Docker AIO, reverse proxy, pfsense

  • Nextcloud Server version:
    • Latest Docker AIO
  • Operating system and version
    • Ubuntu 24.04
  • Running behind
    • a pfSense, with HA proxy, this HA handles the certificates for my other hosted services. (auto renew etc..)

I’ve got an NC instance running for years now, using the Hansson IT OVF template on my ESXi server. This works like a charm, however updating this one is rather complicated.

So I’m trying to build my own docker instance of NC using the AIO.

I’ve put in quite some time a while ago in an attempt to get this running, but without success, and now a new effort, but failing in every attempt.

I am able to build a more or less working AIO instance, but I have 2 issues which I cannot resolve:

- Domain validation, can’t get it to work, unless I disable it in the docker compose. My DNS is hosted at Cloudflare, but I am not using any tunnels or reverse proxies from them. Purely DNS. My cloud.domain.tld is a CNAME for home.domain.tld. This setup is identical to the working instance from Hansson IT.

- After successfully building an instance (with disabled validation), using cloud.mydomain.tld, I always get redirected to the setup pages when I try to log in (and telling me to stop the apache container), but that doesn’t work.

I think both of the above are a result of a badly configured reverse proxy. I have read many manuals/how-tos, but I’m confused by the terminology and which file to change where. I can’t seem to find a scenario in which the reverse proxy is running on a pfSense.

I don’t want to mess around with my HA config on my pfSense because this works. Preferably, I want to add a frontend redirect and create a new backend. Only by using the GUI of pfSense :slight_smile:. Also, the certificates for my running instances are handled by pfSense, I would prefer to keep it this way, and not do this on the AIO instance.

I’ve changed a lot of things in the default docker compose yml which I pulled from GitHub, but none of them seem to do the trick. I also cannot find a specific scenario which suits my environment, so I cannot compare this.

What am I missing and where?

Can you post your Compose file and relevant HAProxy config?

I assume what you’re trying to do is adapt the documented AIO RP HAProxy config?

P.S. Make sure the HAProxy RP config is pointed at the AIO private IP and at the $APACHE_PORT, not the AIO mgmt port. See “On a different server” here (all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub).

The IP of the docker host is 192.168.10.47

Docker compose:

```yaml
services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    network_mode: bridge
    ports:
      - 80:80
      - 8080:8080
      - 8443:8443
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 192.168.10.47
      APACHE_ADDITIONAL_NETWORK: ""
      SKIP_DOMAIN_VALIDATION: true

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
```

HA config which I pulled from pfSense, I removed the other services which are not relevant.

192.168.5.10 is the WAN IP from my pfSense box, since I’m behind a double NAT, and this is a limitation by the ISP.

Pooh is the temporary AIO instance :slight_smile:

```
# Automaticaly generated, dont edit manually.
# Generated on: 2025-09-29 17:38
global
	maxconn			500
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

resolvers globalresolvers
	nameserver Cloudflare 1.1.1.1:53
	resolve_retries 3
	timeout retry 1s
	timeout resolve 10s

frontend Shared_Frontend
	bind			192.168.5.10:443 name 192.168.5.10:443   ssl crt-list /var/etc/haproxy/Shared_Frontend.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			Pooh	var(txn.txnhost) -m beg -i pooh.domain.tld
	http-request set-var(txn.txnhost) hdr(host)

	use_backend PoohBackend_ipvANY  if  Pooh 

backend PoohBackend_ipvANY
	mode			http
	id			108
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			pooh 192.168.10.47:11000 id 105 ssl  verify none resolvers globalresolvers 
```

With this config I can set up a new instance, albeit without domain name verification, the containers are all starting, but when browsing to pooh.mydomain.tld, I get redirected to the setup login page instead of the real login page.

Initially I receive an error and the suggestion to stop the apache container, but that doesn’t solve the issue.
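
Added example (not part of the thread, and not Nextcloud or pfSense code): a small Python check for the advice in the reply above, that the HAProxy backend should target the AIO host at `APACHE_PORT` and not the AIO management port. It also reports `ssl` and `verify none` on that server line; the sample config is constructed, the management ports are taken from the Compose file's published ports, and treating Apache on `APACHE_PORT` as plain HTTP behind the proxy is an assumption of this example.

```python
import re

# Constructed sample: one backend on APACHE_PORT with TLS, one on a management port.
SAMPLE_HAPROXY = """\
backend PoohBackend_ipvANY
	mode			http
	server			pooh 192.168.10.47:11000 id 105 ssl  verify none resolvers globalresolvers
backend Mgmt_ipvANY
	mode			http
	server			aio 192.168.10.47:8080 id 106
"""

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+([0-9A-Za-z_.\-]+):(\d+)(.*)$")


def parse_servers(cfg):
    """Yield (section, name, host, port, options) for each backend/listen server line."""
    section = None
    for line in cfg.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("global", "defaults", "frontend", "resolvers"):
            section = None
        elif words[0] in ("backend", "listen") and len(words) > 1:
            section = words[1]
        elif section and (m := SERVER_RE.match(line)):
            yield section, m.group(1), m.group(2), int(m.group(3)), m.group(4).split()


def audit(cfg, aio_ip, apache_port, mgmt_ports=(8080, 8443)):
    """Return (where, message) findings for server lines that target the AIO host."""
    findings = []
    for section, name, host, port, opts in parse_servers(cfg):
        if host != aio_ip:
            continue
        where = f"{section}/{name}"
        if port in mgmt_ports:
            findings.append((where, "targets an AIO management port, not APACHE_PORT"))
        elif port != apache_port:
            findings.append((where, f"port {port} is not APACHE_PORT {apache_port}"))
        if "ssl" in opts:
            # Assumption: Apache on APACHE_PORT serves plain HTTP behind the proxy.
            findings.append((where, "'ssl' set: proxy speaks TLS to the backend"))
            if ("verify", "none") in zip(opts, opts[1:]):
                findings.append((where, "'verify none': backend certificate is not validated"))
    return findings
```

Call `audit(config_text, "192.168.10.47", 11000)` with the exported pfSense HAProxy config; an empty list means no server line for that host tripped any of the checks.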
