Nextcloud behind traefik - Redirect loop detected

Hi there

I've set up nextcloud behind a traefik router.
nextcloud itself is working if I access it locally and with port forwarding, but not behind traefik.
There seems to be an issue with the certificate for the subdomain.

level=error msg="Unable to obtain ACME certificate for domains \"nextcloud.placeholder.local\": unable to generate a certificate for the domains [nextcloud.placeholder.local]: error: one or more domains had a problem:\n[nextcloud.placeholder.local] acme: error: 400 :: urn:ietf:params:acme:error:connection :: xxx.xxx.xxx.xxx: Fetching http://placeholder.local/.well-known/acme-challenge/jGSFmgz-S0ZQ4L-I1LjW52SxJWZkKvxah9Jti0j_vYU: Redirect loop detected\n" providerName=http.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=nextcloud@docker rule="(Host(nextcloud.placeholder.local))"

Here are my configs:

docker-compose.yml:

version: '3'
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik_web
    command:
      - "--providers.docker"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik_web"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.http.http.redirections.entrypoint.to=https"
      - "--entrypoints.http.http.redirections.entrypoint.to.scheme=https"
      - "--entrypoints.https.address=:443"
      - "--log.level=DEBUG"
      - "--log.filePath=/logs/traefik.log"
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/dynamic_conf.yml:/dynamic_conf.yml
      - ./logs/:/logs/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
#      - "traefik.http.routers.traefik.rule=Host(`placeholder.local`)"
      - "traefik.http.routers.traefik.rule=HostRegexp(`placeholder.local`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users="
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
#      - "traefik.http.routers.traefik-secure.rule=Host(`placeholder.local`)"
      - "traefik.http.routers.traefik-secure.rule=HostRegexp(`placeholder.local`)"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "providers.file.filename=/dynamic_conf.yml"
      - "traefik.http.routers.traefik-secure.middlewares=secHeaders@file,traefik-auth"
networks:
  traefik_web:
    external: true

The traefik.yml:

log:
#  level: error
  level: debug
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: "./dynamic_conf.yml"
certificatesResolvers:
  http:
    acme:
      email: me@nextcloud
      storage: acme.json
      httpChallenge:
        entryPoint: http

dynamic_conf.yml:

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384
      sniStrict: true
http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        sslRedirect: true
        #HSTS Configuration
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"

The docker-compose for nextcloud looks like this:

version: '2'
services:
  app:
    image: nextcloud
    container_name: nextcloud
    restart: always
    ports:
      - 880:80
    links:
      - db
    volumes:
      - ./app:/var/www/html
      - ./logs:/var/www/html/data
      - ./data:/var/www/html/data
    environment:
      - TZ=Europe/Berlin
      - NC_default_phone_region=DE
      - NEXTCLOUD_ADMIN_USER=
      - NEXTCLOUD_ADMIN_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
      - APACHE_PORT=11000
      - APACHE_DISABLE_REWRITE_IP=1
      - NEXTCLOUD_TRUSTED_DOMAINS=
      - TRUSTED_PROXIES=traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=http"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.rule=(Host(`nextcloud.hostname.local`))"
      - "traefik.http.routers.nextcloud.service=nextcloud"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=880"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.regex=^/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement=/remote.php/dav/"
      - 'traefik.http.middlewares.nextcloud-dav.redirectRegex.permanent=true'

#      - 'traefik.http.middlewares.nextcloud-header.headers.referrerPolicy=no-referrer'
#      - 'traefik.http.middlewares.nextcloud-header.headers.stsSeconds=15552000'
#      - 'traefik.http.middlewares.nextcloud-header.headers.forceSTSHeader=true'
#      - 'traefik.http.middlewares.nextcloud-header.headers.stsPreload=true'
#      - 'traefik.http.middlewares.nextcloud-header.headers.stsIncludeSubdomains=true'
#      - 'traefik.http.middlewares.nextcloud-header.headers.browserXssFilter=true'
#      - 'traefik.http.middlewares.nextcloud-header.headers.customRequestHeaders.X-Forwarded-Proto=https'

  db:
    image: mariadb:10.6
    container_name: nextcloud-db
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - ./database:/var/lib/mysql
      - /tmp:/tmp
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

I don't believe it's a traefik issue, but I can't find the error.
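A way to see what the "Redirect loop detected" line above is reporting, as an added diagnostic that is not part of the original post: it follows the ACME challenge URL one redirect hop at a time and flags a loop. The simulated fetch, placeholder.local, the token and the apex-bounce behaviour it models are constructed assumptions; `http_fetch` does the same against a real host.

```python
# Trace the redirect chain an ACME HTTP-01 validator would follow for a
# challenge URL and flag loops. Added diagnostic, not from the original post.
import urllib.request, urllib.error
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first redirect so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url):
    """One request without following redirects; returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx are raised by urllib
        return err.code, err.headers

def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Follow Location headers by hand; a URL seen twice, or more than
    max_hops hops (assumed CA limit), is reported as a loop."""
    chain, seen, status = [url], {url}, None
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final_status": status, "loop": False}
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "final_status": status, "loop": True}
        seen.add(nxt)
    return {"chain": chain, "final_status": status, "loop": True}

def acme_path_ok(url, fetch=http_fetch):
    """True only if the challenge URL ends at a 200 without looping."""
    result = trace_redirects(url, fetch)
    return result["final_status"] == 200 and not result["loop"]

# Constructed model of the symptom in the log: the subdomain's challenge
# request is bounced to the apex host, which bounces it straight back.
TOKEN = "CONSTRUCTED_TOKEN"
SUB = "http://nextcloud.placeholder.local/.well-known/acme-challenge/" + TOKEN
APEX = "http://placeholder.local/.well-known/acme-challenge/" + TOKEN

def simulated_fetch(url):
    if url == SUB:
        return 301, {"Location": APEX}
    if url == APEX:
        return 301, {"Location": SUB}
    return 200, {}
```

Run `trace_redirects("http://nextcloud.placeholder.local/.well-known/acme-challenge/<token>")` against the real host to print the exact chain the CA saw.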

I had an idea to use the terms http/s for entrypoint names as well in the past but gave up for some reason. I don't remember exactly, but I think there was some naming clash… I think there is a reason for the web and web-secure naming in the traefik docs.

I would recommend you start with a very simple config, e.g. Docker, and add complexity once it works.

Look at my working config.

The second one is more current, and you can translate the thread if needed…