Issues with Caddy Reverse Proxy, NAT Loopback, and DNS Configuration for Nextcloud AIO Setup

Hi Nextcloud Community,

I am currently experiencing issues with my Nextcloud All-In-One (AIO) setup, particularly with my reverse proxy configuration and DNS resolution. I’m running the Nextcloud AIO using Docker with Caddy as the reverse proxy on a Raspberry Pi (Archer VR400 router). Here’s an overview of the setup and the issues I’m facing:
Setup Details:

Nextcloud AIO with Caddy as the reverse proxy
Docker containers for Caddy and Nextcloud AIO on a Raspberry Pi 4
Domain: thedogshouse.duckdns.org
Router: TP-Link Archer VR400
Local DNS: Managed by Pi-hole
Ports forwarded: 443, 80, 8443, 11000, 8080

Issue 1: Reverse Proxy and Apache Communication

I’ve set up Caddy as the reverse proxy, and it is supposed to point to the Apache server running on port 11000 in the Nextcloud AIO master container. However, Caddy fails to connect to Apache, and I consistently receive connection refused errors when trying to reach http://nextcloud-aio-mastercontainer:11000. Here’s what I’ve done so far:

Verified that the Apache server is configured to listen on port 11000.
curl requests to localhost:11000 work from within the master container, but Caddy fails to connect from the other container.
The Caddyfile points to nextcloud-aio-mastercontainer:11000, but the connection is not established.

Issue 2: NAT Loopback and Internal DNS Resolution

My router, Archer VR400, does not support NAT Loopback, which causes issues when accessing Nextcloud using the external domain (thedogshouse.duckdns.org) from within my local network. To work around this:

I've set up local DNS resolution via Pi-hole to resolve thedogshouse.duckdns.org to the Raspberry Pi's internal IP (192.168.0.101).
This bypasses the NAT Loopback issue internally, but I’m not sure if this could be causing issues with my external requests and certificate generation via Let’s Encrypt.

What I’ve Tried:

Port Check: Verified that ports 443, 80, 8443 are open and reachable externally (successful tests).
Router Configuration: Checked for any firewalls or security features that could be blocking ports (none found). SPI Firewall temporarily disabled for testing.
DNS Propagation: Confirmed that thedogshouse.duckdns.org resolves correctly externally to my public IP.
Docker Network: Checked Docker network connections, and Caddy and Nextcloud AIO containers can ping each other.
Caddyfile Configuration: The extra_hosts section and upstreams in the Caddyfile point correctly to the Nextcloud AIO container's internal IP, but the connection still fails.

Request:

I’m looking for guidance on:

Resolving the reverse proxy communication issue between Caddy and Apache (running on port 11000).
Ensuring my external DNS resolution setup and local DNS (via Pi-hole) are not interfering with the reverse proxy or Let’s Encrypt certificate generation.

Thanks for your help in advance! I’ve attached logs and relevant configuration files below for more details.

Log Files and Configurations:

Caddyfile:

```
thedogshouse.duckdns.org: {
    reverse_proxy 127.0.0.1:8080 {  # 172.21.0.2 is the IP of nextcloud-aio-mastercontainer (also tried using the raspberry ip, localhost and the container ip/name)
        transport http {
            tls_insecure_skip_verify
        }
    }
    tls {
        dns duckdns c8ab75e0-c9e1-4b91-96ab-9fc28c32565f  # Replace with your DuckDNS token
    }
}
```

Docker-compose snippet:

```yaml
version: '3'

services:
  caddy:
    container_name: caddy
    build:
      context: ./caddy  # Assuming Dockerfile for Caddy is in ./caddy folder
    volumes:
      - /home/tal/nextcloud/Caddyfile:/etc/caddy/Caddyfile
      - /home/tal/nextcloud/data:/data
      - /var/lib/docker/volumes/nextcloud_aio_mastercontainer/_data/nextcloud-aio-config.php:/config/caddy
    networks:
      - nextcloud_network
    ports:
      - "80:80"
      - "443:443"
#    extra_hosts:
#      - "thedogshouse.duckdns.org:85.130.150.176"
    restart: unless-stopped

  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer
    environment:
      - APACHE_PORT=11000  # Avoid port conflicts
      - NEXTCLOUD_DATADIR=/data
      - APACHE_IP_BINDING=0.0.0.0  # Bind to all IPs
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - nextcloud_network
    ports:
      - "8080:8080"
      - "8443:8443"
    restart: unless-stopped

volumes:
  nextcloud_aio_mastercontainer:
    external: true

networks:
  nextcloud_network:
    external: true
```

nextcloud-aio-mastercontainer logs:

```text
docker logs nextcloud-aio-mastercontainer
Trying to fix docker.sock permissions internally...
Creating docker group internally with id 991
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No memory limit support
WARNING: No swap limit support
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[Thu Oct 17 14:28:56.317106 2024] [mpm_event:notice] [pid 146:tid 146] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.2 configured -- resuming normal operations
[Thu Oct 17 14:28:56.317302 2024] [core:notice] [pid 146:tid 146] AH00094: Command line: 'httpd -D FOREGROUND'
[17-Oct-2024 14:28:56] NOTICE: fpm is running, pid 152
[17-Oct-2024 14:28:56] NOTICE: ready to handle connections
{"level":"info","ts":1729175336.3821006,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1729175336.385486,"msg":"adapted config to JSON","adapter":"caddyfile"}
[Thu Oct 17 15:35:07.078996 2024] [core:error] [pid 167:tid 242] [client 179.43.168.146:59932] AH10244: invalid URI path (/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts)
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No memory limit support
WARNING: No swap limit support
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[17-Oct-2024 12:07:40] NOTICE: fpm is running, pid 143
[17-Oct-2024 12:07:40] NOTICE: ready to handle connections
[Thu Oct 17 12:07:40.025186 2024] [mpm_event:notice] [pid 138:tid 138] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.2 configured -- resuming normal operations
[Thu Oct 17 12:07:40.025906 2024] [core:notice] [pid 138:tid 138] AH00094: Command line: 'httpd -D FOREGROUND'
{"level":"info","ts":1729166860.0949974,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1729166860.0995822,"msg":"adapted config to JSON","adapter":"caddyfile"}
Deleting duplicate sessions
NOTICE: PHP message: It seems like the ip-address of thedogshouse.duckdns.org is set to an internal or reserved ip-address. (It was found to be set to '192.168.0.101')
NOTICE: PHP message: The response of the connection attempt to "https://thedogshouse.duckdns.org:443" was:
NOTICE: PHP message: Expected was: 40f87765ce871bea5cfa3f003c2689cb44a54151a7db8dcc
NOTICE: PHP message: The error message was:
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!
```

Additional errors:

The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.
Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')
DNS config is not set for this domain or the domain is not a valid domain! (It was found to be set to '')

This just popped up once I’d tried different configurations.

Let me know if you need further details!
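Added example, not code from the poster or from the Nextcloud AIO project: a small offline-capable pre-flight checker for the three things the logs above point at, namely where the Caddyfile's `reverse_proxy` target actually lands when Caddy runs in its own container (inside a container with its own network namespace, 127.0.0.1 is that container's loopback, not the Docker host), whether the domain resolves to a reserved/private address (the condition the mastercontainer reports as "internal or reserved ip-address"), and whether the upstream port accepts a plain TCP connection from wherever the script runs. `SAMPLE_CADDYFILE` is the poster's Caddyfile with the DuckDNS token replaced by a placeholder; the function names, the verdict strings, and the `resolver`/`probe` injection points are this example's own assumptions.

```python
import ipaddress
import re
import socket
from typing import Callable, Optional, Tuple

# Constructed sample: the poster's Caddyfile with the DuckDNS token replaced
# by a placeholder (a real token never belongs in a pasted config).
SAMPLE_CADDYFILE = """
thedogshouse.duckdns.org: {
    reverse_proxy 127.0.0.1:8080 {
        transport http {
            tls_insecure_skip_verify
        }
    }
    tls {
        dns duckdns DUCKDNS_TOKEN_PLACEHOLDER
    }
}
"""

_UPSTREAM_RE = re.compile(r"^\s*reverse_proxy\s+(\S+)", re.MULTILINE)


def upstream_target(caddyfile: str) -> Tuple[str, int]:
    """Return (host, port) of the first reverse_proxy directive in a Caddyfile."""
    match = _UPSTREAM_RE.search(caddyfile)
    if not match:
        raise ValueError("no reverse_proxy directive found")
    scheme, _, rest = match.group(1).rpartition("://")  # optional http:// or https://
    host, sep, port = rest.rpartition(":")
    if not sep:
        # Caddy's default upstream port: 443 for https://, otherwise 80
        return rest, 443 if scheme == "https" else 80
    return host, int(port)


def is_reserved(address: str) -> Optional[bool]:
    """True for private, loopback or link-local IPs, False for public ones,
    None when the string is a hostname rather than an IP literal."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_upstream(host: str, caddy_in_container: bool) -> str:
    """Say where a reverse_proxy host lands from Caddy's point of view."""
    reserved = is_reserved(host)
    if reserved is None:
        return ("hostname: must resolve from inside the Caddy container "
                "(shared Docker network or an extra_hosts entry)")
    if caddy_in_container and ipaddress.ip_address(host).is_loopback:
        # A container with its own network namespace has its own 127.0.0.1,
        # so Caddy would be dialling itself, not the host or another container.
        return ("loopback: 127.0.0.1 inside the Caddy container is Caddy itself, "
                "not the Docker host; use the host's LAN IP or a container name")
    if reserved:
        return "private IP: works only if the Docker host publishes the port on that address"
    return "public IP: needs NAT loopback on the router to work from the LAN"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect, the step that fails with 'connection refused'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(domain: str, caddyfile: str, caddy_in_container: bool = True,
               resolver: Callable[[str], str] = socket.gethostbyname,
               probe: Callable[[str, int], bool] = tcp_reachable) -> dict:
    """Collect the findings to look at before reading the container logs.
    resolver and probe are injectable so the checks can be run offline."""
    host, port = upstream_target(caddyfile)
    findings = {
        "upstream": f"{host}:{port}",
        "upstream_verdict": classify_upstream(host, caddy_in_container),
        "upstream_tcp_ok": probe(host, port),
    }
    try:
        resolved = resolver(domain)
    except OSError:
        resolved = None
    findings["domain_resolves_to"] = resolved
    # AIO's domain validation reports exactly this case as an
    # "internal or reserved ip-address" in the mastercontainer log.
    findings["domain_ip_reserved"] = is_reserved(resolved) if resolved else None
    return findings


def probe_demo() -> Tuple[bool, bool]:
    """Show the probe against a port we listen on, then the same port once closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = tcp_reachable("127.0.0.1", port, 1.0)
    return while_open, tcp_reachable("127.0.0.1", port, 1.0)


if __name__ == "__main__":
    for key, value in run_checks("thedogshouse.duckdns.org", SAMPLE_CADDYFILE).items():
        print(f"{key}: {value}")
```

Run it where Caddy actually lives, e.g. `docker exec -it caddy python3 check.py` if the image has Python, or on the Pi with `caddy_in_container=False`; the `resolver` and `probe` arguments exist so the same checks can be exercised offline with known values, which is also how the verdict for the posted Caddyfile (a loopback upstream from inside the Caddy container) is reproduced without any network.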

Hi, can you follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md?

I’ve followed it step by step, still no luck.
I tried a bunch of variations from different repos; none was able to solve the problem.