I am using the standard docker-compose file from openmediavault: [How-To] Nextcloud with Letsencrypt using OMV and docker-compose - Guides - openmediavault and of course I configured nginx proxy for the subdirectory as well as nextcloud config.php file for trusted domains.
This is working fine but is of course not safe, as the trusted domains contain a star instead of IPs or a domain name:
```php
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocapj1ywa0lp',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => '192.168.1.80',
  ),
  'dbtype' => 'mysql',
  'version' => '188.8.131.52',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextclouddb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin',
  'dbpassword' => 'apo3Y6kXTPkvguOTqyl9gBSjokWYDD',
  'installed' => true,
  'trusted_proxies' =>
  array (
    0 => 'swag',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://mycustomdomain.dyndns.org/nextcloud',
  'trusted_domains' =>
  array (
    0 => '*',
  ),
);
```
But if I replace it with
```php
'trusted_domains' =>
array (
  0 => 'mycustomdomain.dyndns.org',
),
```
Note: yes, trusted_domains is defined twice, but I can also merge it into a single entry with 0 => and 1 =>; it has no impact at all on the final behavior.
Then I cannot log in to Nextcloud, with the famous error “Access through untrusted domain”. I am looking for any log file where I can understand why the incoming request is rejected. It must have something to do with the use of swag, as Nextcloud works with direct https access (and thus an untrusted certificate), or with that star.
But I can’t find any technical log explaining why it is rejected and how to solve it.
Here is the full docker-compose config, just in case:
```yaml
version: "2"
services:
  nextcloud:
    image: ghcr.io/linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Paris #change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-uuid/appdata/nextcloud/config:/config
      - /srv/dev-disk-by-uuid/appdata/nextcloud/data:/data
    depends_on:
      - mariadb
    ports: # uncomment this and the next line if you want to bypass the proxy
      - 450:443
    restart: unless-stopped
  mariadb:
    image: ghcr.io/linuxserver/mariadb
    container_name: nextclouddb
    environment:
      - PUID=998
      - PGID=100
      - MYSQL_ROOT_PASSWORD=mariadbpassword #change password
      - TZ=Europe/Paris #Change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-uuid/appdata/nextclouddb:/config
    restart: unless-stopped
  swag:
    image: linuxserver/swag #swag is the replacement for letsencrypt (see link below)
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=998
      - PGID=100
      - TZ=Europe/Paris
      - URL=mycustomdomain.duckdns.org #insert your domain name - yourdomain.url
      - SUBDOMAINS=www,
      - VALIDATION=http
      - EMAIL=firstname.lastname@example.org
    volumes:
      - /srv/dev-disk-by-uuid/appdata/swag:/config
    ports:
      - 10443:443
      - 10080:80
    restart: unless-stopped
```
As it works well when trusted_domains is disabled, I hope it is quite easy to fix!
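An added example, not part of the original post and not Nextcloud's own code: a simplified Python model of matching a request's Host header against `trusted_domains`, run over the arrays and hostnames that appear in the post. The function names are hypothetical, and the matching rules (port ignored, `*` as a wildcard, loopback always allowed) are assumptions of this model.

```python
import re

# Loopback names are always accepted (assumption of this simplified model).
_LOOPBACK = re.compile(r"^(127\.0\.0\.1|localhost|\[::1\])(:\d+)?$")


def effective_trusted_domains(entries):
    """entries: (key, list) pairs in file order.
    A PHP array literal keeps only the last value for a repeated key."""
    result = []
    for key, value in entries:
        if key == "trusted_domains":
            result = list(value)
    return result


def strip_port(host):
    """Drop a trailing :port from a Host header value (IPv6 literals kept)."""
    if host.startswith("["):
        return host[: host.index("]") + 1] if "]" in host else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_trusted(host_header, trusted):
    """Simplified model: '*' in an entry matches a run of hostname characters."""
    with_port = host_header.strip().lower()
    bare = strip_port(with_port)
    if _LOOPBACK.match(with_port):
        return True
    for entry in trusted:
        pattern = "[-.a-z0-9]*".join(re.escape(p) for p in entry.lower().split("*"))
        if re.fullmatch(pattern, bare) or re.fullmatch(pattern, with_port):
            return True
    return False


# Constructed inputs: the two arrays from the posted config.php, in file order,
# and the hostnames that appear in config.php and in the compose file.
POSTED = [("trusted_domains", ["192.168.1.80"]), ("trusted_domains", ["*"])]
EDITED = [("trusted_domains", ["192.168.1.80"]),
          ("trusted_domains", ["mycustomdomain.dyndns.org"])]
HOSTS = ["192.168.1.80", "mycustomdomain.dyndns.org",
         "mycustomdomain.dyndns.org:10443", "mycustomdomain.duckdns.org"]

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("edited", EDITED)):
        trusted = effective_trusted_domains(cfg)
        for host in HOSTS:
            print(f"{name:7} {trusted!s:32} {host:34} {is_trusted(host, trusted)}")
```

In this model the edited config accepts only the exact name in the last `trusted_domains` array, so the Host value that reaches Nextcloud through the proxy has to equal that entry.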