Hi,
Sorry if this is a repeated question, but I have been trying to solve this installation problem for weeks and have not been able to find a good solution yet. (I am a newbie, so bear in mind that I may use wrong terminology or make obvious mistakes :D)
I am using docker compose to install Nextcloud AIO on QNAP. It is going to be run behind a reverse proxy (NGINX). I followed all the steps explained in the Nextcloud documentation about installing behind a reverse proxy (or at least I think I did). On QNAP, in order for my NGINX to be accessible through the internet, I have to use the qnet network, so I built another one (bridge mode) to communicate with Nextcloud. So I could not use host mode to give 127.0.0.1 for my Apache. Here is my docker compose file:
version: '3'
services:
  nextcloud:
    container_name: nextcloud-aio-mastercontainer
    image: nextcloud/all-in-one:latest
    restart: always
    init: true
    # network_mode: host
    ports:
      - 8090:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 9443:443
    environment:
      SKIP_DOMAIN_VALIDATION: true
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      APACHE_IP_BINDING: 0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      NEXTCLOUD_DATADIR: /mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      # NEXTCLOUD_UPLOAD_LIMIT: 10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      # NEXTCLOUD_MEMORY_LIMIT: 512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
      # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - internal_route
  proxy:
    image: "nginx:1.27.1"
    restart: unless-stopped
    networks:
      - qnet-dhcp
      - internal_route
    ports:
      - "8180:80"
      - "18443:443"
    volumes:
      - ./myproject/ssl_conf.conf:/etc/nginx/nginx.conf
      - ./certs:/etc/nginx/certs
volumes:
  pgdata:
  static_data:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
networks:
  qnet-dhcp:
    driver: qnet
    driver_opts:
      iface: "eth1"
    ipam:
      driver: qnet
      options:
        iface: "eth1"
  internal_route:
    driver: bridge
And this is my config file for my NGINX:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name cloud.mydomain.com;
        location / {
            return 301 https://$host$request_uri;
        }
    }
    server {
        listen 443 ssl;
        server_name cloud.mydomain.com;
        location / {
            proxy_pass http://nextcloud-aio-mastercontainer:11000$request_uri;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Scheme $scheme;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Accept-Encoding "";
            proxy_set_header Host $host;
            client_body_buffer_size 512k;
            proxy_read_timeout 86400s;
            client_max_body_size 0;
            # Websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
        ssl_certificate /etc/nginx/certs/mysslcert.pem;
        ssl_certificate_key /etc/nginx/certs/mysslprivate.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
    }
}
And my NGINX log is:
2024/09/23 00:10:38 [error] 32#32: *5 no resolver defined to resolve nextcloud-aio-mastercontainer, client: 172.69.23.20, server: cloud.mydomain.com, request: "GET / HTTP/1.1", host: "cloud.mydomain.com"
172.69.23.20 - - [23/Sep/2024:00:10:38 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0" "xx.xxx.xxx.xxx"
Keep in mind that I am running other services in the same docker compose file and NGINX can resolve their hostnames properly; Nextcloud is the only one it cannot.
Also my nextcloud log is:
Trying to fix docker.sock permissions internally...
Adding internal www-data to group root
Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!
If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
https://your-domain-that-points-to-this-server.tld:8443
[Sun Sep 22 23:59:30.905351 2024] [mpm_event:notice] [pid 134:tid 134] AH00489: Apache/2.4.62 (Unix) OpenSSL/3.3.1 configured -- resuming normal operations
[Sun Sep 22 23:59:30.905706 2024] [core:notice] [pid 134:tid 134] AH00094: Command line: 'httpd -D FOREGROUND'
[22-Sep-2024 23:59:30] NOTICE: fpm is running, pid 140
[22-Sep-2024 23:59:30] NOTICE: ready to handle connections
{"level":"info","ts":1727049570.9967988,"msg":"using config from file","file":"/Caddyfile"}
{"level":"info","ts":1727049570.998994,"msg":"adapted config to JSON","adapter":"caddyfile"}
I will be grateful if someone can help me.
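The `no resolver defined` error in the log above is what nginx reports when a `proxy_pass` value contains a variable (here `$request_uri`) together with a hostname: the name is then looked up per request and needs a `resolver` directive. The fragment below is an added example, not part of the original post, showing the post's HTTPS server block with a resolver set. It assumes nginx runs in a container on a user-defined Docker network, where Docker's embedded DNS listens on 127.0.0.11, and it keeps the upstream name and port exactly as written in the post.

```nginx
# Added example: replaces the "listen 443 ssl" server block inside http { }.
# Before (from the post), with no resolver in scope:
#   proxy_pass http://nextcloud-aio-mastercontainer:11000$request_uri;
#   -> "no resolver defined to resolve nextcloud-aio-mastercontainer", HTTP 502

server {
    listen 443 ssl;
    server_name cloud.mydomain.com;

    # Docker's embedded DNS, reachable only from inside containers attached to
    # user-defined networks. Keeping lookups on this address means internal
    # container names are never sent to an off-host resolver.
    resolver 127.0.0.11 valid=10s ipv6=off;
    resolver_timeout 5s;

    location / {
        # Unchanged from the post. Assumption: whichever container listens on
        # port 11000 is attached to a Docker network that nginx is also on,
        # otherwise the name resolves to nothing reachable.
        proxy_pass http://nextcloud-aio-mastercontainer:11000$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate     /etc/nginx/certs/mysslcert.pem;
    ssl_certificate_key /etc/nginx/certs/mysslprivate.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

A `proxy_pass` with a literal hostname and no variable is resolved once at startup through the system resolver, which is why the same kind of name can work in one location and fail in another. Running `nginx -t` inside the proxy container checks the syntax before reloading.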