[Solved] Nextcloud AIO with Traefik allows only external access

Until now I have used NextcloudPi, but I read that it will not get updates anymore. So I am trying Nextcloud AIO. As described in https://github.com/nextcloud/all-in-one/blob/main/local-instance.md, I don’t want my NC on the public internet; I only want local access. So I followed the installation manual https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md for Traefik 2.

I used the docker-compose.yml from https://github.com/nextcloud/all-in-one/blob/main/docker-compose.yml for creating the master container. I was able to install the container and Nextcloud in version 26, because I have a port forwarding for ports 80 and 443 to the Traefik container.

But then the problems begin:
I am not able to open the Nextcloud login page from the LAN; the website is not found. But I can open the Nextcloud login page from external (smartphone with WLAN deactivated).

I then created a local DNS record in Pi-hole for my Nextcloud domain with the IP address of my NAS, which runs the Docker containers. After this

  • the container nextcloud-aio-apache shows status unhealthy
  • opening the Nextcloud URL shows me the login page of my router (Fritzbox 7590ax)

I see in the traefik.log that my Nextcloud domain has got a Let's Encrypt certificate. And I have another container which works with Traefik; I can open its URL from the LAN and from the public internet. So the problems are related to the Nextcloud AIO installation.

In my router the Nextcloud domain is listed in the “DNS-Rebind-Protection”.

Here is my static traefik.yml, which is taken from another installation manual and so differs somewhat from the manual https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md:

api:
  dashboard: true
certificatesResolvers:
  http:
    acme:
      email: "xxx"
      storage: "acme_letsencrypt.json"
      httpChallenge:
        entryPoint: http
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: "https"
          scheme: "https"
  https:
    address: ":443"
global:
  checknewversion: true
  sendanonymoususage: false
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: true
    network: "proxy"
  file:
    directory: "./conf"
    watch: true
  providersThrottleDuration: 10
log:
  level: "DEBUG"
  filePath: "/logs/traefik.log"
accessLog:
  filePath: "/logs/access.log"

And here is the dynamic nextcloud.yml configuration:

http:
    routers:
        nextcloud:
            rule: "Host(`nextcloud.xxx.xx`)"
            entrypoints:
                - "https"
            service: nextcloud
            middlewares:
                - nextcloud-chain
            tls:
                certresolver: "http"

    services:
        nextcloud:
            loadBalancer:
                servers:
                    - url: "http://192.168.178.57:11000" # Use the host's IP address if Traefik runs outside the host network

    middlewares:
        nextcloud-secure-headers:
            headers:
                hostsProxyHeaders:
                    - "X-Forwarded-Host"
                referrerPolicy: "same-origin"

        https-redirect:
            redirectscheme:
                scheme: https 

        nextcloud-chain:
            chain:
                middlewares:
                    # - ... (e.g. rate limiting middleware)
                    - https-redirect
                    - nextcloud-secure-headers

Here is the docker-compose.yml which I used to create the master container:

version: "3.8"

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work

services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: always
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
      - 16000:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 16001:8080
      - 16002:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    # environment: # Is needed when using any of the options below
    environment:
      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface.
      - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - APACHE_IP_BINDING=0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS). See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container which is needed for hardware-transcoding. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using.
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
  # caddy:
  #   image: caddy:alpine
  #   restart: always
  #   container_name: caddy
  #   volumes:
  #     - ./Caddyfile:/etc/caddy/Caddyfile
  #     - ./certs:/certs
  #     - ./config:/config
  #     - ./data:/data
  #     - ./sites:/srv
  #   network_mode: "host"

# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
# # Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
# networks:
#   nextcloud-aio:
#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
#     driver: bridge
#     enable_ipv6: true
#     ipam:
#       driver: default
#       config:
#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use

Does anyone know the cause of my problems? Do you need more information?

Thanks in advance

Matthias

Maybe interesting:
With http://nextcloud.xxx.xx:11000/login I get the login page from Nextcloud, but the login with user admin and the password from the installation is not possible. I get no error, but the login page is shown again.

From external access the login with admin is possible.

Matthias

Hi, did you already see and follow GitHub - nextcloud/all-in-one: Nextcloud AIO stands for Nextcloud All-in-One and provides easy deployment and maintenance with most features included in this one Nextcloud instance.?

Do you mean the section “How can I access Nextcloud locally?”? Then yes, I use Pi-hole to create a local DNS record. The link https://docs.callitkarma.me/posts/PiHole-Local-DNS/ leads to a 404 page not found, so I don’t know what was written there.

Matthias

I’ve found a snapshot of it here: Setup Local DNS A & CNAME records on PiHole | Callitkarma.me Docs

Thank you, szaimen. I didn’t know this procedure before.

Until now I had different local DNS records in Pi-hole for the same IP address (my NAS). Now I deleted the local DNS record for nextcloud.xxx.xx and created a local CNAME record for this domain nextcloud.xxx.xx with target domain . I did the same for the domain which I used successfully with Traefik.

But nextcloud.xxx.xx is still not reachable in the LAN; the other domain works normally after my change.

So this is not the solution to my problem.

Matthias

Is nextcloud.xxx.xx the domain that you entered in the AIO interface during initial installation?

Yes, and the same domain is in the nextcloud.yml as the rule.

Did you configure your router correctly so that the Pi-hole is your local DNS server for all devices in the LAN?

Yes, in the network settings the “local DNS-Server” is set to the IP address on which Pi-hole is running, for IPv4 and IPv6.

And other domains I created in Pi-hole are reachable. Only the Nextcloud domain doesn’t work.

Matthias

What kind of issue do you get when you open the domain internally? What is the output of ping nextcloud.xxx.xx? Does it return the internal IP address of the server that runs Traefik?

When I open https://nextcloud.xxx.xx:8443 (the published port of the Traefik container, which is mapped to port 443), I get
“This website is not reachable
nextcloud.xxx.xx refused the connection”
in the browser Vivaldi. In the browser Firefox I get
“Connection failed”
without a message that something refused a connection.

Before the change in Pi-hole, in such cases I got the login page of my router, so maybe we are getting somewhere…

ping nextcloud.xxx.xx returns the IP address 192.168.178.57, which is the NAS.

I see the problem now. Why is Traefik not using port 443 internally and 8443 instead?

Traefik has these ports published:
  • 880 to internal 80
  • 8443 to internal 443

My router uses port 443 for its login page, so I cannot forward this port to Traefik. Instead, in my router the ports are forwarded as follows:
  • 80 external to 880 on the NAS
  • 443 external to 8443 on the NAS

My plan is to disable the port forwarding for port 443. I don’t want to access my domains from the public internet, only locally. But during the installation of Nextcloud AIO the domain must be reachable on port 443.

Why can’t you use port 443 for Traefik?

Indeed, why? Maybe I was overthinking it.

I changed the docker-compose.yml for starting Traefik, and now the ports
  • 880 to 80
  • 443 to 443
are published.

But now the Traefik dashboard is not reachable; I get the error “404 page not found”. I get the same when I open https://nextcloud.xxx.xx.

Matthias

So Traefik now publishes port 443:443? Is it also listening on port 443? Can you provide some logs maybe?

In traefik.log there is nothing useful. But I searched for the error and found a way to debug:

curl -v -H "Host: traefik.xxx.xx" https://192.168.178.57:443/dashboard
*   Trying 192.168.178.57:443...
* Connected to 192.168.178.57 (192.168.178.57) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

For nextcloud.xxx.xx I get the same output.

What is strange is that before changing the published port in the Traefik container, I had a Let's Encrypt certificate for Traefik and Nextcloud.

I guess we are on the right way: using port 443 in Traefik makes things easier (no ports in the URL). But now we have to solve a new problem. For now I have no idea about that, but I keep searching…

Matthias

Does Traefik not have logs that you could investigate?

Yes, Traefik has logs and I already set the log level to debug. Here is what I get for the Traefik dashboard:

time="2023-05-24T20:40:10+02:00" level=debug msg="Trying to challenge certificate for domain [traefik.xxx.xx] found in HostSNI rule" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik@docker rule="Host(`traefik.xxx.xx`)" providerName=http.acme
time="2023-05-24T20:40:10+02:00" level=debug msg="Looking for provided certificate(s) to validate [\"traefik.xxx.xx\"]..." ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik@docker rule="Host(`traefik.xxx.xx`)" providerName=http.acme
time="2023-05-24T20:40:10+02:00" level=debug msg="No ACME certificate generation required for domains [\"traefik.xxx.xx\"]." routerName=traefik@docker rule="Host(`traefik.xxx.xx`)" providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-05-24T20:40:10+02:00" level=debug msg="Adding route for traefik.xxx.xx with TLS options default" entryPointName=https

But these logs don’t help me to find the cause of the problem.
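Sorting such debug lines per domain is quicker with a small script. The following Python is an added example, not code from this thread, from Traefik or from Nextcloud AIO: it parses Traefik's logfmt-style lines (keys such as "ACME CA" contain a space), groups the ACME events per domain and reports the domains for which Traefik found or obtained no usable certificate, which is when it answers with its self-signed default certificate, the "self-signed certificate" that curl reported earlier in the thread. The sample log is two of the debug lines above plus one constructed error line; the "Unable to obtain ACME certificate" and "Certificates obtained for domains" message texts are assumed from Traefik v2's wording.

```python
import re
from collections import defaultdict

# Constructed sample: two debug lines quoted in the thread plus one constructed
# error line (the "Unable to obtain ..." wording is assumed from Traefik v2 logs).
SAMPLE_LOG = '''\
time="2023-05-24T20:40:10+02:00" level=debug msg="Trying to challenge certificate for domain [traefik.xxx.xx] found in HostSNI rule" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=traefik@docker rule="Host(`traefik.xxx.xx`)" providerName=http.acme
time="2023-05-24T20:40:10+02:00" level=debug msg="No ACME certificate generation required for domains [\\"traefik.xxx.xx\\"]." routerName=traefik@docker rule="Host(`traefik.xxx.xx`)" providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory"
time="2023-05-24T20:40:11+02:00" level=error msg="Unable to obtain ACME certificate for domains \\"nextcloud.xxx.xx\\"" routerName=nextcloud@file rule="Host(`nextcloud.xxx.xx`)" providerName=http.acme error="constructed: challenge failed"
'''

# key=value or key="quoted value"; Traefik keys may contain a space ("ACME CA").
FIELD = re.compile(r'(?P<key>[A-Za-z][\w.]*(?: [A-Z][\w.]*)*)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')
DOMAIN = re.compile(r'[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')
ACME_EVENTS = (  # message text -> event label
    ('Trying to challenge certificate', 'challenge-started'),
    ('No ACME certificate generation required', 'existing-cert-used'),
    ('Certificates obtained for domains', 'cert-obtained'),
    ('Unable to obtain ACME certificate', 'acme-error'),
)

def parse_line(line):
    """Split one logfmt-style Traefik line into a dict, unescaping quoted values."""
    fields = {}
    for m in FIELD.finditer(line):
        val = m.group('val')
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        fields[m.group('key')] = val
    return fields

def acme_status(log_text):
    """Map each domain to its ordered (level, event) pairs from ACME-related lines."""
    status = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        msg = f.get('msg', '')
        event = next((label for text, label in ACME_EVENTS if text in msg), None)
        if event is None:
            continue
        for domain in DOMAIN.findall(msg):
            status[domain].append((f.get('level'), event))
    return dict(status)

def domains_without_usable_cert(log_text):
    """Domains with no usable certificate (none found or obtained, or the last
    event is an ACME error): for these Traefik serves its self-signed default cert."""
    return sorted(d for d, ev in acme_status(log_text).items()
                  if ev[-1][1] == 'acme-error'
                  or not {'existing-cert-used', 'cert-obtained'} & {e for _, e in ev})
```

Run it against the real traefik.log (DEBUG level, as in the static config above) and compare the reported domains with the Host rules of your routers; a router domain that is missing entirely never triggered a challenge, usually because no router with TLS enabled matched it.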