Self test fails behind HAProxy but everything else works

Nextcloud version (eg, 29.0.5): 30.0.1
Operating system and version (eg, Ubuntu 24.04): Ubuntu 24.04.1 LTS
Apache or nginx version (eg, Apache 2.4.25): nginx/1.24.0 (Ubuntu)
PHP version (eg, 8.3): 8.3

Self test fails in Settings → Admin → Overview. Takes a long time and ends up with message Server check error.

Is this the first time you’ve seen this error? (Y/N): Y

The output of your Nextcloud log in Admin > Logging: cleared under fresh install and remaining empty.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '-',
  'secret' => '-',
  'trusted_domains' =>
  array (
    0 => 'my.ext.ip.addr',
    1 => 'cloud.mydomain.tld',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '30.0.1.2',
  'overwrite.cli.url' => 'https://cloud.mydomain.tld',
  'dbname' => 'nextclouddb',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextclouddbuser',
  'dbpassword' => '-',
  'installed' => true,
  'instanceid' => '-',
  'overwritehost' => 'cloud.mydomain.tld',
  'maintenance' => false,
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'trusted_proxies' =>
  array (
    0 => 'haproxy.int.ip.addr',
  ),
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'cloud',
  'mail_domain' => 'mydomain.tld',
  'overwriteprotocol' => 'https',
  'logtimezone' => 'Europe/City',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => '0',
    'password' => '-',
    'timeout' => '0.5',
    'dbindex' => '1',
  ),
);

The output of your Apache/nginx/system log in /var/log/____:

- - [03/Nov/2024:11:16:12 +0100] cloud.mydomain.tld "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" 0.052
- - [03/Nov/2024:11:16:42 +0100] cloud.mydomain.tld"GET /settings/ajax/checksetup HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" 60.014
- - [03/Nov/2024:11:16:42 +0100] cloud.mydomain.tld "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0" 0.054

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

Error while checking the server setup

Hi @recode and welcome to the community

This array should not contain an IP address, only FQDNs.

So remove 0 => 'my.ext.ip.addr', and change 1 => to 0 =>.

The first entry should read 0 => 'cloud.mydomain.tld',
A second entry could be 1 => 'othername.mydomain.tld',
or
it could be 1 => 'cloud.mydomain.mydnsprovider.xyz',

See also 101: Network, domain and DNS

Thank you very much, I corrected that right away. However, the error message remains. By the way, I also tried the Nextcloud instance without SSL termination on HAProxy, in other words with full Let's Encrypt operation, and that did not help with the message either.

I got it working. It appeared to be a firewall setting; it was not just to set access from the internet to HAProxy but also the Nextcloud instance in the DMZ needed access over the internet interface to HAProxy.

However, though now the self test works, I need to reensure this is safe on the firewall anyway :blush:

Could you explain in a bit more detail how you solved this problem for HAProxy, I have the same problem starting from 30.0.1. Thanks in advance!

Network configuration looks like this: internet > firewall (NAT enabled) / HAProxy > ncserver (e.g. 192.168.1.5).

Anytime I did a Nextcloud self test on ncserver, I discovered DROP_INPUT blocks from the dmzserver internal ip address to the external ip address in the firewall logs, like this:

DROP_INPUT 192.168.1.5 fw.public.ip.addr 443

So, in fact, the ncserver in DMZ contacts back the public ip address of the firewall during self test.

Having allowed a rule from 192.168.1.5 to fw.public.ip.addr, the self test didn’t fail any more, but I don’t think it’s a good idea to open that rule permanently, so I need to double check that “fix”.


I just dug a little bit deeper into my Nextcloud configuration, and for me it was really the trusted_domains values (I had wrong values from a previously migrated server there).
After adding my current nextcloud domain to trusted_domains the check worked again, since that overview.php just calls https://{baseUrl}/index.php/settings/ajax/checksetup with ajax call.

Thank you :slight_smile: That hinted me to do the following on the nextcloud machine:

curl -I --http2 https://cloud.mydomain.tld

→ without firewall rule enabled: no output.
→ with firewall rule enabled: output.

So it basically seems I can’t call my own nextcloud instance on the instance machine itself without enabling that firewall rule.
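
The correlation described across this thread (the 60-second 499 on /settings/ajax/checksetup in the nginx log, and the DROP_INPUT entries from the Nextcloud host to the firewall's public address), as an added example that is not part of any post. The function names are hypothetical, the sample lines are constructed, and the timestamp in front of each firewall line is an assumption, since the thread quotes those lines without one.

```python
import re
from datetime import datetime, timedelta

# Access-log layout as posted: [time] vhost "request" status bytes "ref" "ua" request_time
ACCESS_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+(?P<vhost>[^\s"]+)\s*"\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)\s*$')
# Assumption: an ISO 8601 timestamp precedes the thread's "DROP_INPUT src dst port" fields.
DROP_RE = re.compile(r'^(?P<ts>\S+) DROP_INPUT (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+)$')

def stalled_requests(access_lines, min_seconds=30.0):
    """Requests nginx logged as 499 (client closed the connection) after a long wait."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if not m or m["status"] != "499" or float(m["rt"]) < min_seconds:
            continue
        end = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # nginx writes the entry when the request ends, so it began request_time earlier.
        hits.append({"path": m["path"], "end": end,
                     "start": end - timedelta(seconds=float(m["rt"]))})
    return hits

def loopback_drops(fw_lines, nc_host, port=443):
    """Firewall drops whose source is the Nextcloud host itself."""
    drops = []
    for line in fw_lines:
        m = DROP_RE.match(line.strip())
        if m and m["src"] == nc_host and int(m["port"]) == port:
            drops.append({"ts": datetime.fromisoformat(m["ts"]), "dst": m["dst"]})
    return drops

def correlate(access_lines, fw_lines, nc_host):
    """Pair each stalled request with the drops logged while it was pending."""
    drops, findings = loopback_drops(fw_lines, nc_host), []
    for req in stalled_requests(access_lines):
        during = [d for d in drops if req["start"] <= d["ts"] <= req["end"]]
        if during:
            findings.append((req["path"], sorted({d["dst"] for d in during}), len(during)))
    return findings

# Constructed sample input modelled on the lines quoted in the thread.
ACCESS = [
    '- - [03/Nov/2024:11:16:12 +0100] cloud.mydomain.tld "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 0 "-" "Mozilla/5.0" 0.052',
    '- - [03/Nov/2024:11:16:42 +0100] cloud.mydomain.tld"GET /settings/ajax/checksetup HTTP/1.1" 499 0 "-" "Mozilla/5.0" 60.014']
FIREWALL = [f"2024-11-03T{t}+01:00 DROP_INPUT {src} fw.public.ip.addr 443" for t, src in [
    ("11:15:45", "192.168.1.5"), ("11:16:10", "192.168.1.5"),
    ("11:20:00", "192.168.1.5"), ("11:16:00", "192.168.1.77")]]

if __name__ == "__main__":
    print(correlate(ACCESS, FIREWALL, "192.168.1.5"))
```

A non-empty result means the self test stalled while the server's own outbound requests to its public address were being dropped, which separates this cause from a trusted_domains mismatch.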
