Nextcloud AIO Docker with reverse proxy managed by pfsense

Hi all, i would like to install nextcloud on a ubuntu and make it available throug internet and i’ve tried many different ways but i’m stacked

i followed the guidelines for reverse proxy but it is managed by pfsense and i’ve configured well the HAproxy in there

i’m running the config with this

sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--publish 443:443 \
--env APACHE_PORT=11000 \
--env APACHE_DISABLE_REWRITE_IP=1 \
--env NEXTCLOUD_TRUSTED_DOMAINS=test.domains.it \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

and i can login in there into the https://ip:8080 but when in aio i put my domain i get this error

NOTICE: PHP message: It seems like the ip-address of test.domains.it is set to an internal or reserved ip-address. (It was found to be set to 'x.x.x.x')
NOTICE: PHP message: The response of the connection attempt to "https://cloud.glamourviaggi.it:443" was: 
NOTICE: PHP message: Expected was: 85fc96f3cb24813dd2518b99e527d3b49971e025778b4404
NOTICE: PHP message: The error message was: SSL certificate problem: unable to get local issuer certificate

i’ve seen some workaround like to not enable ssl encrypt into pfsense ha proxy config or tried with ssl offloading and without

or doing overprotocol =>https in config.php(this i can’t managed because i don’t know in the aio installation where to find config.php to editing)

hope someone could help me

Hi, can you follow all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub?

hi, in the step 5, the reverse proxy is pfsense that is located in a vm so is not in the host os and not in a container

Make sure that the reverse proxy is running on the host OS or if running in a container, connected to the host network. If that is not possible (e.g. on Windows or if the reverse proxy is running on a different host), substitute localhost or 127.0.0.1 in the default configurations by the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'. If the command returns a public ip-address, use ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||' instead (the commands only work on Linux)

and when i retrieve the first code i get the ip of the OS where i wanna host nextcloud

when i use the second i get the docker network ip

First try the ip of the first command then.

what you mean?

I meant the ip of the OS.

hi, so i’ve tested a little bit

first one, i don’t need to open apache port because the reversed proxy is not in the same host, pfsense with haproxy package is in other machine

in the ha proxy i’ve set the ip of the vm with nextcloud and port 8195 so now the code appears like this

sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8195:8080 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

and now when i try to put the domain i get a new error

"it seems like the ip-address is set to an internal or reserver ip address. This is not supported. (it was found to be set to “pfsense ip”)

so looks like that the container can exit and see the pfsense and ping the haproxy but haproxy can’t reverse to the public ip i guess if i understand well

You got it wrongly. You need to set APACHE_PORT and APACHE_IP_BINDING if you want to run AIO behind a reverse proxy.

So something like the following will probably be correct in your case:

sudo docker run \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8195:8080 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
nextcloud/all-in-one:latest

Then in haproxy you point at http://ip.address.of.host.that.runs.AIO:11000

And finally you open the AIO interface and it should accept your domain that you’ve configured in haproxy.

All these steps are documented in all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

nothing, i get the same SSL certificate problem

i’m using a wildcard in ssl offloading in the frontend of HAproxy and in backend i’ve set the ip of the host where i run aio and set port 11000 with encrypt ssl and ssl check

Did you use the recommended haproxy config from all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub?

yes everything is ok but i need that the nextcloud config accept my proxy host there is a command or something? because i’ve added trusted_proxies_domain=ip pfsense, but in the log when i put

2023-06-14T14:47:42.726283038Z NOTICE: PHP message: It seems like the ip-address of https://test.ncdomain.com:443 is set to an internal or reserved ip-address. (It was found to be set to '10.*.*.*')
2023-06-14T14:47:42.753087371Z NOTICE: PHP message: The response of the connection attempt to "https://test.ncdomain.com:443" was: 
2023-06-14T14:47:42.753201252Z NOTICE: PHP message: Expected was: 5b691f308e26c354ce10920e2d5e75312c8c890ee66f4e2b
2023-06-14T14:47:42.753280068Z NOTICE: PHP message: The error message was: SSL certificate problem: unable to get local issuer certificate

So you have a valid Lets-encrypt certificate for your domain that is used in haproxy?

not a lets encrypt, i’ve a wildcard of another certificate that i use with other services(and is setup in the HAproxy the wildcard for the domain)

Okay but it is a valid globally trusted certificate?

yes, is Digicert

Then I dont have a good explanation why it does not work in your case.

You might want to skip the domain validation then by following GitHub - nextcloud/all-in-one: Nextcloud AIO stands for Nextcloud All-in-One and provides easy deployment and maintenance with most features included in this one Nextcloud instance.