Nextcloud AIO HTTP ERROR 502

Windows 11
Docker 4.16.2
CADDY_VERSION v2.6.2
Nextcloud Version 25.0.3
Nextcloud AIO v4.2.0 (latest channel)

I got Nextcloud AIO up and running last night after much troubleshooting with the caddy reverse-proxy.
Note: that fix was switching reverse_proxy nextcloud:11000 or reverse_proxy localhost:11000 to reverse_proxy 172.30.255.19:11000 and removing the --network host option. I suspect this may be an issue, though, because that WSL IP keeps changing.

Everything was going well and I was installing apps and uploading a user backup file, and the next time I looked back at it my browser wasn’t running and the site was down, almost like it had crashed, but the Docker containers were still running. Reboots and restarts didn’t seem to fix it.

The AIO interface is up and shows the containers as up as well.

Caddyfile

$ docker exec -it caddy cat /etc/caddy/Caddyfile
https://nextcloud.weme.wtf:443 {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 172.17.165.11:11000
#       reverse_proxy nextcloud:11000
#       reverse_proxy 127.0.0.1:11000;
#       reverse_proxy 172.30.255.19:11000
}
https://weme.wtf:443 { # This still works fine so I suspect the format (mentioned in logs) isn't the issue.
        header Strict-Transport-Security max-age=31536000;
        respond "weme.wtf"
}

docker-compose.yml

$ cat .\weme.wtf\docker-compose.yml
services:
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./certs:/certs
      - ./config:/config
      - ./data:/data
      - ./sites:/srv
    ports:
      - "80:80"
      - "443:443"

  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8080:8080"
    environment:
      - APACHE_PORT=11000
#      - APACHE_IP_BINDING=127.0.0.1 # Originally got nextcloud working without this but if it allows me to use localhost or 127.0.0.1 then that would work
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - //var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - caddy

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

Logs

Trying to fix docker.sock permissions internally...
Adding internal www-data to group root
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
Initial startup of Nextcloud All In One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
{"level":"info","ts":1674939914.8545473,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"warn","ts":1674939914.855257,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/Caddyfile","line":2}
{"level":"info","ts":1674939914.8557281,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"warn","ts":1674939914.8558178,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"warn","ts":1674939914.855823,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
{"level":"warn","ts":1674939914.855925,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1674939914.85594,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00080eaf0"}
{"level":"info","ts":1674939914.855988,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1674939914.8560016,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1674939914.8559995,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/mnt/docker-aio-config/caddy/"}
{"level":"info","ts":1674939914.856027,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1674939914.8560448,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1674939914.8561196,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"error","ts":1674939914.8561325,"msg":"unable to create folder for config autosave","dir":"/root/.config/caddy","error":"mkdir /root/.config: permission denied"}
{"level":"info","ts":1674939914.8561423,"msg":"serving initial configuration"}
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.3. Set the 'ServerName' directive globally to suppress this message
[Sat Jan 28 21:05:14.884152 2023] [ssl:warn] [pid 122] AH01906: 172.20.0.3:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jan 28 21:05:14.884190 2023] [ssl:warn] [pid 122] AH01909: 172.20.0.3:8080:0 server certificate does NOT include an ID which matches the server name
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.3. Set the 'ServerName' directive globally to suppress this message
[Sat Jan 28 21:05:14.897459 2023] [ssl:warn] [pid 122] AH01906: 172.20.0.3:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jan 28 21:05:14.897484 2023] [ssl:warn] [pid 122] AH01909: 172.20.0.3:8080:0 server certificate does NOT include an ID which matches the server name
[Sat Jan 28 21:05:14.899298 2023] [mpm_prefork:notice] [pid 122] AH00163: Apache/2.4.54 (Debian) PHP/8.1.14 OpenSSL/1.1.1n configured -- resuming normal operations
[Sat Jan 28 21:05:14.899314 2023] [core:notice] [pid 122] AH00094: Command line: 'apache2 -D FOREGROUND'
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
Initial startup of Nextcloud All In One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080

If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
{"level":"info","ts":1674940370.4664526,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
{"level":"warn","ts":1674940370.4672103,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/Caddyfile","line":2}
{"level":"info","ts":1674940370.4686441,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1674940370.468789,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"warn","ts":1674940370.4687965,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv1"}
{"level":"warn","ts":1674940370.468881,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1674940370.4688935,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00069e310"}
{"level":"info","ts":1674940370.4689507,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/mnt/docker-aio-config/caddy/"}
{"level":"info","ts":1674940370.4689684,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1674940370.4689775,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1674940370.468989,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1674940370.4690452,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1674940370.4691014,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"error","ts":1674940370.4691176,"msg":"unable to create folder for config autosave","dir":"/root/.config/caddy","error":"mkdir /root/.config: permission denied"}
{"level":"info","ts":1674940370.4691231,"msg":"serving initial configuration"}
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.3. Set the 'ServerName' directive globally to suppress this message
[Sat Jan 28 21:12:50.961470 2023] [ssl:warn] [pid 111] AH01906: 172.20.0.3:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jan 28 21:12:50.961508 2023] [ssl:warn] [pid 111] AH01909: 172.20.0.3:8080:0 server certificate does NOT include an ID which matches the server name
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.3. Set the 'ServerName' directive globally to suppress this message
[Sat Jan 28 21:12:51.020779 2023] [ssl:warn] [pid 111] AH01906: 172.20.0.3:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jan 28 21:12:51.020804 2023] [ssl:warn] [pid 111] AH01909: 172.20.0.3:8080:0 server certificate does NOT include an ID which matches the server name
[Sat Jan 28 21:12:51.022448 2023] [mpm_prefork:notice] [pid 111] AH00163: Apache/2.4.54 (Debian) PHP/8.1.14 OpenSSL/1.1.1n configured -- resuming normal operations
[Sat Jan 28 21:12:51.022463 2023] [core:notice] [pid 111] AH00094: Command line: 'apache2 -D FOREGROUND'

Another note: when getting help from the Caddy forum, they mentioned changing reverse_proxy 172.17.165.11:11000 to reverse_proxy nextcloud:11000.

They advised I give feedback:

They should be adding the Apache container to a Docker network that Caddy can be added to, so proxying can happen by container/service name.

I’m a bit new to Docker, but is this possible and/or recommended at all for Windows users? I found out that, since I’m on Windows, I can’t use network_mode: host due to a Docker Desktop for Windows limitation, and the IP returned by the command in the reverse-proxy instructions seems to change.

Hi, can you post the apache container logs here? Also, what is the output of docker inspect nextcloud-aio?

Thank you for your help!

$ docker inspect nextcloud-aio
[
    {
        "Name": "nextcloud-aio",
        "Id": "0a142eaca8b76259147346a41185d9f75b5d3f171ff497e6b4930b6a2f8d74e0",
        "Created": "2023-01-27T02:01:53.098354452Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.31.0.0/16",
                    "Gateway": "172.31.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "28de7619838f80c4e4b4d4af9b5c5bd76ec9b138f1a5517bdb1a047539386e33": {
                "Name": "nextcloud-aio-nextcloud",
                "EndpointID": "4e920e367f4fce3ba4042d50196d7e7d3397ba4844ae25248e452c5f57b0c967",
                "MacAddress": "02:42:ac:1f:00:0a",
                "IPv4Address": "172.31.0.10/16",
                "IPv6Address": ""
            },
            "32b2b03c8c17497565d64308444c952b7af9c0d6ceec24d288ac1163537e3526": {
                "Name": "nextcloud-aio-database",
                "EndpointID": "b69a96527324b613bdbc219439bc07b7047e034f86d2db1a5b20754229dc7ef4",
                "MacAddress": "02:42:ac:1f:00:05",
                "IPv4Address": "172.31.0.5/16",
                "IPv6Address": ""
            },
            "33f38dfac918c65583b41e447f1ba69afa1880c5c14584ec91c3b5160feea1c2": {
                "Name": "nextcloud-aio-collabora",
                "EndpointID": "a016daa5c711a46b0e19efee6b6866a2c8d97101aad28a02528aa733dcf56854",
                "MacAddress": "02:42:ac:1f:00:03",
                "IPv4Address": "172.31.0.3/16",
                "IPv6Address": ""
            },
            "3461ae0c47b9c2d49ce2d727988daa7275462bab6f414f38b4c545eb079ede29": {
                "Name": "nextcloud-aio-apache",
                "EndpointID": "6724317939f47216dfb1ec41ecfaffe2d4af4c96e0b008b38f6d9a6451a0c654",
                "MacAddress": "02:42:ac:1f:00:0b",
                "IPv4Address": "172.31.0.11/16",
                "IPv6Address": ""
            },
            "43b50962015c0e2f656673926bb222d1676e6698a41de753c936b8a0cec0ba1d": {
                "Name": "nextcloud-aio-talk",
                "EndpointID": "8da086dec56891a33ab420701138c014d491b16b413b156fd4cc53fc8cf2c124",
                "MacAddress": "02:42:ac:1f:00:04",
                "IPv4Address": "172.31.0.4/16",
                "IPv6Address": ""
            },
            "5cd6ebb50b63567246ec844c3b9220fd0ae75cd94ffad979e6318fba9a4aecfb": {
                "Name": "nextcloud-aio-redis",
                "EndpointID": "60dc54d45b69d00e103a2f2550e44fe536b6f5241b31fc9abe74a1fb0ca947f6",
                "MacAddress": "02:42:ac:1f:00:06",
                "IPv4Address": "172.31.0.6/16",
                "IPv6Address": ""
            },
            "68012d43268048962108a846b45905775ad87623035183222bea36bda9167315": {
                "Name": "nextcloud-aio-imaginary",
                "EndpointID": "e9c27f6b37a0ce7903cedaeb7bf90b6a7afca4b3be07ea5459c428ecdde1efef",
                "MacAddress": "02:42:ac:1f:00:09",
                "IPv4Address": "172.31.0.9/16",
                "IPv6Address": ""
            },
            "6d317e4b78b82042702c1a3b7a63c7881928fd0181f09e285796bd87740ad760": {
                "Name": "nextcloud-aio-clamav",
                "EndpointID": "b01e11b60ea9a4b2e9189e067490fcc142f9b447b5ab39536a22b4aaadbc33c2",
                "MacAddress": "02:42:ac:1f:00:07",
                "IPv4Address": "172.31.0.7/16",
                "IPv6Address": ""
            },
            "c871f68f562b69d875224938fca6c4d6b73c3d97be24c63dde4d03fa7245faf1": {
                "Name": "nextcloud-aio-fulltextsearch",
                "EndpointID": "dc07b59b12a377a29a0c3e64022f735478162bdbfa110e0066da2d6e6eca1276",
                "MacAddress": "02:42:ac:1f:00:08",
                "IPv4Address": "172.31.0.8/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.enable_icc": "true"
        },
        "Labels": {}
    }
]

Apache container logs

2023-01-28 14:21:42 Waiting for Nextcloud to start...
2023-01-28 14:21:47 Waiting for Nextcloud to start...
2023-01-28 14:21:52 Waiting for Nextcloud to start...
2023-01-28 14:21:57 Waiting for Nextcloud to start...
2023-01-28 14:22:02 Waiting for Nextcloud to start...
2023-01-28 14:21:42 nc: getaddrinfo for host "nextcloud-aio-nextcloud" port 9000: Name or service not known
2023-01-28 14:22:08 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.10. Set the 'ServerName' directive globally to suppress this message
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2709227,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
2023-01-28 14:22:08 {"level":"warn","ts":1674940928.2719257,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/Caddyfile","line":2}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2732508,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
2023-01-28 14:22:08 {"level":"warn","ts":1674940928.273418,"logger":"http","msg":"automatic HTTPS is completely disabled for server","server_name":"srv0"}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2734928,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0007523f0"}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2738724,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2738857,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/mnt/data/caddy"}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2739112,"logger":"tls","msg":"finished cleaning storage units"}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2740152,"msg":"autosaved config (load with --resume flag)","file":"/var/www/.config/caddy/autosave.json"}
2023-01-28 14:22:08 {"level":"info","ts":1674940928.2740335,"msg":"serving initial configuration"}

Thanks! Can you try to use reverse_proxy 172.31.0.1:11000 in your Caddyfile and check if that makes it work again?

Unfortunately not. It’s doing the same with the 502 error. AIO is still running on 8080.

172.30.255.19: is this the IP address of your Windows PC that runs Docker in your local network?

If not, can you try to use the IP address of your Windows host in the Caddyfile?

Windows host - 192.168.1.111.
WSL host (WSL IP worked initially) - 172.17.160.1
I tried both. Theoretically, if the Nextcloud Apache is available on the port, shouldn’t I be able to skip Caddy and go to localhost:11000 or 172.0.0.1:11000 in my browser, especially with - APACHE_IP_BINDING=127.0.0.1 in the config?

docker exec -it caddy caddy fmt /etc/caddy/Caddyfile
https://nextcloud.weme.wtf:443 {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 172.17.160.1:11000
        #        reverse_proxy 192.168.1.111:11000
        #        reverse_proxy 172.30.255.19:11000
}

Can you try to use reverse_proxy 192.168.1.111:11000 in your Caddyfile, set APACHE_IP_BINDING=0.0.0.0, and restart the container from the AIO interface? Does it work afterwards?

OMG that worked. Thanks so much! And that IP’s router-assigned, so it should be good permanently.
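
The `docker inspect nextcloud-aio` output earlier in the thread lists no `caddy` container on that network, which is why proxying by container name could not resolve. The following is an added example, not code from the thread's participants or from the Nextcloud AIO project: it reads `docker network inspect`-style JSON and reports whether a proxy can address an upstream by name. The second network's name, the container keys, caddy's address and the `<docker-host-ip>` placeholder are assumptions made up for the example.

```python
import copy
import ipaddress
import json

# Constructed sample: trimmed `docker network inspect` output for two networks.
# The nextcloud-aio names and addresses are the ones shown in the thread; the
# second network's name, the container keys and caddy's address are made up.
SAMPLE = json.loads("""
[{"Name": "nextcloud-aio",
  "Containers": {
    "id-apache": {"Name": "nextcloud-aio-apache", "IPv4Address": "172.31.0.11/16"},
    "id-nextcloud": {"Name": "nextcloud-aio-nextcloud", "IPv4Address": "172.31.0.10/16"}}},
 {"Name": "example_default",
  "Containers": {
    "id-caddy": {"Name": "caddy", "IPv4Address": "172.20.0.2/16"}}}]
""")


def memberships(networks):
    """Map container name -> {network name: IPv4 address without the prefix}."""
    out = {}
    for net in networks:
        for entry in (net.get("Containers") or {}).values():
            addr = entry.get("IPv4Address") or ""
            ip = str(ipaddress.ip_interface(addr).ip) if addr else None
            out.setdefault(entry["Name"], {})[net["Name"]] = ip
    return out


def plan_upstream(networks, proxy, upstream, port):
    """Say how `proxy` can address `upstream`, based on shared networks only."""
    seen = memberships(networks)
    missing = [name for name in (proxy, upstream) if name not in seen]
    if missing:
        raise LookupError(f"not attached to any inspected network: {missing}")
    shared = sorted(set(seen[proxy]) & set(seen[upstream]))
    if shared:
        # Docker's embedded DNS resolves container names on user-defined networks.
        return {"by_name": True, "shared": shared, "target": f"{upstream}:{port}"}
    # No common network: the name cannot resolve from the proxy, so the only
    # route is a port published on the Docker host (placeholder address below).
    return {"by_name": False, "shared": [], "target": f"<docker-host-ip>:{port}"}


def attach(networks, network_name, container, ipv4):
    """Return a copy of the inspect data with `container` added to one network,
    modelling the effect of `docker network connect <network> <container>`."""
    nets = copy.deepcopy(networks)
    for net in nets:
        if net["Name"] == network_name:
            net.setdefault("Containers", {})["id-" + container] = {
                "Name": container, "IPv4Address": ipv4}
            return nets
    raise LookupError(f"no such network in inspect data: {network_name}")


if __name__ == "__main__":
    print(plan_upstream(SAMPLE, "caddy", "nextcloud-aio-apache", 11000))
    joined = attach(SAMPLE, "nextcloud-aio", "caddy", "172.31.0.12/16")
    print(plan_upstream(joined, "caddy", "nextcloud-aio-apache", 11000))
```

On the published-port route that resolved this thread, `APACHE_IP_BINDING` decides which host interfaces accept connections on port 11000, and `0.0.0.0` means all of them, so the backend that Caddy reaches without TLS is also reachable by anything else that can reach the host on that port.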