Help - docker install with reverse proxy on different server

Hey everyone,

I would really appreciate it if someone could help me on this; I can’t get out of this loophole while installing Nextcloud AIO.

My config is as follows:

Server A handles nginx and VPN exclusively.
Server B, beefier, with a mirrored ZFS pool specifically for Nextcloud.

I have a domain purchased on Namecheap, and configured it through Cloudflare; let’s call it example.com. I pointed it at the fixed internal IP address of server B.

I cannot, no matter how hard I have tried, get Nextcloud AIO to pass the domain check and, well, work through the reverse proxy mentioned above.
Could anyone help me please? I’m a semi-noob on these things, and while I know my way around Linux, I don’t exactly get how I’m supposed to configure this.

Aside from the fact that I cannot get past the domain check, another problem is that when I try to connect through my reverse proxy, Nextcloud refuses with the error "untrusted domain", even though that same IP is inserted in the config below.

Could someone explain, in simple terms, how I can get this to work? I would like to avoid having 2 reverse proxies in my network.
Many thanks

My example docker compose file:

```yaml
services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution wi>
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If a>
    network_mode: bridge # add to the same network as docker run would do
    ports:
      # - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://git>
      - 8500:8080
      # - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https:/>
    environment: # Is needed when using any of the options below
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/ne>
      # Map syntax (KEY: value) is required here; the list form "- KEY:value" would be read as a variable named "KEY:value" with no value
      APACHE_PORT: 12000
      APACHE_DISABLE_REWRITE_IP: 1
      NEXTCLOUD_TRUSTED_DOMAINS: "nextcloud.example.com(purchased domain):ip_of_reverse_proxy_server_A;ip_of_server_B" # placeholder values as posted; not an AIO variable (see the reply below)
      TRUSTED_PROXIES: "server_A;127.0.0.1" # placeholder values as posted
      # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextc>
      # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and el>
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com>
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/a>
      NEXTCLOUD_DATADIR: /main/nextcloud # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value>
      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-i>
      # NEXTCLOUD_UPLOAD_LIMIT: 10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit>
      # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-t>
      # NEXTCLOUD_MEMORY_LIMIT: 512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory->
      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container>
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on star>
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagema>
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Defaul>
      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if >
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninsta>
      # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adju>
      # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default>
    # security_opt: ["label:disable"] # Is needed when using SELinux

  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588

volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a>
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
```

Hi, can you follow all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub?

Hi @antevim1, welcome to the community :handshake:

I’m not deep into AIO, but it sounds like you are using the unsupported NEXTCLOUD_TRUSTED_DOMAINS variable:

"The environmental variable NEXTCLOUD_TRUSTED_DOMAINS has been set which is not supported by AIO."

Did you carefully work through the AIO reverse proxy guide?

1 Like

Thank you.

So, I removed the trusted domains variable.

1. Configure the reverse proxy
Adapting the sample web server configurations below
Replace <your-nc-domain> with the domain on which you want to run Nextcloud.

Adjust the port 11000 to match your chosen APACHE_PORT.

Adjust localhost or 127.0.0.1 to point to the Nextcloud server IP or domain depending on where the reverse proxy is running. See the following options.

On the same server without a container
On the same server in a Docker container
On a different server (in container or not)
Use the private ip-address of the host that shall be running AIO. So e.g. private.ip.address.of.aio.server:$APACHE_PORT instead of localhost:$APACHE_PORT.

If you are not sure how to retrieve that, you can run: ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||' on the server that shall be running AIO (the commands only work on Linux).

Should I just add this to the variables in the docker compose file?
Could someone please clarify this for me? I would prefer using docker compose, also because I can put the data directory on the ZFS pool.

Also, just below, it says that nginx is not preferable :frowning:

Thank you

I want to post the answer here in case someone manages to have the same problem as me.

I added SKIP_DOMAIN_VALIDATION=1 to the compose file, under all the other variables in the AIO config, and that was it.
I changed the Apache port to a custom one, and also the AIO port to a custom one as well.

I set APACHE_IP_BINDING to the IP of the Nextcloud server and left the rest the way it is.

As a domain, I simply went into nginx proxy and created a new proxy host that points to the Apache port (via HTTP, not HTTPS), with the websocket support and common exploits options enabled. I already had a certificate for a domain I own in nginx, so I simply created a subdomain from that.
You can do this even when not owning a domain, by simply using a dynamic DNS service like DuckDNS. I created a new subdomain in DuckDNS like example.duckdns.org and put the IP of the reverse proxy in there. By opening port 443 on the router the validation works and you can create unlimited subdomains in nginx. I closed the ports on the router shortly after. I can always request a renewal and reopen the ports manually when I need to.

I know it isn’t ideal, and “wrong”, but my use case was very simple: a Nextcloud instance accessible through HTTPS only in my internal network.
I did not want the added risk of exposing my home network to the whole world, even if properly firewalled. I don’t know why Nextcloud doesn’t allow you to do that in a simpler way. Why not give the user a simple, reliable way of having an instance run locally?
Thanks to everyone anyway.

2 Likes
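For readers who want to see what the final post and the quoted reverse-proxy guide describe as an actual nginx server block on server A (TLS terminated on A, plain HTTP to AIO's Apache on server B, websocket upgrade passed through), here is an added example; it is not the thread's or the Nextcloud project's configuration. The private address 192.168.10.20 for server B, the port 11000 (the chosen APACHE_PORT), the hostname nextcloud.example.com and the certificate paths are assumed placeholders.

```nginx
# Added example: nginx on server A proxying to Nextcloud AIO on server B.
# Assumed placeholders: 192.168.10.20 = private IP of server B,
# 11000 = APACHE_PORT from the AIO compose environment,
# nextcloud.example.com = the subdomain served by the proxy.

# Turn the client's Upgrade header into a Connection value so websockets
# (Talk, notify_push) survive the hop to Apache.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name nextcloud.example.com;
    return 301 https://$host$request_uri;   # never serve Nextcloud over plain HTTP
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nextcloud.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed path

    client_max_body_size 0;         # let Nextcloud enforce its own upload limit
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;      # long-lived websocket connections

    location / {
        # Plain HTTP to Apache inside AIO on server B. AIO learns the original
        # scheme, host and client address from the X-Forwarded-* headers.
        proxy_pass http://192.168.10.20:11000$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Accept-Encoding $http_accept_encoding;
    }
}
```

The APACHE_PORT, APACHE_IP_BINDING and SKIP_DOMAIN_VALIDATION settings from the final post belong in the compose environment on server B, not in this file. Since Apache on B then answers unencrypted on 11000, a host firewall on B that admits that port only from server A's address keeps the plain-HTTP leg off the rest of the LAN.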