Nextcloud AIO Reverting Collabora Online-server URL nightly

ℹ️ Support
, , , , , ,
1
Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

My AIO instance is resetting the Nextcloud Office: Collabora Online-server each night during maintenance or updates.

If I change it back to my public domain (which it was set to by the AIO install during deployment), office docs work fine via the browser.

I have found another post from 2024 that’s locked, but I don’t understand their suggested fix, or maybe I didn’t do it right?

Here’s the setting after the nextcloud container restarts or does nightly maintenance:

Wrong
Wrong876×531 26.7 KB

Here’s the setting after I change it back, making everything work again:

Right
Right841×568 27.1 KB

I can’t figure out why it keeps reverting back to the internal apache setting.

I have tried adding an environment variable to the master container docker run, didn’t work. Maybe I did something wrong?

docker run -d \
  --init \
  --sig-proxy=false \
  --name nextcloud-aio-mastercontainer \
  --restart always \
  --network nextcloud-aio \
  --publish 8880:8080 \
  --env APACHE_PORT=11000 \
  --env APACHE_IP_BINDING=0.0.0.0 \
  --env APACHE_ADDITIONAL_NETWORK="" \
  --env SKIP_DOMAIN_VALIDATION=true \
  --env NEXTCLOUD_DATADIR="/mnt/sda1/docker_mounts/nextcloud" \
  --env NEXTCLOUD_KEEP_DISABLED_APPS=true \
  --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /etc/pki/ca-trust/source/anchors:/usr/local/share/ca-certificates:ro \
  -v /etc/pki/tls/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  --env NEXTCLOUD_TRUSTED_CACERTS_DIR=/mnt/sda1/docker_mounts/nextcloud/trusted_ca_certs \
  --entrypoint "/bin/bash" \
  ghcr.io/nextcloud-releases/all-in-one:latest \
  -c "update-ca-certificates && /start.sh"

Something interesting I found in the nextcloud container env (though I don’t know the interworkings of the code) is this:

Inspect nextcloud-aio-nextcloud:
env:

"NEXTCLOUD_EXEC_COMMANDS=echo 'Activating Collabora config...' php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache:23973' --callback-url='http://nextcloud-aio-apache:23973' ",

There is a caddy container on the docker server:

cat Caddyfile

cat Caddyfile
# Disable Caddy’s automatic HTTPS (no ACME, no Let’s Encrypt)
{
        auto_https off
}

https://nextcloud.ccac.candiamantics.net:443 {

        # Use the locally-provided certificate pair
        tls /certs/cert.pem /certs/cert.key

        # Remove server banners
        header -Server
        header -X-Powered-By

        # Proxy everything to the Apache container inside the bridge network
        reverse_proxy nextcloud-aio-apache:11000
}

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
  • Operating system and version (e.g., Ubuntu 24.04):
    • NAME=“Rocky Linux”
      VERSION=“9.6 (Blue Onyx)”
  • Web server and version (e.g, Apache 2.4.25):
    • AIO builtin
  • Reverse proxy and version _(e.g. nginx 1.27.2)
    • Caddy
  • PHP version (e.g, 8.3):
    • AIO latest
  • Is this the first time you’ve seen this error? (Yes / No):
    • No, each night
  • When did this problem seem to first start?
    • Unknown, long time after an automatic update by master container
  • Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using CloudfIare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

AIO instance is resetting the Nextcloud Office: Collabora Online-server each night during maintenance or updates.

Steps to replicate it (hint: details matter!):

  1. Set the correct Collabora Online-server

  2. Restart nextcloud-aio-nextcloud

  3. Collabora Online-server has reverted to internal apache URL

Log entries

Nextcloud

Connection to nextcloud-aio-apache (10.0.2.12) 11000 port [tcp/*] succeeded!

Activating Collabora config...

[05-Nov-2025 19:51:27] NOTICE: fpm is running, pid 299

[05-Nov-2025 19:51:27] NOTICE: ready to handle connections

✓ Set WOPI url to http://nextcloud-aio-apache:23973

✓ Set callback url to http://nextcloud-aio-apache:23973

Checking configuration

🛈 Configured WOPI URL: http://nextcloud-aio-apache:23973

🛈 Configured public WOPI URL: https://nextcloud.ccac.candiamantics.net

🛈 Configured callback URL: http://nextcloud-aio-apache:23973

Failed to fetch discovery endpoint from http://nextcloud-aio-apache:23973

cURL error 28: Connection timed out after 5002 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://nextcloud-aio-apache:23973/hosting/discovery

Web server / Reverse Proxy

The output of your Apache AIO:

Waiting for Nextcloud to start...

Connection to nextcloud-aio-nextcloud (10.0.2.11) 9000 port [tcp/*] succeeded!

/usr/lib/python3.12/site-packages/supervisor/options.py:13: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.

  import pkg_resources

[Wed Nov 05 19:40:02.623581 2025] [mpm_event:notice] [pid 131:tid 131] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations

[Wed Nov 05 19:40:02.624036 2025] [core:notice] [pid 131:tid 131] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'

INF ts=1762389602.6352432 msg=maxprocs: Leaving GOMAXPROCS=6: CPU quota undefined

INF ts=1762389602.6354551 msg=GOMEMLIMIT is updated package=github.com/KimMachineGun/automemlimit/memlimit GOMEMLIMIT=10833784012 previous=9223372036854776000

INF ts=1762389602.6354809 msg=using config from file file=/tmp/Caddyfile

INF ts=1762389602.6367843 msg=adapted config to JSON adapter=caddyfile

INF ts=1762389602.640184 msg=serving initial configuration

[Wed Nov 05 19:49:15 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:49:15 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

[Wed Nov 05 19:49:15 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:49:15 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

[Wed Nov 05 19:49:16 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:49:16 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

[Wed Nov 05 19:49:29 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:49:29 2025] [error] [client: 10.0.2.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [COOLWSD HTTP Agent 25.04.6.2]

[Wed Nov 05 19:50:02 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]


[Wed Nov 05 19:50:02 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Edg/141.0.0.0]

[Wed Nov 05 19:50:03 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]


[Wed Nov 05 19:50:03 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Edg/141.0.0.0]

[Wed Nov 05 19:50:04 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]


[Wed Nov 05 19:50:04 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Edg/141.0.0.0]

[Wed Nov 05 19:50:17 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:50:17 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

[Wed Nov 05 19:50:24 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]


[Wed Nov 05 19:50:24 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Edg/141.0.0.0]

[Wed Nov 05 19:50:26 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]


[Wed Nov 05 19:50:26 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 Edg/141.0.0.0]

[Wed Nov 05 19:50:29 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:50:29 2025] [error] [client: 10.0.2.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [COOLWSD HTTP Agent 25.04.6.2]

[Wed Nov 05 19:51:19 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:51:19 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

[Wed Nov 05 19:51:19 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:51:19 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

[Wed Nov 05 19:51:19 2025] [error] [(111)Connection refused] [client: [AH00957: FCGI: attempt to connect to 10.0.2.11:9000 (nextcloud-aio-nextcloud:9000) failed]

[Wed Nov 05 19:51:19 2025] [error] [client: 172.20.55.1, 10.0.2.13] [AH01079: failed to make connection to backend: nextcloud-aio-nextcloud] [Mozilla/5.0 (Windows) mirall/4.0.1 (build 20251027) (Nextcloud, windows-10.0.26100 ClientArchitecture: x86_64 OsArchitecture: x86_64)]

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "check_data_directory_permissions": false,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "nextcloud.ccac.candiamantics.net",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nextcloud.ccac.candiamantics.net"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.10.2",
        "overwrite.cli.url": "https:\/\/nextcloud.ccac.candiamantics.net\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "updatedirectory": "\/nc-updater",
        "loglevel": 2,
        "app_install_overwrite": [
            "nextcloud-aio"
        ],
        "log_type": "file",
        "logfile": "\/var\/www\/html\/data\/nextcloud.log",
        "log_rotate_size": 10485760,
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "preview_max_x": 2048,
        "preview_max_y": 2048,
        "jpeg_quality": 60,
        "enabledPreviewProviders": {
            "1": "OC\\Preview\\Image",
            "2": "OC\\Preview\\MarkDown",
            "3": "OC\\Preview\\MP3",
            "4": "OC\\Preview\\TXT",
            "5": "OC\\Preview\\OpenDocument",
            "6": "OC\\Preview\\Movie",
            "7": "OC\\Preview\\Krita",
            "0": "OC\\Preview\\Imaginary",
            "23": "OC\\Preview\\ImaginaryPDF"
        },
        "enable_previews": true,
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "auto, 30",
        "activity_expire_days": 30,
        "simpleSignUpLink.shown": false,
        "share_folder": "\/Shared",
        "one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
        "upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
        "maintenance_window_start": 100,
        "allow_local_remote_servers": true,
        "davstorage.request_timeout": 3600,
        "documentation_url.server_logs": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/5425",
        "htaccess.RewriteBase": "\/",
        "dbpersistent": false,
        "auth.bruteforce.protection.enabled": true,
        "ratelimit.protection.enabled": true,
        "files_external_allow_create_new_local": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "preview_imaginary_url": "***REMOVED SENSITIVE VALUE***",
        "preview_imaginary_key": "***REMOVED SENSITIVE VALUE***",
        "proxy": "http:\/\/172.20.19.253:8080",
        "proxyexclude": [
            ".ccac.candiamantics.net",
            ".int.candiamantics.com",
            "localhost",
            "127.0.0.1",
            "::1",
            "docker",
            "docker.internal"
        ],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "data-fingerprint": "2b9ee5d9505a719df8123e51348643bb",
        "updatechecker": false,
        "forbidden_filename_basenames": [
            "con",
            "prn",
            "aux",
            "nul",
            "com0",
            "com1",
            "com2",
            "com3",
            "com4",
            "com5",
            "com6",
            "com7",
            "com8",
            "com9",
            "com\u00b9",
            "com\u00b2",
            "com\u00b3",
            "lpt0",
            "lpt1",
            "lpt2",
            "lpt3",
            "lpt4",
            "lpt5",
            "lpt6",
            "lpt7",
            "lpt8",
            "lpt9",
            "lpt\u00b9",
            "lpt\u00b2",
            "lpt\u00b3"
        ],
        "forbidden_filename_characters": [
            "<",
            ">",
            ":",
            "\"",
            "|",
            "?",
            "*",
            "\\",
            "\/"
        ],
        "forbidden_filename_extensions": [
            " ",
            ".",
            ".filepart",
            ".part"
        ],
        "DOMAIN": "nextcloud.ccac.candiamantics.net"
    }
}

2

The problem initiates from AiO’s approach to setup the system in a predefinied way. This approach allows to rely on some assumptions. I remember there was a similar topic shortly but I don’t find it - the solution was to set some variables..

Look at all-in-one/manual-install/latest.yml at main · nextcloud/all-in-one · GitHub there are variables related to CODE. I’m not sure both work in an automated AiO as well:

      - COLLABORA_HOST=nextcloud-aio-collabora

it is used in a Nextcloud container

but I don’t see any reference if it’s allowed to use it “from outside

3

I still don’t understand why the public URL keeps getting changed. The AIO automatic logic is supposed to handle everything for the user, which it does when it’s first deployed and it fills in the public nextcloud office URL. The fresh deployed solution has the right setting for WOPI public URL.

Checking if I understand your comment correctly:

Are you suggesting adding ENV: - COLLABORA_HOST=nextcloud-aio-collabora to master container docker run command? Or setting - COLLABORA_HOST=FQDN for public clients?

I’ve seen the master container not pass very many variables to the auto created stack containers, which is pretty frustrating since I would like to have them all use an internal corporate style web proxy for TLS inspection.

From your reply above (thanks by the way), the above mentioned:

- COLLABORA_HOST=nextcloud-aio-collabora

I believe you’re saying this variable should be used when doing a manual or compose based deployment. Also, to me, that’s telling nextcloud container the name of the container for collabora, not a URL for communication between the two (another than containers can resolve each other’s name via docker internal DNS/Alias)?

When you say: “use it outside”, I think you mean the public or client URL for office documents. The nextcloud-aio-apache:port is internal docker alias/resolution between containers?”

From my understanding of container to container communication, it makes sense to me when the nextcloud container communicates with the collabora container, it uses the nextcloud-aio-apache:port to get routed to collabora.

4

don’t do this.. TLS inspection is evil, brakes things and reduce security.. but I believe there is an option to configure proxy for internet connection, we had a topic here.

I mean outside of the AiO micro-cosmos - I don’t know if it is possible to pass this variable or is it kind of internal voodoo which brakes if start mangling with.

This are options I feel promising but I’m sorry no idea behind this point. AiO is there for a reason - it is created in a way it works out of the box and not intended for heavy customisation. If you want to control every possible aspect of the system AiO is not right for you. look for Docker community edition or bare-teal install (on a VM)

5

Thanks for the thoughts. I’ll keep at it.

This behavior didn’t start until after an automatic update one day, and I have not done any customization beyond the AIO deployment, so maybe I’m just at fault for missing a required config, or it was a bad update.

6

Ha, you’re not wrong. Opening TLS sessions like many aspects of the modern internet was not the designers intentions. In home labs and small environments, I agree and do not advise it.

However, in certain industries, it’s absolutely required. Think high security networks where you can’t have data getting exfilled due to TLS. So, some of us must learn how to correctly configure applications, OSs, etc. It breaks all kinds of mobile applications with certificate pinning (to defeat/prevent inspection). All kinds of fun.

7

unfortunately I have pain this at work as well.. and the answer is still the same “don’t brake TLS”.. if you want to scan data and prevent exfiltration best strategy is to apply client-side DLP and leave TLS connection alone.. but I know often security department has given absolute power for some reason. ..and definitely for such environments you better choose more customisable variant like bare-metal or at least community micro-image rather than AiO which is focusing on SoHo users and straight internet.