Error "access through untrusted domain" after migrating to a new server

Here is my situation:

  • I had a Nextcloud instance configured and working properly
  • I changed host and backed up everything to the new one.

Here is my setup:

  • Nextcloud runs in a Docker container
  • behind an Apache2 reverse proxy
  • that config is a bit specific but it worked very well previously
  • docker configuration is the same obviously, Apache2 configuration is the same too (I checked that the same modules were enabled etc.)
  • I switched from Ubuntu 18.04 to Debian 10
  • PHP7.3 to PHP7.4

After running docker-compose up -d, I end up with the infamous “access through untrusted domain” error on my Nextcloud domain.

The config.php is the same and has not changed.

The only thing is that when switching from the previous host to the new one I transferred some files from the docker volume and I suspect some permissions could have changed inside the nextcloud folder. I did not find info on how those should be set.

Or is the IP to be set somewhere I did not know? Or internal host IP? At this point I’m not sure of anything.

I tried several things and don’t see what could make this setup that worked before to not work anymore. If you have any idea, help welcome.

Note that I have other docker apps running behind the same config of apache2 reverse proxy and that work without problem since the migration. Nextcloud is the only one to seem to have problems.

I’m having the same issue too. I used to have a server running for years, then I stopped when I had hardware issues. Years later I wanted to see how Nextcloud has progressed, so I downloaded a virtual machine image of Nextcloud. I installed it on VirtualBox. I can access NC through the LAN IP address. But when I exposed it to the WAN and pointed a hostname to it, I cannot access it from outside.

I checked the virtual hosts logs and I get this error… I don’t understand what is happening though.

[Fri May 14 19:05:13.478331 2021] [proxy_http:error] [pid 7634] (104)Connection reset by peer: [client 82.65.1.189:43742] AH01102: error reading status line from remote server 127.0.0.1:8083
[Fri May 14 19:05:13.498247 2021] [proxy:error] [pid 7634] [client 82.65.1.189:43742] AH00898: Error reading from remote server returned by /
[Fri May 14 19:05:13.683314 2021] [proxy_http:error] [pid 7634] (104)Connection reset by peer: [client 82.65.1.189:43742] AH01102: error reading status line from remote server 127.0.0.1:8083, referer: https://mydomain.fr/
[Fri May 14 19:05:13.734965 2021] [proxy_http:error] [pid 7645] (104)Connection reset by peer: [client 82.65.1.189:43744] AH01102: error reading status line from remote server 127.0.0.1:8083, referer: https://mydomain.fr/
[Fri May 14 19:05:13.735044 2021] [proxy:error] [pid 7645] [client 82.65.1.189:43744] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://mydomain.fr/
[Fri May 14 19:05:14.625707 2021] [proxy_http:error] [pid 8365] (104)Connection reset by peer: [client 82.65.1.189:43746] AH01102: error reading status line from remote server 127.0.0.1:8083
[Fri May 14 19:05:14.625785 2021] [proxy:error] [pid 8365] [client 82.65.1.189:43746] AH00898: Error reading from remote server returned by /

That’s why it’s not working. You need to update the domain and IP address in config.php.

Hi @sanook thanks for answering.

In fact my config.php file on the previous server did not contain the IP address. I don’t understand why it should have changed after I changed hosting server.

Here is the config that worked previously:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocx3skz6pr7t',
  'passwordsalt' => '{private}',
  'secret' => '{private}',
  'trusted_domains' =>  array (
     0 => 'mydomain.fr',
  ),
  'datadirectory' => '/var/www/html/data',
  'overwrite.cli.url' => 'http://mydomain.fr',
  'overwriteprotocol' => 'https',
  // added the following to debug 
  'forwarded_for_headers' =>
    array (
    0 => 'X-Forwarded-For',
    1 => 'HTTP_X_FORWARDED_FOR'
    ),
  'trusted_proxies' => array (
    0 => '127.0.0.1',
    1 => 'mydomain.fr',
    ),
  'dbtype' => 'mysql',
  'version' => '21.0.0.18',
  'dbname' => 'cloud_db',
  'dbhost' => 'cloud-db',
  'dbport' => '',
  'dbtableprefix' => '',
  'mysql.utf8mb4' => true,
  'dbuser' => 'cloud_user',
  'dbpassword' => '{private}',
  'installed' => true,
  'maintenance' => false,
  'updater.secret' => '{private}',
  'loglevel' => 0,
  'mail_from_address' => '{private}',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => '{private}',
  'mail_smtphost' => '{private}',
  'mail_smtpport' => '{private}',
  'mail_smtpsecure' => '{private}',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '{private}',
  'mail_smtppassword' => '{private}',
  'theme' => '',
  'default_phone_region' => 'ISO 3166-2:FR',
  'filelocking.enabled' => true,
  'loglevel' => 0,
  'log_rotate_size' => 10000000,
);

Here is my apache2 config file /etc/apache2/sites-enabled/mydomain.fr.conf

<VirtualHost *:80>

       ServerAdmin {private}
       ServerName mydomain.fr
       ProxyPreserveHost On

       ProxyPass / http://127.0.0.1:8083/
       ProxyPassReverse / http://127.0.0.1:8083/
       ProxyPassReverseCookieDomain 127.0.0.1 mydomain.fr


       ErrorLog /srv/logs/error/mydomain.fr.log
       CustomLog /srv/logs/access/mydomain.fr.log combined


RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomain.fr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

RewriteRule ^/\.well-known/carddav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

</VirtualHost>

And here is /etc/apache2/sites-enabled/mydomain.fr-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

       ServerAdmin {private}
       ServerName mydomain.fr
       ProxyPreserveHost On

       SSLEngine On
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off

       ProxyPass / http://127.0.0.1:8083/
       ProxyPassReverse / http://127.0.0.1:8083/
       ProxyPassReverseCookieDomain 127.0.0.1 mydomain.fr

       ErrorLog /srv/logs/error/mydomain.fr.log
       CustomLog /srv/logs/access/mydomain.fr.log combined

       Include /etc/letsencrypt/options-ssl-apache.conf

       RewriteEngine On
       RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
       RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

SSLCertificateFile /etc/letsencrypt/live/mydomain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.fr/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>

       ServerAdmin {private}
       ServerName mydomain.fr
       ProxyPreserveHost On

       ProxyPass / http://127.0.0.1:8083/
       ProxyPassReverse / http://127.0.0.1:8083/
       ProxyPassReverseCookieDomain 127.0.0.1 mydomain.fr


       ErrorLog /srv/logs/error/mydomain.fr.log
       CustomLog /srv/logs/access/mydomain.fr.log combined

RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =mydomain.fr
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

RewriteRule ^/\.well-known/carddav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav http://%{SERVER_NAME}/remote.php/dav/ [R=301,L]


</VirtualHost>
</IfModule>

Here is the output of the screenfetch command also for more details about my config:

{private}@{private}
OS: Debian 10 buster
Kernel: x86_64 Linux 4.19.0-16-amd64
Uptime: 4d 15h 10m
Packages: 547
Shell: bash 5.0.3
CPU: Intel Atom C2350 @ 2x 1.746GHz [22.0°C]
GPU:
RAM: 1448MiB / 3908MiB

Docker version: Docker version 20.10.6, build 370c289

Finally here is the docker-compose file with which I launched the containers:

version: '3'

services:
   cloud-db:
     container_name: ${DB_CONTAINER_NAME}
     image: mariadb:latest
     restart: unless-stopped
     volumes:
        - ${LOCAL_DB_DIR}:/var/lib/mysql
     environment:
       MYSQL_DATABASE: ${MYSQL_DATABASE}
       MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
       MYSQL_USER: ${MYSQL_USER}
       MYSQL_PASSWORD: ${MYSQL_PASSWORD}

   cloud-app:
     depends_on:
       - cloud-db
     container_name: ${APP_CONTAINER_NAME}
     image: nextcloud:latest
     ports:
       - "8083:80"
     restart: unless-stopped
     volumes:
       - ${LOCAL_DATA_DIR}:/var/www/html
       - ${LOCAL_CONF_DIR}:/var/www/html/config
       - ${LOCAL_APPS_DIR}:/var/www/html/apps
       - ./config/vhost.conf:/etc/apache2/sites-enabled/vhost-ssl.conf
       - /etc/letsencrypt:/etc/letsencrypt:ro
     environment:
       NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USER}
       NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
       NEXTCLOUD_DATA_DIR: ${NEXTCLOUD_DATA_DIR}
       NEXTCLOUD_TABLE_PREFIX: ${NEXTCLOUD_TABLE_PREFIX}
       VIRTUAL_HOST: ${VIRTUAL_HOST}
       MYSQL_DATABASE: ${MYSQL_DATABASE}
       MYSQL_USER: ${MYSQL_USER}
       MYSQL_PASSWORD: ${MYSQL_PASSWORD}
       MYSQL_HOST: ${MYSQL_HOST}

I launched an “empty” instance with default parameters and it worked.

So I checked everything and it seems that permissions were the culprit somehow. I think I forgot to add -p to the tar command when I archived my instance, so the permissions were not preserved.

I replicated by hand the permissions from the test instance folders and files to the real instance, stopped and deleted the containers to switch back to my real instance folder and it worked!

Maybe people having the same issue will find help with this very specific case of mine ^^’
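
Added example, not part of the original posts: the manual comparison described in the last post (a freshly created test instance used as the reference for the migrated instance's permissions) can be scripted. The function names `perm_manifest`, `perm_drift` and `perm_sync_modes` are hypothetical, and the script assumes a `stat` that supports `-c` (GNU coreutils or busybox) and file names without tabs or newlines.

```shell
#!/bin/sh
# Added example: report and repair permission drift between a known-good
# Nextcloud tree (reference) and a migrated one. Not code from the thread.
tab=$(printf '\t')

# perm_manifest DIR: one "path<TAB>mode uid:gid" line per entry, sorted by path.
perm_manifest() {
    ( cd "$1" && find . -exec stat -c "%n${tab}%a %u:%g" {} + ) |
        LC_ALL=C sort -t "$tab" -k1,1
}

# perm_drift REF MIGRATED: print every path present in both trees whose
# mode or numeric owner differs between them.
perm_drift() {
    ref_list=$(mktemp) && mig_list=$(mktemp) || return 1
    perm_manifest "$1" > "$ref_list"
    perm_manifest "$2" > "$mig_list"
    LC_ALL=C join -t "$tab" "$ref_list" "$mig_list" |
        awk -F '\t' '$2 != $3 { printf "%s: reference=%s migrated=%s\n", $1, $2, $3 }'
    rm -f "$ref_list" "$mig_list"
}

# perm_sync_modes REF MIGRATED: copy mode bits (not ownership) from the
# reference tree onto matching paths in the migrated tree. Symlinks are
# skipped because chmod would follow them.
perm_sync_modes() {
    perm_manifest "$1" | while IFS="$tab" read -r path rest; do
        if [ -e "$2/$path" ] && [ ! -L "$2/$path" ]; then
            chmod "${rest%% *}" "$2/$path"
        fi
    done
}

# Usage: sh permdrift.sh /path/to/reference /path/to/migrated
if [ "$#" -eq 2 ]; then perm_drift "$1" "$2"; fi
```

Ownership differences are reported but not changed, since fixing them needs `chown` as root; review the `perm_drift` output before running `perm_sync_modes`.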