Nextcloud migration to traefik failing, looking for help troubleshooting

I have a fully working install of nextcloud 18.0.3 hosted using docker-compose on a debian linux homeserver (versions etc. below), which I’m trying to migrate from a setup that uses an nginx self-signed certificate to lets-encrypt certificates served by traefik 1.7 (also running in a docker container) as wildcard domains. Traefik is working for a dozen or so other services on this server.

I’ve worked through forums here, on https://community.containo.us and on discourse.linuxserver.io and am fairly confident I’m working with the agreed correct docker-compose settings for my configuration.

It seems like something is going haywire with the forwarding. From what I can tell, traffic is getting passed from traefik to nginx, but not beyond to nextcloud for some reason. But I am really at a loss to tell what about this configuration is causing it. Any suggestions would be most welcome! Also happy to post additional logs/troubleshooting as needed.

Traefik config using docker-compose:

traefik:
    # Note: upgrade to traefik 2 requires major migration, so holding at 1.7 for now
    image: traefik:v1.7.19 # The official Traefik docker image
    container_name: traefik
    restart: always
    command: --api --docker --configFile=/traefik.toml # Enables the web UI and tells Traefik to listen to docker
    restart: unless-stopped
    networks:
      traefik_proxy:
    ports:
      - "80:80"     # The HTTP port
      - "443:443"   # HTTPS
    labels:
      - "traefik.enable=true"
      - "traefik.backend=traefik"
      - "traefik.frontend.rule=Host:traefik.mydns"
      - "traefik.port=8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
      - /opt/appdata/traefik/traefik.toml:/traefik.toml
      - /opt/appdata/traefik/acme.json:/acme.json
      - /opt/appdata/traefik/log:/log
    env_file:
      - /opt/traefik.env
nextcloud-mariadb:
    image: linuxserver/mariadb
    container_name: nextcloud-mariadb
    labels:
      - "traefik.enable=false"
    networks:
      nextcloud:
    volumes:
      - /opt/appdata/mariadb:/config
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=blahblahblah
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    networks:
      nextcloud:
      traefik_proxy:
    labels:
      - "traefik.backend=nextcloud"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.enable=true"
      - "traefik.frontend.rule=Host:[myNextcloudDomain]"
      - "traefik.port=80"
      - "traefik.protocol=http"
      - "traefik.frontend.headers.referrerPolicy=no-referrer"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=[myNextcloudDomain]"
      - "traefik.frontend.headers.SSLForceHost=true"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.customFrameOptionsValue=SAMEORIGIN"
    volumes:
      - /opt/appdata/nextcloud:/config
      - /mnt/disk1/nextcloud:/data
    ports:
      - "4003:443"
    restart: always
    depends_on:
      - nextcloud-mariadb
    links:
      - nextcloud-mariadb:mariadb
    environment:
      - PUID=${PUID}
      - PGID=${PGID}

The trouble is that whilst configured in this way, I can access the nextcloud server at https://192.168.1.x:4003 but attempting to access it at nextcloud.traefik.mydns fails with a 301 error.

Working from outside in:

Connections are registering in traefik logs:

/opt/appdata/traefik/log/traefik.log:time="2020-04-24T09:38:21Z" level=debug msg="vulcand/oxy/forward/http: Round trip: http://172.26.0.12:80, code: 301, Length: 169, duration: 167.469µs tls:version: 303, tls:resume:false, tls:csuite:c02f, tls:server:nextcloud.traefik.mydns"

/opt/appdata/traefik/log/traefik.log:time="2020-04-24T09:38:21Z" level=debug msg="vulcand/oxy/forward/http: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.26.0.12:80\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cdn-Loop\":[\"cloudflare\"],\"Cf-Connecting-Ip\":[\"87.75.107.138\"],\"Cf-Ipcountry\":[\"GB\"],\"Cf-Ray\":[\"588ed9d24fa7d21c-MAN\"],\"Cf-Request-Id\":[\"024d2677680000d21c2a268200000001\"],\"Cf-Visitor\":[\"{\\\"scheme\\\":\\\"https\\\"}\"],\"Connection\":[\"Keep-Alive\"],\"Cookie\":[\"__cfduid=db3762c0b7533d5ad1ecebf0ac937e4ba1566377128; _ga=GA1.2.616866650.1585847692; _gid=GA1.2.112496847.1587719409\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0\"],\"X-Forwarded-For\":[\"87.75.107.138\"],\"X-Forwarded-Proto\":[\"https\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"nextcloud.traefik.mydns\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"162.158.34.115:41264\",\"RequestURI\":\"/\",\"TLS\":null}"

/opt/appdata/traefik/log/traefik.log:time="2020-04-24T09:38:21Z" level=debug msg="vulcand/oxy/forward: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"172.26.0.12:80\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cdn-Loop\":[\"cloudflare\"],\"Cf-Connecting-Ip\":[\"87.75.107.138\"],\"Cf-Ipcountry\":[\"GB\"],\"Cf-Ray\":[\"588ed9d24fa7d21c-MAN\"],\"Cf-Request-Id\":[\"024d2677680000d21c2a268200000001\"],\"Cf-Visitor\":[\"{\\\"scheme\\\":\\\"https\\\"}\"],\"Connection\":[\"Keep-Alive\"],\"Cookie\":[\"__cfduid=db3762c0b7533d5ad1ecebf0ac937e4ba1566377128; _ga=GA1.2.616866650.1585847692; _gid=GA1.2.112496847.1587719409\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0\"],\"X-Forwarded-For\":[\"87.75.107.138\"],\"X-Forwarded-Proto\":[\"https\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"nextcloud.traefik.mydns\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"162.158.34.115:41264\",\"RequestURI\":\"/\",\"TLS\":null}"

/opt/appdata/traefik/log/traefik.log:time="2020-04-24T09:38:21Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cdn-Loop\":[\"cloudflare\"],\"Cf-Connecting-Ip\":[\"87.75.107.138\"],\"Cf-Ipcountry\":[\"GB\"],\"Cf-Ray\":[\"588ed9d24fa7d21c-MAN\"],\"Cf-Request-Id\":[\"024d2677680000d21c2a268200000001\"],\"Cf-Visitor\":[\"{\\\"scheme\\\":\\\"https\\\"}\"],\"Connection\":[\"Keep-Alive\"],\"Cookie\":[\"__cfduid=db3762c0b7533d5ad1ecebf0ac937e4ba1566377128; _ga=GA1.2.616866650.1585847692; _gid=GA1.2.112496847.1587719409\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0\"],\"X-Forwarded-For\":[\"87.75.107.138\"],\"X-Forwarded-Proto\":[\"https\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"nextcloud.traefik.mydns\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"162.158.34.115:41264\",\"RequestURI\":\"/\",\"TLS\":null}"

(note I am obfuscating IP and DNS as best practice here)

You can see docker config above.

Nextcloud log shows no entries at all relating to my attempts to connect whilst in this new configuration.

Output of config.php file in /nginx

## Version 2018/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

   	#upstream php-handler {
     	#   server nextcloud:9000;
    	#}

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;

}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
daemon off;

And nginx/site-confs/default

upstream php-handler {
    server 127.0.0.1:9000;
}
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;
    root /config/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}

The output of your nginx access log:

172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:14 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
172.26.0.4 - - [24/Apr/2020:12:53:15 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"

No relevant entries in nginx error log.

Basic system properties:

Nextcloud version: 18.0.3
Operating system and version: Debian 4.9.130-2
Docker version 19.03.8, build afacb8b7f0
docker-compose version 1.23.2, build 1110ad01
Using linuxserver.io container here: https://hub.docker.com/r/linuxserver/nextcloud

Also worth noting that this seems to be an issue that others are experiencing: See traefik forum post here and linuxserver-io post here.

your nextcloud container redirects ports 80 to 443.

but traefik wants to talk http with port80.

use a plan vanilla port 80 nginx conf. example:

1 Like

That was exactly it. In case other users wander onto this thread and wonder, I removed the following lines from nginx/site-confs/default:

    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;

Also worth noting (and thanks for the sample config @Reiner_Nippes!) that it was necessary to remove $server_port from both carddav and caldav location = lines to be sure that it didn’t erroneously specify port 80 against traefik.

1 Like

sorry to necro this post, but I’m having the exact issue described. I’m trying to run it on 443 to no avail, for some reason it redirects me to the root domain.

I’ve given up trying and researching so I guess I’m here. I copied your steps, but still nothing.

Okay, so weird. Works on one domain I own, but not the one I want the Nextcloud on.

That works like charm, thanks much for the solution