Hello guys,
sorry to be the next one who has problems with running nc-aio behind a reverse proxy. I have no idea what else to try and am therefore looking for help here.
Setup:
- AlmaLinux 9.4 running on a physical machine in my LAN
- Client: Docker Engine - Community
- Version: 27.1.1
- API version: 1.46
- OS/Arch: linux/amd64
- Nextcloud-AIO and nginx-reverse-proxy are running on the same host
Problem: When doing the domain validation I get the following error: Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')
When I have a look in the logs it says:
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!
If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[27-Jul-2024 09:46:10] NOTICE: fpm is running, pid 163
[27-Jul-2024 09:46:10] NOTICE: ready to handle connections
[Sat Jul 27 09:46:10.105485 2024] [mpm_event:notice] [pid 157:tid 157] AH00489: Apache/2.4.61 (Unix) OpenSSL/3.3.1 configured -- resuming normal operations
[Sat Jul 27 09:46:10.105504 2024] [core:notice] [pid 157:tid 157] AH00094: Command line: 'httpd -D FOREGROUND'
{"level":"info","ts":1722073570.109382,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1722073570.1100562,"msg":"adapted config to JSON","adapter":"caddyfile"}
NOTICE: PHP message: [...] connection attempt to "https://cloud.fhoyer.de:443" was: <html>
[... HTML error page returned by the proxy, containing <center>openresty</center>, ending in </html> ...]
NOTICE: PHP message: Expected was: ...
NOTICE: PHP message: The error message was:
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!
I went through the given Debugging-List (each item is followed by my own note after the dash):
- Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom! - I went through it several times and I can not find a mistake.
- Make sure that you used the docker run command that is described in this reverse proxy documentation. Hint: make sure that you have set the APACHE_PORT via e.g. --env APACHE_PORT=11000 during the docker run command!
- Make sure to set the APACHE_IP_BINDING variable correctly. If in doubt, set it to --env APACHE_IP_BINDING=0.0.0.0
- Make sure that all ports to which your reverse proxy is pointing match the chosen APACHE_PORT.
- Make sure to follow this to adapt the example configurations to your specific setup.
- Make sure that the mastercontainer is able to spawn other containers. You can do so by checking that the mastercontainer indeed has access to the Docker socket which might not be positioned in one of the suggested directories like /var/run/docker.sock but in a different directory, based on your OS and the way how you installed Docker. The mastercontainer logs should help figuring this out. You can have a look at them by running sudo docker logs nextcloud-aio-mastercontainer after the container is started the first time. - as "aio-domaincheck" is spawned I think this should not be the problem
- Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running nc -z localhost 11000; echo $? from inside the reverse proxy container. If the output is 0, everything works. Alternatively you can of course use instead of localhost the ip-address of the host here for the test. - netcat is not shipped with npm. But I used docker run -it --net host nicolaka/netshoot to run nc -z localhost 11000; echo $? and that worked.
- Make sure that you are not behind CGNAT. If that is the case, you will not be able to open ports properly. In that case you might use a Cloudflare Tunnel. - not applicable
- If you use Cloudflare, you might need to skip the domain validation anyways since it is known that Cloudflare might block the validation attempts. In that case, see the last option below. - not applicable
- If your reverse proxy is configured to use the host network (as recommended in the above docs) or running on the host, make sure that you've configured your firewall to open port 443 and 80. - the firewall still confuses me, but I am pretty sure the ports are open. I also followed the advice for distros using firewalld
- Check if you have a public IPv4- and public IPv6-address. If you only have a public IPv6-address (e.g. due to DS-Lite), make sure to enable IPv6 in Docker and your whole networking infrastructure (e.g. also by adding an AAAA DNS-entry to your domain).
- Try to configure everything from scratch if it still does not work by following the official nextcloud/all-in-one README on GitHub.
- As last resort, you may disable the domain validation by adding --env SKIP_DOMAIN_VALIDATION=true to the docker run command. But only use this if you are completely sure that you've correctly configured everything! - as I am not sure that I did not make a mistake I did not try this option
My docker-compose.yml for nc-aio:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    network_mode: bridge # add to the same network as docker run would do
    ports:
      # - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
      # - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    environment: # Is needed when using any of the options below
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/ma>
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      NEXTCLOUD_DATADIR: /mnt/md0/nc-data/ # Allows to set the host directory for Nextcloud's datadir. ⚠⚠⚠ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/al
      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      # NEXTCLOUD_UPLOAD_LIMIT: 10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      NEXTCLOUD_MEMORY_LIMIT: 2048M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-use>
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-ne>
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all>
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextc>
      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠⚠⚠ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don'
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-k>
      # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs >
    security_opt: ["label:disable"] # Is needed when using SELinux

volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
My docker-compose.yml for npm:

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    network_mode: host
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    # Uncomment the next line if you uncomment anything in the section
    environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
And my settings in npm:
Can you help me with telling me what I did wrong or giving me hints on how to debug this?
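An added, stand-alone Python helper (not from the original post or from the AIO project) that reproduces the checklist's connectivity test and the domain check as the mastercontainer log suggests it works: fetch the domain through the reverse proxy and compare the body with what APACHE_PORT serves directly, then say which side failed. The procedure, the 127.0.0.1 host address and the diagnosis strings are assumptions; the token AIO actually expects was elided in the log above as "Expected was: ...".

```python
import socket
import ssl
import urllib.request
from urllib.error import HTTPError, URLError


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Same question as `nc -z host port; echo $?` from the checklist: does anything accept TCP there?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_body(url: str, timeout: float = 5.0) -> str:
    """GET url and return the body, also for 4xx/5xx answers (that is where a proxy error page lives).
    Certificate checks are disabled: we want to see what the proxy forwards, not judge its certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as exc:  # the proxy answered, but with an error status: keep its body for diagnosis
        return exc.read().decode("utf-8", "replace")
    except (URLError, OSError) as exc:  # DNS failure, connection refused, timeout, TLS handshake failure
        return f"<<error: {exc}>>"


def classify_response(body: str, expected: str) -> str:
    """Turn a body from the domain check into the diagnosis a reader of the mastercontainer log wants."""
    if body.strip() == expected.strip():
        return "ok: the proxy forwarded the response from APACHE_PORT"
    if body.startswith("<<error:"):
        return "no answer: domain or port 443 not reachable from this host (DNS, NAT, firewall)"
    if "openresty" in body.lower() or "nginx" in body.lower():
        return "proxy error page: the request reached the proxy but was not forwarded to APACHE_PORT"
    return "unexpected body: something other than the AIO check answers on this domain"


def run_check(domain: str, apache_port: int, host_ip: str = "127.0.0.1") -> dict:
    """Assumed procedure: read the token directly from APACHE_PORT, then compare with what the domain returns."""
    result = {"apache_port_reachable": tcp_reachable(host_ip, apache_port)}
    if not result["apache_port_reachable"]:
        result["diagnosis"] = "APACHE_PORT closed: check APACHE_PORT, APACHE_IP_BINDING and that the check container runs"
        return result
    expected = fetch_body(f"http://{host_ip}:{apache_port}/")
    result["diagnosis"] = classify_response(fetch_body(f"https://{domain}:443/"), expected)
    return result
```

Run it on the proxy host as `run_check("your-domain.tld", 11000)`; if the direct fetch from port 11000 works but the domain returns the openresty page, the problem is in the proxy host configuration, not in AIO.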