Instance supports unsecured URL even if Traefik is set up with full HTTPS redirection

Information

I’m running Nextcloud in k3s with the official Helm chart and the default Traefik installation that it provides, with some minor tweaks (see the files below). Even though I have HTTPS redirection for all domains, Nextcloud is warning me that my instance supports unsecured URLs. I don’t really know how to fix this error :disappointed_relieved:

Nextcloud error message

I already searched for help online, like this forum post about running Nextcloud + Docker + Traefik, and I also tried everything the docs recommend about running Nextcloud behind a reverse proxy, but it is still not working :disappointed:

Help me please :pray:

Is this the first time you’ve seen this error? (Y/N): Y

Configuration files

My Helm value

image:
    repository: nextcloud
    tag: 23.0.2-apache
    pullPolicy: IfNotPresent
    pullSecrets: []
replicaCount: 1
nextcloud:
    host: cloud.exemple.com
    username: alexo
    password: STRONGPASSWORD
    mail:
        enabled: false
    datadir: /var/www/html/data
    extraEnv:
        - name: OVERWRITEPROTOCOL
          value: https
        - name: OVERWRITECLIURL
          value: https://cloud.exemple.com
        - name: OVERWRITECONDADDR
          value: ^10\.43\.68\.233$
        - name: OVERWRITEHOST
          value: cloud.exemple.com
        - name: overwrite.cli.url
          value: https://${cloud.exemple.com}
        # This is the Cluster Ip of the loadbalancer
        - name: TRUSTED_PROXIES
          value: 10.43.68.233
        - name: APACHE_DISABLE_REWRITE_IP
          value: "1"
    phpConfigs:
        opcache.interned_strings_buffer: "10"
internalDatabase:
    enabled: false

mariadb:
    ## Whether to deploy a mariadb server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters
    enabled: true
    auth:
        database: nextcloud
        username: nextcloud
        password: STRONGPASSWORD
        rootPassword: STRONGPASSWORD
    primary:
        extraEnvVars:
            - name: BITNAMI_DEBUG
              value: "true"
        persistence:
            enabled: true
            storageClass: longhorn-fast-durable
            accessMode: ReadWriteOnce
            size: 8Gi

persistence:
    # Nextcloud Data (/var/www/html)
    enabled: true
    existingClaim: nextcloud-data

livenessProbe:
    enabled: false
    initialDelaySeconds: 360

readinessProbe:
    enabled: false
    initialDelaySeconds: 360

## Prometheus Exporter / Metrics
##
metrics:
    enabled: true
    # resources: {}
    service:
        type: ClusterIP
        annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "9205"

The output of your Nextcloud log in Admin > Logging:
No relevant logs, just calendar/device errors

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'SALT',
  'secret' => 'SECRET',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'cloud.exemple.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '23.0.2.1',
  'overwrite.cli.url' => 'https://cloud.exemple.com',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud-mariadb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'STRONGPASSWORD',
  'installed' => true,
  'instanceid' => 'ID',
  'loglevel' => 2,
  'maintenance' => false,
  'overwritehost' => 'cloud.exemple.com',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^10\\.43\\.68\\.233$',
  'trusted_proxies' =>
  array (
    0 => '10.43.68.233',
  ),
);

Traefik ingress route

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nextcloud
  namespace: nextcloud
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`cloud.exemple.com`)
      middlewares:
        - name: nextcloud-middleware-headers
        - name: nextcloud-middleware-regex
      services:
        - name: nextcloud
          port: 8080

  tls:
    certResolver: letsencrypt-prod
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nextcloud-http
  namespace: nextcloud
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`cloud.exemple.com`)
      middlewares:
        - name: nextcloud-middleware-https
      services:
        - name: nextcloud
          port: 8080
--- # This needs to be deployed in the same namespace as the running Nextcloud instance
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-middleware-headers
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    sslRedirect: true
--- # This needs to be deployed in the same namespace as the running Nextcloud instance
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-middleware-regex
spec:
  redirectRegex:
    permanent: true
    regex: "https://(.*)/.well-known/(card|cal)dav"
    replacement: "https://${1}/remote.php/dav/"
--- # This needs to be deployed in the same namespace as the running Nextcloud instance
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nextcloud-middleware-https
spec:
  redirectScheme:
    scheme: https
    permanent: true

Traefik helm value

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      - --certificatesresolvers.letsencrypt-prod.acme.tlschallenge=false
      - --certificatesresolvers.letsencrypt-prod.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt-prod.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt-prod.acme.email=admin@exemple.com
      - --certificatesresolvers.letsencrypt-prod.acme.storage=/data/cloudlfare-acme.json
      - --certificatesresolvers.letsencrypt-prod.acme.caserver=https://acme-v02.api.letsencrypt.org/directory

    env:
      - name: CLOUDFLARE_DNS_API_TOKEN
        valueFrom:
          secretKeyRef:
            key: cf-token-dns
            name: cloudflare-api-token
    
      - name: CLOUDFLARE_ZONE_API_TOKEN
        valueFrom:
          secretKeyRef:
            key: cf-token-zone
            name: cloudflare-api-token
    
    ports:
      web:
        redirectTo: websecure
        scheme: https
    
      websecure:
        tls:
          certResolver: letsencrypt-prod
    
    logs:
      general:
        level: DEBUG
      access:
        enabled: true

    persistence:
      enabled: true
      existingClaim: traefik-data-pvc
      path: /data

Nextcloud / System Information

Nextcloud version: 23.0.2
Operating system and version: debian bullseye
Docker container tag: nextcloud:23.0.2-apache
PHP version: 8.0.16
Traefik version: 2.5.6
K3S version: v1.22.6+k3s1

I’m running my system with Docker but it should be the same… this is what I have in my docker-compose.yml:

# docker name of the reverse proxy container (space separated list of fqdns/ips)
TRUSTED_PROXIES="traefik 172.16.0.0/12 192.168.0.0/16 10.0.0.0/8"
# reverse proxy config
OVERWRITEHOST=cloud.example.com
OVERWRITEPROTOCOL=https
overwrite.cli.url=https://cloud.example.com
APACHE_DISABLE_REWRITE_IP=1

I see some confusion in your config, e.g. OVERWRITECLIURL and overwrite.cli.url. I agree the first variant of the variable looks more consistent, but the second one is right. And don’t forget to create the container from scratch; variables often only apply when the container is built…

Is there a reason you have different values in the variables? https://cloud.exemple.com vs https://${cloud.exemple.com}

I bet you are looking for

    extraEnv:
        - name: overwrite.cli.url
          value: https://cloud.exemple.com
1 Like
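The mismatch pointed out above (an unexpanded `${...}` placeholder in one URL and two spellings of the same setting) is the kind of thing a small sanity check catches before the pod is even rebuilt. The checker below is an added example, not code from the thread or from the Nextcloud project; it assumes the env entries are handed to it as a plain dict (the two sample dicts are constructed from the thread's original and fixed extraEnv lists).

```python
import ipaddress
import re

# Constructed samples: the reverse-proxy entries from the thread's first and fixed extraEnv lists.
ORIGINAL_ENV = {
    "OVERWRITEPROTOCOL": "https", "OVERWRITEHOST": "cloud.exemple.com",
    "OVERWRITECLIURL": "https://cloud.exemple.com",
    "overwrite.cli.url": "https://${cloud.exemple.com}",  # the unexpanded placeholder
    "OVERWRITECONDADDR": r"^10\.43\.68\.233$",
    "TRUSTED_PROXIES": "10.43.68.233", "APACHE_DISABLE_REWRITE_IP": "1",
}
FIXED_ENV = {
    "OVERWRITEPROTOCOL": "https", "OVERWRITEHOST": "cloud.example.org",
    "overwrite.cli.url": "https://cloud.example.org",
    "TRUSTED_PROXIES": "10.43.68.233", "APACHE_DISABLE_REWRITE_IP": "1",
}
PLACEHOLDER = re.compile(r"\$\{[^}]*\}")             # ${...} is never expanded in a pod env
URL = re.compile(r"https://([A-Za-z0-9.-]+)(/.*)?")  # absolute https URL, group 1 = host

def check_proxy_env(env):
    """Return a list of problems found in the reverse-proxy related env entries."""
    problems = []
    for name, value in env.items():
        if PLACEHOLDER.search(value):
            problems.append(f"{name}: unexpanded placeholder in {value!r}")
    if env.get("OVERWRITEPROTOCOL") != "https":
        problems.append("OVERWRITEPROTOCOL: must be 'https' when TLS terminates at the proxy")
    host = env.get("OVERWRITEHOST")
    for name in ("OVERWRITECLIURL", "overwrite.cli.url"):   # check whichever spelling is present
        url = env.get(name)
        if url is None:
            continue
        m = URL.fullmatch(url)
        if not m:
            problems.append(f"{name}: not an absolute https URL: {url!r}")
        elif host and m.group(1) != host:
            problems.append(f"{name}: host {m.group(1)!r} differs from OVERWRITEHOST {host!r}")
    # TRUSTED_PROXIES: space separated IPs/CIDRs; bare container names are passed through unchecked
    nets = []
    for p in env.get("TRUSTED_PROXIES", "").split():
        try:
            nets.append(ipaddress.ip_network(p, strict=False))
        except ValueError:
            if not re.fullmatch(r"[A-Za-z0-9.-]+", p):
                problems.append(f"TRUSTED_PROXIES: {p!r} is neither an address nor a name")
    # OVERWRITECONDADDR only applies to requests whose REMOTE_ADDR matches it, so it must match
    # at least one trusted proxy address or the overwrite settings silently never take effect.
    cond = env.get("OVERWRITECONDADDR")
    if cond and nets and not any(re.search(cond, str(n.network_address)) for n in nets):
        problems.append("OVERWRITECONDADDR: matches none of TRUSTED_PROXIES")
    return problems
```

Running it on the original entries reports the placeholder in overwrite.cli.url (and therefore a URL that is not a valid https URL); the fixed entries come back clean.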

Hi, thanks for your answer. You were right: once I correctly set up my overwrite.cli.url, which was badly tweaked, and updated all my other env vars to match the ones in your docker-compose.yml, everything started working perfectly. Also, I don’t know why the official docs don’t mention this overwrite.cli.url env var.
Thanks a lot :+1:

If anyone needs it, here are my Helm chart values after the fix.

image:
    repository: nextcloud
    tag: 23.0.2-apache
    pullPolicy: IfNotPresent
    pullSecrets: []
replicaCount: 1
nextcloud:
    host: cloud.example.org
    username: alexo
    password: STRONGPASSWORD
    mail:
        enabled: false
    datadir: /var/www/html/data
    extraEnv:
        - name: OVERWRITEPROTOCOL
          value: https
        - name: OVERWRITEHOST
          value: cloud.example.org
        - name: overwrite.cli.url
          value: https://cloud.example.org
        # This is the Cluster Ip of the loadbalancer
        - name: TRUSTED_PROXIES
          value: 10.43.68.233
        - name: APACHE_DISABLE_REWRITE_IP
          value: "1"
    phpConfigs:
        opcache.interned_strings_buffer: "10"
internalDatabase:
    enabled: false

mariadb:
    enabled: true
    auth:
        database: nextcloud
        username: nextcloud
        password: STRONGPASSWORD
        rootPassword: STRONGPASSWORD
    primary:
        extraEnvVars:
            - name: BITNAMI_DEBUG
              value: "true"
        persistence:
            enabled: true
            existingClaim: "nextcloud-db-data"

persistence:
    # Nextcloud Data (/var/www/html)
    enabled: true
    existingClaim: nextcloud-data

livenessProbe:
    enabled: false
    initialDelaySeconds: 360
readinessProbe:
    enabled: false
    initialDelaySeconds: 360

## Prometheus Exporter / Metrics
##
metrics:
    enabled: true
    # resources: {}
    service:
        type: ClusterIP
        annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "9205"
1 Like