Nextcloud docker instance, default install no SSL cert inside cloudflare https tunnel

Hello,
I tried to install Nextcloud using docker compose and run it inside a cloudflared tunnel. I have set the incoming port to Docker to 8765.
I can access the dashboard after disabling Rocket Loader and Zaraz on Cloudflare, but I have problems accessing the dashboard from the Nextcloud Android app. (HTTPS STRICT error)
I tried to use Traefik to proxy the Nextcloud Docker local HTTPS but it did not work either.

Can anyone guide me? Thanks in advance.

This is my docker compose

version: '3.8'

volumes:
  nextcloud:
  db-cloud:
  letsencrypt:

services:
  db-cloud:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db-cloud:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=passwd_change_me
      - MYSQL_PASSWORD=passwd_change_me
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    networks:
      - nextcloud_network

  nextcloud:
    image: nextcloud
    restart: always
    environment:
      - MYSQL_PASSWORD=passwd_change_me
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db-cloud
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.hamradio.my`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true" # Enable TLS
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80" # Nextcloud port
    networks:
      - nextcloud_network

  traefik:
    image: traefik:v2.10
    container_name: traefik
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"      # HTTP Entry Point
      - "--certificatesresolvers.myresolver.acme.httpChallenge.entryPoint=web"
      - "--certificatesresolvers.myresolver.acme.email=9m2pju@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "8765:80"    # Map external port 443 for HTTPS
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/letsencrypt"
    networks:
      - nextcloud_network

networks:
  nextcloud_network:

I’m not sure whether you only provided part of the config, but from what you posted there is a mismatch in the config. Your Nextcloud router listens on entrypoint websecure, but there is no such entrypoint in the Traefik config.

Additionally, I don’t get your Traefik config. You map external port 8765 to entrypoint web, but according to the comment you expect it to be HTTPS? I would recommend against non-default ports as these are often blocked at the network layer (I’m not even sure the ACME challenge works on non-default ports).

In general you need 2 entrypoints, for plain HTTP and HTTPS… while HTTP could redirect to HTTPS (but is still required for the ACME DNS challenge), and you need to expose both as ports as well.
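
The entrypoint mismatch pointed out in the reply can be caught mechanically before deploying. The following is an added example, not code from either poster or from the Traefik project: a small Python check that compares the entrypoints referenced by router labels and ACME HTTP-challenge flags against the entrypoints Traefik actually defines. The excerpt is copied from the compose file in the question; the function name `check_entrypoints` and the regex-based parsing are assumptions of this sketch.

```python
import re

# Labels and Traefik flags excerpted from the compose file in the question.
COMPOSE_EXCERPT = """\
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.hamradio.my`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.myresolver.acme.httpChallenge.entryPoint=web"
"""

# Entrypoints Traefik defines: --entrypoints.<name>.address=...
ENTRYPOINT_FLAG = re.compile(r"--entrypoints\.([\w-]+)\.address=", re.I)
# Entrypoints a router asks for: traefik.http.routers.<router>.entrypoints=a,b
ROUTER_LABEL = re.compile(
    r"traefik\.http\.routers\.([\w-]+)\.entrypoints=([\w,-]+)", re.I)
# Entrypoint the ACME HTTP challenge is bound to.
ACME_ENTRYPOINT = re.compile(
    r"--certificatesresolvers\.([\w-]+)\.acme\.httpchallenge\.entrypoint=([\w-]+)",
    re.I)


def check_entrypoints(text):
    """Return one finding per reference to an entrypoint that is never defined."""
    # Names are compared case-insensitively (a simplification in this sketch).
    defined = {m.group(1).lower() for m in ENTRYPOINT_FLAG.finditer(text)}
    findings = []
    for router, names in ROUTER_LABEL.findall(text):
        for name in (n.strip().lower() for n in names.split(",")):
            if name and name not in defined:
                findings.append(
                    f"router '{router}' uses undefined entrypoint '{name}'")
    for resolver, name in ACME_ENTRYPOINT.findall(text):
        if name.lower() not in defined:
            findings.append(
                f"resolver '{resolver}' HTTP challenge uses undefined entrypoint '{name}'")
    return findings


if __name__ == "__main__":
    for finding in check_entrypoints(COMPOSE_EXCERPT):
        print(finding)
```

Run against the posted configuration, it reports the `nextcloud` router's reference to `websecure`; the finding disappears once a `--entrypoints.websecure.address=:443` flag is present.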