\"msg\":\"automatic HTTP->HTTPS redirects are disabled\",\"server_name\":\"srv1\"}
"
2022-11-22T16:27:03.513099747Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.5128827,\"logger\":\"http\",\"msg\":\"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server\",\"server_name\":\"srv0\",\"http_port\":80}
"
2022-11-22T16:27:03.512280194Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5120091,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc000182ee0\"}
"
2022-11-22T16:27:03.511004252Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5106463,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}
"
2022-11-22T16:27:03.508721577Z,stderr,"{\"level\":\"warn\",\"ts\":1669134423.508379,\"msg\":\"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/Caddyfile\",\"line\":2}
"
2022-11-22T16:27:03.505160411Z,stderr,"{\"level\":\"info\",\"ts\":1669134423.5046253,\"msg\":\"using provided configuration\",\"config_file\":\"/Caddyfile\",\"config_adapter\":\"\"}

Hi, this reminds me of Apache cannot start because listen tcp :443: bind: permission denied · Discussion #1267 · nextcloud/all-in-one · GitHub

Hm, I couldn’t find that when I was looking for a solution.

I’m running Docker on a Synology NAS, so there might be a chance that Docker is not up to date.
Still strange, as the AIO documentation explicitly lists Synology’s reverse proxy setup.

Doesn’t Synology already use that port for its own interface?

Yes, but who wants to use port 80? Everything runs in a container in a bridge network; the container uses 8080, and I added the env var to tell Apache to use 11000, as stated in the how-to.

Basically, you will need kernel 4.11 or higher, as AIO will not work otherwise.

My DS218+ with DSM 7.1 has kernel 4.4.180, so yeah, that seems to be the issue.
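An added check script, not from this thread and not part of nextcloud/all-in-one, that tests the two conditions behind this error. The kernel sysctl net.ipv4.ip_unprivileged_port_start was introduced in Linux 4.11; Docker 20.10 and later set it to 0 inside each container's own network namespace, which is what lets a non-root process such as the Caddy inside the AIO mastercontainer bind :80. On a 4.4 kernel the sysctl does not exist, the fixed 1024 boundary applies, and the bind is refused exactly as in the log above. The function names, the `--live` flag and the sample version strings are this example's own; the container name is the one from the startup command.

```shell
#!/bin/sh
# Added example, not part of the thread or of nextcloud/all-in-one.
# Linux 4.11 introduced net.ipv4.ip_unprivileged_port_start. Docker 20.10+ sets it to 0
# in a container's network namespace so a non-root process can bind :80. On older kernels
# the sysctl is absent, ports below 1024 need CAP_NET_BIND_SERVICE, and the bind fails with
# "listen tcp :80: bind: permission denied".

# kernel_at_least MAJOR MINOR VERSION -> success if VERSION (e.g. "4.4.180+") >= MAJOR.MINOR
kernel_at_least() {
    want_major=$1; want_minor=$2; ver=$3
    have_major=$(printf '%s\n' "$ver" | cut -d. -f1 | sed 's/[^0-9].*$//')
    have_minor=$(printf '%s\n' "$ver" | cut -s -d. -f2 | sed 's/[^0-9].*$//')
    have_major=${have_major:-0}; have_minor=${have_minor:-0}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# port_unprivileged PORT START -> success if PORT can be bound without CAP_NET_BIND_SERVICE,
# given START = current value of net.ipv4.ip_unprivileged_port_start (kernel default 1024).
port_unprivileged() {
    [ "$1" -ge "$2" ]
}

# diagnose_aio_bind KERNEL_VERSION SYSCTL_VALUE PORT
# KERNEL_VERSION: output of `uname -r`. SYSCTL_VALUE: contents of
# /proc/sys/net/ipv4/ip_unprivileged_port_start as seen from the container's namespace
# (pass "" when the file does not exist). Success means a non-root bind to PORT should work.
diagnose_aio_bind() {
    kver=$1; unpriv_start=$2; port=$3
    if ! kernel_at_least 4 11 "$kver"; then
        echo "FAIL: kernel $kver predates 4.11; ip_unprivileged_port_start is unavailable, so a non-root bind to :$port is refused"
        return 1
    fi
    if [ -z "$unpriv_start" ]; then
        echo "FAIL: kernel $kver is new enough, but ip_unprivileged_port_start could not be read"
        return 1
    fi
    if port_unprivileged "$port" "$unpriv_start"; then
        echo "OK: port $port >= ip_unprivileged_port_start=$unpriv_start; non-root bind allowed"
        return 0
    fi
    echo "FAIL: port $port < ip_unprivileged_port_start=$unpriv_start; needs CAP_NET_BIND_SERVICE or a lower sysctl value"
    return 1
}

# Live mode (hypothetical flag for this example): `sh check.sh --live [PORT]` on the Docker
# host checks the host's own namespace. To test the value Docker applies inside the
# mastercontainer, feed it the output of:
#   docker exec nextcloud-aio-mastercontainer cat /proc/sys/net/ipv4/ip_unprivileged_port_start
if [ "${1:-}" = "--live" ]; then
    live_kver=$(uname -r)
    live_start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || true)
    diagnose_aio_bind "$live_kver" "$live_start" "${2:-80}"
fi
```

With the thread's own numbers, `diagnose_aio_bind "4.4.180+" "" 80` fails on the kernel check, which matches the reply above; on a 4.11+ host with Docker's in-container value of 0 the same call succeeds, and a host-side value of 1024 correctly reports that a process outside a container would still need the capability.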

Wow, do they really ship such outdated kernels?

At least they did in the past. I could only find a reposted statement where they are “not worried of EOL because they handle it internally”, whatever that means.
