Nextcloud Behind Haproxy

robiansyah_alfauzan · January 13, 2025, 8:25am

I experienced a problem when setting up NextCloud using Haproxy so the topology has 1 Haproxy which receives requests directly from the user then 2 NextCloud servers as backend then there is an OnlyOffice server which is integrated with NextCloud

the problem here is:

When the user accesses the folder, an error 401 not authorized appears
When uploading a file an error bar appears as follows: Error while uploading: The server cannot complete your request. If this happens again, please send the technical details below to the server administrator. Further details can be found in the server log.
When a new user logs in an error bar appears: unable to load photo folder
and in the nextcloud log like this:
{“reqId”:“8BjAJdJLby7OsoY5JwS3”,“level”:2,“time”:“2025-01-13T07:43:52+00:00”,“remoteAddr”:“103.154.138.111”,“user”:“nextcloud_admin”,“app”:“no app in context”,“method”:“GET”,“url”:“/ocs/v2.php/apps/notifications/api/v2/notifications”,“message”:“Request does not pass strict cookie check”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0”,“version”:“29.0.10.1”,“data”:}

Kerasit · January 13, 2025, 8:32am

Add the HAProxy IP adress to your config.php under trusted_proxies.
And when doing HA/load balanced setups, the cookie and session stuff becomes a challenge. Your Load balancing must ensure that same session (connection on the HAProxy inbound) will be using the same backend as long as the session is active, or initiate a complete reconnect (destroy session and create a new). Else your cookies and sessions will not be available to the Nextcloud webserver, because it will create a new “session” which will conflict with the current active one.

robiansyah_alfauzan · January 13, 2025, 9:32am

I’ve added trusted proxies to config.php, and for haproxy there is a purpose to implement sticky sessions, are there any configuration recommendations for haproxy?

Kerasit · January 13, 2025, 11:26am

Yes. There are two possible ways of implementing sticky sessions. One of them exposes your use of a reverse proxy in-between.

It drill down to either of two solutions:

HAProxy cookie
IP based / src based

If using HTTP or HTTPS protocol on HAProxy (terminating TLS on HAProxy), you can use a HAProxy session cookie.

If using TCP with TLS pass-through, there is basically only soruce based. However that is easiest to configure:

Example

stick match src
stick-table type ip size 200k expire 30m

Whatever stick-table settings is up to you and your setup. However look it up.

robiansyah_alfauzan · January 14, 2025, 1:59am

Previously there were no problems when implementing a sticky session on Haproxy, there were no errors as I mentioned before, but when the user wanted to create or edit a file on NextCloud which is already integrated with OnlyOffice, an error appeared:

*only the office cant be reached

Actually that’s the only problem, I tried to look into it but the error I mentioned was what occurred.

Kerasit · January 14, 2025, 5:04pm

That is beyond my expertise