[Solved] Trusted domain configured correctly, 504 Gateway Time-out (docker compose + HAProxy on Pfsense)

EDIT/TLDR: The issue was with the “Trusted Proxies” being entered wrong in the docker-compose.yml file and even after correcting them in the config.php, the system did not recover. Removing that from the docker-compose file and adding them to the config.php file manually AND initiating the config from the external URL AND adding HTTPS protocol override did the trick, and it is now working as expected.

Even more simplified ==> Adding the overrideprotocol=https to the docker-compose environments and initiating the config for a fresh docker install via the external https://subdomain.domain.com URL made it work. No need for trusted proxies in my case.

-----=====-----=====-----=====-----

I have followed the installation documents for nextcloud in docker, and I have torn up pfsense and haproxy config already and ruled those out as a possible issues…

I am using a brand new Ubuntu 22.0 LTS server VM with docker + compose v2 installed.

Once the Nextcloud docker has been spun up I went through the initial setup.
Once complete I can reach the Nextcloud server via the local ip address just fine, and if I try to load the https://subdomain.mydomain.com address, it loads and displays the expected “Untrusted domain…” error message.

My problem is, when I change the config.php and add “subdomain.mydomain.com” to the trusted domain array, and restart the docker, the site is reachable via the internal ip address, but when trying to load the site via the external domain, it errors out with " 504 Gateway Time-out" error message.

The only change that has happened is that I added the domain as trusted.

My config:

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.11.1,10.0.0.0/8,127.0.0.1/8',
  ),
  'upgrade.disable-web' => true,
  'instanceid' => 'XXxxXXXxxXXXxxx',
  'passwordsalt' => 'XXxxXXXxxXXXxxx',
  'secret' => 'XXxxXXXxxXXXxxx',
  'trusted_domains' => 
  array (
    0 => '192.168.11.10',
    1 => 'subdomain.mydomain.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '28.0.1.1',
  'overwrite.cli.url' => 'http://192.168.11.10',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'XXxxXXXxxXXXxxx',
  'installed' => true,
);

Docker-compose.yml

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - /home/dragon/docker/Nextcloud/db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=XXxxXXxxXX
      - MYSQL_PASSWORD=XXxxXXxxXX
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    restart: always
    ports:
      - 80:80
      - 443:443
    links:
      - db
    volumes:
      - /mnt/Storage/Nextcloud:/var/www/html
    environment:
      - NEXTCLOUD_TRUSTED_DOMAINS=subdomain.mydomain.com,localhost,192.168.11.10:8080
      - TRUSTED_PROXIES=192.168.11.1,10.0.0.0/8,127.0.0.1/8
      - PHP_MEMORY_LIMIT=4096M
      - PHP_UPLOAD_LIMIT=4096M
      - MYSQL_PASSWORD=XXxxXXxxXX
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

If I remove the domain from the trusted domain, the site loads, with the “Untrusted domain…” error. but it loads ok

I have also tried:

• add the trusted proxies as an array in config.php
• set ‘overwrite.cli.url’ => ‘http://192.168.11.10’,
• set ‘overwritehost’ => ‘192.168.11.10’
• added 127.0.0.1/8 and 10.0.0.0/8 tot the trusted domains indiviually in an array

They all produced the same error…

Edit:
Further to the above I did a fresh VM install, updated everything, and it is still the same.
If I do not have the mydomain listed in the Tusted domains, then the site loads via the mydomain, has a valid, correct certificate, but when I add the mydomain to the “trusted domains” list, the page load errors out with 504 Gateway Time-out.
This to me shows that it’s either the docker image, or something in Nextcloud is off… Please point me to something I am missing here, as I can’t get past this…

Thank you

504 Gateway Time-out

Are you seeing this in your proxy logs or your browser?

If browser, check your browser console Network tab to see what’s really going on. I suspect you’re getting redirecting somewhere odd.

Also check your proxy logs and your Nextcloud container logs for Apache details (not Nextcloud log; though it wouldn’t hurt to check that too).

Also, run occ config:list system to make sure you’re looking at your fully parsed config. The Docker image has other config files, and you’re not seeing everything active necessarily.

You have a few issues I see:

• TRUSTED_PROXIES should be a space separated list when provided to Docker; at the moment your
• Your overwrite* parameters should reflect the host name you’re trying to use; not the IP address scenario
• your 'trusted_proxies` config is bogus; one entry per array element only please

Your trusted_domains config looks just fine as-is.

Thank you for your help

I have already checked the proxy log (HAProxy in Pfsense) and there aren’t any errors. it passes the request through and does not get a response.

I have wiped the current install, and interestingly, if I load Nextcloud from the https://mydomainxyz address, it sticks, and only that domain will become trusted in the config.php file (I know that most of the Environment variables in the docker-compose.yml will get processed at the initialisation, and will be ignored at a later start/restart when config.php already exists)
Regardless of the “create an admin page” loading, it errored out after providing the credentials.
Also reloading the site resulted in the same 504 Gateway time out (same result after restarting the docker)

I tried to access the apache log, but wasn’t able to. I understand that it’s in /var/log/apache2, but could not read anything (tried cat, tail)

“occ config:list system” → could not run, neither in the host system nor in the docker environment…

I checked in the Browser network tab (in the console) but apart from seeing the correct subdomain.domain.com it only showed a timeout error after about 8sec. No redirection, nothing…

I tidied up the config.php, but that made also no difference (trusted proxies, and overwrite as well)

I will remove the trusted proxies from my docker-compose.yml and redeploy to see if that does anything…
This is wild as I had a functioning Nextcloud docker install not so long ago, and now I can’t get this working for some very strange reason…

Just realized this has the same problem as your TRUSTED_PROXIES line. Space separation not commas[1].

To run occ in the container it depends on how you’re doing it. This should work since you’re using compose:

docker compose exec -u33 app ./occ config:list system

[1] GitHub - nextcloud/docker: ⛴ Docker image of Nextcloud

Thank you, I cut the trustedproxies out of the docker-compose file, and retried it from scratch.

I managed to log in to the Nextcloud instance, but only from Google Chrome. Firefox gave the same error… the first page loads, but then it erors out after that. Safari is exactly the same as Firefox, loads the login page, but then times out.

I have added the proxies back manually to he config.php restarted it and now it seems to be loading correctly.

On top of that I had to add a ‘overwriteprotocol’ => ‘https’ as some links had the HTTP://domain.com instead of httpS://xyz and that caused the links to not work…

So in summary, the trustedproxies in the docker-compose file corrupted something with the inappropriate spacing and even after correcting it in the config.php it was not enough to make the whole setup to function.

The instance is only available via the external link (which is just fine by me) as the internal IP address also gets redirected (*protocol-overridden) by the config to HTTPS, and since nextcloud by default doesn’t speak https, the loading of the site fails…

I will mark the case as solved.

Thank you very much for your help!!!

It’s possible to deal with that. There are multiple approaches. Two that come to mind:

• Using overwritecond
• Using split DNS

Fortunately, PFsense handles Haipin Nat fine, and I can use external links from inside the network as well.