Need assistance reverse proxying with Caddy (Docker)

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • latest
      I’m using the Nextcloud AIO Docker image.
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian 13 "Trixie"
  • Web server and version (e.g., Apache 2.4.25):
    • 2.4.65
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • Caddy v2.10.2
  • PHP version (e.g., 8.3):
    • N/A
      I don’t understand what this is pertaining to.
  • Is this the first time you’ve seen this error? (Yes / No):
    • No
      I have seen others with this same issue. I’ve tried to follow their
      solutions with no success.
  • When did this problem seem to first start?
    • During the installation of Nextcloud.
  • Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

I’m trying to proxy my Nextcloud instance to the Caddy reverse proxy, both running in a Docker container. I tried to follow the reverse proxy guide to the best of my ability and even tried the example shown there along with many others.
I can’t access Nextcloud at all, even when using the < IP >:< PORT > method to finish installation. Trying to do so will result in a 400 “Bad Request” error.

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

I have opened all the necessary ports on the firewall (ufw) shown in the documentation for the reverse proxy, including ports 80, 443, and 8080.

Steps to replicate it (hint: details matter!):

  1. Following the Nextcloud AIO installation instructions.
    I converted the docker command to a docker-compose.yml using Containerize.
    Instead of using a single docker-compose.yml, I use multiple as I have other services that also use a reverse proxy (e.g. Caddy).

  2. Follow the Nextcloud AIO reverse proxy documentation.

  3. Try to access Nextcloud, either via < IP >:< PORT > or via the reverse proxy.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.
Output from docker logs nextcloud-aio-mastercontainer

Trying to fix docker.sock permissions internally...
Creating docker group internally with id 990
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
/usr/lib/python3.12/site-packages/supervisor/options.py:13: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
[Tue Nov 11 06:48:58.139700 2025] [mpm_event:notice] [pid 153:tid 153] AH00489: Apache/2.4.65 (Unix) OpenSSL/3.5.4 configured -- resuming normal operations
[Tue Nov 11 06:48:58.139771 2025] [core:notice] [pid 153:tid 153] AH00094: Command line: 'httpd -D FOREGROUND'
[11-Nov-2025 06:48:58] NOTICE: fpm is running, pid 159
[11-Nov-2025 06:48:58] NOTICE: ready to handle connections
{"level":"info","ts":1762843738.1905081,"msg":"maxprocs: Leaving GOMAXPROCS=10: CPU quota undefined"}
{"level":"info","ts":1762843738.190731,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":15066209894,"previous":9223372036854775807}
{"level":"info","ts":1762843738.1908114,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1762843738.1927395,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1762843738.195621,"msg":"serving initial configuration"}

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

Output from curl -vL nextcloud.example.com

* Host nextcloud.example.com:80 was resolved.
* IPv6: (none)
* IPv4: < Remote IP >
*   Trying < Remote IP >:80...
* Established connection to nextcloud.example.com (< Remote IP > port 80) from 192.168.1.235 port 44706 
* using HTTP/1.x
> GET / HTTP/1.1
> Host: nextcloud.example.com
> User-Agent: curl/8.17.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://nextcloud.example.com/
< Server: Caddy
< Date: Tue, 11 Nov 2025 18:52:50 GMT
< Content-Length: 0
< 
* shutting down connection #0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://nextcloud.example.com/'
* Host nextcloud.example.com:443 was resolved.
* IPv6: (none)
* IPv4: < Remote IP >
*   Trying < Remote IP >:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=nextcloud.example.com
*   start date: Nov 11 05:46:02 2025 GMT
*   expire date: Feb  9 05:46:01 2026 GMT
*   issuer: C=US; O=Let's Encrypt; CN=E8
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   subjectAltName: "nextcloud.example.com" matches cert's "nextcloud.example.com"
* SSL certificate verified via OpenSSL.
* Established connection to nextcloud.example.com (< Remote IP > port 443) from 192.168.1.235 port 56606 
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://nextcloud.example.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: nextcloud.example.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.17.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: nextcloud.example.com
> User-Agent: curl/8.17.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< strict-transport-security: max-age=31536000;
< content-length: 0
< date: Tue, 11 Nov 2025 18:52:50 GMT
< 
* Connection #1 to host nextcloud.example.com:443 left intact

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

{"level":"error","ts":1762844291.2667866,"logger":"http.log.error","msg":"dial tcp [::1]:11000: connect: connection refused","request":{"remote_ip":"< Remote IP Here >","remote_port":"48962","client_ip":"< Remote IP Here >","proto":"HTTP/2.0","method":"GET","host":"nextcloud.example.com","uri":"/","headers":{"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Priority":["u=0, i"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.example.com"}},"duration":0.001376288,"status":502,"err_id":"x43fw5f7a","err_trace":"reverseproxy.statusError (reverseproxy.go:1390)"}

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

docker-compose.yml

services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8080:8080"
    environment:
      - APACHE_PORT=11000
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

caddy-compose.yml

services:
  caddy:
    image: caddy:2.10.2
    restart: unless-stopped
    container_name: caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./certs:/certs
      - ./config:/config
      - ./data:/data
      - ./sites:/srv
    network_mode: "host"

Apps

The output of occ app:list (if possible).

N/A, I couldn’t install any applications because I couldn’t complete installation.
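
A triage helper for the Caddy error log shown in the post, as an added example that is not part of the original post: it pulls the upstream dial target and the failure reason out of Caddy's JSON error entries while skipping non-JSON lines mixed into the same stream. The sample log is constructed from the post's lines and trimmed, and the function name `upstream_failures` is hypothetical.

```python
import ipaddress
import json
import re

# Constructed sample: Caddy JSON log lines shaped like those in the post,
# trimmed to the fields this script reads, plus one non-JSON line.
SAMPLE_LOG = "\n".join([
    '{"level":"info","ts":1762843738.195621,"msg":"serving initial configuration"}',
    '{"level":"error","ts":1762844291.2667866,"logger":"http.log.error",'
    '"msg":"dial tcp [::1]:11000: connect: connection refused",'
    '"request":{"host":"nextcloud.example.com","uri":"/"},"status":502}',
    "[11-Nov-2025 06:48:58] NOTICE: ready to handle connections",
])

# Matches Go net dial errors that name the target, e.g.
# "dial tcp [::1]:11000: connect: connection refused".
DIAL_RE = re.compile(
    r"dial tcp (?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d+): (?P<reason>.+)")


def upstream_failures(log_text):
    """Return one dict per reverse-proxy dial failure in Caddy JSON logs."""
    failures = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # Apache, PHP-FPM or supervisor output mixed into the log
        if not isinstance(entry, dict) or entry.get("logger") != "http.log.error":
            continue
        match = DIAL_RE.search(str(entry.get("msg", "")))
        if not match:
            continue
        host = match["host"].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
            family, loopback = f"IPv{ip.version}", ip.is_loopback
        except ValueError:  # hostname target rather than a literal IP
            family, loopback = "name", False
        failures.append({
            "site": entry.get("request", {}).get("host"),
            "status": entry.get("status"),
            "upstream_host": host,
            "upstream_port": int(match["port"]),
            "family": family,
            "loopback": loopback,
            "reason": match["reason"],
        })
    return failures


if __name__ == "__main__":
    for failure in upstream_failures(SAMPLE_LOG):
        print(failure)
```

A loopback upstream with "connection refused" generally means nothing was listening on that port in the network namespace Caddy runs in; with `network_mode: "host"` that is the host's own loopback.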