Nextcloud Docker + Synology reverse proxy: HTTPS not recognized, CalDAV 405, redirect loop with overwriteprotocol

The Basics

  • Nextcloud Server version: 33.0.2

  • Operating system: Synology DSM 7 (Linux)

  • Web server: Apache (inside Nextcloud Docker container)

  • Reverse proxy: Synology DSM built-in reverse proxy (nginx-based)

  • PHP version: 8.4.20

  • Is this the first time you’ve seen this error? No

  • When did this problem first start? From initial setup

  • Installation method: Docker (official Nextcloud image + MariaDB via docker-compose)

  • Are you using Cloudflare, mod_security, or similar? No


Summary of the issue:

Nextcloud is running in Docker on a Synology DS225+ behind the Synology built-in reverse proxy. External HTTPS access works fine in the browser, but Nextcloud does not recognize the HTTPS protocol correctly. This causes:

  1. Nextcloud admin panel shows “HTTPS not configured” warning

  2. DAVx⁵ on Android gets HTTP 405 on CalDAV endpoint (workaround: use /remote.php/dav in URL)

  3. iPhone CalDAV with SSL fails completely

  4. Setting overwriteprotocol = https causes ERR_TOO_MANY_REDIRECTS on local access


Steps to replicate:

  1. Set overwriteprotocol = https via occ config:system:set

  2. Try to access Nextcloud locally via http://192.168.x.x:8080

  3. ERR_TOO_MANY_REDIRECTS occurs

  4. Remove overwriteprotocol — local access works again but HTTPS warning returns


Configuration

Nextcloud config:list system output:

{
    "system": {
        "trusted_domains": [
            "192.168.x.x:8080",
            "yournas.synology.me",
            "192.168.x.x"
        ],
        "overwrite.cli.url": "https://yournas.synology.me",
        "trusted_proxies": ["172.19.0.0/16", "127.0.0.1"],
        "overwritehost": "yournas.synology.me",
        "forwarded_for_headers": ["HTTP_X_FORWARDED_FOR"],
        "overwritecondaddr": "^172\\.19\\.0\\.[0-9]+$",
        "maintenance_window_start": "1",
        "default_phone_region": "NL",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "dbtype": "mysql"
    }
}

Synology reverse proxy headers:

X-Forwarded-Proto: https
X-Forwarded-Host: yournas.synology.me
X-Forwarded-Port: 443
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,MKCOL,PROPFIND,PROPPATCH,COPY,MOVE,REPORT,OPTIONS

Reverse proxy rule:

Source: HTTPS yournas.synology.me:443
Destination: HTTP localhost:8080

Docker network:

Subnet: 172.19.0.0/16
Gateway: 172.19.0.1

What I’ve tried:

  • Setting trusted_proxies to 172.17.0.0/16 (wrong subnet), corrected to 172.19.0.0/16

  • Setting overwritecondaddr to match Docker subnet ^172\.19\.0\.[0-9]+$ — still causes redirect loop

  • Adding all X-Forwarded-* headers in Synology reverse proxy

  • Using /remote.php/dav suffix in DAVx⁵ URL — resolves 405 but only without overwriteprotocol


Question:

How do I correctly configure Nextcloud behind the Synology DSM reverse proxy so that:

  1. HTTPS is recognized correctly by Nextcloud (no “HTTPS not configured” warning)

  2. Local HTTP access still works without redirect loop

  3. CalDAV works for both DAVx⁵ (Android) and iPhone via SSL

  4. overwriteprotocol = https can be set without causing redirect loops

Any help is greatly appreciated!


Hello @AdOtjuh, welcome to the Nextcloud community! :handshake:

Please open dev tools (F12) and review the destination of the redirect. Often it helps to understand the reason for the wrong redirect.

IMO this setting is always causing trouble.. try to remove it..

Highly recommend to avoid this. It only causes trouble in many situations like different URLs for internal vs external view - see topics tagged local_network. Better use the public domain internally as well: 101: Split-Brain DNS (split-horizon)

Hi Willi,
Thank you so much for welcoming me and for your kind reply. Especially the Split-Brain DNS suggestion was very helpful! But I’m not there yet.


Update on my issue:

Here’s what I’ve done and the current situation:

What I did:

  1. Installed AdGuard Home in Docker on the NAS

  2. Added DNS rewrite: xxx.synology.me → 192.168.x.xxx (internal NAS IP)

  3. Configured Windows laptop to use NAS IP as DNS server (had to disable IPv6 on Wi-Fi adapter)

  4. Added a second reverse proxy rule in Synology DSM:

    • Nextcloud1: http://xxx.synology.me:80 → http://localhost:8080

    • Nextcloud: https://xxx.synology.me:443 → http://localhost:8080

Current situation:

  • Split-Brain DNS works — xxx.synology.me resolves to internal NAS IP from local network :white_check_mark:

  • https://xxx.synology.me works in browser from local network :white_check_mark:

  • https://xxx.synology.me works externally (mobile data) :white_check_mark:

  • CalDAV via DAVx⁵ works with https://xxx.synology.me/remote.php/dav :white_check_mark:

Remaining problem:

Setting overwriteprotocol = https still causes ERR_TOO_MANY_REDIRECTS even with Split-Brain DNS working. The Nextcloud admin panel still shows “HTTPS not configured” warning.

Current config.php relevant settings:

'trusted_proxies' => ['172.19.0.0/16', '127.0.0.1'],
'overwritehost' => 'xxx.synology.me',
'overwrite.cli.url' => 'https://xxx.synology.me',
'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR'],
'overwritecondaddr' => removed as suggested

Question:

With Split-Brain DNS now working and both HTTP and HTTPS reverse proxy rules in place, how can I correctly set overwriteprotocol = https without causing a redirect loop? Is there something specific about the Synology reverse proxy that prevents this from working correctly?


Additional note about router limitations:

The KPN Box 12 router (Dutch ISP router) does not allow changing the primary DNS server in DHCP settings. The primary DNS is locked to the router’s own IP (192.168.x.xxxx) and the secondary DNS field is not editable.

As a workaround I had to:

  • Install AdGuard Home in Docker on the NAS

  • Manually configure DNS per device (disabled IPv6 on Wi-Fi adapter on Windows laptop to force IPv4 DNS usage)

  • This means Split-Brain DNS currently only works on devices where DNS is manually configured

Is there a better solution for this router limitation, such as using AdGuard Home as DHCP server instead of the router? And would that help solve the overwriteprotocol issue?

Thank you very much in advance for helping me in the right direction.

Kind regards Alexander

There are many issues. I would proceed in the following order:

  1. ensure your https://xxx.synology.me address works both internally and externally (with custom DNS, hosts file etc) - should be ok now per your last post
  2. clean up reverse proxy config:

this might be an issue: a service cannot serve two different variants (http and https) on the same port

I would only setup 1 https rule and configure http → https redirect (in the reverse proxy).

  3. “too many redirects”
  • you didn’t share F12 findings
  • likely comes from bad reverse proxy config. Usually Nextcloud relies on HTTP_X_ headers, and overwrite* settings are only a backup/hard-coded setting to let the system know it runs behind a reverse proxy but cannot detect its real config. Likely headers are missing or not trusted - review 101: reverse proxy, also look for real-ip and follow my little cumbersome writeup Apache Docker behind reverse proxy
  4. router config - I have no clue about Adguard but I know Pihole can do DHCP (likely not very easy with Docker). In my setup I did it the other way round - I configured my internal DNS as upstream/provider DNS in my router. You have to try a bit to avoid DNS loops (internal DNS) but in the end it works without touching clients.
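
Added illustration, not part of the original posts and not Nextcloud's own code: a simplified Python model of how `overwriteprotocol`, `overwritecondaddr` and an `X-Forwarded-Proto` header from a trusted proxy decide which protocol the server assumes for a request. The config values are the ones from the first post; the `REMOTE_ADDR` values (the Docker gateway for proxied traffic, a constructed LAN client 192.168.1.50) are assumptions.

```python
import ipaddress
import re

# Values copied from the config:list output in the first post.
CONFIG = {
    "trusted_proxies": ["172.19.0.0/16", "127.0.0.1"],
    "overwriteprotocol": "",
    "overwritecondaddr": r"^172\.19\.0\.[0-9]+$",
}

def from_trusted_proxy(remote_addr, cfg):
    """True if the peer PHP sees (REMOTE_ADDR) is inside trusted_proxies."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(p, strict=False)
               for p in cfg["trusted_proxies"])

def overwrite_applies(remote_addr, cfg):
    """An empty overwritecondaddr means the overwrite is unconditional."""
    cond = cfg.get("overwritecondaddr", "")
    return cond == "" or re.search(cond, remote_addr) is not None

def effective_protocol(remote_addr, headers, cfg, tls_on_backend=False):
    """Protocol the server would assume for one request (simplified model)."""
    if cfg.get("overwriteprotocol") and overwrite_applies(remote_addr, cfg):
        return cfg["overwriteprotocol"]
    proto = headers.get("X-Forwarded-Proto")
    # Forwarded headers count only when the peer is a trusted proxy.
    if proto and from_trusted_proxy(remote_addr, cfg):
        first = proto.split(",")[0].strip().lower()
        return "https" if first == "https" else "http"
    return "https" if tls_on_backend else "http"

# Constructed sample requests: (label, assumed REMOTE_ADDR, request headers).
SAMPLES = [
    ("via DSM proxy", "172.19.0.1", {"X-Forwarded-Proto": "https"}),
    ("direct LAN, plain HTTP", "192.168.1.50", {}),
    ("LAN client forging header", "192.168.1.50", {"X-Forwarded-Proto": "https"}),
]

def report(cfg):
    return {label: effective_protocol(addr, hdrs, cfg)
            for label, addr, hdrs in SAMPLES}

if __name__ == "__main__":
    print(report(CONFIG))
    # Same requests with an unconditional overwrite (no overwritecondaddr).
    print(report({**CONFIG, "overwriteprotocol": "https", "overwritecondaddr": ""}))
```

In this model an unconditional `overwriteprotocol` makes every request count as HTTPS, including one that arrived directly over plain HTTP, while the header-based path honours `X-Forwarded-Proto` only from an address inside `trusted_proxies`.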

Hi Willi,

Thank you so much for your help! With your guidance we made significant progress. Here’s an update on where we stand:

What’s working now:

  • remoteip.conf with RemoteIPInternalProxy directives mounted in the Docker container — this was the key fix!

  • overwriteprotocol = https now works without redirect loops

  • https://xxx.synology.me works correctly both externally and in the browser locally

  • HSTS enabled in Synology reverse proxy

  • All Nextcloud admin warnings are gone!!

  • DAVx⁵ on Android works correctly with CalDAV

Remaining issues:

1. Split-Brain DNS on Windows laptop

The KPN Box 12 router does not allow changing DNS settings. We installed AdGuard Home in Docker and configured a DNS rewrite (xxx.synology.me → 192.168.x.xxx). This works via IPv4 but Windows uses IPv6 DNS (from the router) which has priority and returns the external Synology IP.

Current workaround: added a hosts file entry on the Windows laptop. This works for the browser but is not ideal for all devices.

2. iPhone CalDAV with SSL

The iPhone shows “server identity not verified” and presents a KPN certificate instead of the Let’s Encrypt certificate when trying to connect via xxx.synology.me with SSL. This is likely related to the IPv6 issue — the iPhone connects via IPv6 which goes through the KPN router.

Without SSL the iPhone CalDAV works fine using the internal IP address.

Questions:

  1. Is there a better solution for Split-Brain DNS when the router doesn’t allow DNS changes? You mentioned configuring internal DNS as upstream in the router — could you elaborate on how to do this with AdGuard Home and the KPN Box 12?

  2. How can we solve the iPhone IPv6 issue so that the Let’s Encrypt certificate is presented correctly instead of the KPN certificate?

Thanks again for all your help — we wouldn’t have gotten this far without you.

Best regards,
Alexander

If the router doesn’t allow DNS changes you are lost.. the only solution would be another DHCP server.. what I mentioned - use your Adguard as “provider” DNS of your router if possible. This way the router resolves everything from Adguard.. Look at this guide section “Pi-Hole as upstream of your router”

I think you are using your router's public IP as the AAAA record, which is not right - it must be the effective public IPv6 address of the server. This brings some challenges with dynamic IPs but that’s another story. Maybe this helps: NC not reachable over Domain (IPv6) - #2 by wwe