Issues with Caddy Reverse Proxy, NAT Loopback, and DNS Configuration for Nextcloud AIO Setup

Hi Nextcloud Community,

I am currently experiencing issues with my Nextcloud All-In-One (AIO) setup, particularly with my reverse proxy configuration and DNS resolution. I’m running the Nextcloud AIO using Docker with Caddy as the reverse proxy on a Raspberry Pi behind a TP-Link Archer VR400 router. Here’s an overview of the setup and the issues I’m facing:
Setup Details:

Nextcloud AIO with Caddy as the reverse proxy
Docker containers for Caddy and Nextcloud AIO on a Raspberry Pi 4
Domain: thedogshouse.duckdns.org
Router: TP-Link Archer VR400
Local DNS: Managed by Pi-hole
Ports forwarded: 443, 80, 8443, 11000, 8080

Issue 1: Reverse Proxy and Apache Communication

I’ve set up Caddy as the reverse proxy, and it is supposed to point to the Apache server running on port 11000 in the Nextcloud AIO master container. However, Caddy fails to connect to Apache, and I consistently receive connection refused errors when trying to reach http://nextcloud-aio-mastercontainer:11000. Here’s what I’ve done so far:

Verified that the Apache server is configured to listen on port 11000.
curl requests to localhost:11000 work from within the master container, but Caddy fails to connect from the other container.
The Caddyfile points to nextcloud-aio-mastercontainer:11000, but the connection is not established.

Issue 2: NAT Loopback and Internal DNS Resolution

My router, Archer VR400, does not support NAT Loopback, which causes issues when accessing Nextcloud using the external domain (thedogshouse.duckdns.org) from within my local network. To work around this:

I've set up local DNS resolution via Pi-hole to resolve thedogshouse.duckdns.org to the Raspberry Pi's internal IP (192.168.0.101).
This bypasses the NAT Loopback issue internally, but I’m not sure if this could be causing issues with my external requests and certificate generation via Let’s Encrypt.

What I’ve Tried:

Port Check: Verified that ports 443, 80, 8443 are open and reachable externally (successful tests).
Router Configuration: Checked for any firewalls or security features that could be blocking ports (none found). SPI Firewall temporarily disabled for testing.
DNS Propagation: Confirmed that thedogshouse.duckdns.org resolves correctly externally to my public IP.
Docker Network: Checked Docker network connections, and Caddy and Nextcloud AIO containers can ping each other.
Caddyfile Configuration: The extra_hosts section and upstreams in the Caddyfile point correctly to the Nextcloud AIO container's internal IP, but the connection still fails.

Request:

I’m looking for guidance on:

Resolving the reverse proxy communication issue between Caddy and Apache (running on port 11000).
Ensuring my external DNS resolution setup and local DNS (via Pi-hole) is not interfering with the reverse proxy or Let’s Encrypt certificate generation.

Thanks for your help in advance! I’ve attached logs and relevant configuration files below for more details.

Log Files and Configurations:

Caddyfile:

thedogshouse.duckdns.org {
    # Upstream as posted; 172.21.0.2 is the IP of nextcloud-aio-mastercontainer
    # (also tried the Raspberry Pi IP, localhost and the container IP/name).
    reverse_proxy 127.0.0.1:8080 {
        transport http {
            tls_insecure_skip_verify
        }
    }
    tls {
        dns duckdns {env.DUCKDNS_API_TOKEN}  # DuckDNS token, supplied via the environment instead of being written into the file
    }
}

Docker-compose snippet:

version: '3'

services:
  caddy:
    container_name: caddy
    build:
      context: ./caddy  # Assuming Dockerfile for Caddy is in ./caddy folder
    volumes:
      - /home/tal/nextcloud/Caddyfile:/etc/caddy/Caddyfile
      - /home/tal/nextcloud/data:/data
      - /var/lib/docker/volumes/nextcloud_aio_mastercontainer/_data/nextcloud-aio-config.php:/config/caddy
    networks:
      - nextcloud_network
    ports:
      - "80:80"
      - "443:443"
#    extra_hosts:
#      - "thedogshouse.duckdns.org:85.130.150.176"
    restart: unless-stopped

  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer
    environment:
      - APACHE_PORT=11000  # Avoid port conflicts
      - NEXTCLOUD_DATADIR=/data
      - APACHE_IP_BINDING=0.0.0.0  # Bind to all IPs
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - nextcloud_network
    ports:
      - "8080:8080"
      - "8443:8443"
    restart: unless-stopped

volumes:
  nextcloud_aio_mastercontainer:
    external: true

networks:
  nextcloud_network:
    external: true

Nextcloud AIO mastercontainer logs:

docker logs nextcloud-aio-mastercontainer
Trying to fix docker.sock permissions internally...
Creating docker group internally with id 991
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No memory limit support
WARNING: No swap limit support
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[Thu Oct 17 14:28:56.317106 2024] [mpm_event:notice] [pid 146:tid 146] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.2 configured -- resuming normal operations
[Thu Oct 17 14:28:56.317302 2024] [core:notice] [pid 146:tid 146] AH00094: Command line: 'httpd -D FOREGROUND'
[17-Oct-2024 14:28:56] NOTICE: fpm is running, pid 152
[17-Oct-2024 14:28:56] NOTICE: ready to handle connections
{"level":"info","ts":1729175336.3821006,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1729175336.385486,"msg":"adapted config to JSON","adapter":"caddyfile"}
[Thu Oct 17 15:35:07.078996 2024] [core:error] [pid 167:tid 242] [client 179.43.168.146:59932] AH10244: invalid URI path (/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts)
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No memory limit support
WARNING: No swap limit support
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[17-Oct-2024 12:07:40] NOTICE: fpm is running, pid 143
[17-Oct-2024 12:07:40] NOTICE: ready to handle connections
[Thu Oct 17 12:07:40.025186 2024] [mpm_event:notice] [pid 138:tid 138] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.2 configured -- resuming normal operations
[Thu Oct 17 12:07:40.025906 2024] [core:notice] [pid 138:tid 138] AH00094: Command line: 'httpd -D FOREGROUND'
{"level":"info","ts":1729166860.0949974,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1729166860.0995822,"msg":"adapted config to JSON","adapter":"caddyfile"}
Deleting duplicate sessions
NOTICE: PHP message: It seems like the ip-address of thedogshouse.duckdns.org is set to an internal or reserved ip-address. (It was found to be set to '192.168.0.101')
NOTICE: PHP message: The response of the connection attempt to "https://thedogshouse.duckdns.org:443" was:
NOTICE: PHP message: Expected was: 40f87765ce871bea5cfa3f003c2689cb44a54151a7db8dcc
NOTICE: PHP message: The error message was:
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!

Additional errors:

The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.
Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')
DNS config is not set for this domain or the domain is not a valid domain! (It was found to be set to '')

This just popped up once I’ve tried different configurations.

Let me know if you need further details!
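The mastercontainer log above shows the two checks that fail in this setup: the resolver answers with the Pi-hole override (192.168.0.101, an RFC 1918 address, hence the "internal or reserved ip-address" notice) and the connection to https://thedogshouse.duckdns.org:443 from inside the container does not come back with the expected token. The following is an added example, not AIO's own code (AIO performs these checks in PHP inside the mastercontainer); it re-creates that logic with the resolver and the HTTPS fetch injected, so the three failure modes discussed in the thread (split DNS that works, a router without NAT loopback, and Caddy proxying to the wrong upstream) can be replayed offline. The token and the scenario inputs are constructed, and the live helpers are assumptions about how one would wire it to a real host.

```python
"""Simplified re-creation of the AIO domain check (added example, not AIO code)."""
import ipaddress
import socket
import ssl
import urllib.request
from typing import Callable, List


def classify_ip(addr: str) -> str:
    """'public' for a globally routable address, otherwise 'internal-or-reserved'.

    192.168.0.101 (the Pi-hole override in the thread) is RFC 1918, so a resolver
    answering with it produces AIO's "internal or reserved ip-address" notice.
    """
    return "public" if ipaddress.ip_address(addr).is_global else "internal-or-reserved"


def check_domain(domain: str,
                 resolve: Callable[[str], List[str]],
                 fetch: Callable[[str], str],
                 expected_token: str) -> List[str]:
    """Return the findings in the order the mastercontainer would log them.

    1. DNS: the domain must resolve; an internal answer is only a notice.
    2. Reachability: https://<domain>:443 must answer from inside the container
       (the step a router without NAT loopback breaks unless local DNS overrides it).
    3. Identity: the body must be the random token served behind the reverse proxy,
       proving the request went through *this* proxy and not some other listener.
    """
    findings: List[str] = []
    ips = resolve(domain)
    if not ips:
        findings.append("error: DNS config is not set for this domain")
        return findings
    for ip in ips:
        if classify_ip(ip) != "public":
            findings.append(f"notice: {domain} resolves to internal/reserved {ip}")
    try:
        body = fetch(f"https://{domain}:443")
    except OSError as exc:  # urllib.error.URLError is an OSError, so this covers live use too
        findings.append(f"error: domain not reachable on port 443 ({exc})")
        return findings
    if body.strip() != expected_token:
        findings.append("error: domain does not point to this server or the reverse proxy is misconfigured")
    else:
        findings.append("ok: reverse proxy answered with the expected token")
    return findings


def live_resolve(domain: str) -> List[str]:
    """Ask whatever resolver the calling container has (Pi-hole, in the thread's case)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(domain, 443)})
    except socket.gaierror:
        return []


def live_fetch(url: str, timeout: float = 5.0) -> str:
    """GET the URL with certificate verification disabled: only the token matters here,
    and the proxy may not have obtained its certificate yet (assumption)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed token; not the value from the log.
TOKEN = "0123456789abcdef0123456789abcdef0123456789abcdef"
DOMAIN = "thedogshouse.duckdns.org"


def scenario_split_dns_working() -> List[str]:
    """Pi-hole answers with the LAN IP and Caddy forwards to the right upstream."""
    return check_domain(DOMAIN, lambda _d: ["192.168.0.101"], lambda _u: TOKEN + "\n", TOKEN)


def scenario_no_nat_loopback() -> List[str]:
    """Public IP returned, but the router does not hairpin, so :443 never answers."""
    def fetch(_u: str) -> str:
        raise ConnectionRefusedError("connection refused")
    return check_domain(DOMAIN, lambda _d: ["85.130.150.176"], fetch, TOKEN)


def scenario_wrong_upstream() -> List[str]:
    """Reachable, but Caddy proxies to the AIO admin UI (8080) instead of Apache (11000)."""
    return check_domain(DOMAIN, lambda _d: ["85.130.150.176"],
                        lambda _u: "<html>Nextcloud AIO login</html>", TOKEN)


if __name__ == "__main__":
    for fn in (scenario_split_dns_working, scenario_no_nat_loopback, scenario_wrong_upstream):
        print(fn.__name__, fn())
```

Running it against a real host means calling `check_domain(domain, live_resolve, live_fetch, token)` from inside the container whose view of DNS you care about; the split-DNS scenario shows that an internal answer by itself is not what fails the check, the other two show what does.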

Hi, can you follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md?

I’ve followed it step by step, still no luck.
Tried a bunch of variations from different repos; none was able to solve the problem.

Hello,

Working off my phone while traveling but the AIO configuration with a reverse proxy will have port 11000 on the Nextcloud-AIO-Apache container (if that’s the port you selected) and port 8080 on the Nextcloud-AIO-mastercontainer which hosts the AIO container stop/start & install options menu.

You’ll want to have your Caddyfile forward the port 443 requests from the Internet-facing side to the Apache container port 11000. I don’t forward to port 8080 on the master container from the Internet as I access that only via LAN.

In AIO the Apache container is running caddy as part of the AIO install to proxy collabora requests (I’m still trying to get that to work) but it’s transparent to your Caddy setup.

Setting up your Caddyfile for 443 to 11000 makes for a very streamlined Caddyfile. I’ll send an example tomorrow; an added benefit is that Caddy supports Let’s Encrypt when used with your domain name.


Sample Caddyfile:

[->hostname.domainname.com<-] {
    reverse_proxy 127.0.0.1:11000
    log {
        output file /var/log/caddy/[->hostname<-].log
        format json
    }
    encode gzip
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Referrer-Policy "no-referrer"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        Permissions-Policy "interest-cohort=()"
    }
}
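The sample above assumes Caddy runs directly on the host, where 127.0.0.1:11000 is the AIO Apache container's published port. In the original poster's setup Caddy is itself a container, so 127.0.0.1 is the Caddy container, not the Pi. The following is an added example (not from this reply, the original post or the AIO documentation) of the same 443 to 11000 layout for that case. It assumes the Caddy image was built with the caddy-dns/duckdns module, that the token is passed in as an environment variable named DUCKDNS_API_TOKEN, and that the Pi's LAN address is 192.168.0.101 as stated in the thread.

```caddyfile
# Added example; the upstream address and the environment variable name are assumptions.
thedogshouse.duckdns.org {
    # With APACHE_IP_BINDING=0.0.0.0 the AIO Apache container publishes APACHE_PORT (11000)
    # on the host, so a Caddy running in its own container reaches it via the host's LAN address.
    reverse_proxy 192.168.0.101:11000

    tls {
        # DNS-01 challenge through DuckDNS: port 80 does not need to be reachable for issuance,
        # and the token stays out of the config file.
        dns duckdns {env.DUCKDNS_API_TOKEN}
    }

    encode gzip
    log {
        output file /var/log/caddy/nextcloud.log
        format json
    }
}
```

Only 443 then needs to be forwarded on the router for the Nextcloud side; as the reply above says, 8080 (the AIO admin interface) is better reached from the LAN only. AIO's own domain check still has to reach https://thedogshouse.duckdns.org:443 from inside the mastercontainer, which on a router without NAT loopback is exactly what the Pi-hole override provides.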

Hi Tal,

Not sure if you had this sorted or not but take a look at NAT Hairpinning and how your internet facing connections (caddy 443) are NAT’d by the router.

NextCloud expects to be able to see its own IP as its externally resolved IP/DNS to pass things like domain checking and office server integrations.

If you don’t have this set up or set up correctly it can impact your installation. While domaincheck may work at one point office may never work, etc.

You want to make sure your NAT loopback is pointing to the Caddy proxy for 443. That is both the connection for Nextcloud and the internal Caddy-proxied Office traffic (if it’s being used). I’ve found my curl errors have gone away (policy routing was intercepting hairpin NAT on my firewall) once the hairpin for the Nextcloud host (not just the client network) was set up.

In my firewall port forwarding was required, not so bad as it limits the ports that can be used to connect to the system in addition to firewall rules.

Why you may need “Hairpin NAT” (NAT Reflection, NAT Loopback) for AIO/NC (Nextcloud community Support thread)