Nextcloud with Nginx reverseproxy same docker host

Zamb · March 18, 2024, 2:43pm

Hello,

I have an issue when trying to access the Nextcloud AIO installation from a Nginx reverse proxy running on the same machine.

I follow the docs at:

github.com

nextcloud/all-in-one/blob/main/reverse-proxy.md#1-configure-the-reverse-proxy

# Reverse Proxy Documentation

A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a web server that enables computers on the internet to access a service in a [private subnet](https://en.wikipedia.org/wiki/Private_network).

**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **not** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface).

In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example `APACHE_PORT` which will be exposed on the host to receive unencrypted HTTP traffic from the reverse proxy. **Advice:** If you need https between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of https proxying (most likely via self-signed cert). Another option is to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection.

**Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4:
1. **Configure the reverse proxy! See [point 1](#1-configure-the-reverse-proxy)**
1. **Use this startup command! See [point 2](#2-use-this-startup-command)**
1. Optional: If the reverse proxy is installed on the same host and in the host network, you should limit the apache container to only listen on localhost. See [point 3](#3-limit-the-access-to-the-apache-container)
1. **Open the AIO interface. See [point 4](#4-open-the-aio-interface)**
1. Optional: Get a valid certificate for the AIO interface! See [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface)
1. Optional: How to debug things? See [point 6](#6-how-to-debug-things)

**Please note:** Since the Apache container gets created by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail! Only the documented way will work!

## 1. Configure the reverse proxy

This file has been truncated. show original

Section 1.3: 1. On the same server in a Docker container
I dont want to put the Nginx container on the network:host so I go for the: host.docker.internal:host-gateway.

From the Nginx container I run this to test connectivity:

# curl -v http://host.docker.internal:11000
*   Trying 172.17.0.1:11000...
* connect to 172.17.0.1 port 11000 failed: Connection timed out

nginx container have IP: 172.23.0.3
nextcloud-aio-nextcloud have IP: 172.20.0.11

They are on different networks. What do I miss in the documentation?

Thanks for advices!

szaimen · March 18, 2024, 2:56pm

Hi, can you follow all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub?

Zamb · March 18, 2024, 3:29pm

If I change Nextcloud to use network: host it works as expected. So the issue is I have Nginx and Nextcloud in different networks.

Zamb · March 19, 2024, 9:12am

The Reverse Proxy documentation seems to be valid when Nginx and Nextcloud are in the same Docker network. In my case I have Nginx and Nextcloud in different docker-compose project on the same Docker host.

As I understand it:
I cannot directly reference a default network created by one Docker Compose file from another Docker Compose file.

Maybe I shall manually the networks and assign it to the containers?

szaimen · March 19, 2024, 9:42am

Can you post the compose or docker run command here that you used?

Zamb · March 19, 2024, 10:29am

Yes! Here are the important things.

This is the Nextcloud AIO nextcloud/docker-compose.yaml -file:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    container_name: nextcloud-aio-mastercontainer
    restart: always
    ports:
      - '8080:8080'
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - NEXTCLOUD_DATADIR=/mnt/data-nextcloud
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

Here is the compose-file for the web-frontend with Nginx as reverseproxy nextcloud/docker-compose.yaml:

services:
  nginx:
    container_name: webfront_nginx
    image: nginx:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - nginx:/etc/nginx/conf.d
      - certbot_conf:/etc/letsencrypt
      - certbot_www:/var/www/certbot
    command:     .... Excluded ....
#    network_mode: host # - I try to avoid this.

  certbot:
    container_name: webfront_certbot
    .... Excluded ....

volumes:
  nginx:
  certbot_conf:
  certbot_letsencrypt:
  certbot_www:

From the Nginx config for my domain:

....
location / {
        proxy_pass http://[docker-host-ip-works-when-network-is-set-to-host]:11000$request_uri;
....

Edit:
The network configuration from Portainer:

Edit 2:

When I add the network nextcloud-aio to the container webfront_nginx I’m able to reach nextcloud-aio-apache from webfront_nginx:
eg. curl http://nextcloud-aio-apache:11000 -v

Maybe that is what I have to do, but I don’t know how to add it to my nextcloud/docker-compose.yaml-file?

Thanks for advices.

Zamb · March 25, 2024, 8:49pm

Do you have any advice on how I should approach this? Thanks!

dugite-code · March 26, 2024, 1:54am

One method I currently use is to create an external network “manually” (Actually via ansible) and then link both Nginx and Netcloud together.

docker network create -d bridge nextcloud

services:
  web-nginx:
    container_name: nginx
    image: nginx:latest
    restart: unless-stopped
[...]
    networks:
      - nextcloud
      - homeassistant

networks:
  nextcloud:
    name: nextcloud
    external: true
  homeassistant:
    name: homeassistant
    external: true

It’s ugly and I’m certain there MUST be a better method to allow using multiple docker-compose files but this works now so I haven’t researched it extensively.

*EDIT: the reason I’m manualy creating the network and using external: true in both nginx and nextcloud is to avoid issues where the network may not exist yet.

Note: when referencing the docker container name in your proxy pass you can set the docker resolver and use variables. This makes sure nginx will resolve the name on access rather on the proxy start-up, otherwise nginx will complain the domain can’t be resolved if the nextcloud container is down and fail to start.

    resolver 127.0.0.11 valid=10s; #Docker resolver with short valid time
    set $upstream_app nextcloud_notify; #Docker container name
    set $upstream_port 7867;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

Zamb · March 28, 2024, 2:35pm

There are several possible approaches here. One option could be to configure the Nginx container to use the host network by setting network: host .

This way, you wouldn’t need to manually add all Docker networks from various containers (such as Nextcloud and other web applications you want to access through the Nginx proxy) to the Nginx container.

I tend to use the host network.