Nextcloud 2.0.2 AIO - Installation fails

Hello, we have a HA Proxy in front of Nextcloud.

Everything still runs fine during installation, but then the Docker containers nextcloud/aio-apache:latest and nextcloud/aio-domaincheck:latest always exit.

Why?

Tried this:

sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
-e SKIP_DOMAIN_VALIDATION=true \
--restart always --publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

or that:


sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
-e APACHE_PORT=11000 \
-e SKIP_DOMAIN_VALIDATION=true \
-e NEXTCLOUD_DATADIR="/mnt/ncdata" \
-e NEXTCLOUD_UPLOAD_LIMIT=10G \
-e NEXTCLOUD_MOUNT="/mnt/" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

Failure:

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
2022-09-22 08:14:04,792 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
{"level":"info","ts":1663834445.836296,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"warn","ts":1663834445.8376222,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/Caddyfile","line":2}
{"level":"info","ts":1663834445.8387744,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1663834445.8389735,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"warn","ts":1663834445.8389845,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
{"level":"info","ts":1663834445.839067,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00036c150"}
{"level":"warn","ts":1663834445.8393326,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"error","ts":1663834445.8396316,"msg":"unable to create folder for config autosave","dir":"/var/www/.config/caddy","error":"mkdir /var/www/.config: permission denied"}
{"level":"info","ts":1663834445.839705,"msg":"serving initial configuration"}
{"level":"info","ts":1663834445.8397286,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/mnt/docker-aio-config/caddy/"}
{"level":"info","ts":1663834445.839777,"logger":"tls","msg":"finished cleaning storage units"}
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Thu Sep 22 08:14:05.849115 2022] [ssl:warn] [pid 101] AH01906: 172.17.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Sep 22 08:14:05.849423 2022] [ssl:warn] [pid 101] AH01909: 172.17.0.2:8080:0 server certificate does NOT include an ID which matches the server name
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Thu Sep 22 08:14:05.875755 2022] [ssl:warn] [pid 101] AH01906: 172.17.0.2:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Sep 22 08:14:05.876146 2022] [ssl:warn] [pid 101] AH01909: 172.17.0.2:8080:0 server certificate does NOT include an ID which matches the server name
[Thu Sep 22 08:14:05.879657 2022] [mpm_prefork:notice] [pid 101] AH00163: Apache/2.4.54 (Debian) PHP/8.0.23 OpenSSL/1.1.1n configured -- resuming normal operations
[Thu Sep 22 08:14:05.880202 2022] [core:notice] [pid 101] AH00094: Command line: 'apache2 -D FOREGROUND'

Can you post the logs of the apache container and your HAProxy config?

CONTAINER ID   IMAGE                              COMMAND                  CREATED       STATUS                     PORTS                                                                                                                     NAMES
383f1a41007c   nextcloud/aio-apache:latest        "start.sh /usr/bin/s…"   2 hours ago   Exited (0) 2 hours ago                                                                                                                               nextcloud-aio-apache
3ba6b8c4f1a3   nextcloud/aio-nextcloud:latest     "/start.sh /usr/bin/…"   2 hours ago   Up 3 minutes (healthy)     9000/tcp                                                                                                                  nextcloud-aio-nextcloud
cd4c52ccbed4   nextcloud/aio-redis:latest         "start.sh"               2 hours ago   Up 3 minutes (healthy)     6379/tcp                                                                                                                  nextcloud-aio-redis
76373d6284c6   nextcloud/aio-postgresql:latest    "start.sh"               2 hours ago   Up 3 minutes (healthy)     5432/tcp                                                                                                                  nextcloud-aio-database
e095b4519a3f   nextcloud/aio-domaincheck:latest   "/start.sh"              2 hours ago   Exited (137) 2 hours ago                                                                                                                             nextcloud-aio-domaincheck
2fd1ccd07a19   nextcloud/all-in-one:latest        "start.sh /usr/bin/s…"   2 hours ago   Up 3 minutes (healthy)     0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp   nextcloud-aio-mastercontainer

Apache Log:

Waiting for Nextcloud to start...
nc: getaddrinfo for host "nextcloud-aio-nextcloud" port 9000: Name or service not known
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.6. Set the 'ServerName' directive globally to suppress this message
{"level":"info","ts":1663834651.4324899,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"warn","ts":1663834651.4346657,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/Caddyfile","line":2}
{"level":"info","ts":1663834651.4358983,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1663834651.4362164,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0003924d0"}
{"level":"info","ts":1663834651.4362478,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"warn","ts":1663834651.4362597,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv0"}
{"level":"info","ts":1663834651.437259,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/mnt/data/caddy"}
{"level":"info","ts":1663834651.4373107,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1663834651.4374712,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["c.meyer.de"]}
{"level":"info","ts":1663834651.4379838,"msg":"autosaved config (load with --resume flag)","file":"/var/www/.config/caddy/autosave.json"}
{"level":"info","ts":1663834651.4380043,"msg":"serving initial configuration"}
{"level":"info","ts":1663834651.4384208,"logger":"tls.obtain","msg":"acquiring lock","identifier":"c.meyer.de"}
{"level":"info","ts":1663834651.4411757,"logger":"tls.obtain","msg":"lock acquired","identifier":"c.meyer.de"}
{"level":"info","ts":1663834652.2783682,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["c.meyer.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1663834652.2784834,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["c.meyer.de"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
{"level":"info","ts":1663834652.7654939,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"c.meyer.de","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1663834654.1353533,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"c.meyer.de","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]}}
{"level":"error","ts":1663834654.1354105,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"c.meyer.de","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge","instance":"","subproblems":[]},"order":"https://acme-v02.api.letsencrypt.org/acme/order/743275557/127787781647","attempt":1,"max_attempts":3}
{"level":"error","ts":1663834654.1354535,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"c.meyer.de","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge"}
{"level":"error","ts":1663834654.1354778,"logger":"tls.obtain","msg":"will retry","error":"[c.meyer.de] Obtain: [c.meyer.de] solving challenge: c.meyer.de: [c.meyer.de] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol \"acme-tls/1\" for tls-alpn-01 challenge (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.694256894,"max_duration":2592000}
{"level":"info","ts":1663834703.1944914,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1663834703.194546,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1663834703.195875,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0003924d0"}
{"level":"info","ts":1663834703.1959393,"logger":"tls.obtain","msg":"releasing lock","identifier":"c.meyer.de"}
{"level":"error","ts":1663834703.1961439,"logger":"tls.obtain","msg":"unable to unlock","identifier":"c.meyer.de","lock_key":"issue_cert_c.meyer.de","error":"remove /mnt/data/caddy/locks/issue_cert_c.meyer.de.lock: no such file or directory"}
{"level":"error","ts":1663834703.1961849,"logger":"tls","msg":"job failed","error":"c.meyer.de: obtaining certificate: context canceled"}
{"level":"info","ts":1663834703.197529,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1663834703.197552,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}

Firewall Log:

192.168.144.90 = Nextcloud
192.168.144.253 = Opnsense with HA Proxy

    192.168.144.52.2814 > 192.168.252.253.9292: Flags [S], cksum 0x0e38 (correct), seq 1143265525, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.214011 rule 67/0(match): pass in on em1: (tos 0x0, ttl 127, id 41599, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2815 > 192.168.252.253.9292: Flags [S], cksum 0xd969 (correct), seq 643705737, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.001514 rule 67/0(match): pass in on em1: (tos 0x0, ttl 127, id 41601, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2816 > 192.168.252.253.9292: Flags [S], cksum 0x9293 (correct), seq 1175409325, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000745 rule 67/0(match): pass in on em1: (tos 0x0, ttl 127, id 41603, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2817 > 192.168.252.253.9292: Flags [S], cksum 0x6faf (correct), seq 1807765471, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000835 rule 67/0(match): pass in on em1: (tos 0x0, ttl 127, id 41605, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2818 > 192.168.252.253.9292: Flags [S], cksum 0x50e4 (correct), seq 3097829828, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.005110 rule 67/0(match): pass in on em1: (tos 0x0, ttl 127, id 41616, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2819 > 192.168.252.253.9292: Flags [S], cksum 0xa4b9 (correct), seq 4151152421, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.220121 rule 66/0(match): pass in on em1: (tos 0x0, ttl 51, id 46203, offset 0, flags [DF], proto TCP (6), length 60)
    80.187.65.179.9164 > 192.168.252.253.443: Flags [S], cksum 0x325b (correct), seq 982578561, win 65535, options [mss 1340,sackOK,TS val 93219552 ecr 0,nop,wscale 8], length 0
 00:00:00.009273 rule 66/0(match): pass in on em1: (tos 0x0, ttl 51, id 41577, offset 0, flags [DF], proto TCP (6), length 60)
    80.187.65.179.9165 > 192.168.252.253.443: Flags [S], cksum 0x995f (correct), seq 2511745874, win 65535, options [mss 1340,sackOK,TS val 93219556 ecr 0,nop,wscale 8], length 0
 00:00:00.104391 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59513 > 192.168.144.2.443: Flags [S], cksum 0xb87f (incorrect -> 0x4f32), seq 1265648558, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3868189132 ecr 0], length 0
 00:00:00.039332 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59514 > 192.168.144.2.443: Flags [S], cksum 0xb87f (incorrect -> 0x073c), seq 3439798714, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2762802177 ecr 0], length 0
 00:00:01.735475 rule 66/0(match): pass in on em1: (tos 0x0, ttl 126, id 52528, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.254.83.60377 > 192.168.252.253.443: Flags [S], cksum 0x1747 (correct), seq 663210918, win 64240, options [mss 1319,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.238521 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59515 > 192.168.144.90.8080: Flags [S], cksum 0xb8d7 (incorrect -> 0x24a7), seq 233517909, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3307560305 ecr 0], length 0
 00:00:00.941569 rule 66/0(match): pass in on em1: (tos 0x0, ttl 127, id 41867, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2821 > 192.168.252.253.443: Flags [S], cksum 0x566e (correct), seq 2857192736, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.013327 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59516 > 192.168.144.90.11000: Flags [S], cksum 0xb8d7 (incorrect -> 0x5b8c), seq 2285815403, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 774414442 ecr 0], length 0
 00:00:00.443139 rule 66/0(match): pass in on em1: (tos 0x0, ttl 127, id 41876, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2822 > 192.168.252.253.443: Flags [S], cksum 0xcc85 (correct), seq 1782912784, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.006810 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59517 > 192.168.144.2.443: Flags [S], cksum 0xb87f (incorrect -> 0x5877), seq 849581123, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1002261390 ecr 0], length 0
 00:00:00.590722 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59518 > 192.168.144.90.11000: Flags [S], cksum 0xb8d7 (incorrect -> 0xdeeb), seq 1996881397, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 215817295 ecr 0], length 0
 00:00:01.012133 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59519 > 192.168.144.90.11000: Flags [S], cksum 0xb8d7 (incorrect -> 0x6453), seq 2147586077, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3092795463 ecr 0], length 0
 00:00:00.402006 rule 66/0(match): pass in on em1: (tos 0x2,ECT(0), ttl 127, id 17022, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.11.51993 > 192.168.252.253.443: Flags [SEW], cksum 0x805e (correct), seq 880662612, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.007758 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59520 > 192.168.144.90.8080: Flags [S], cksum 0xb8d7 (incorrect -> 0x32a4), seq 2335711402, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1941517881 ecr 0], length 0
 00:00:00.635460 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59521 > 192.168.144.90.11000: Flags [S], cksum 0xb8d7 (incorrect -> 0x83f3), seq 2696033783, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 873393764 ecr 0], length 0
 00:00:01.447019 rule 66/0(match): pass in on em1: (tos 0x0, ttl 127, id 41886, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.144.52.2824 > 192.168.252.253.443: Flags [S], cksum 0x9a89 (correct), seq 2251500828, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.013491 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59522 > 192.168.144.12.8090: Flags [S], cksum 0xb889 (incorrect -> 0x38a0), seq 3637235169, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2468877893 ecr 0], length 0
 00:00:00.547563 rule 66/0(match): pass in on em1: (tos 0x0, ttl 126, id 11221, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.254.113.63816 > 192.168.252.253.443: Flags [S], cksum 0x5292 (correct), seq 3594113936, win 64240, options [mss 1458,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.098009 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59523 > 192.168.144.90.443: Flags [S], cksum 0xb8d7 (incorrect -> 0xffee), seq 4203134005, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2456182073 ecr 0], length 0
 00:00:00.567528 rule 66/0(match): pass in on em1: (tos 0x0, ttl 126, id 11231, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.254.113.63817 > 192.168.252.253.443: Flags [S], cksum 0x2540 (correct), seq 4029671147, win 64240, options [mss 1458,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.199774 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59524 > 192.168.144.2.443: Flags [S], cksum 0xb87f (incorrect -> 0x4919), seq 3844093588, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1562502322 ecr 0], length 0
 00:00:00.257451 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59525 > 192.168.144.90.443: Flags [S], cksum 0xb8d7 (incorrect -> 0xe466), seq 2928915251, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 4269040038 ecr 0], length 0
 00:00:01.023924 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59526 > 192.168.144.90.443: Flags [S], cksum 0xb8d7 (incorrect -> 0x5cb8), seq 1989444906, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2719525816 ecr 0], length 0
 00:00:00.576284 rule 66/0(match): pass in on em1: (tos 0x0, ttl 126, id 52713, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.254.144.51516 > 192.168.252.253.443: Flags [S], cksum 0xabd5 (correct), seq 3962016833, win 64240, options [mss 1458,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.142410 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59527 > 192.168.144.2.443: Flags [S], cksum 0xb87f (incorrect -> 0x9b69), seq 689108052, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1328455328 ecr 0], length 0
 00:00:00.317848 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59528 > 192.168.144.90.443: Flags [S], cksum 0xb8d7 (incorrect -> 0xab9f), seq 3510976964, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1266392097 ecr 0], length 0
 00:00:01.530653 rule 66/0(match): pass in on em1: (tos 0x0, ttl 126, id 52540, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.254.83.60378 > 192.168.252.253.443: Flags [S], cksum 0xe973 (correct), seq 2577565533, win 64240, options [mss 1319,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.199180 rule 60/0(match) [uid 80]: pass out on em0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.144.253.59529 > 192.168.144.2.443: Flags [S], cksum 0xb87f (incorrect -> 0x482b), seq 2257932740, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 4000356263 ecr 0], length 0

HA Proxy Config

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log audit debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: LetsEncrypt_443 ()
frontend LetsEncrypt_443
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/605f6609f106d1.17683543.certlist 
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACL: Nextcloud
    acl acl_60604e669c3ca4.13013327 hdr(host) -i c.meyer.de
    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
    # ACTION: Nextcloud
    use_backend Nextcloud if acl_60604e669c3ca4.13013327


# Frontend: LetsEncrypt_80 ()
frontend LetsEncrypt_80
    bind 192.168.252.253:80 name 192.168.252.253:80 
    mode tcp
    default_backend acme_challenge_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920

# Frontend (DISABLED): 1_HTTP_frontend ()

# Frontend (DISABLED): 1_HTTPS_frontend ()

# Frontend (DISABLED): 0_SNI_frontend ()


# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

# Backend: Nextcloud ()
backend Nextcloud
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Nextcloud2 192.168.144.90:11000 ssl verify none
    server Nextcloud3 192.168.144.90:443 ssl verify none
    server Nextcloud4 192.168.144.90:8443 ssl verify none
    server Nextcloud5 192.168.144.90:8080 ssl verify none
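As an added example (not code from this thread or from the Nextcloud AIO project), a small Python audit that parses the backend sections of the HAProxy config above and reports what a reviewer would raise: servers reached over TLS with `verify none` (the proxy accepts any backend certificate), four servers on different ports inside one `balance source` backend, and no health checks. The config text is embedded as a constructed sample copied from the post; the check names are this script's own.

```python
"""Audit HAProxy backend definitions for settings a security reviewer would flag.
Added example; not code from the thread or from Nextcloud AIO."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the two backends from the HAProxy config posted above.
HAPROXY_SAMPLE = """\
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

backend Nextcloud
    # health checking is DISABLED
    mode http
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server Nextcloud2 192.168.144.90:11000 ssl verify none
    server Nextcloud3 192.168.144.90:443 ssl verify none
    server Nextcloud4 192.168.144.90:8443 ssl verify none
    server Nextcloud5 192.168.144.90:8080 ssl verify none
"""


@dataclass
class Server:
    name: str
    host: str
    port: int
    ssl: bool                 # 'ssl' keyword present: proxy speaks TLS to this server
    verify: Optional[str]     # value after 'verify' (none/required), or None if absent
    health_check: bool        # 'check' keyword present


@dataclass
class Backend:
    name: str
    balance: Optional[str] = None
    servers: List[Server] = field(default_factory=list)


SERVER_RE = re.compile(r"^server\s+(\S+)\s+([^\s:]+):(\d+)(?:\s+(.*))?$")
SECTION_START = ("global", "defaults", "frontend ", "listen ")


def parse_backends(text: str) -> List[Backend]:
    """Collect backend sections and their server lines; other sections are skipped."""
    backends: List[Backend] = []
    current: Optional[Backend] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("backend "):
            current = Backend(name=line.split(None, 1)[1].strip())
            backends.append(current)
            continue
        if line.startswith(SECTION_START):
            current = None          # left the backend section
            continue
        if current is None:
            continue
        if line.startswith("balance "):
            current.balance = line.split()[1]
            continue
        m = SERVER_RE.match(line)
        if m:
            name, host, port, rest = m.groups()
            opts = (rest or "").split()
            verify = None
            if "verify" in opts and opts.index("verify") + 1 < len(opts):
                verify = opts[opts.index("verify") + 1]
            current.servers.append(
                Server(name, host, int(port), "ssl" in opts, verify, "check" in opts))
    return backends


def audit(backends: List[Backend]) -> List[Tuple[str, str, str]]:
    """Return (backend, check, detail) findings; check names are this script's own."""
    findings = []
    for b in backends:
        ports = sorted({s.port for s in b.servers})
        if len(ports) > 1:
            findings.append((b.name, "mixed_backend_ports",
                             f"servers on ports {ports} in one backend (balance={b.balance}): "
                             "each client IP is pinned to one of them"))
        for s in b.servers:
            if s.ssl and s.verify != "required":
                findings.append((b.name, "unverified_backend_tls",
                                 f"{s.name} {s.host}:{s.port}: ssl with verify={s.verify or 'unset'}, "
                                 "backend certificate is not validated"))
            if not s.health_check:
                findings.append((b.name, "no_health_check",
                                 f"{s.name}: no 'check' keyword, an unreachable server stays in rotation"))
    return findings


if __name__ == "__main__":
    for backend, check, detail in audit(parse_backends(HAPROXY_SAMPLE)):
        print(f"[{check}] {backend}: {detail}")
```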

Can you try again with that and send me the fresh logs of the apache container?

Now the apache container is running, but the page doesn't open yet.

Error message:
503 Service Unavailable
No server is available to handle this request.

nc: getaddrinfo: Name does not resolve
Waiting for database to start...
Configuring Redis as session handler...
Setting php max children...
Initializing nextcloud 24.0.5.1 ...
Initializing finished
New nextcloud instance
Installing with PostgreSQL database
starting nextcloud installation
Nextcloud was successfully installed
Applying default settings...
System config value loglevel set to string 2
System config value log_type set to string file
System config value logfile set to string /var/www/html/data/nextcloud.log
System config value log_rotate_size set to string 10485760
admin_audit 1.14.0 enabled
Config value logfile for app admin_audit set to /var/www/html/data/audit.log
System config value log.condition => apps => 0 set to string admin_audit
Applying preview settings...
System config value preview_max_x set to string 2048
System config value preview_max_y set to string 2048
System config value jpeg_quality set to string 60
Config value jpeg_quality for app preview set to 60
System config value enabledPreviewProviders deleted
System config value enabledPreviewProviders => 1 set to string OC\Preview\Image
System config value enabledPreviewProviders => 2 set to string OC\Preview\MarkDown
System config value enabledPreviewProviders => 3 set to string OC\Preview\MP3
System config value enabledPreviewProviders => 4 set to string OC\Preview\TXT
System config value enabledPreviewProviders => 5 set to string OC\Preview\OpenDocument
System config value enabledPreviewProviders => 6 set to string OC\Preview\Movie
System config value enable_previews set to boolean true
Applying other settings...
System config value upgrade.disable-web set to boolean true
System config value mail_smtpmode set to string smtp
System config value trashbin_retention_obligation set to string auto, 30
System config value versions_retention_obligation set to string auto, 30
System config value activity_expire_days set to string 30
System config value simpleSignUpLink.shown set to boolean false
System config value share_folder set to string /Shared
twofactor_totp 6.4.0 installed
twofactor_totp enabled
deck 1.7.1 installed
deck enabled
tasks 0.14.4 installed
tasks enabled
calendar 3.5.0 installed
calendar enabled
contacts 4.2.1 installed
contacts enabled
apporder 0.15.0 installed
apporder enabled
System config value tempdirectory set to string /mnt/ncdata/tmp/
Applying one-click-instance settings...
System config value one-click-instance set to boolean true
System config value one-click-instance.user-limit set to integer 100
Adjusting log files...
System config value logfile set to string /var/www/html/data/nextcloud.log
Config value logfile for app admin_audit set to /var/www/html/data/audit.log
Applying network settings...
System config value trusted_domains => 1 set to string c.meyer.de
System config value overwrite.cli.url set to string https://c.meyer.de/
System config value htaccess.RewriteBase set to string /
.htaccess has been updated
System config value files_external_allow_create_new_local set to boolean true
notify_push 0.4.0 installed
notify_push enabled
System config value trusted_proxies => 0 set to string 127.0.0.1
System config value trusted_proxies => 1 set to string ::1
Config value base_endpoint for app notify_push set to https://c.meyer.de/push
richdocuments 6.2.0 installed
richdocuments enabled
Config value wopi_url for app richdocuments set to https://c.meyer.de/
System config value allow_local_remote_servers set to boolean true
spreed 14.0.5 installed
spreed enabled
Config value stun_servers for app spreed set to ["c.meyer.de:3478"]
Config value turn_servers for app spreed set to [{"server":"c.meyer.de:3478","secret":"c3c79f97772ece8b35809be7eed1c58a6e5d0191e047a5c6","protocols":"udp,tcp"}]
Config value signaling_servers for app spreed set to {"servers":[{"server":"https://c.meyer.de/standalone-signaling/","verify":true}],"secret":"9df75aee81a3a80bfa58a8be2871dc9c1a14e7f01ea03cd5"}
files_antivirus 3.3.1 installed
files_antivirus enabled
Config value av_mode for app files_antivirus set to daemon
Config value av_port for app files_antivirus set to 3310
Config value av_host for app files_antivirus set to nextcloud-aio-clamav
Config value av_stream_max_length for app files_antivirus set to 104857600
Config value av_max_file_size for app files_antivirus set to -1
Config value av_infected_action for app files_antivirus set to only_log
fulltextsearch 24.0.0 installed
fulltextsearch enabled
fulltextsearch_elasticsearch 24.0.1 installed
fulltextsearch_elasticsearch enabled
nc: getaddrinfo for host "nextcloud-aio-nextcloud" port 9000: Name or service not known
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
CONTAINER ID   IMAGE                                 COMMAND                  CREATED          STATUS                        PORTS                                                                                  NAMES
47104a8565c4   nextcloud/aio-apache:latest           "start.sh /usr/bin/s…"   9 minutes ago    Up 9 minutes (healthy)        0.0.0.0:11000->11000/tcp, :::11000->11000/tcp                                          nextcloud-aio-apache
eddbd4779cd9   nextcloud/aio-nextcloud:latest        "/start.sh /usr/bin/…"   9 minutes ago    Up 9 minutes (healthy)        9000/tcp                                                                               nextcloud-aio-nextcloud
d7c58fd63284   nextcloud/aio-imaginary:latest        "/usr/local/bin/imag…"   10 minutes ago   Up 10 minutes (healthy)       9000/tcp                                                                               nextcloud-aio-imaginary
9917bddbf0a6   nextcloud/aio-fulltextsearch:latest   "/bin/tini -- /usr/l…"   10 minutes ago   Up 10 minutes (healthy)       9200/tcp, 9300/tcp                                                                     nextcloud-aio-fulltextsearch
46092805bb11   nextcloud/aio-clamav:latest           "/init"                  11 minutes ago   Up 11 minutes (healthy)       3310/tcp, 7357/tcp                                                                     nextcloud-aio-clamav
186685814d87   nextcloud/aio-redis:latest            "start.sh"               11 minutes ago   Up 11 minutes (healthy)       6379/tcp                                                                               nextcloud-aio-redis
c496d714bba9   nextcloud/aio-postgresql:latest       "start.sh"               12 minutes ago   Up 12 minutes (healthy)       5432/tcp                                                                               nextcloud-aio-database
48bb59330ef4   nextcloud/aio-talk:latest             "start.sh /usr/bin/s…"   12 minutes ago   Up 12 minutes (healthy)       0.0.0.0:3478->3478/tcp, 0.0.0.0:3478->3478/udp, :::3478->3478/tcp, :::3478->3478/udp   nextcloud-aio-talk
78d51a857ddd   nextcloud/aio-collabora:latest        "/start-collabora-on…"   12 minutes ago   Up 12 minutes (healthy)       9980/tcp                                                                               nextcloud-aio-collabora
e7220fe0530f   nextcloud/aio-domaincheck:latest      "/start.sh"              14 minutes ago   Exited (137) 14 minutes ago                                                                                          nextcloud-aio-domaincheck
e31b75b70cc9   nextcloud/all-in-one:latest           "start.sh /usr/bin/s…"   14 minutes ago   Up 14 minutes (healthy)       80/tcp, 8443/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp                            nextcloud-aio-mastercontainer

The Apache logs do not seem complete… However, AIO seems to work now, so there must be something wrong with your HAProxy config. The config needs to point towards the given Apache port, e.g. http://ip.of.this.server:11000, and not at 5 different backends at the same time. Also, where in your HAProxy config did you specify the domain that Nextcloud will use?

Yes, thank you, it works now. Had wrong settings because I had tested too much.

But what was the problem now? Haven’t you done anything differently? Or am I missing something?

Great that it works now! Can you post your working HAProxy config here? We are looking into documenting it in our reverse proxy documentation… BTW: is Nextcloud Office working for you?

Working HA proxy configuration

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log audit debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: LetsEncrypt_443 ()
frontend LetsEncrypt_443
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/605f6609f106d1.17683543.certlist 
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/
    # ACL: Nextcloud
    acl acl_60604e669c3ca4.13013327 hdr(host) -i c.meyer.de

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
    # ACTION: Nextcloud
    use_backend Nextcloud if acl_60604e669c3ca4.13013327


# Frontend: LetsEncrypt_80 ()
frontend LetsEncrypt_80
    bind 192.168.252.253:80 name 192.168.252.253:80 
    # mode tcp: the path_beg ACL below is a layer-7 condition and never matches in
    # TCP mode, so every port-80 connection (ACME or not) goes to default_backend;
    # there is no HTTP-to-HTTPS redirect on this frontend
    mode tcp
    default_backend acme_challenge_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920

# Frontend (DISABLED): 1_HTTP_frontend ()

# Frontend (DISABLED): 1_HTTPS_frontend ()

# Frontend (DISABLED): 0_SNI_frontend ()

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

# Backend: Nextcloud ()
backend Nextcloud
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    # Apache container, APACHE_PORT=11000: the only target AIO needs
    server Nextcloud1 192.168.144.90:11000 
    # Nextcloud2 is the AIO mastercontainer interface (port 8080, self-signed
    # certificate, hence "verify none"). With health checks disabled and
    # "balance source", a share of client IPs hash to this server and land on
    # the AIO admin interface instead of Nextcloud; as the reply above says,
    # the backend should only point at the Apache port (11000).
    server Nextcloud2 192.168.144.90:8080 ssl verify none

# Backend (DISABLED): SSL_backend ()

Nextcloud Office works perfectly

I would now like to connect the Nextcloud to an Active Directory server via LDAP. But how? I don’t understand the instructions in Github.

Thanks! This looks like a quite advanced HAProxy config. Would you be able to give me a simpler one for our documentation? I doubt that all of yours is needed for a simple one…

Great!

Sorry, this is not directly related to AIO, so I hope that someone else steps in to help you. Also, I guess it is better to open a new thread regarding this.

I think it’s easier that way

global
    chroot                      /var/haproxy
    log                         /var/run/log audit debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    retries 3
    default-server init-addr last,libc

# Frontend: LetsEncrypt_443 ()
# (frontend header, bind and use_backend carried over from the full config above;
#  an acl line outside a section does not load)
frontend LetsEncrypt_443
    bind 192.168.252.253:443 ssl crt-list /tmp/haproxy/ssl/605f6609f106d1.17683543.certlist
    mode http
    option forwardfor

    # ACL: Nextcloud
    acl acl_60604e669c3ca4.13013327 hdr(host) -i HOSTNAME
    use_backend Nextcloud if acl_60604e669c3ca4.13013327

# Backend: Nextcloud ()
backend Nextcloud
    mode http
    balance source
    # Apache container, APACHE_PORT=11000: the only target AIO needs
    server Nextcloud1 192.168.144.90:11000 
    # AIO mastercontainer interface (8080, self-signed, hence "verify none");
    # the backend should only point at the Apache port (11000), see the reply above
    server Nextcloud2 192.168.144.90:8080 ssl verify none
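As an added check for the two configs above (example code written for this thread, not code from the thread or from the Nextcloud AIO project): a small Python lint that parses the backend sections of an HAProxy config and reports a Nextcloud backend that forwards anywhere other than the Apache container. It assumes APACHE_PORT=11000 and the mastercontainer on 8080, as in the docker run command earlier in the thread; the embedded config is a constructed excerpt of the posted one, and the "fixed" variant simply drops the 8080 server line.

```python
"""Lint the Nextcloud backend of an HAProxy config for a Nextcloud AIO setup.

Added example for this thread; it is not code from the thread or from the
Nextcloud AIO project. Assumed from the docker run command earlier in the
thread: APACHE_PORT=11000 is the only port the reverse proxy should forward
to, and 8080 is the AIO mastercontainer (admin) interface, which must not be
reachable through the public Nextcloud hostname.
"""
import re
from typing import Dict, List, Tuple

APACHE_PORT = 11000          # assumption: -e APACHE_PORT=11000
MASTERCONTAINER_PORT = 8080  # assumption: --publish 8080:8080 (self-signed TLS)

Server = Tuple[str, str, int, str]  # (server name, host, port, remaining options)

# Constructed sample: the backend sections as posted in the thread, trimmed.
SAMPLE_CFG = """\
global
    maxconn 10000

backend acme_challenge_backend
    mode http
    server acme_challenge_host 127.0.0.1:43580

backend Nextcloud
    # health checking is DISABLED
    mode http
    balance source
    server Nextcloud1 192.168.144.90:11000
    server Nextcloud2 192.168.144.90:8080 ssl verify none
"""

# Corrected variant: only the Apache container remains in the backend.
FIXED_CFG = SAMPLE_CFG.replace(
    "    server Nextcloud2 192.168.144.90:8080 ssl verify none\n", "")

_SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
_SERVER = re.compile(r"^\s*server\s+(\S+)\s+([^\s:]+):(\d+)(.*)$")


def parse_backends(cfg: str) -> Dict[str, List[Server]]:
    """Map each backend/listen section name to its 'server' lines."""
    backends: Dict[str, List[Server]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        sec = _SECTION.match(line)
        if sec:
            # only backend/listen sections can carry server lines
            current = sec.group(2) if sec.group(1) in ("backend", "listen") else None
            if current is not None:
                backends.setdefault(current, [])
            continue
        srv = _SERVER.match(line)
        if current is not None and srv:
            backends[current].append(
                (srv.group(1), srv.group(2), int(srv.group(3)), srv.group(4).strip()))
    return backends


def lint_nextcloud_backend(cfg: str, backend: str = "Nextcloud") -> List[str]:
    """Return findings for the Nextcloud backend; an empty list means it is fine."""
    findings: List[str] = []
    servers = parse_backends(cfg).get(backend)
    if not servers:
        return [f"backend '{backend}' missing or has no server lines"]
    for name, host, port, opts in servers:
        if port == MASTERCONTAINER_PORT:
            findings.append(f"{name}: {host}:{port} is the AIO mastercontainer admin "
                            "interface and must not be served under the Nextcloud hostname")
        elif port != APACHE_PORT:
            findings.append(f"{name}: {host}:{port} is not the Apache port {APACHE_PORT}")
        if "verify none" in opts:
            findings.append(f"{name}: backend TLS certificate verification is disabled")
    if len(servers) > 1:
        findings.append(f"backend '{backend}' lists {len(servers)} servers; AIO needs exactly "
                        f"one, the Apache container on port {APACHE_PORT}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CFG), ("fixed", FIXED_CFG)):
        print(f"[{label}]")
        for finding in lint_nextcloud_backend(cfg) or ["ok"]:
            print("  ", finding)
```

Run against the posted config it reports three findings (the 8080 server, its disabled certificate verification, and the second server in a backend that should have one); against the variant with only port 11000 it reports nothing.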

Thank you! Am I allowed to use this config as an example for HAProxy in our reverse proxy documentation?

Of course, even gladly.

Great, thank you!

I added the provided config here: add HaProxy to reverse proxy documentation by szaimen · Pull Request #1197 · nextcloud/all-in-one · GitHub

Does this look good to you or should we rather add a bit more so that it also covers Lets encrypt? What do you think? :slight_smile:

Ping @dima ? :slight_smile:

I find it better with Lets Encrypt, since an HA proxy makes little sense without this service.

Thanks for the reply! I added Let's Encrypt back to the documentation. Can you please check if it still makes sense now?