How to Set Up Nextcloud AIO on Home Server with a VPS Relay via Tailscale?

locos · March 5, 2025, 6:39pm

Hi Nextcloud community,

I’m running Nextcloud AIO on my home server, and I want to use a VPS as a relay/reverse proxy so I can access Nextcloud through a domain without exposing my home IP or opening ports on my local network.

My Setup

Home Server: Running Nextcloud AIO in a Docker container.
VPS (Oracle Cloud): I want to use it as a relay to receive traffic and forward it to the Home Server.
Connection Between VPS and Home Server: I have Tailscale configured to create a private VPN between them.

What I Need to Know

How should I configure Nextcloud AIO to work properly with Tailscale?

Should I add the Tailscale domain or my domain?
Do I need to modify anything in Apache/Nginx inside Nextcloud AIO?

How do I configure the VPS as a reverse proxy?

Should I use Caddy or Nginx to forward requests from https://my-domain.com to the Tailscale IP of my Home Server?
Should I configure SSL on the VPS, or in local network?

Are there any known issues when using a VPS as a relay for Nextcloud AIO?

Will webhooks, Collabora, and other Nextcloud services work properly through this relay?

I’d appreciate any guidance or detailed steps on how to set this up correctly.
Thanks in advance!

denNorske · March 7, 2025, 8:21am

Hi Locos!

Here is what I would do:

I would not modify the AIO installation besides configuration (preference). That means, I would install tailscale on the host system, and then listen to the tailscale interface with the docker container. You also wonder about tailscale domain, but you need to imagine if you are on the public interenet, how do you access the service? You probably want to use your own domain, but if you want it behind a proxy, then tailscale domain is probably fine. I have written the rest with the assumption that you want it to be publicly exposed, not behind a VPN network.
The VPS (your proxy) will also need tailscale installed, and you would need to expect my-domain.com to be directed to your server tailscale IP. If you use Caddy or Nginx, that comes down to preference, but Caddy is lightweight and easy to use, so I would use that for this.
When it comes to terminating SSL, you would want to protect the connection between the Client and the next hop (which in your case will be the Proxy VPS server). So make sure that your reverse proxy expects and listens on HTTPS. Remember, you are protecting the client by using HTTPS. Tailscale is already encrypted, beacuse it is built on top of Wireguard.
The various services will continue to work as before, as long as the correct container receives the traffic as before. You are just adding a few extra hops in between. If there are other ports, you will need to manually forward these too.

While I have not made a guide directly for setting up a reverse proxy like this, I have made guides on how you can forward connections and even make remote network interfaces on an external VPS to protect your home IP. You can take a look at that if it is of interest for later.

locos · March 8, 2025, 2:48am

okey thanks, I installed nextcloud aio to work with tailscale, so when i enter from tailscale domain works perfectly but on the vps when I try to redirect with nginx proxy manager it returns “502 Bad Gateway”. So I’m trying to fix that.

denNorske · March 10, 2025, 8:09am

Bad gateway indicates that something is going wrong in the step where you are trying to forward the connection from the proxy to the server hosting the instance.

Maybe you can share your configuration and how things are sat up, and I can help you take a look if you still need help?

locos · March 11, 2025, 1:27am

yes, this is my configuration in nginx

if i put in shceme http, page load but return “Client sent an HTTP request to an HTTPS server.”

or if i use caddy

drive.domain.com {
    reverse_proxy https://nextcloud.tailc2d778.ts.net
}

the page goes blank

denNorske · March 11, 2025, 7:46am

Since your tailscale network is already behind closed doors, you do not need to worry that someone is doing “man in the middle” attacks, or snoops on the trafffic. Your requirements may be different, but to the looks of it, I do not see why you need to use SSL between nextcloud and the front facing server

That will allow you to send a http (not https) connection to the backend.

I recommend looking at what you have set APACHE_PORT to, and that you are pointing your reverse proxy to that port (Do not point it to 443, that requires a valid cert…)

There are someone who has a writeup here on how to enable communcation to the AIO setup with a sidecar container here.

Here is also a set of things that can help you debug the connection between the server and the reverse proxy:

github.com/nextcloud/all-in-one

reverse-proxy.md

main

# Reverse Proxy Documentation

> [!NOTE]
> Please note that AIO comes secured with TLS out-of-the-box. So you don't need to necessarily set up your own reverse proxy if you only want to run Nextcloud AIO which is much easier. See [the normal readme](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-use-this) in that case. However if port 443 should already be used because you already run a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to follow this reverse proxy documentation to set up Nextcloud AIO.

> [!TIP]
> If you don't have a domain yet, [Tailscale is recommended](https://github.com/nextcloud/all-in-one/discussions/5439). If you don't have a reverse proxy yet, [Caddy is recommended](https://github.com/nextcloud/all-in-one/discussions/575).

## Introduction
In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), you need to:
1. add a specific config to your web server or reverse proxy. [See the documentation below.](#1-configure-the-reverse-proxy)
2. specify the port that AIO's integrated Apache container shall use via the environmental variable `APACHE_PORT` (that runs inside its own container and published this port on the host) and adjust the `docker run` command of AIO. [See the documentation below.](#2-use-this-startup-command).
3. Open the AIO interface at port `8080` and type in and validate your domain. [See the documentation below.](#4-open-the-aio-interface)

Here one example with all reverse proxy settings for Linux:
```
sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \

This file has been truncated. show original

locos · March 25, 2025, 6:18am

Thanks for your help! I was able to resolve it recently.

I had previously used this guide (the one you mentioned) to set it up with Tailscale, but I had to make these modifications to make it work.

Here are the steps I followed:

Home Server:

Change APACHE_IP_BINDING to 0.0.0.0
Modify Caddyfile (not sure if this is necessary), replacing LOCAL_SERVER_IP with the private IP (in my case, 192.168.0.5)

{
    layer4 {
        127.0.0.1:3478 {
            route {
                proxy {
                    upstream LOCAL_SERVER_IP:3478
                }
            }
        }
        127.0.0.1:3479 {
            route {
                proxy {
                    upstream LOCAL_SERVER_IP:3479
                }
            }
        }
    }
}
https://{$NC_DOMAIN} {
    reverse_proxy LOCAL_SERVER_IP:11000
}
http://{$NC_DOMAIN} {
    reverse_proxy LOCAL_SERVER_IP:11000
}

Configure Nextcloud with my domain and NOT with Tailscale’s domain.

VPS:

Insert the home server’s IP provided by Tailscale with port 11000 (in my case/default).
If you want to use Talk, enable Websockets Support.

Example:

Add SSL to use HTTPS (to avoid issues).
Disable Force SSL (Having it enabled at first didn’t cause me any problems, but later, it caused an infinite loop of redirects.)

Example:

This is it! I hope this helps someone so they don’t struggle like I did haha. Thanks for the help!

system · April 2, 2025, 6:18am

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.