[Solved] Problem with AIO behind dockerized Caddy all on same VPS

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • Nextcloud AIO v12.5.0
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian 13
  • Web server and version (e.g, Apache 2.4.25):
    • replace me
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • Caddy v2.10.2
  • PHP version (e.g, 8.3):
    • replace me
  • Is this the first time you’ve seen this error? (Yes / No):
    • replace me
  • When did this problem seem to first start?
    • After install
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

Cannot submit domain. Yields the following popup error: “Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. (‘sudo docker logs -f nextcloud-aio-mastercontainer’)”

Steps to replicate it (hint: details matter!):

  1. Create DNS records on the domain registrar for mydomain.ca and cloud.mydomain.ca, both pointing to a fresh VPS.

  2. VPS is installed with iptables-nft and the following firewall rules manually set up (ignoring docker rules):

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
    -A INPUT -p udp -m udp --dport 3478 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

  3. Caddy as the fronting reverse proxy and Nextcloud AIO are set up with the following compose.yaml, which is based on the sample at https://github.com/nextcloud/all-in-one/discussions/575 .

    services:
      caddy:
        image: caddy:alpine
        restart: unless-stopped
        container_name: caddy
        volumes:
          - ./Caddyfile:/etc/caddy/Caddyfile
          - ./config:/config
          - ./data:/data
          - ./sites:/srv
        network_mode: "host"

      nextcloud:
        image: nextcloud/all-in-one:latest
        restart: unless-stopped
        container_name: nextcloud-aio-mastercontainer
        ports:
          - "8080:8080"
        environment:
          - APACHE_PORT=11000
          - APACHE_IP_BINDING=127.0.0.1
        volumes:
          - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
          - /var/run/docker.sock:/var/run/docker.sock:ro
        depends_on:
          - caddy

    volumes:
      nextcloud_aio_mastercontainer:
        name: nextcloud_aio_mastercontainer

  4. The following Caddyfile was used. Note that Caddy serves files for mydomain.ca with an autogenerated cert and the cloud.mydomain.ca subdomain is forwarded to the AIO.

    https://cloud.mydomain.ca:443 {
            header Strict-Transport-Security max-age=31536000;
            # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
            reverse_proxy localhost:11000
    }

    mydomain.ca {
            root * /srv/mydomain.ca

            file_server
            tls a_user@some_mail.com
    }

  5. Start the system with docker compose up:

    [+] up 4/4
    ✔ Network server_default                  Created   0.0s
    ✔ Volume nextcloud_aio_mastercontainer    Created   0.0s
    ✔ Container caddy                         Created   0.1s
    ✔ Container nextcloud-aio-mastercontainer Created   0.1s
    Attaching to caddy, nextcloud-aio-mastercontainer
    caddy  | {"level":"info","ts":1769786001.8112128,"msg":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}
    caddy  | {"level":"info","ts":1769786001.8115678,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7501064601,"previous":9223372036854775807}
    caddy  | {"level":"info","ts":1769786001.8120391,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
    caddy  | {"level":"info","ts":1769786001.8141012,"msg":"adapted config to JSON","adapter":"caddyfile"}
    caddy  | {"level":"info","ts":1769786001.8154073,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
    caddy  | {"level":"info","ts":1769786001.8160043,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00062ac00"}
    caddy  | {"level":"info","ts":1769786001.8165526,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
    caddy  | {"level":"info","ts":1769786001.8167696,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
    caddy  | {"level":"info","ts":1769786001.818084,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
    caddy  | {"level":"info","ts":1769786001.8184545,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See  for details."}
    caddy  | {"level":"info","ts":1769786001.8192825,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
    caddy  | {"level":"warn","ts":1769786001.8196764,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
    caddy  | {"level":"warn","ts":1769786001.819935,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
    caddy  | {"level":"info","ts":1769786001.8200164,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
    caddy  | {"level":"info","ts":1769786001.8200912,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.mydomain.ca","mydomain.ca"]}
    caddy  | {"level":"info","ts":1769786001.8218472,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
    caddy  | {"level":"info","ts":1769786001.8222244,"msg":"serving initial configuration"}
    caddy  | {"level":"info","ts":1769786001.8246408,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"b631342d-0b14-4259-8aa3-95bcbdca04bd","try_again":1769872401.8246381,"try_again_in":86399.999999399}
    caddy  | {"level":"info","ts":1769786001.8247738,"logger":"tls","msg":"finished cleaning storage units"}
    nextcloud-aio-mastercontainer  | Trying to fix docker.sock permissions internally...
    nextcloud-aio-mastercontainer  | Creating docker group internally with id 989
    nextcloud-aio-mastercontainer  | …+…+..+…+…+++++++++++++++++++++++++++++++++++++++++++++.+…+…+…+…+…+…+…+…+.+…+..+…+..+…+..+…+…+…+..+…+…+…+…+..+…+…+..+.+..+…+.+…+…+.+..+.+..+…+…+.+…+.+…+…+…+…+..+.+…+…+..+…+…+…+…+…+…+.+…+…+…+..+++++++++++++++++++++++++++++++++++++++++++++…+…+.+…+…+…+…+…+…+…+.+..+.+++++
    nextcloud-aio-mastercontainer  | …+.+…+…+…+…+…+.+..+++++++++++++++++++++++++++++++++++++++++++++..+++++++++++++++++++++++++++++++++++++++++++++…+…+…+…+.+…+…+..+.+..+…+…+…+…+..+…+…+…+…+…+…+.+…+…+…+…+..+…+…+..+…+.+…+…+…+.+…+…+…+…+…+…+…+…+…+…+…+…+..+…+…+…+..+…+…+…+…+…+…+…+…+…+..+…+…+..+…+…+…+…+…+…+.+..+…+.+..+.+…+.+…+…+…+..+…+.+…+…+…+…+…+…+…+.+…+…+…+…+.+…+..+…+…+..+…+…+…+.+…+…+…+…+…+…+…+…+.+…+.+…+…+…+…+…+…+…+…+..+…+…+…+.+…+…+…+…+…+…+…+…+…+…+…+.+…+++++
    nextcloud-aio-mastercontainer  | -----
    nextcloud-aio-mastercontainer  | Initial startup of Nextcloud All-in-One complete!
    nextcloud-aio-mastercontainer  | You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
    nextcloud-aio-mastercontainer  | E.g. https://internal.ip.of.this.server:8080
    nextcloud-aio-mastercontainer  | ⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!
    nextcloud-aio-mastercontainer  | [30-Jan-2026 15:13:23] NOTICE: fpm is running, pid 138
    nextcloud-aio-mastercontainer  | [30-Jan-2026 15:13:23] NOTICE: ready to handle connections
    nextcloud-aio-mastercontainer  | [Fri Jan 30 15:13:23.987563 2026] [mpm_event:notice] [pid 133:tid 133] AH00489: Apache/2.4.66 (Unix) OpenSSL/3.5.4 configured -- resuming normal operations
    nextcloud-aio-mastercontainer  | [Fri Jan 30 15:13:23.988256 2026] [core:notice] [pid 133:tid 133] AH00094: Command line: 'httpd -D FOREGROUND'
    nextcloud-aio-mastercontainer  | {"level":"info","ts":1769786004.0032039,"msg":"maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined"}
    nextcloud-aio-mastercontainer  | {"level":"info","ts":1769786004.0033894,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7501064601,"previous":9223372036854775807}
    nextcloud-aio-mastercontainer  | {"level":"info","ts":1769786004.0034254,"msg":"using config from file","file":"/Caddyfile"}
    nextcloud-aio-mastercontainer  | {"level":"info","ts":1769786004.0058382,"msg":"adapted config to JSON","adapter":"caddyfile"}
    nextcloud-aio-mastercontainer  | {"level":"info","ts":1769786004.008718,"msg":"serving initial configuration"}

  6. In Firefox, go to https://cloud.mydomain.ca:8080 to get the passphrase to log in to NC AIO.

  7. Log in to get the page that has "Submit domain" on it.

  8. Enter cloud.mydomain.ca and click Submit domain.

  9. The following is emitted in the logs showing the connection was refused:

    caddy                          | {"level":"error","ts":1769786143.4509768,"logger":"http.log.error","msg":"dial tcp [::1]:11000: connect: connection refused","request":{"remote_ip":"172.19.0.2","remote_port":"35958","client_ip":"172.19.0.2","proto":"HTTP/2.0","method":"GET","host":"cloud.mydomain.ca","uri":"/","headers":{"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.mydomain.ca"}},"duration":3.000433088,"status":502,"err_id":"cec0i0bu0","err_trace":"reverseproxy.statusError (reverseproxy.go:1390)"}
    nextcloud-aio-mastercontainer  | NOTICE: PHP message: The response of the connection attempt to "https://cloud.mydomain.ca:443" was: 
    nextcloud-aio-mastercontainer  | NOTICE: PHP message: Expected was: 96e1225a2898a4007d1e4af7e486341b0b93a4c5791627e9
    nextcloud-aio-mastercontainer  | NOTICE: PHP message: The error message was: 
    nextcloud-aio-mastercontainer  | NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#how-to-debug in order to debug things!

  10. The nextcloud-aio-domaincheck container is supposed to be exposing localhost:11000, but hitting that port with nc hangs.

    $ docker ps -a
    CONTAINER ID   IMAGE                                               COMMAND                  CREATED          STATUS                    PORTS                                                                     NAMES
    e7639b878161   ghcr.io/nextcloud-releases/aio-domaincheck:latest   "/start.sh"              41 minutes ago   Up 41 minutes (healthy)   127.0.0.1:11000->11000/tcp                                                nextcloud-aio-domaincheck
    dd81c83d8416   nextcloud/all-in-one:latest                         "/start.sh"              43 minutes ago   Up 43 minutes (healthy)   80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp   nextcloud-aio-mastercontainer
    026879b736ed   caddy:alpine                                        "caddy run --config …"   43 minutes ago   Up 43 minutes                                                                                       caddy
    $ nc -z 127.0.0.1 11000; echo $?
    <note: nc does not return>

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

see above

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

POST /api/configuration HTTP/1.1
Host: cloud.mydomain.ca:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br, zstd
Content-type: application/x-www-form-urlencoded
Content-Length: 163
Origin: https://cloud.mydomain.ca:8080
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: https://cloud.mydomain.ca:8080/containers
Cookie: PHPSESSID=c982a956c3359171fd781c595beee2be
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

HTTP/1.1 422 Unprocessable Entity
Date: Fri, 30 Jan 2026 16:08:32 GMT
Server: Apache/2.4.66 (Unix)
X-Powered-By: PHP/8.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

/bin/sh: occ: not found

Apps

The output of occ app:list (if possible).

Hi, please check https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

I have gone through that document many, many times over the past 4 days, including the How to debug things section. For step 2 in that section, I do not use docker run, but instead use a docker compose file. For step 6, the sentence structure makes it difficult to understand. I dearly want to rewrite that step, but it does not seem to make sense enough for me to rewrite it. Step 7 is where I get hung up. In my case, if I run the nc command inside of the caddy container, it returns a 1, but the step does not explain what to do in this case. Again, I would like to rewrite this step to expand the info given in it. When I run the nc command on the host, port 11000 does not respond, implying that something is preventing nextcloud-aio-domaincheck from responding on that port.

I found the problem and would like to note that the issue was not mentioned anyplace in the all-in-one reverse proxy doc.

The DNS configuration in Debian 13 (and likely other Debian-based distros and versions) uses 127.0.0.53:53 as an entry point into the DNS resolver used by the software and docker containers on the host. The software also accesses localhost:11000 as an entry point into various services in the AIO. Since these ports are accessed from localhost through the INPUT chain in iptables, ports 53 and 11000 must be allowed in your iptables configuration.

-A INPUT -p tcp -m multiport --dports 22,53,80,443,8080,3478 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,443,3478 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 11000 -j ACCEPT
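Added example (not code from the thread or from the Nextcloud AIO project): a POSIX shell audit that reads an INPUT chain in the format printed by iptables -S INPUT and reports whether the two loopback paths this setup depends on would be accepted: Caddy running with network_mode: host dialing 127.0.0.1:11000 (the published AIO Apache/domaincheck port), and name lookups against the systemd-resolved stub on 127.0.0.53. The first two rulesets are the ones posted above; the third is an assumption, not from the thread, and uses the conventional -A INPUT -i lo -j ACCEPT, which admits all loopback traffic while keeping 53 and 11000 closed to every other source. The check also explains the symptom in the report: with a DROP policy the SYN to 127.0.0.1:11000 is discarded rather than refused, so nc hangs, while the Caddy log shows a refusal only for [::1]:11000, where nothing listens because Docker published the port on 127.0.0.1 only (reverse_proxy 127.0.0.1:11000 removes that IPv6 attempt but does not fix the firewall).

```sh
#!/bin/sh
# Added example for the thread above; not the poster's code or the Nextcloud AIO
# project's. Audits an "iptables -S INPUT" style ruleset for the loopback paths a
# host-network Caddy in front of AIO needs:
#   tcp/11000   Caddy -> 127.0.0.1:11000 (AIO Apache / domaincheck container)
#   tcp+udp/53  lookups against the systemd-resolved stub on 127.0.0.53
# With "-P INPUT DROP" and no loopback accept, both are silently dropped.

# Constructed sample rulesets. The first two are copied from the thread.
ORIGINAL_RULES='
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
'
POSTED_FIX_RULES='
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,53,80,443,8080,3478 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,443,3478 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 11000 -j ACCEPT
'
# Assumption (not from the thread): one interface-based accept for loopback,
# so 53 and 11000 stay closed to non-loopback sources.
LO_RULES='
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443,8080,3478 -j ACCEPT
-A INPUT -p udp -m multiport --dports 443,3478 -j ACCEPT
'

# loopback_allowed RULES PROTO PORT
# Exit 0 if a new connection from the host to 127.0.0.1:PORT over PROTO is
# accepted by INPUT: a blanket "-i lo" accept, an explicit per-port accept whose
# -i/-s (if any) still cover loopback, or an ACCEPT default policy.
loopback_allowed() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
      if (/-i lo( |$)/) { ok = 1; next }
      if (/-i /) next                        # bound to another interface
      if (match($0, /-s [^ ]+/)) {           # source filter must cover 127.0.0.1
        src = substr($0, RSTART + 3, RLENGTH - 3)
        if (src !~ /^127\./ && src !~ /^0\.0\.0\.0\/0$/) next
      }
      if ($0 !~ ("-p " proto " ")) next
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport" && $(i + 1) == port) ok = 1
        if ($i == "--dports") {              # multiport match: a,b,c
          n = split($(i + 1), ps, ",")
          for (k = 1; k <= n; k++) if (ps[k] == port) ok = 1
        }
      }
    }
    END { exit ((ok || policy == "ACCEPT") ? 0 : 1) }'
}

# audit RULES: one line per loopback dependency; exit status = number blocked.
audit() {
  rules=$1; blocked=0
  for need in \
      "tcp 11000 Caddy reverse_proxy -> 127.0.0.1:11000 (AIO Apache/domaincheck)" \
      "udp 53 systemd-resolved stub 127.0.0.53" \
      "tcp 53 systemd-resolved stub 127.0.0.53 (TCP fallback)"; do
    set -- $need
    proto=$1; port=$2; shift 2
    if loopback_allowed "$rules" "$proto" "$port"; then
      echo "ok      $proto/$port  $*"
    else
      echo "BLOCKED $proto/$port  $*"
      blocked=$((blocked + 1))
    fi
  done
  return $blocked
}

echo "== original ruleset from the thread =="; audit "$ORIGINAL_RULES" || :
echo "== poster's fix =="; audit "$POSTED_FIX_RULES" || :
echo "== single -i lo accept =="; audit "$LO_RULES" || :
```

On the live host, feed it the current chain instead of the embedded samples: audit "$(iptables -S INPUT)". The exit status is the count of blocked paths, so it can gate a provisioning script before the domain check is attempted. The parser understands the -S output format (-P policy lines plus -A rules), not the :CHAIN POLICY header format of iptables-save.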