Nextcloud server installation

I would like to install Nextcloud AIO (Nextcloud server) in a Linux VM, or deploy a Nextcloud image from the Azure Marketplace.

During the setup it expects a public domain, whereas I want to install and access Nextcloud internally in my private organization network instead of using a public domain. I want to avoid using a public domain.

Please let me know the best way to achieve that in detail.

Hi @Jagadish_Budagam

According to the documentation, it’s possible to set up a local instance with AIO that is not directly accessible from the Internet, but you’ll still need to use a registered public domain name. IP addresses and/or self-signed certificates are not supported.

See also here: https://github.com/nextcloud/all-in-one?tab=readme-ov-file#are-self-signed-certificates-supported-for-nextcloud

…and here: https://github.com/nextcloud/all-in-one?tab=readme-ov-file#can-i-use-an-ip-address-for-nextcloud-instead-of-a-domain


Thank you for your response. I see there is an option for the reverse-proxy method of installation, where I can buy my own certificate and use it.

Please let me know whether we can use a certificate issued by GoDaddy for the Nextcloud instance. Can we avoid the public domain requirement in the reverse proxy method?

I also read something about skipping the domain check. What happens if I skip the domain check?

I don’t quite understand what you mean by avoiding a public domain. If this is about avoiding Nextcloud being accessible from the internet, then yes. If it’s to avoid registering and paying for a domain name, then no.

Signed certificates, regardless of whether they are issued automatically or manually, can only be issued for registered domain names.

I’m not sure exactly how domain validation works in AIO, so I can’t be sure, but it doesn’t look to me like turning it off will suddenly allow you to use IP addresses or self-signed certificates :wink:

However, it is possible that in certain situations, such as a reverse proxy situation with manually installed certificates (e.g. from GoDaddy) and without ports 80 and 443 open, even though the domain and certificates are correctly configured, the domain check will fail and therefore needs to be turned off.

I mean, whenever I install and set up Nextcloud AIO, it asks me to enter a public domain/DNS name. If I use my internal DNS name, it throws an error. If I follow the reverse proxy method to install and set up Nextcloud AIO, will it accept my internal DNS name?

Q2) Suppose I install Nextcloud AIO with a public domain; it will create a certificate from Let's Encrypt, but what if I want to use my own certificate issued by GoDaddy instead of the Let's Encrypt one?

If I follow this example installation (Example installation on Ubuntu 22.04 LTS, Nextcloud Administration Manual), I am not asked for any public domain/DNS name.

Why do we have a restriction of using a public DNS name for the Nextcloud AIO installation?

I have never tested this myself, but as I understand the documentation, yes. If you put a reverse proxy in front of it, HTTPS will be managed there, and not by the AIO stack anymore. How you install the certificates and from which CA shouldn’t matter as long as they are signed certificates and DNS is working. However you might have to turn off domain validation in this case.

But why don’t you try it, and then maybe come back with more specific questions in case you run into any issues…?

That’s because it’s a full manual installation, where you have to configure everything yourself, so obviously you won’t be asked anything.

You still haven’t answered the question why this is a problem for you…

Is it because you don’t want to register a domain name, is it because you don’t want to have any proof on the Internet that this instance even exists, or do you just not want the instance to be accessible from the public Internet?

If it’s the latter, just use the reverse proxy method with Let’s Encrypt’s DNS Challenge and call it a day.

If it’s one of the former, you probably won’t be able to use GoDaddy certificates either, because a) you need a registered domain name to get GoDaddy certificates, and b) GoDaddy needs to somehow verify that you’re the owner of the domain name they’re issuing the certificates for as well, but yeah, there may be other methods available.

Thank you so much for patiently answering my queries.
I do not want to register or purchase a public DNS name; I want to use it in my internal domain. I do have an external domain with the same name, for which I get a cert from GoDaddy, and I want to use the same cert for my internal domain as well.

I have been trying to install Nextcloud using the reverse proxy method, but it's not working for me.

  1. Deployed an Azure Linux VM
  2. I have an ADCS in my test environment
  3. I have created a Host A record for the DNS name

Apache reverse proxy configuration:

<VirtualHost *:80>
ServerName nextcloud.smartplantcloud.net

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# The template placeholder <your-nc-domain> must be replaced with the real ServerName,
# otherwise this condition never matches.
RewriteCond %{SERVER_NAME} =nextcloud.smartplantcloud.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
ServerName nextcloud.smartplantcloud.net

# Reverse proxy based on https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html
RewriteEngine On
ProxyPreserveHost On
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
AllowEncodedSlashes NoDecode

ProxyPass / http://localhost:11000/ nocanon
ProxyPassReverse / http://localhost:11000/

RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
RewriteRule .? "ws://localhost:11000/%1" [P,L,UnsafeAllow3F]

# Enable h2, h2c and http1.1
Protocols h2 h2c http/1.1

# Solves slow upload speeds caused by http2
H2WindowSize 5242880

# TLS
SSLEngine               on
SSLProtocol             -all +TLSv1.2 +TLSv1.3
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off
SSLSessionTickets       off

# If running apache on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine,
# the <your-nc-domain> in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
# In this case the subdomain should already be secured without additional actions
# SSL Configuration (SSLEngine is already enabled above)
SSLCertificateFile /etc/apache2/ssl/smartplantcloud.pem
SSLCertificateKeyFile /etc/apache2/ssl/smartplantcloud.key

# Disable HTTP TRACE method.
TraceEnable off
<Files ".ht*">
    Require all denied
</Files>

# Support big file uploads
LimitRequestBody 0
Timeout 86400
ProxyTimeout 86400
</VirtualHost>
  4. Deploying Nextcloud AIO with the command below:

sudo docker run \
    --init \
    --sig-proxy=false \
    --name nextcloud-aio-mastercontainer \
    --restart always \
    --publish 8080:8080 \
    --env APACHE_PORT=11000 \
    --env APACHE_IP_BINDING=127.0.0.1 \
    --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    nextcloud/all-in-one:latest

  5. Browsing and configuring AIO via https://ip:8080 directs me to the containers page, where I enter my internal DNS name, but it says “DNS config is not set for this domain or the domain is not a valid domain! (It was found to be set to '”

I am seeing the errors below in the Apache log:

HTTP: failed to make connection to backend: localhost
[Mon Oct 14 03:59:21.262242 2024] [proxy:error] [pid 5785:tid 128542131611200] (111)Connection refused: AH00957: http: attempt to connect to 127.0.0.1:11000 (localhost) failed

You may actually need to skip/disable domain validation in this case.

For some reason it cannot connect to port 11000 on localhost where the AIO Apache container is supposed to listen. Is the container up and running?

Other than that, I’m not sure what could be causing the issue. Your configuration looks fine as far as I can tell by comparing it to the documentation. But I’m no expert when it comes to how AIO handles networking, or Docker networking in general, so there might be something else preventing it from connecting to the AIO Apache container.

Oh, and of course with this configuration the reverse proxy and AIO need to be running on the same server, but I assume that is the case here.

The container is up and running, and the reverse proxy and Nextcloud AIO are installed in the same VM.

Likely the reason is:

the special “localhost” IP address is local to every system… In other words, Apache listens on the localhost address of the Apache container and not on the host. The doc (all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub) recommends

--env APACHE_IP_BINDING=0.0.0.0 \

No, this setting actually makes the apache container listen on the localhost address of the host. But the reverse proxy also needs to run in the host network then in order to make it work.


Thank you for looking into it. Please let me know what might have gone wrong here.

Am I following the right process for the setup?

My goal here is to use the internal DNS of my internal domain and use the certificates purchased for the same domain.

I was under the impression that I could set up the reverse proxy using my certs and install nextcloud-aio with the skip domain verification option.

Please guide me in the right direction by providing a simplified solution.

One cannot purchase a TLS certificate for an internal domain like cloud.local or cloud.internal etc. One of the fundamental requirements for public CA (official) certificates is a public DNS name… You definitely could use public DNS inside of your internal network and even restrict access from the internet (makes it harder to set up, but technically it works); see the AiO local instance docs…

Hard requirements for “internal only” might be easier to achieve using other variants like the community Docker image or a native install on a server or VM, because AiO follows some assumptions and adds some limitations in order to make it an easy turnkey solution… but this is another story.

Thank you for the suggestions. Here the design of my organization network is something different. It has an internal and an external domain, xyz.com.

There are many layers in the network. The DNS can’t directly listen on the external IP; it resolves to an internal IP, which AIO doesn’t like.

Everywhere it is recommended to use AIO, so I prefer using it. I am following the last method of the local instance doc.

I have been trying the reverse proxy method of installation but failing.

Manual installation by taking the zip from the community project is working for me.

What is the recommended approach of installation that supports the GmbH license and gets support for the product?

Here you mix different things. Some integrated mechanisms, like acquiring a LE TLS cert using the ACME protocol, require the system to be (partly) accessible from the internet. When your internal system can’t be accessible from the internet, a reverse proxy comes into play and acts as an intermediate party forwarding requests from outside into the internal network.

DNS internally resolving to a local IP is a perfectly valid installation as long as the same public domain (validation) is accessible externally - see 101: Split-Brain DNS (split-horizon)

Many different installation variants exist… AiO is addressing the SOHO segment and is limited to 100 users… An enterprise installation with more than 100 users and a support contract would likely prefer dedicated hardware, especially when adding more resource-demanding functionality like Office and Talk.


Hi All, I was able to install nextcloud-aio using the Apache reverse proxy method.

[image: screenshot of the error page]

This may be due to the network design. We have a public and a private DNS with the same name. The request will come from the public DNS → private DNS.

If I use only the private DNS entry, I get the login page, but when I have the public → private setup, it gives the above error.

Can someone help me if there are any further configuration changes to fix my issue here?

I have gone through a few topics like these but was unable to fix my issue:
Nextcloud AIO Install: location of the backup archive
[SOLVED] How to add trusted proxies? · nextcloud/all-in-one · Discussion #3396 · GitHub

It looks like you reach the mastercontainer management interface, which runs on port :8080 or :8443. Double check that your request is forwarded to the Apache container port :443.

Please review the nextcloud/all-in-one README on GitHub (“📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.”):

Explanation of used ports:

  • 8080/TCP: Mastercontainer Interface with self-signed certificate (works always, also if only access via IP-address is possible, e.g. https://ip.address.of.this.server:8080/) :warning: Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser)
  • 80/TCP: redirects to Nextcloud (is used for getting the certificate via ACME http-challenge for the Mastercontainer)
  • 8443/TCP: Mastercontainer Interface with valid certificate (only works if port 80 and 8443 are open/forwarded in your firewall/router and you point a domain to your server. It generates a valid certificate then automatically and access via e.g. https://public.domain.com:8443/ is possible.)
  • 443/TCP: will be used by the Apache container later on and needs to be open/forwarded in your firewall/router
  • 443/UDP: will be used by the Apache container later on and needs to be open/forwarded in your firewall/router if you want to enable http3

I have installed nextcloud-aio using the reverse proxy. I can log in to Nextcloud when the IP is mapped to the internal DNS.

I am getting the above screen only when I map this IP to the NetScaler IP. There is a Citrix NetScaler. When we make a request to this URL from external, it goes to the external NetScaler IP, from there to the internal NetScaler IP, from there it reaches the internal DNS and then the server.

When I look at the configuration.json file, I see an entry where AIO_URL points to my internal ip:8080.

I couldn’t understand what condition the request is not meeting to load the correct login page.

I updated trusted_proxies in config.php with all the IPs the request passes through.

I updated the /etc/hosts file with these IPs and the same DNS entry.

It's working internally but not externally. As Nextcloud is giving some page as the response, we can say that the request is reaching the server, but the server is responding in a different way.

We need to understand when the Nextcloud server throws this page and what configuration changes fix this.

Reverse proxy configuration:

<VirtualHost *:80>
ServerName abc.com

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{SERVER_NAME} =abc.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
ServerName abc.com

# Reverse proxy based on https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html
RewriteEngine On
ProxyPreserveHost On
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
AllowEncodedSlashes NoDecode

ProxyPass / http://localhost:11000/ nocanon
ProxyPassReverse / http://localhost:11000/

RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
RewriteRule .? "ws://localhost:11000/%1" [P,L,UnsafeAllow3F]

# Enable h2, h2c and http1.1
Protocols h2 h2c http/1.1

# Solves slow upload speeds caused by http2
H2WindowSize 5242880

# TLS
SSLEngine               on
SSLProtocol             -all +TLSv1.2 +TLSv1.3
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off
SSLSessionTickets       off

# If running apache on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine,
# the <your-nc-domain> in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
# In this case the subdomain should already be secured without additional actions
SSLCertificateFile /etc/apache2/ssl/abc.pem
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile  /etc/apache2/ssl/abcchain.pem

# Disable HTTP TRACE method.
TraceEnable off
<Files ".ht*">
    Require all denied
</Files>

# Support big file uploads
LimitRequestBody 0
Timeout 86400
ProxyTimeout 86400
</VirtualHost>

nextcloud-aio install command:

sudo docker run \
    --init \
    --sig-proxy=false \
    --name nextcloud-aio-mastercontainer \
    --restart always \
    --publish 8080:8080 \
    --env APACHE_PORT=11000 \
    --env APACHE_IP_BINDING=0.0.0.0 \
    --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --env SKIP_DOMAIN_VALIDATION=true \
    nextcloud/all-in-one:latest
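The chain described in this post (external NetScaler → internal NetScaler → Apache reverse proxy → AIO) is exactly where trusted_proxies matters: a proxy is only believed about the X-Forwarded-For chain when it is itself trusted, and a hop missing from the list ends up being reported as the client address, so throttling and logging then apply to the proxy rather than to the real client. The following is an added example, not Nextcloud's own code (its exact header parsing may differ): it applies the usual rightmost-untrusted rule to a constructed chain and reports which forwarding hops are missing from trusted_proxies. All IP addresses are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed placeholders for the chain in this thread:
# client -> external NetScaler -> internal NetScaler -> Apache reverse proxy -> Nextcloud
TRUSTED_PROXIES = ["203.0.113.10", "10.20.0.0/24", "127.0.0.1"]


def _parse_ip(value: str):
    """Return an ip_address for value (brackets around IPv6 allowed), or None if invalid."""
    try:
        return ipaddress.ip_address(value.strip().strip("[]"))
    except ValueError:
        return None


def is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip matches an entry of trusted_proxies; entries may be single IPs or CIDR ranges."""
    addr = _parse_ip(ip)
    if addr is None:
        return False
    for entry in trusted:
        net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes a /32 or /128
        if addr in net:  # False automatically when the IP versions differ
            return True
    return False


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted: Iterable[str]) -> str:
    """Rightmost-untrusted rule: walk X-Forwarded-For from the right, skipping trusted hops.

    The header is only consulted when the directly connected peer is trusted, so a client
    talking to the server directly cannot choose its own address by sending the header.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            continue  # garbage in the header is skipped, never trusted
        if not is_trusted(hop, trusted):
            return hop.strip("[]")
    return remote_addr  # every listed hop is one of our own proxies


def missing_trusted_hops(remote_addr: str, x_forwarded_for: Optional[str], trusted: Iterable[str]) -> List[str]:
    """Forwarding hops that are not in trusted_proxies (the leftmost entry, the client, excluded).

    Any hop returned here would be reported as the client address, which is the symptom
    of a trusted_proxies list that does not cover the whole proxy chain.
    """
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    forwarding_hops = hops[1:] + [remote_addr]  # drop the client, add the direct peer
    return [h for h in forwarding_hops if _parse_ip(h) is not None and not is_trusted(h, trusted)]
```

Each hop appends the address of its own peer, so the chain Nextcloud sees for an external request is "client, external NetScaler, internal NetScaler" with the Apache host as the direct peer; run missing_trusted_hops with the real addresses to see which entry is absent from config.php.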

I’m having a really hard time getting how you try to configure it. From my understanding you have a chain of [ext Netscaler] → [int Netscaler] → [reverse proxy] → [AiO] and it works if you access through the external NS but not through the internal one? This makes no sense in my eyes… and if it is still the case you must systematically check the logs of the components - which host header is transmitted, which port is used… there must be a difference which you must remove. Your goal is to make the request look the same on the application level - same host header, same destination port. The only difference is on the network side - coming from the internal network you access the LAN IP, coming from the internet you access a public IP (which in turn connects to the internal one)…

It works for me when there is no NetScaler involved. I am using a Windows Active Directory domain; there is a CNAME configured for this Linux VM IP, and when I configure and access nextcloud-aio, it is accessible, asks me for the login credentials and everything works fine.

When I configure this CNAME to point to the internal NetScaler → at the internal NetScaler we have the entries for this server → external NetScaler (this external NetScaler is mapped to a public IP) - the NetScalers listen on ports 443 and 8080.

Is there any setting we can do in config.php to allow this kind of setup? Really hard to troubleshoot. No clues.

The nextcloud-aio instance is the same. The only difference is how we configure it, either for external-facing or for the internal network.