Placing Nextcloud behind HAProxy with SSL Passthrough

I was setting up a server for the company I work at that required both a Wordpress website as well as Nextcloud. Now of course, these services require much less thinking if you leave them on their native ports 80 and 443, and you don’t have to tell your employees to go to port 8443 to visit the company cloud! :stuck_out_tongue: That meant my solution was to do a reverse proxy, and I chose to do HAProxy. This is a good use case if you want to run separate services on different machines on the local network, VMs or containers. My rig is set up as follows:

OS: Ubuntu Server 16.04
LXD containers inside a ZFS pool
Here are my 3 containers:

  • Ubuntu 16.04 container using LAMP and Wordpress
  • Ubuntu 16.04 container using LAMP and Nextcloud
  • Ubuntu 16.04 container with just HAProxy

Install your SSL certificates on your Nextcloud and other machines (if you have them) to allow HAProxy to pass the SSL traffic to the server. There is an SSL Termination configuration available too, but these configurations only focus on the pass through configuration.

If you don’t know much about reverse proxies (like me), be sure to forward ports 80 and 443 on your router to your HAProxy container’s IP address since that machine will be handling the incoming traffic from the web and passing it to the backend. This configuration also utilizes the TLS SNI feature so specifying the ServerName in your apache (or nginx or whatever you’re using) configuration files.

In my case I am using Wordpress and Nextcloud, but you can use whatever you want following the template of these configurations.

log /dev/log    local0
log /dev/log    local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 4096
user haproxy
group haproxy

log     global
mode    tcp
option  tcplog
option  dontlognull
timeout connect 15s
timeout client  15s
timeout server  15s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend localhost80  #Front end for port 80, does a redirect to port 443
bind *:80
mode http
redirect scheme https code 301 if !{ ssl_fc }

frontend localhost443   #Listens on port 443
bind *:443
option tcplog
mode tcp

acl tls req.ssl_hello_type 1

tcp-request inspect-delay 5s
tcp-request content accept if tls

acl is_wordpress req.ssl_sni -i   # ACL specifying domain1
acl is_nextcloud req.ssl_sni -i                # ACL specifying domain2
acl is_nextcloud2 req.ssl_sni -i   # ACL specifying www.domain2

# I had to make a separate ACL for because that's my nextcloud's SNI, is the alias to it, had to specify both for it to work for me

use_backend nextcloud_cluster if is_nextcloud  #points the ACL to the backend
use_backend nextcloud_cluster if is_nextcloud2
use_backend wordpress_cluster if is_wordpress

backend wordpress_cluster
mode tcp

option ssl-hello-chk

# Provide your server's <ip_addr>:443. You can have many servers in your backend since HAProxy does loadbalancing
server is_wordpress check 

backend nextcloud_cluster
mode tcp

option ssl-hello-chk

server is_nextcloud check

Since HAProxy can also do load balancing, you can scale Nextcloud across multiple computers for load balancing. The Nextcloud documentation has a page on this which could come in handy if you need this

To start HAProxy, check to see if there are any instances of HAProxy running and kill them:

top -u haproxy

To start HAProxy, I ran this command:

/usr/sbin/haproxy -db -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pi

Hopefully this helps people out! I ended up having to sift through tens of different configurations to get my setup to work so YMMV, but this is what worked for me after about a week of head bashing


I’m providing an update for the folks who wish to do this with FreeBSD. I recently switched my environment to this Ubuntu setup to FreeBSD, and the differences are mild. First, make sure you have HAProxy installed. The config script will have a full path of /usr/local/etc/haproxy.conf. Also make sure you added the line haproxy_enable="YES" in your /etc/rc.conf file.

The config file will follow all the same configs, but for each backend, make sure you do NOT have option ssl-hello-chk.

Finally, FreeBSD has some really nice HAProxy integration. So, once you have your config file set up the way you like it, it’s as simple as running service haproxy start and you should be good!


this is really useful, thanks.

Could i ask what your proxy configuration in nextcloud config.php was?

Hi thetre97, this is all I have in my config.php file

<?php $CONFIG = array ( 'instanceid' => 'instance', 'passwordsalt' => '++salt', 'secret' => 'secret', 'trusted_domains' => array ( 0 => '', 1 => '', 2 => 'localhost', 3 => 'internal_ip', ), 'datadirectory' => '/var/nc_data', 'overwrite.cli.url' => '', 'dbtype' => 'mysql', 'version' => '', 'dbname' => 'nextcloud', 'dbhost' => 'localhost', 'dbport' => '', 'dbtableprefix' => 'oc_', 'dbuser' => 'adminuser', 'dbpassword' => 'passwd', 'logtimezone' => 'UTC', 'installed' => true, 'memcache.local' => '\\OC\\Memcache\\APCu', 'maintenance' => false, 'loglevel' => 1, 'mail_smtpmode' => 'smtp', 'theme' => '', );

okay, that looks similar to mine, however when I use your haproxy config file, it won’t connect to NC - just comes up with ‘This site can’t be reached’ although i can connect to other site within the config absolutely fine…
I read somewhere in the docs about having to add some proxy configs if you are putting it behind a load balancer etc, but when i added that in it didn’t work either… :confused: I am using Docker containers - you wouldn’t know if it’s something to do with that? Guess i will have to keep fiddling :slight_smile:
Be glad of any help from anyone…

I honestly don’t know anything about Docker containers. I would think Docker might make a difference. I’m using LXD containers for my solution (which is a lot like running on a bare metal server or VM). Perhaps you aren’t using the right port for your Docker container? Or (correct me if I’m wrong), doesn’t Docker do different ports each time? You may not even have to put your NC container behind a load balancer unless you are doing many instances of your Docker image. I did this originally to have services using ports 80 & 443 be able to sit on those same ports. I’d make certain your port numbers are correct on the same on HAProxy and your containers, and also make sure you have port forwarding enabled.

Thanks, works perfectly :slight_smile:

I’m happy to hear it helped you :slight_smile:

I know I am dredging up a long-dead thread but this seems to be a good place to cast a wider net on my issue and you seem to be a good person to direct my question :slight_smile:

I have almost the identical set-up (using LXD and HAProxy) but cannot get mine to work. Would you mind hopping on over to my issue and seeing if you see the culprit? Thank you!

Thanks a lot. This was a great help.
I downloaded the HAProxy Aloha VM trial version, deployed it on my virtual machine and configured it as you had above (from frontend onwards). Works a charm !

**~**$ /usr/sbin/haproxy -db -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pi

[ALERT] 341/232442 (13460) : Starting proxy http-in: cannot bind socket []

I am getting above message when I try to start haproxy…
I also tried specific ip address of the node. but same error

Is there another application already binding this interface?

possibly but not at port 80.

@vitachaos you have probably figured it out by now, but non-root users can’t bind to 0-1024 ports.
You need to start haproxy as root or you can change the lowest port unprivileged users can bind by
sysctl net.ipv4.ip_unprivileged_port_start=443
or by other means if you must start haproxy as unprivileged user.