Need to know how to set up Nextcloud to use SSL

I have successfully installed and am running Nextcloud in docker. The installation uses LetsEncrypt to generate the certificates and runs without problems when I access it using HTTP.

When I attempt to use HTTPS, however, I am getting 500 Internal Server Error.

Researching this problem, I have learned that by default the nginx proxy container is not actually configured to use HTTPS (based on various nextcloud descriptions I have read online). Apparently what has to be done is to configure it to be able to use SSL.

Trouble is, there is no step by step procedure given for doing this.

Just about everywhere I look I am finding plenty of tutorials and instructions that include “set up letsencrypt” or “place certs in using certbot or other methods”. This is nice, but the docker-compose.yml file I used already sets up the certs! What I need is some clear instructions on how to configure the nginx-proxy to use SSL. I have been unable to find such instructions.

Can someone tell me how to properly configure the nginx-proxy container to use SSL? Or failing that, can someone point me to some clear instructions for properly configuring it for SSL?

Please advise.

Probably the nginx community/docs will help you better, as this is more related to this software…


100%. This process is outside of Nextcloud since there is no presumption of what way you’ll add SSL. It has also been asked and answered countless times… almost every Nextcloud server uses ssl. There are tons of examples on google. Try reading the admin documentation as well.

https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

Folks:

Thanks for your replies, but I had already figured out that the problem had something to do with nginx.

For just in particular: the first thing I did when I realized that the proxy was not set up for SSL was to look for various instructions for setting it up for using SSL – including at the link you provided. The problem is that everything I found that was clear mostly talked about how to use LetsEncrypt (or CertBot, or some other mechanism) for generating certs. All the other information I found was either unclear or the instructions just didn’t work!

For example: check out this site:

https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/

It gives an excellent step-by-step description of how to set up an nginx docker container to do reverse proxying and to use SSL. The author even provides a nice docker-compose.yml file that, with proper fiddling, actually starts up an nginx container. Trouble is, the setup doesn’t work because the nginx container fails to stay up due to a missing configuration file. This was just for starting up a basic nginx server!

This is typical of what I have been finding on the Internet. The instructions are out-of-date (so they don’t work), so poorly written that they are unclear and unfollowable, are based on using proprietary containers that you have to pay for, or they simply do not work.

That is why I came here. I was hoping that someone here had solved this problem and could either tell me how to do it or point me to whatever site they used that provided instructions that actually worked.

So, let me rephrase my question:

Has anyone successfully gotten Nextcloud on Docker to work behind a reverse-proxy with SSL enabled? If so, what did you use? Can you tell me how to get it to work, or can you point me to any site that provided you with instructions that actually work?

And be advised: I don’t necessarily need to use nginx. I am perfectly happy to use any other server as a reverse proxy. I am also fine with not using a reverse proxy at all, if there was some way to set up my Nextcloud container to process requests over SSL. The only reason I am even looking at using reverse proxies is because that seems to be the only way to do Nextcloud over SSL. If there is some other way, I am happy to be informed about it.

My goal is to use Nextcloud over SSL. I don’t care how I do it, just that I can.

I don’t use Docker or nginx, but here’s hoping I can help you here.

You mentioned that your existing docker-compose file handles certs already, which tells me that adding a reverse proxy isn’t strictly necessary - we would just need more information (server logs and perhaps your compose file) to find the mis-configuration.
That said, if you hadn’t seen it, the examples section of nextcloud/docker, like this docker-compose would be good to check against your own compose, or maybe to adopt in place of it. With all the SEO-optimised blogs out there, the most useful stuff isn’t always the easiest to find.

mactrent:

I am looking through the info on the links you provided. I will let you know if any of them can help.

The reply below contains the complete docker-compose.yml file that I used. It was taken from

https://bitlaunch.io/blog/how-to-install-nextcloud/

and tweaked to conform to my particular network. Note that machine, password, and other sensitive information is marked as REDACTED:

```yaml
services:

  proxy:
    image: jwilder/nginx-proxy:alpine
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: nextcloud-proxy
    networks:
      - nextcloud_network
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nextcloud-letsencrypt
    depends_on:
      - proxy
    networks:
      - nextcloud_network
    volumes:
      - ./proxy/certs:/etc/nginx/certs:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  db:
    image: mariadb:10.5
    container_name: nextcloud-mariadb
    networks:
      - nextcloud_network
    volumes:
      - db:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=REDACTED
      - MYSQL_PASSWORD=REDACTED
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=REDACTED
    restart: unless-stopped

  app:
    image: nextcloud:latest
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    depends_on:
      - letsencrypt
      - proxy
      - db
    volumes:
      - nextcloud:/var/www/html
      - ./app/config:/var/www/html/config
      - ./app/custom_apps:/var/www/html/custom_apps
      - ./app/data:/var/www/html/data
      - ./app/themes:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
    environment:
      - VIRTUAL_HOST=REDACTED
      - LETSENCRYPT_HOST=REDACTED
      - LETSENCRYPT_EMAIL=REDACTED
    restart: unless-stopped

volumes:
  nextcloud:
  db:

networks:
  nextcloud_network:
```

Notes about the file above:

  1. It was necessary to ensure that the MariaDB container was Version 10.5 instead of the “latest” as was in the original Yaml file, because apparently later versions have a problem with how Nextcloud does innodb operations.

  2. The nginx-proxy container has a weird behavior: whenever it starts, for reasons unknown, it overwrites everything in the config directory. I have attempted to make changes that would (theoretically) enable the proxy to use SSL, but when restarting those changes get erased and the default.conf file gets overwritten.

Worse, eliminating the default.conf file actually causes the proxy to cease to function. Any additional conf files I enter (as per instructions from other sites) get erased.

I have even gone to the page on the Docker containers site which gives instructions for using the jwilder/nginx-proxy:alpine image:

https://hub.docker.com/r/jwilder/nginx-proxy

This site gives instructions for how to set up the proxy for handling backend servers for using SSL. Following those instructions, however, pretty much makes Nextcloud completely unreachable. What happens is that HTTPS continues to return 500 errors, but HTTP returns a 400 Bad Gateway error.

I suspect that there must be some setup that has to be done on the Nextcloud container to make it use SSL, but there doesn’t appear to be any instruction anywhere on how to do this. Everything I found points to using a reverse proxy to get SSL working for Nextcloud, but nothing I have found for doing that works.

You’re right: if you want Nextcloud to play nicely with the reverse proxy, there are some entries to be made in Nextcloud’s config file, and also some recommended tweaks to your reverse proxy config. You can find instructions and an example in the Nextcloud admin docs here.
If you want a more full example, you can see my configs for Nextcloud, the Apache server in my Nextcloud container, and my Apache reverse proxy at the end of this post on the forum.

As far as using SSL straight from the docker image without reverse proxy… it looks like it should just work, so I’d want to see the logs next.

Just to be sure, is that config directory you refer to the same as this one:
./proxy/conf.d:/etc/nginx/conf.d ?
If you’re modifying something else, then you’ll need that file/folder to be listed under ‘volumes’ too, or it will be reset whenever you restart the docker image. The ‘Replacing default proxy settings’ section of that docker help page says to modify /etc/nginx/proxy.conf, but doesn’t tell you this.
If you are modifying something that’s listed under ‘volumes’ and it still resets, I’d ask other users of this image what the deal is, because that seems weird to me.

HTTP 400 Bad Gateway means the proxy can’t reach Nextcloud on the specified port, but HTTP 500 Internal Server Error could be sent by the reverse proxy, by the web server in your Nextcloud container, or by Nextcloud itself. Next step would be to check through the logs for all of the above.
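
The reverse-proxy entries in Nextcloud's config file mentioned in the reply above, shown as an added example that is not part of the original posts. The hostname `cloud.example.com` and the subnet `172.18.0.0/16` are placeholders, not values from this thread.

```php
<?php
// Added example: reverse-proxy entries for Nextcloud's config/config.php.
// Merge these keys into the existing $CONFIG array; do not replace the file.
// cloud.example.com and 172.18.0.0/16 are placeholders (assumptions).
$CONFIG = array (
  // Hostnames Nextcloud will answer for; any other Host header is rejected.
  'trusted_domains' => array (
    0 => 'cloud.example.com',
  ),
  // Only these source addresses may supply forwarded-for headers.
  // Keep this as narrow as possible: a client that can reach Nextcloud from
  // a trusted address can spoof its IP, which undermines brute-force
  // throttling and the addresses recorded in the logs.
  'trusted_proxies' => array (
    0 => '172.18.0.0/16',  // the Docker network the proxy container is on
  ),
  // Header the proxy uses to pass on the real client address.
  'forwarded_for_headers' => array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),
  // TLS ends at the proxy, so Nextcloud itself sees plain HTTP.
  // These force the URLs it generates to use https and the public name.
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.example.com',
  'overwrite.cli.url' => 'https://cloud.example.com',
);
```

With the compose file posted above, this file lives under `./app/config` on the host, and `docker network inspect` on the compose network shows the subnet to use for `trusted_proxies`.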

I actually found the solution to this problem:

Do not use the Nextcloud image from Nextcloud!

It turns out that if you want a Nextcloud that uses SSL, just use the image from linuxserver.io:

instead of nextcloud:latest. The linuxserver.io folks created a Nextcloud docker image that is already configured to use SSL. All you have to do is pull it and run it.

Frankly, that is how it should be with Docker containers. The idea behind them is for them to be closer to plug-and-play. The most one should have to do with something running in a Docker container is do some simple declarative config values – not have to go into containers and diddle with complex configuration files like I saw in so many instructions for securing the Nextcloud container.

I have run into some problems using Nginx as a proxy. It seems that instructions for properly setting up the Nginx container as a proxy tend to break any connection to Nextcloud. Fortunately, the linuxserver.io Nextcloud image does not require a reverse proxy to operate using SSL (I am currently not using one with my installation), and it turns out that these days reverse proxy software is easy to create. I am in the process of creating a reverse proxy specifically for Nextcloud which will be easy to set up and use. For those who want automatic renewal of certs and/or the security that comes from running Nextcloud behind a reverse proxy, I will be making a Docker image with this simplified proxy available as soon as I get it completed and working.

My sincerest thanks to those who helped me out with this issue. I would not have found a solution without your help.