Nextcloud 12 keeps banning my reverse proxy

I’ve a problem between my NC server and my HAproxy.

If I go through HAproxy, the login fails with the error

504 bad gateway

If I log in through the NC address, the login succeeds.

I think there is a configuration somewhere that blocks HAproxy, thinking it’s a DoS attack.

I’ve already tried to disable mod_evasive and to add the trusted proxy IP to the configuration, but no luck.

Where can I set PHP/Apache connection limits?


Are you positive it’s not a misconfiguration? HAProxy handles connections to 6 copies of Nextcloud for me with no problem.

I’m not sure since I’m still testing with the actual configuration, but I think that the problem was that I was missing the option to enable x-forward-for in the haproxy configuration. My proxy is a pfSense module.
Somehow I think that the PHP/Apache processes were overloaded in terms of memory and/or connection tracking, since all clients were tracked as the same IP (the haproxy one).

Can you provide a sample of your frontend/backend options? I’m only using SSL offloading, the x-forward-for option and SSL connection tracking.


Mine isn’t using SSL as it’s just a PoC, but hope this helps regardless. I can show an SSL config for another solution if you wish, also working fine.

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen nccluster
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    balance leastconn
    option httpclose
    option forwardfor
    server web1 check fall 1 rise 2
    server web2 check fall 1 rise 2
    server web3 check fall 1 rise 2
    server web4 check fall 1 rise 2
    server web5 check fall 1 rise 2
    server web6 check fall 1 rise 2
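
The effect discussed in this thread (every client being tracked as the HAProxy address until `option forwardfor` is set and the proxy is listed as trusted), as an added Python example. It is not from any poster and is not Nextcloud's own code; the addresses, the limit of 3 and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed values for illustration only (not from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # the HAProxy address
MAX_FAILURES = 3  # hypothetical per-address failed-login limit


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address the backend should attribute the request to."""
    # Only honour X-Forwarded-For when the TCP peer is a trusted proxy;
    # otherwise the header is client-controlled and must be ignored.
    if not xff_header or not is_trusted(peer_addr):
        return peer_addr
    # Walk right to left: the right-most entry was appended by our own proxy.
    # Stop at the first hop that is not itself a trusted proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return peer_addr


def blocked_addresses(requests):
    """requests: iterable of (peer_addr, xff_header, login_ok)."""
    failures = Counter()
    for peer, xff, ok in requests:
        if not ok:
            failures[client_ip(peer, xff)] += 1
    return {ip for ip, n in failures.items() if n >= MAX_FAILURES}


# Constructed sample: three users each mistype a password once, and one
# client fails three times. All arrive through the proxy at 10.0.0.5.
USERS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
WITHOUT_XFF = [("10.0.0.5", None, False) for _ in USERS]
WITH_XFF = [("10.0.0.5", u, False) for u in USERS] + [("10.0.0.5", "203.0.113.9", False)] * 3

if __name__ == "__main__":
    print("no forwardfor  :", blocked_addresses(WITHOUT_XFF))
    print("with forwardfor:", blocked_addresses(WITH_XFF))
```

Without the header, three unrelated single failures add up on the proxy address and it is the proxy that gets blocked; with the header honoured only from the trusted proxy, the limit applies per real client.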