Nextcloud in docker behind nginx as reverse proxy

Nextcloud version (eg, 12.0.2): 17.0.1
Operating system and version (eg, Ubuntu 17.04): Debian GNU/Linux 10 (docker)
Apache or nginx version (eg, Apache 2.4.25): 2.4.38 (docker)
PHP version (eg, 7.1): 7.3.12

Docker : nextcloud:apache
Reverse proxy : nginx in another docker (nginx:latest)
Nginx version (reverse proxy) : 1.17.1

The issue you are facing:

Hi, I did set up a Nextcloud (in a docker) behind a reverse proxy.
It mostly works, but some applications don’t (kee and talk so far).
For some reason, those apps are not redirected to the port they should be.
Instead, when I look at their URL, I see the internal port instead of the public one.

Is this the first time you’ve seen this error? : No. I have been having this problem for a while. Tried updating nextcloud. Still got the problem.

Steps to replicate it:

  1. Connect to nextcloud
  2. Click on kee
  3. I am redirected from https://nextcloud.mydomain.com to https://nextcloud.mydomain.com:10080 (10080 is my docker’s internal port). Which doesn’t work because nextcloud expects HTTP at this point. (The reverse proxy receives HTTPS).

The output of your Nextcloud log in Admin > Logging (follow link):

https://sebsauvage.net/paste/?0c846d77eb0cba17#4Vtp6pHWpmUcUEpzlncziVcq8PxcHdVLhL9ZRBLIFwA=

The output of your config.php file in /html/config (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'XXXXXXXXXXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXX',
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'pgsql',
  'version' => '16.0.3.0',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXXX',
  'instanceid' => 'ocabgit3ruvv',
);

The output of your mydomain.base.php file in /html/config (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
'default_language' => 'fr',
'default_locale' => 'fr',
'mail_domain' => 'mydomain.com',
'mail_from_address' => 'nextcloud',
);

The output of your mydomain.proxy.php file in /html/config (make sure you remove any identifiable information!):


<?php
$CONFIG = array (
  'overwritehost' => 'nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^51\\.75\\.199\\.137$',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
  'trusted_proxies' => 
    array (
      0 => 'nextcloud.mydomain.com',
      1 => '51.75.199.137',
    ),
  'forwarded_for_headers' => array('HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'X-Forwarded-For'),
    'trusted_domains' => 
    array (
      'nextcloud.mydomain.com',
    ),

);

The output of your docker log in docker logs (follow link):

https://sebsauvage.net/paste/?561df59d26b84df3#Af+8QqOvf0jsQFKvN4OdqTRVjAUZ9rRFXflQB1aVnuQ=

The config of nginx as a reverse proxy :

# Sources : 
#   https://docs.nextcloud.com/server/16/admin_manual/installation/nginx.html
#   https://docs.nextcloud.com/server/16/admin_manual/installation/harden_server.html


server {
  listen 80;
  server_name nextcloud.mydomain.com;

  return 301 https://$http_host$request_uri;

  access_log  /var/log/nginx/nextcloud_access.log;
  error_log   /var/log/nginx/nextcloud_error.log;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name nextcloud.mydomain.com;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ssl_certificate /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem; # managed by Certbot
  ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.mydomain.com/chain.pem;

  # Add headers to serve security related headers
  # Before enabling Strict-Transport-Security headers please read into this
  # topic first.
  #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  #
  # WARNING: Only add the preload option once you read about
  # the consequences in https://hstspreload.org/. This option
  # will add the domain to a hardcoded list that is shipped
  # in all major browsers and getting removed from this list
  # could take several months.
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Referrer-Policy no-referrer;

  # Remove X-Powered-By, which is an information leak
  fastcgi_hide_header X-Powered-By;

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location /.well-known/carddav {
    return 301 $scheme://$host/remote.php/dav;
  }

  location /.well-known/caldav {
    return 301 $scheme://$host/remote.php/dav;
  }

  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  location / {
    proxy_http_version 1.1;

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    proxy_pass_header   Server;
    # proxy_set_header    Host $host;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto $scheme;

    proxy_pass "http://nextcloud.mydomain.com:10080";
  }

  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
    deny all;
  }
  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }

  access_log  /var/log/nginx/nextcloud_access.log;
  error_log   /var/log/nginx/nextcloud_error.log;
}

Any suggestions? Anyone?

Happy new year, dear nextcloud problem. I hope you get solved in 2020.
Wish you luck!
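
The following is an added example, not part of the original post or of Nextcloud's code: a simplified Python model of how the posted nginx and `mydomain.proxy.php` settings combine into the base URL used for redirects. It assumes that, with `proxy_set_header Host` commented out, nginx sends its default `$proxy_host` (the name and port from `proxy_pass`), that `overwritehost`/`overwriteprotocol` apply only when the peer address matches `overwritecondaddr`, and that the container sees a Docker bridge address (`172.17.0.1`, constructed) rather than the public IP.

```python
import re

# Values from the post's mydomain.proxy.php and nginx "location /" block.
NC = {"overwritehost": "nextcloud.mydomain.com",
      "overwriteprotocol": "https",
      "overwritecondaddr": r"^51\.75\.199\.137$"}
PROXY_PASS = "http://nextcloud.mydomain.com:10080"


def upstream_host(proxy_pass, client_host, set_host=None):
    """Host header nginx sends upstream.

    With no `proxy_set_header Host ...`, nginx sends $proxy_host, i.e. the
    name and port written in proxy_pass, not the host the browser asked for.
    """
    if set_host == "$host":
        return client_host
    m = re.match(r"https?://([^/:]+)(?::(\d+))?", proxy_pass)
    name, port = m.group(1), m.group(2)
    return f"{name}:{port}" if port else name


def base_url(remote_addr, host_header, forwarded_proto, cfg=NC):
    """Simplified model of how Nextcloud picks scheme and host for redirects.

    overwritehost/overwriteprotocol apply only when REMOTE_ADDR (the peer the
    container sees) matches overwritecondaddr; otherwise the request's own
    Host and X-Forwarded-Proto are used.
    """
    cond = cfg.get("overwritecondaddr", "")
    if cond == "" or re.search(cond, remote_addr):
        return f"{cfg['overwriteprotocol']}://{cfg['overwritehost']}"
    return f"{forwarded_proto}://{host_header}"


def scenarios():
    public = "nextcloud.mydomain.com"
    bridge = "172.17.0.1"  # assumed peer address inside Docker (constructed)
    as_posted = upstream_host(PROXY_PASS, public)           # Host line commented out
    with_host = upstream_host(PROXY_PASS, public, "$host")  # Host line enabled
    return {
        "posted config, peer is bridge": base_url(bridge, as_posted, "https"),
        "posted config, peer matches condaddr": base_url("51.75.199.137", as_posted, "https"),
        "Host $host, peer is bridge": base_url(bridge, with_host, "https"),
    }


if __name__ == "__main__":
    for name, url in scenarios().items():
        print(f"{name:40} -> {url}")
```

Only the first scenario reproduces the `:10080` redirect described in the post, so the peer address the container actually logs is the value to compare against `overwritecondaddr`.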