Setup Nextcloud with FRP (Fast Reverse Proxy)

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • latest
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian 12
  • Web server and version (e.g., Apache 2.4.25):
    • latest of nextcloud
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • FRP (Fast Reverse Proxy) and nginx 1.22.1
  • PHP version (e.g., 8.3):
    • latest of nextcloud
  • Is this the first time you’ve seen this error? (Yes / No):
    • No
  • When did this problem seem to first start?
    • Ever since I started trying to set it up
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • FRP (Fast Reverse Proxy)

Summary of the issue you are facing:

Hi, I’m trying to set up Nextcloud on my home server that I expose to the Internet using FRP (Fast Reverse Proxy) and a rented VPS. So far, that has worked just fine for all my services, except Nextcloud.

I’m running my AIO using this command:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=true \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

and this is my config for FRP (frpc.toml):

[[proxies]]
name = "aio"
type = "http"
localPort = 8080
customDomains = ["<IPv4 Address of rented VPS>"]

[[proxies]]
name = "cloud_https2https"
type = "https"
customDomains = ["cloud.domain.org"]
[proxies.plugin]
type = "https2https"
localAddr = "127.0.0.1:443"
crtPath = "/etc/frp/cloud.crt"
keyPath = "/etc/frp/cloud.key"
hostHeaderRewrite = "cloud.domain.org"
requestHeaders.set.x-from-where = "frp"

Finally, this is my NGINX config:

server {
    server_name "cloud.domain.org";

    location / {
        proxy_pass https://<IP>:<Port>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloud.domain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.domain.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = cloud.domain.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name "cloud.domain.org";
    listen 80;
    return 404; # managed by Certbot
}

server {
    server_name "<IP>";

    location / {
        proxy_pass https://<IP>:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

When I try to access the AIO Webinterface using the IP of my VPS I get

The page you requested was not found.
Sorry, the page you are looking for is currently unavailable.
Please try again later.

The server is powered by frp.

Faithfully yours, frp.

and opening cloud.domain.org yields:

502 Bad Gateway
nginx/1.22.1

I found several other users facing the same problem but could never find an actual solution, just one person saying I would need a full manual installation, but they never elaborated on what exactly to do.

Has anyone ever got this type of setup to work? FRP is really one of the only solutions that are actually viable since Cloudflare Tunnels don’t support all protocols I need and port forwarding is not an option.

Any help is appreciated.

Steps to replicate it (hint: details matter!):

  1. Run AIO & FRP
  2. Configure FRP using the correct Ports etc.
  3. Notice you cannot access Nextcloud

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

Not possible since nextcloud was never actually running

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

Can't access Nextcloud

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

N/A

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

N/A

Is there a particular reason you’re not using the suggested config for AIO with an Nginx reverse proxy?

What is the IP:Port value set to?

1 Like

I was assuming that this config was only for the case if only nginx is used as the only reverse proxy. I was previously running nextcloud on the VPS that is now running frps. I’ll give that a try though.

The IP is the static public IP of my rented VPS. Pretty much all subdomains that I created also point to that IP.

The port is currently 1007. This is obviously wrong, and I only set that to this port since I was previously running nextcloud on that port. But for now, I am only trying to access the AIO, for which this config is not relevant.

Any idea why I can’t access the AIO in the first place?

Best regards & thanks for the response.

The main problem (as I just found out) seems to be that Nextcloud requires an HTTPS connection to the AIO and does so using a self signed certificate.

However, since I want to access the AIO using the IP of my rented VPS that certificate won’t work and my browser will throw the error

This site can’t be reached
The webpage at https://<Public VPS IP>/ might be temporarily down or it
may have moved permanently to a new web address.
ERR_SSL_UNRECOGNIZED_NAME_ALERT

The question is therefore how to circumvent this error. Perhaps by modifying the AIO’s behavior to accept plain HTTP requests? Or possibly using another certificate or some other solution entirely?

Obviously, I cannot just generate some SSL certificates for any domain since I read you HAVE to access the Nextcloud AIO using its servers’ IP.

It is not possible to have a valid public TLS certificate for an IP address - there must be a domain name. This is a fundamental fact.

yes from an internal network.

Please review and understand AiO reverse proxy docs

1 Like

I would test if it is possible to use the TCP protocol on the FRP instead of HTTPS, and then have the AIO use Let’s Encrypt. This way you basically stream the traffic with termination, hence the SSL/TLS stuff will be between the end-user client and the NC AIO.

1 Like

Hi, thanks for the reply.
I did manage to get it to work with my server’s public IP. The main thing was to add an HTTPS proxy to FRP but route it to port 443 instead of 8080. I then used an nginx reverse proxy to get all those requests to forward to 8080 internally. I did read the reverse proxy guide quite a bit, but wasn’t always able to adapt my configuration accordingly due to the difference in setup.

Now, I can access the AIO and create the docker containers no problem. The one problem that remains that is keeping me from a fully working nextcloud instance is that when I now access my cloud.domain.org I get

This page isn’t working
cloud.domain.org redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS

Likely because of some infinite redirect loop between the nextcloud instance and my reverse proxy setup. I’ll add my updated configs for both FRP and nginx below:

FRP:

[[proxies]]
name = "aio_http"
type = "http"
localPort = 80
customDomains = ["<Public VPS IP>"]

[[proxies]]
name = "aio"
type = "https"
localPort = 443
customDomains = ["<Public VPS IP>"]

[[proxies]]
name = "cloud_https2https"
type = "https"
customDomains = ["cloud.domain.org"]
[proxies.plugin]
type = "https2https"
localAddr = "127.0.0.1:443"
crtPath = "/etc/frp/cloud.crt"
keyPath = "/etc/frp/cloud.key"
hostHeaderRewrite = "cloud.domain.org"
requestHeaders.set.x-from-where = "frp"

nginx:

server {
    server_name "cloud.domain.org";

    location / {
        proxy_pass http://localhost:1005;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloud.domain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.domain.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = cloud.domain.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name "cloud.domain.org";
    listen 80;
    return 404; # managed by Certbot
}

server {
    server_name "<Public VPS IP>";

    location / {
        proxy_pass https://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

If anyone has any idea what’s causing this infinite loop and how to resolve it, I’d be very grateful.

Did you see this statement:

--publish 8080:8080 This means that port 8080 of the container should get published on the host using port 8080. This port is used for the AIO interface and uses a self-signed certificate by default.

You don’t want to publish the management interface port externally but rather the APACHE_PORT.

2 Likes

Yes, probably skimmed over it at some point. Though, it is weird then how I was now able to access my nextcloud’s AIO webinterface using this setup without ever forwarding the APACHE_PORT through any of my reverse proxies.

Any thoughts on the ERR_TOO_MANY_REDIRECTS error?

You mix 2 different things - the AIO interface is for management… and the application itself listens on the APACHE port.

2 Likes

Thank you very much. Got it all to work now. Simply adjusting my previous nginx config to:

server {
    server_name "cloud.domain.org";

    location / {
        proxy_pass http://localhost:11000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloud.domain.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.domain.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = cloud.domain.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name "cloud.domain.org";
    listen 80;
    return 404; # managed by Certbot
}

has made it accessible via HTTPS using my previously generated SSL certificates. Do you reckon it would be useful to create a pull request on nextcloud’s all in one repository to include a guide for FRP in the reverse-proxy.md file?

2 Likes
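
A small static check for the mix-up resolved in this thread, added here as an example and not code from any poster or from the Nextcloud project: it flags an nginx server block for the Nextcloud domain whose `proxy_pass` does not target `APACHE_PORT`, and any block that proxies the AIO interface port. The ports and domain are the thread's values; the function names and the trimmed sample config are constructed for illustration.

```python
import re

# Ports from the thread's docker run command (assumed fixed for this check).
AIO_PORT = 8080        # AIO management interface, self-signed TLS
APACHE_PORT = 11000    # --env APACHE_PORT=11000, Nextcloud itself
NEXTCLOUD_DOMAIN = "cloud.domain.org"

# Constructed sample: trimmed copy of the nginx config that looped on redirects.
SAMPLE = """
server {
    server_name "cloud.domain.org";
    location / { proxy_pass http://localhost:1005; }
    listen 443 ssl;
}
server {
    if ($host = cloud.domain.org) { return 301 https://$host$request_uri; }
    server_name "cloud.domain.org";
    listen 80;
}
server {
    server_name "<Public VPS IP>";
    location / { proxy_pass https://localhost:8080; }
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (server_name, upstream_port, finding) tuples."""
    findings = []
    for block in server_blocks(conf):
        m = re.search(r"server_name\s+([^;]+);", block)
        name = m.group(1).strip().strip('"') if m else "_"
        for port in map(int, re.findall(r"proxy_pass\s+https?://[^:/;\s]+:(\d+)", block)):
            if name == NEXTCLOUD_DOMAIN and port != APACHE_PORT:
                findings.append((name, port, "upstream is not APACHE_PORT"))
            if port == AIO_PORT:
                findings.append((name, port, "AIO management interface is proxied"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the final config posted above (upstream `http://localhost:11000`, no server block for the VPS IP), `audit` returns an empty list.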

I’m not sure if FRP is widely used but why not?

Posting the complete working config (with required explanations) in the solution post would help as well.

2 Likes
