[HELP] NC snap behind reverse proxy error

Quentin-ctrL · April 30, 2025, 6:01pm

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 31.0.4snap1
Operating system and version (e.g., Ubuntu 24.04):
- Debian 12 (bookworm)
Web server and version (e.g, Apache 2.4.25):
- apache
Reverse proxy and version _(e.g. nginx 1.27.2)
- Apache/2.4.62 (Debian)
PHP version (e.g, 8.3):
- 8.3.19
Is this the first time you’ve seen this error? (Yes / No):
- yes
When did this problem seem to first start?
- april 2025
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- snap
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- no

Summary of the issue you are facing:

NC is working great after a fresh restart but unreachable after hours.
For example, NC server was KO before the last upgrade ( refresh-date: 2 days ago, at 03:27 CEST). After automatic, the server was reachable. Again, the server was KO today.
Nextcloud hang after several hours > error 502
No connection via browser, app, etc

In administration overview I have error regarding reverse proxy.
testing :

NC snap is behind apache and the config has not been updated from months. Not sure it’s related to my error but it needs to fix it

Steps to replicate it (hint: details matter!):

start snap NC
wait few hours
NC unreachable

Log entries

no logs in

snap logs -f nextcloud.mysql
snap logs -f nextcloud.php-fpm
snap logs -f nextcloud.apache
snap logs -f nextcloud.nextcloud-fixer
nextcloud.occ log:watch

Nextcloud

Il y a quelques erreurs concernant votre configuration.

    La configuration des entêtes du reverse proxy est incorrecte. C'est un problème de sécurité, qui peut permettre à un attaquant d'usurper l'adresse IP affichée à Nextcloud. Pour plus d’information, voir la documentation ↗.

    Votre serveur web n’est pas configuré correctement pour résoudre les URL `.well-known`, a échoué sur : `/.well-known/caldav` Pour plus d’information, voir la documentation ↗.
    58 erreurs dans les journaux depuis 23 avril 2025, 18:57:25

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

nextcloud.occ  config:list system
{
    "system": {
        "apps_paths": [
            {
                "path": "\/snap\/nextcloud\/current\/htdocs\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/snap\/nextcloud\/current\/nextcloud\/extra-apps",
                "url": "\/extra-apps",
                "writable": true
            }
        ],
        "supportedDatabases": [
            "mysql"
        ],
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "brixs.local",
            "192.168.0.41",
            "sub.domain.xyz"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/brixs.local",
        "dbtype": "mysql",
        "version": "31.0.4.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "php",
        "mail_smtpauthtype": "LOGIN",
        "maintenance": false,
        "loglevel": 0,
        "overwritehost": "",
        "overwriteprotocol": "https",
        "app_install_overwrite": [
            "radio",
            "keeweb"
        ],
        "theme": "",
        "maintenance_window_start": 1
    }
}

Apps

The output of occ app:list (if possible).

Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - audioplayer: 3.4.1
  - bookmarks: 15.1.0
  - bruteforcesettings: 4.0.0
  - calendar: 5.2.2
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.0.6
  - cookbook: 0.11.3
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - suspicious_login: 9.0.1
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_totp: 13.0.0-dev.0
  - viewer: 4.0.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - contactsinteraction: 1.12.0 (installed 1.8.0)
  - dashboard: 7.11.0 (installed 7.1.0)
  - encryption: 2.19.0
  - federation: 1.21.0 (installed 1.21.0)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - firstrunwizard: 4.0.0 (installed 4.0.0)
  - keeweb: 0.6.21 (installed 0.6.21)
  - mail: 5.0.3 (installed 5.0.3)
  - news: 25.3.1 (installed 25.3.1)
  - richdocuments: 8.6.4 (installed 8.6.4)
  - richdocumentscode: 24.4.1303 (installed 24.4.1303)
  - sharebymail: 1.21.0 (installed 1.11.0)
  - spreed: 21.0.4 (installed 21.0.4)
  - support: 3.0.0 (installed 1.3.0)
  - survey_client: 3.0.0 (installed 1.8.0)
  - systemtags: 1.21.1 (installed 1.21.1)
  - twofactor_nextcloud_notification: 5.0.0
  - user_ldap: 1.22.0
  - user_status: 1.11.0 (installed 1.1.1)
  - weather_status: 1.11.0 (installed 1.1.0)

wwe · April 30, 2025, 8:12pm

Hello @Quentin-ctrL, welcome to the Nextcloud community!

I can’t imagine the problem is related to the setup_warning_wellknown - likely this warning is unrelated to the 502 issue.

from your description it is not clear if there is a reverse proxy in front of the system but as 502 is not just a “network timeout” when the system is completely unreachable - this is an “active” error generated by some system. I would follow the chain from your browser (using F12 tools check which IP it connects to) to the optional reverse proxy and later to the application. in some log you must see where the connection is successful and which system finally generates the 502 error… sometime you must increase logs verbosity to see access logs (but errors mostly logged by default)… if there is a reverse proxy in place this one could have lost connection to backend for some reason…

scubamuc · April 30, 2025, 8:20pm

see Reverse proxy configuration

personally I use NPM see NGINX proxy manager reverse proxy with termination

scubamuc · April 30, 2025, 8:39pm

when this happens, is the snap still running?

show output of: sudo snap services nextcloud

should look something like this;

can you reach the nextcloud locally: brixs.local or nextcloud.local
also try http://your.server.ip.address

this doesn’t look right… it should be "overwrite.cli.url": "https://your.domain.tld",

see also

Quentin-ctrL · April 30, 2025, 10:22pm

I use NC snap (nectcloud.apache enable) and on my system apache as reverse proxy for NC and other sites

I see what you mean and I’ll check step by step to see where the connection is lost

yes, that was the first check.

I didn’t check nextcloud.local or your.server.ip.address before restarting NC.

ok, I’ll try that.

I checked there but no example for apache there.
I’ll stick to apache because I have other sites and fixing this will be more productive than switching to nginx.

the config isn’t perfect but it worked till now. I dont know if something changed recently.

I was thinking that recently I restarted an old smartphone connected to NC (NC client, talk, caldav and cardav) to test apps.
The smaprtphone is off now and I removed the connection via the security panel.
The period is corresponding and after the test I shutdown the phone to save battery.
Do you think that is possible that this device could mess with the server ?

Thanks for your help

Quentin-ctrL · May 2, 2025, 11:59am

For information I checked with this command and only warnings.
NC still working without issue.

nextcloud.occ setupchecks -v
	dav:
		✓ DAV system address book: No outstanding DAV system address book sync.
	network:
		✓ WebDAV endpoint: Your web server is properly set up to allow file synchronization over WebDAV.
		✓ Data directory protected
		✓ Internet connectivity
		✓ JavaScript source map support
		✓ JavaScript modules support
		✓ OCS provider resolving
		⚠ .well-known URLs: Your web server is not properly set up to resolve `.well-known` URLs, failed on:
`/.well-known/caldav`
		✓ Font file loading
	system:
		✓ Files reminder: This files_reminder can work properly.
		⚠ Errors in the log: 58 errors in the logs since April 23, 2025, 11:25:05 PM
		✓ Allowed admin IP ranges: Admin IP filtering isn't applied.
		ℹ Brute-force Throttle: Your remote address could not be determined.
		✓ Cron errors: The last cron job ran without errors.
		✓ Cron last run: Last background job execution ran 3 minutes ago.
		✓ Debug mode: Debug mode is disabled.
		✓ Transactional File Locking
		✓ Maintenance window start: Maintenance window to execute heavy background jobs is between 1:00 UTC and 7:00 UTC
		✓ Memcache: Configured
		✓ Mimetype migrations available: None
		✓ Architecture: 64-bit
		✓ Temporary space available: Temporary directory is correctly configured:
- 0.9 GiB available in /tmp (PHP temporary directory)
		✓ Push service: Free push service
	notifications:
		✓ Push notifications - Fair use policy
	security:
		✓ App directories owner: App directories have the correct owner "root"
		✓ Old administration imported certificates
		✓ Code integrity: No altered files
		ℹ Forwarded for headers: Your remote address could not be determined.
		✓ HTTPS access and URLs: You are accessing your instance over a secure connection, and your instance is generating secure URLs.
		✓ Old server-side-encryption: Disabled
		✓ PHP version: You are currently running PHP 8.3.19.
		✓ Random generator: Secure
		✓ HTTP headers: Your server is correctly configured to send security headers.
	database:
		✓ Database missing columns: None
		✓ Database missing indices: None
		✓ Database missing primary keys: None
		✓ Database pending bigint migrations: None
		✓ MySQL row format: None of your tables use ROW_FORMAT=Compressed
		✓ MySQL Unicode support: MySQL is used as database and does support 4-byte characters
		✓ Scheduling objects table size: Scheduling objects table size is within acceptable range.
		✓ Database version: 8.0.42
		✓ Database transaction isolation level: Read committed
	config:
		ℹ Default phone region: Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code of the region to your config file.
		ℹ Email test: You have not set or verified your email server configuration, yet. Please head over to the "Basic settings" in order to set them. Afterwards, use the "Send email" button below the form to verify your settings.
		✓ Overwrite CLI URL: The "overwrite.cli.url" option in your config.php is set to "https://brixs.local" which is a correct URL. Suggested URL is "https://localhost".
		✓ Configuration file access rights: Nextcloud configuration file is writable
	php:
		✓ PHP default charset: UTF-8
		✓ PHP set_time_limit: The function is available.
		✓ Freetype: Supported
		✓ PHP APCu configuration
		✓ PHP getenv
		✓ PHP memory limit: 512 MB
		✓ PHP modules
		✓ PHP opcache: Checking from CLI, OPcache checks have been skipped.
		✓ PHP "output_buffering" option: Disabled
		ℹ PHP Imagick module: The PHP module "imagick" is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.

scubamuc · May 2, 2025, 12:24pm

Quentin-ctrL:

ℹ Default phone region: Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code of the region to your config file.
ℹ Email test: You have not set or verified your email server configura

for these two issues;

this is a reverse proxy issue, see Reverse proxy — Nextcloud latest Administration Manual latest documentation

Hendrik · May 7, 2025, 1:09am

Check if IPv6 is enabled.
Proxy works for IPv4 but not for IPv6. That is a direct forward to the machine.
Maybe IPv6 is also prefered on your network.