Domain Validation Issues - IP address resolution problem within docker?

Thanks for taking the time to read this and respond.
I cannot get my domain name to validate on an AIO installation. Here are the details:

  • nextcloud.myDomain.org has an A-record that points to my VPS.
    • I can successfully ping the subdomain
  • VPS is using nginx as a reverse proxy and wireguard as a tunnel to the server hosting the NextCloud install. Config files are posted at the end.
    • VPS has address 172.16.0.1 on the WG network
    • NextCloud server has address 172.16.0.2 on the WG network
    • From the proxy server telnet can connect to 172.16.0.2:11000
    • From the NextCloud server, telnet can connect to 172.16.0.1:443
  • Per the debugging instructions, when I check IP addresses on the nextcloud server I get:
me@server:/etc/docker$ ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'
192.168.12.133
me@server:/etc/docker$ ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'
172.17.0.1

sudo docker logs -f --details nextcloud-aio-mastercontainer generates:

 Trying to fix docker.sock permissions internally...
 Creating docker group internally with id 996
 <security image>
 -----
 Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
 
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443
 [Tue Aug 22 01:18:34 2023] PHP 8.2.8 Development Server (http://127.0.0.1:9876) started
 [22-Aug-2023 01:18:34] NOTICE: fpm is running, pid 116
 [22-Aug-2023 01:18:34] NOTICE: ready to handle connections
 {"level":"info","ts":1692667114.2722273,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
 [Tue Aug 22 01:18:34.387052 2023] [mpm_event:notice] [pid 110:tid 140219394067272] AH00489: Apache/2.4.57 (Unix) OpenSSL/3.1.2 configured -- resuming normal operations
 [Tue Aug 22 01:18:34.388291 2023] [core:notice] [pid 110:tid 140219394067272] AH00094: Command line: 'httpd -D FOREGROUND'
 NOTICE: PHP message: The response of the connection attempt to "https://nextcloud.myDomain.org:443" was: 
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
 NOTICE: PHP message: The response of the connection attempt to "https://nextcloud.myDomain.org:443" was: 
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
 NOTICE: PHP message: The response of the connection attempt to "https://nextcloud.myDomain.org:443" was: 
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
 Deleting duplicate sessions
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
 Total reclaimed space: 0B
 Total reclaimed space: 0B
 Total reclaimed space: 0B
 Deleting duplicate sessions
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 
</html>nter>nginx/1.18.0</center>/center>d>onnection attempt to "https://nextcloud.myDomain.org:443" was: <html>
 NOTICE: PHP message: Expected was: <security-key-removed-but-this-is-just-a-string-of-random-characters>
 NOTICE: PHP message: The error message was: 

nginx config:

        # Nextcloud configuration
        map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
        }

        server {
                listen 80;

                if ($scheme = "http") {
                        return 301 https://$host$request_uri;
                }

                listen 443 ssl http2; # managed by Certbot
                server_name nextcloud.myDomain.org;

                location / {
                        proxy_pass https://172.16.0.2:11000$request_uri;

                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Port $server_port;
                        proxy_set_header X-Forwarded-Scheme $scheme;
                        proxy_set_header X-Forwarded-Proto $scheme;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Accept-Encoding "";
                        proxy_set_header Host $host;

                        client_body_buffer_size 512k;
                        proxy_read_timeout 86400s;
                        client_max_body_size 0;

                        # Websocket
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection $connection_upgrade;
                }

                ssl_certificate /etc/letsencrypt/live/nextcloud.myDomain.org/fullchain.pem; # managed by Certbot
                ssl_certificate_key /etc/letsencrypt/live/nextcloud.myDomain.org/privkey.pem; # managed by Certbot
                include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
                ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

                ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

        }

Seems to me like a common problem. What you’d typically like to do when using a rev proxy is that this one has the open ports 80 and 443. What it does is take the incoming traffic and route it to the needed container. So what you need to do is only give the rev proxy the open ports 443 and 80 so it can obtain certs and stuff. The other containers must use different ports. The usage of different ports than the standard ones is covered by your rev proxy.

What I see here in your nc config is the usage of ports 80 and 443. Which is correct without a rev proxy but a misconfig with a rev proxy.

I thought the rev proxy is configured to return 301 for all http requests on port 80 and forward all https traffic on port 443 to the nextcloud server at 172.16.0.2:11000. Is that not what’s happening?
As I was troubleshooting, you can see in the Nextcloud logs where I made a change to the current configuration. In the first 3 attempts, nothing was returned and all requests to https://nextcloud.myDomain.org returned 404. Then I “fixed” the nginx configuration. https://nextcloud.myDomain.org now gets a 502 and the installer is receiving <html> as a response.
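To make the log output above easier to interpret, here is an added example (not part of the thread and not the AIO project's own code) that mimics what the master container's domain check does: fetch the domain and compare the body with a random token, then classify the result. The real check goes to https://nextcloud.myDomain.org:443; the example uses loopback stub servers over plain HTTP, a constructed token and a constructed nginx 502 page, so it runs offline.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the random token the AIO master container expects the
# domain to echo back (the log shows it as "Expected was: <...>").
EXPECTED_TOKEN = "constructed-example-token-0123456789abcdef"

# Constructed stand-in for the error page nginx serves when it cannot reach the
# backend; this is the "<html>" the installer received after the config change.
NGINX_502_PAGE = (
    "<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n"
    "<body>\r\n<center><h1>502 Bad Gateway</h1></center>\r\n"
    "<hr><center>nginx/1.18.0</center>\r\n</body>\r\n</html>\r\n"
)


class _StubHandler(http.server.BaseHTTPRequestHandler):
    """Answers every GET with a fixed status and body (set per scenario by subclassing)."""
    status = 200
    body = b""

    def do_GET(self):
        self.send_response(self.status)
        self.send_header("Content-Type", "text/plain" if self.status == 200 else "text/html")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep the example quiet
        pass


def serve(body: str, status: int) -> socketserver.TCPServer:
    """Start a stub server on a free loopback port; the caller shuts it down."""
    handler = type("Scenario", (_StubHandler,), {"body": body.encode(), "status": status})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url: str, timeout: float = 3.0):
    """Return (status, body); status is None when no HTTP response came back at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # non-2xx still carries a body (e.g. the 502 page)
        return err.code, err.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(status, body: str, expected: str) -> str:
    """Map a response onto the failure modes seen in the thread."""
    if status is None:
        return "unreachable"
    if body.strip() == expected:
        return "ok"
    if body.lstrip().lower().startswith("<html"):
        return f"html-error-page ({status})"  # a proxy answered instead of the backend
    if body == "":
        return f"empty ({status})"            # the first three attempts in the log
    return f"mismatch ({status})"


def domaincheck(url: str, expected: str) -> str:
    status, body = fetch(url)
    return classify(status, body, expected)


def simulate() -> dict:
    """Run the three scenarios from the thread against local stub servers."""
    scenarios = {
        "healthy backend": (EXPECTED_TOKEN, 200),
        "proxy cannot reach backend": (NGINX_502_PAGE, 502),
        "nothing served at the path": ("", 404),
    }
    results = {}
    for name, (body, status) in scenarios.items():
        srv = serve(body, status)
        try:
            port = srv.server_address[1]
            results[name] = domaincheck(f"http://127.0.0.1:{port}/", EXPECTED_TOKEN)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:30s} -> {verdict}")
```

The useful signal is the shape of the body, not just the status: an HTML document where a bare token was expected means something in front of the backend (here the nginx proxy) generated the reply, which is why the check reports "<html>" rather than a connection error.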

Hi, can you follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things?

Would wireguard disrupt domain validation in the same way Cloudflare does? Using tcpdump, I can see packets being exchanged between my proxy server and the nc server:11000

  1. Follow instructions :heavy_check_mark:
  2. APACHE_PORT is 11000 :heavy_check_mark:
  3. APACHE_IP_BINDING = 0.0.0.0 :heavy_check_mark:
  4. Rev proxy points to 172.16.0.2:11000 :heavy_check_mark:
    a. I can see packet transmissions using tcpdump
  5. Rev Proxy is running on a different host
    a. See original post for IP addresses and ping results
  6. Master container was able to spawn nextcloud-aio-domaincheck :heavy_check_mark:
  7. Rev proxy is running on a different host.
  8. I am behind CGNAT, but that’s what Wireguard is for.
  9. Not using Cloudflare :heavy_check_mark:
  10. 443 and 80 are open. Other services are up :heavy_check_mark:
  11. Only using ipv4 :heavy_check_mark:
  12. Tore down and rebuilt the docker image. Same issue :heavy_check_mark:
  13. I am not completely sure I have correctly configured everything.

Update after more troubleshooting:

  • I tore everything down and just set up Apache2 on the nextcloud server. I enabled SSL and could access the landing page both on my local network (https://192.168.0.3) and via the proxy server (https://nextcloud.myDomain.org). At this point, I am fairly certain the proxy is set up correctly.
  • I attempted to disable domain authentication, but received the warning that containers were restarting. I tried this both with a time zone and with the default time zone.

In nginx.conf:
proxy_pass https://172.16.0.2:11000$request_uri; needs to be changed to proxy_pass http://172.16.0.2:11000$request_uri;
Figured that out when I could open 172.16.0.2:11000 with lynx from the VPS terminal, but https://172.16.0.2:11000 returned an error.
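The lynx test above is the right diagnostic: the AIO Apache container on port 11000 speaks plain HTTP, so with proxy_pass https:// nginx starts a TLS handshake against it, gets an HTTP error line back instead of a ServerHello, and turns that into a 502. This added example (not from the thread or the AIO project) automates the same check: it probes a port for TLS and then for plain HTTP and reports which proxy_pass scheme matches. The backend it talks to is a constructed loopback stub that behaves like a plain HTTP listener; the host, port and function names are the example's own.

```python
import socket
import ssl
import threading

# Constructed stand-in for the AIO Apache container on APACHE_PORT (11000 in the
# thread): it speaks plain HTTP only, like the real backend.
PLAIN_HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                    b"Content-Length: 23\r\n\r\nplain HTTP backend here")
BAD_REQUEST_REPLY = b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def start_plaintext_backend() -> socket.socket:
    """Accept loop on a free loopback port. Answers HTTP normally and answers a TLS
    ClientHello the way a plain HTTP server does: as a malformed request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            with conn:
                data = conn.recv(4096)
                # A TLS record starts with content type 0x16 (handshake), major version 0x03.
                if data.startswith(b"\x16\x03"):
                    conn.sendall(BAD_REQUEST_REPLY)
                else:
                    conn.sendall(PLAIN_HTTP_REPLY)

    threading.Thread(target=loop, daemon=True).start()
    return srv


def probe_plain_http(host: str, port: int, timeout: float = 3.0) -> int:
    """Send a minimal HTTP/1.0 GET and return the status code from the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            part = s.recv(4096)
            if not part:
                break
            chunks.append(part)
    status_line = b"".join(chunks).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


def probe_tls(host: str, port: int, timeout: float = 3.0):
    """Return the negotiated TLS version, or None if the port does not speak TLS.
    Verification is disabled on purpose: this only asks *whether* TLS is spoken,
    so it must never be reused as a client that trusts the answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError (e.g. WRONG_VERSION_NUMBER) is an OSError subclass
        return None


def backend_scheme(host: str, port: int) -> str:
    """'https' if the port completes a TLS handshake, 'http' if it answers plain HTTP."""
    if probe_tls(host, port) is not None:
        return "https"
    try:
        probe_plain_http(host, port)
        return "http"
    except (OSError, ValueError, IndexError):
        return "unknown"


def recommend_proxy_pass(host: str, port: int) -> str:
    """The proxy_pass line whose scheme matches what the backend actually speaks."""
    return f"proxy_pass {backend_scheme(host, port)}://{host}:{port}$request_uri;"


if __name__ == "__main__":
    backend = start_plaintext_backend()
    port = backend.getsockname()[1]
    print("TLS handshake result:", probe_tls("127.0.0.1", port))
    print("plain HTTP status:   ", probe_plain_http("127.0.0.1", port))
    print(recommend_proxy_pass("127.0.0.1", port))
    backend.close()
```

Against a real host the same call would be recommend_proxy_pass("172.16.0.2", 11000) run from the VPS; for the AIO backend it yields the http:// form, which is the fix described above. The hop between nginx and the backend still travels inside the WireGuard tunnel, so the plain-HTTP proxy_pass does not expose traffic on the public interface.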
