Error 502: Connection refused - Docker AIO - nginx + Cloudflare tunnel

Hi,

I am trying to set up the Nextcloud AIO Docker container publicly on my domain behind Nginx and a Cloudflare Zero Trust tunnel.
I successfully set up Jellyfin, but can’t seem to figure out how to correctly configure Nextcloud.

The Cloudflare tunnel is configured to redirect https://nextcloud.mydomain to http://nginx:80.
The docker compose file looks like this:

networks:
  media_network:
    driver: bridge

services:

  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Prague
    volumes:
      - ./jellyfin/config:/config
      - /mnt/primary/media/movies:/media/movies
      - /mnt/primary/media/shows:/media/shows
    ports:
      - 8096:8096
      - 8920:8920 #optional
      - 7359:7359/udp #optional
      - 1900:1900/udp #optional
    restart: unless-stopped
    networks:
      - media_network

  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    command: tunnel --no-autoupdate run --token xxx
    networks:
      - media_network

  nginx:
    image: nginx:latest
    container_name: nginx
    restart: unless-stopped
    networks:
      - media_network
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro

  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
    init: true
    container_name: nextcloud-aio-mastercontainer
    restart: always
    ports:
      - 8080:8080 # AIO management interface (use only locally)
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - APACHE_ADDITIONAL_NETWORK=media_network
      - TZ=Europe/Prague
      - SKIP_DOMAIN_VALIDATION=true  # Needed because of Cloudflare tunnel!
      - NEXTCLOUD_DATADIR=/mnt/nextcloud/data
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/primary/nextcloud/data:/mnt/nextcloud/data
    networks:
      - media_network

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

My nginx config file for Nextcloud looks like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {

    listen 80;
    listen [::]:80;            # comment to disable IPv6

    proxy_buffering off;
    proxy_request_buffering off;

    client_max_body_size 0;
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;

    server_name nextcloud.mydomain.com;

    location / {
        proxy_pass http://127.0.0.1:11000$request_uri; 

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Early-Data $ssl_early_data;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

I was able to go through the setup in web UI, but that was using the internal IP address.
When I try to visit the nextcloud subdomain, I get Cloudflare's Error 502 site.
Docker logs for nginx look like this:

2025/07/22 17:11:45 [error] 20#20: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.13, server: nextcloud.mydomain.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:11000/", host: "nextcloud.mydomain.com"
172.18.0.13 - - [22/Jul/2025:17:11:45 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" "185.47.220.46"
172.18.0.13 - - [22/Jul/2025:17:11:46 +0000] "GET /favicon.ico HTTP/1.1" 502 157 "https://nextcloud.mydomain.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" "185.47.220.46"
2025/07/22 17:11:46 [error] 20#20: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 172.18.0.13, server: nextcloud.mydomain.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:11000/favicon.ico", host: "nextcloud.mydomain.com", referrer: "https://nextcloud.mydomain.com/"

I tried to debug it, but couldn’t figure out how to fix this.
Does anybody know what I am doing wrong and how I can fix this?
Thank you very much!

I figured it out.
In the nextcloud config for nextcloud, this line was missing: resolver 127.0.0.11 valid=30s; which adds Docker’s internal DNS resolver, because without that the containers weren’t able to communicate with each other.
Now the whole file looks like this and it is working:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {

    listen 80;
    listen [::]:80;            # comment to disable IPv6

    # Add Docker's internal DNS resolver
    resolver 127.0.0.11 valid=30s;

    proxy_buffering off;
    proxy_request_buffering off;

    client_max_body_size 0;
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;

    server_name nextcloud.mydomain.com;

    location / {
        proxy_pass http://nextcloud-aio-apache:11000$request_uri; 

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Early-Data $ssl_early_data;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
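
An added example, not part of the original posts: a small Python lint for the two proxy_pass pitfalls this thread touches. Inside the nginx container, 127.0.0.1 is the container's own loopback (hence the "connect() failed (111: Connection refused)" log lines), and when proxy_pass combines a hostname with a variable such as $request_uri, nginx resolves the name at request time and needs a resolver directive. The function name and the abbreviated BEFORE/AFTER configs are constructed for illustration.

```python
import re

# Constructed excerpts of the two nginx configs shown in this thread.
BEFORE = """
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:11000$request_uri;
    }
}
"""
AFTER = """
server {
    listen 80;
    resolver 127.0.0.11 valid=30s;
    location / {
        proxy_pass http://nextcloud-aio-apache:11000$request_uri;
    }
}
"""

# Group 1: upstream host (name, IPv4 or bracketed IPv6); group 2: port, path, variables.
PROXY_PASS = re.compile(r"^\s*proxy_pass\s+https?://(\[[^\]]+\]|[^:/\s;$]+)([^;\s]*);", re.M)
RESOLVER = re.compile(r"^\s*resolver\s+\S+", re.M)
LOOPBACK = re.compile(r"^(localhost|127\.\d+\.\d+\.\d+|\[::1\])$")
IP_LITERAL = re.compile(r"^(\d+\.\d+\.\d+\.\d+|\[[0-9a-fA-F:]+\])$")

def lint_proxy_pass(conf: str) -> list[str]:
    """Return findings for proxy_pass targets in a containerised nginx config."""
    conf = re.sub(r"#.*", "", conf)  # ignore comments and commented-out directives
    has_resolver = bool(RESOLVER.search(conf))
    findings = []
    for m in PROXY_PASS.finditer(conf):
        host, rest = m.group(1), m.group(2)
        if LOOPBACK.match(host):
            # Loopback inside the nginx container never reaches another container.
            findings.append(f"loopback-upstream: {host} is the nginx container itself")
        elif "$" in rest and not IP_LITERAL.match(host) and not has_resolver:
            # Hostname + variable means runtime DNS lookup, which requires `resolver`.
            findings.append(f"no-resolver: {host} is resolved at request time")
    return findings

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_proxy_pass(conf) or "ok")
```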
