Fresh install redirect loop

System details:

Linux 4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Docker image: nextcloud:17.0.1RC1
Docker version 19.03.4, build 9013bf583a
Apache/2.4.38 (Debian)
PHP 7.3.11 (cli) (built: Oct 25 2019 02:28:50) ( NTS )

The issue you are facing:
Fresh install and configuration of Nextcloud 17.0.1RC1, official nextcloud docker container, is stuck in 302 loop after webroot and rewritebase are configured in config.php.

Is this the first time you’ve seen this error? (Y/N): N - been an issue since first attempted to reverse proxy using path and not root address proxy in version 13.
Worked around by having softlink matching path name in www directory pointing at itself (a retarded ducttape solution).

Steps to replicate it:

  1. Install nextcloud docker: docker run -d -v nextcloud:/var/www/html/config -p 8080:80 nextcloud:17.0.1RC1
  2. Run install wizard via http://dockerhost:port
  3. Add config.php settings:
       'htaccess.RewriteBase' => '/',
       'overwritewebroot' => 'cloud',
  4. Update .htaccess: ./occ maintenance:update:htaccess
  5. Attempt connection: http://dockerhost:port/cloud

Bundled apache2 config has not been adjusted in any way.

Apache2 config
# cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

apache2 access.log (repeating):
[11/Nov/2019:17:57:04 +0200] "GET /cloud/login HTTP/1.0" 302 921 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"

EDIT: I’ve simplified the problem down a bit, by taking out the nginx reverse proxy from image, leaving overwritewebroot and htaccess.RewriteBase as the only changed settings.

Full description contains details of my entire setup, but it is largely irrelevant. Exact same redirect loop occurs without it.

Full description
nginx version: nginx/1.12.2

Nginx reverse proxy configuration:
https://pastebin.com/2XQf66jR

The output of config.php file in /var/www/html/config:

<?php
$CONFIG = array (
  'instanceid' => 'redacted',
  'passwordsalt' => 'redacted',
  'secret' => 'redacted',
  'trusted_domains' => 
  array (
    0 => 'dockerhost:port',
    1 => 'reverse.proxy.address',
    2 => 'public.domain.address',
  ),
  'trusted_proxies' => 
  array (
    0 => 'reverse.proxy.ip',
  ),
  'htaccess.RewriteBase' => '/',
  'overwritehost' => 'reverse.proxy.address',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => 'cloud',
  'overwrite.cli.url' => 'https://reverse.proxy.address/cloud',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '17.0.1.0',
  'dbname' => 'redacted',
  'dbhost' => 'redacted',
  'dbport' => 'redacted',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'redacted',
  'dbpassword' => 'redacted',
  'installed' => true,
  'maintenance' => false,
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'theme' => '',
  'loglevel' => 2,
);

The output of your Apache/nginx/system log in /var/log/____:

nginx access.log (repeating):
[11/Nov/2019:17:57:04 +0200] "GET /cloud/login HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"

Am I misunderstanding the option functionality?
Should I move the nextcloud www-root directory to /var/www/html/cloud, while keeping apache root directory in /var/www/html instead to make it work?

In which case, are there any foxholes to be aware of, or should it work just by moving it?
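
A redirect loop like the one in the access logs above can be confirmed from the log itself. The following is an added example, not part of the original post: the function name, threshold, window and sample lines are assumptions constructed for illustration, and requests are keyed on path and user agent because the quoted log lines carry no client address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the line shape quoted in the post: timestamp first, no client address.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
REDIRECTS = {"301", "302", "303", "307", "308"}
AGENT = "Mozilla/5.0 Firefox/70.0"  # shortened, constructed user agent

# Constructed sample: one ordinary redirect, six looping ones, one normal hit.
SAMPLE_LOG = "\n".join(
    [f'[11/Nov/2019:17:57:03 +0200] "GET /cloud/index.php HTTP/1.0" 302 0 "-" "{AGENT}"']
    + [f'[11/Nov/2019:17:57:{s:02d} +0200] "GET /cloud/login HTTP/1.0" 302 921 "-" "{AGENT}"'
       for s in (4, 4, 4, 5, 5, 5)]
    + ['[11/Nov/2019:17:58:10 +0200] "GET /cloud/status.php HTTP/1.0" 200 160 "-" "curl/7.61.1"']
)

def find_redirect_loops(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {(path, agent): count} where the same path was answered with a
    3xx at least `threshold` times in a row inside `window`."""
    runs = defaultdict(list)  # (path, agent) -> timestamps of the current 3xx run
    loops = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        key = (m["path"], m["agent"])
        if m["status"] not in REDIRECTS:
            runs.pop(key, None)  # any non-redirect answer ends the run
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        run = runs[key]
        run.append(ts)
        while ts - run[0] > window:  # drop redirects older than the window
            run.pop(0)
        if len(run) >= threshold:
            loops[key] = max(loops.get(key, 0), len(run))
    return loops

if __name__ == "__main__":
    for (path, agent), count in find_redirect_loops(SAMPLE_LOG).items():
        print(f"redirect loop: {path} redirected {count}x for {agent}")
```
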

yes. and no.

yes that would allow you to access your nextcloud through http://dockerhost:port/cloud/

no because you use a docker image to run nextcloud. to achieve your goal you would have to build your own image.

it’s kind of “easy”. you git clone https://github.com/nextcloud/docker.git, change to directory 17.0/apache and modify the Dockerfile and entrypoint.sh. and finally run docker build -t mynextcloud . ; docker run ... mynextcloud.

to stay up to date you have to repeat this once in a while.

nevertheless that’s not the way docker should be used. if you want to run more than one service as containers on your host you put an ingress router aka reverse proxy in front of all. (look at traefik.io for a complex example.)

so why do you want to access nextcloud via http://dockerhost:port/cloud/?

Thanks for clarifying. I do have a reverse proxy, which is why I need it to work like this.
It’s explained in the “full description”, but I took it out from the headline question because it was not a relevant part of the problem.

ok.

and the reverse proxy is running on the same docker host or somewhere else?

On another machine, I like to keep the role on a separate server, makes security management easier.
But back on the issue at hand: I modified and built the nextcloud container from git directly.
Nextcloud loads fine when apache is configured to run the site from /var/www/html/cloud and I am accessing http://dockerhost:port, however, as soon as I move the documentroot back to /var/www/html, I start getting 404:

[18/Nov/2019:13:52:26 +0200] "GET /cloud/login HTTP/1.1" 404 488 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"

EDIT: When I take down the entire instance, remove config.php and add CAN_INSTALL file, I can get to the landing page successfully using http://dockerhost:port/cloud, but as soon as I’ve finished setting admin credentials, I’m met with 404.

sure. but why do you want to lower your security level by building and maintaining your own image?

leave the image as it is - listening on port 80 - and build a docker overlay network between the two hosts.

e.g.

I feel like that is beside the point here.
It is running on a separate machine for many reasons, and I won't go into them more than I have to. But if moving part of the reverse proxy to docker ingress service would solve this problem, then I could look into that - but as far as I can tell this would still be an issue with it.