How-To: nextcloud-aio-mastercontainer via own SSL secured domain behind traefik proxy

Good evening from Germany :waving_hand: :germany:

I was trying to run Nextcloud-AIO without exposing the nextcloud-aio-mastercontainer with a self-signed certificate on <HOST_IP>:8080.

By default, nextcloud-aio-mastercontainer publishes port 8080 on the host so that the initial setup is reachable there:

$ docker ps -f name=nextcloud-aio-mastercontainer
CONTAINER ID   IMAGE                         COMMAND       CREATED         STATUS                   PORTS                                                NAMES
a1f6cb51bb98   nextcloud/all-in-one:latest   "/start.sh"   2 minutes ago   Up 2 minutes (healthy)   80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp   nextcloud-aio-mastercontainer

So far, so good.

I want to deploy Nextcloud via my own domain, a valid SSL certificate, and traefik (v3.6) as my reverse proxy.

I would like to show you how I was able to set up Nextcloud in this way.

Nextcloud-AIO docker-compose.yml

---
services:
  nextcloud-aio-mastercontainer:
    container_name: nextcloud-aio-mastercontainer
    environment:
      APACHE_ADDITIONAL_NETWORK: traefik_ext # Add external Traefik network to 'nextcloud-aio-apache'
      APACHE_IP_BINDING: "127.0.0.1" # Prevent 'nextcloud-aio-apache' from exposing APACHE_PORT on all interfaces
      APACHE_PORT: 11000
    image: nextcloud/all-in-one:latest
    init: true
    labels: # Enable Traefik
      - "traefik.enable=true"
    networks:
      - traefik_ext # Add external Traefik network
    restart: unless-stopped
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro

networks:
  traefik_ext: # Add external Traefik network
    external: true
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

Traefik dynamic config for nc-aio-mastercontainer and nc-aio-apache

root@nextcloud:/opt/docker-traefik# cat conf/dynamic/container_nextcloud-aio.yml
---
http:
  routers:
    nextcloud:
      entrypoints:
        - websecure
      middlewares:
        - default
      # rule: 'Host(`your.nextcloud.domain.tld`)' # Nextcloud Domain name directly
      rule: 'Host(`{{ env "DOMAIN_NEXTCLOUD" }}`)' # DOMAIN_NEXTCLOUD is defined in traefik's .env file
      service: nextcloud
      tls:
        certresolver: cloudflare # or any certresolver of your choice
    nextcloud-mc:
      entrypoints:
        - websecure
      middlewares:
        - default
      # rule: 'Host(`your.mastercontainer.domain.tld`)' # Mastercontainer Domain name directly
      rule: 'Host(`{{ env "DOMAIN_NEXTCLOUD_MC" }}`)' # DOMAIN_NEXTCLOUD_MC is defined in traefik's .env file
      service: nextcloud-mc
      tls:
        certresolver: cloudflare # or any certresolver of your choice

  serversTransports:
    skip-insecure-ssl-nextcloud-mc: # Required to ignore the mastercontainer's self-signed certificate error
      insecureSkipVerify: true
      serverName: "nextcloud-aio-mastercontainer"

  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://nextcloud-aio-apache:11000" # 11000 should match 'APACHE_PORT'
    nextcloud-mc:
      loadBalancer:
        servers:
          - url: "https://nextcloud-aio-mastercontainer:8080"
        serversTransport: skip-insecure-ssl-nextcloud-mc # references the serversTransports entry above

Result

With this configuration, no ports other than 80 and 443 (published by Traefik) and the ports required by Nextcloud Talk are exposed on the host.
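As an added check that is not part of the original post: a small Python script of my own (not Nextcloud's or Traefik's code) that audits the Ports column of `docker ps` against exactly that goal. It assumes Talk publishes 3478/tcp+udp and that only Traefik publishes 80 and 443; both sample outputs below are constructed.

```python
"""Audit `docker ps` port mappings for the Traefik-fronted Nextcloud AIO stack: only
Traefik's 80/443 and the Talk ports may be published on a wildcard address."""
import re
import sys

# Host-wide published ports that are expected (assumption: Talk uses 3478 tcp+udp).
ALLOWED_PUBLIC = {("80", "tcp"), ("443", "tcp"), ("3478", "tcp"), ("3478", "udp")}
WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]"}
# One published mapping, e.g. '0.0.0.0:8080->8080/tcp' or ':::8080->8080/tcp' (IPv6).
_MAPPING = re.compile(r"^(?P<host>\S+?):(?P<hport>\d+)->\d+/(?P<proto>tcp|udp)$")

def parse_ports(ports_field: str) -> list[tuple[str, str, str]]:
    """(host_ip, host_port, proto) per published entry; container-only entries
    such as '80/tcp' are skipped."""
    found = []
    for entry in ports_field.split(","):
        m = _MAPPING.match(entry.strip())
        if m:
            found.append((m["host"], m["hport"], m["proto"]))
    return found

def audit(docker_ps_output: str) -> dict[str, list[str]]:
    r"""Input: lines of 'name<TAB>ports' as printed by
    docker ps --format '{{.Names}}\t{{.Ports}}'. Returns {container: ['8080/tcp', ...]}
    for ports published on a wildcard address outside ALLOWED_PUBLIC; {} means clean."""
    findings: dict[str, list[str]] = {}
    for line in docker_ps_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for host, hport, proto in parse_ports(ports):
            if host in WILDCARD_HOSTS and (hport, proto) not in ALLOWED_PUBLIC:
                exposed = findings.setdefault(name, [])
                if f"{hport}/{proto}" not in exposed:
                    exposed.append(f"{hport}/{proto}")
    return findings

# Constructed sample: the default AIO start, mastercontainer publishing 8080 host-wide.
DEFAULT_PS = "nextcloud-aio-mastercontainer\t80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp\n"
# Constructed sample: the how-to's layout (no 'ports:' on the mastercontainer, APACHE_IP_BINDING=127.0.0.1).
HARDENED_PS = (
    "traefik\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\n"
    "nextcloud-aio-mastercontainer\t80/tcp, 8080/tcp, 8443/tcp, 9000/tcp\n"
    "nextcloud-aio-apache\t127.0.0.1:11000->11000/tcp\n"
    "nextcloud-aio-talk\t0.0.0.0:3478->3478/tcp, :::3478->3478/tcp, 0.0.0.0:3478->3478/udp, :::3478->3478/udp\n"
)

if __name__ == "__main__":  # usage: docker ps --format '{{.Names}}\t{{.Ports}}' | python3 audit_ports.py
    print(audit(sys.stdin.read()) or "OK: only expected ports are published host-wide")
```

Run it on the Docker host after `docker compose up`; any container listed in the output still publishes a port on 0.0.0.0 or :: that Traefik was supposed to front.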

Even the "Open Nextcloud AIO Interface" button under settings/admin/overview works as expected (see the AIO documentation: How to easily log in to the AIO interface).

I couldn’t find any productive examples, documentation, or forum threads describing such a configuration, so I hope I haven’t forgotten anything.

Feedback is welcome.