Trying to set up a High Performance Backend for Talk. docker AIO-talk problem: Error: Cannot connect to (signaling) server
The Basics
- Nextcloud Server version (e.g., 29.x.x):
- 31.0.10
- Operating system and version (e.g., Ubuntu 24.04):
Ubuntu 22.04
- Web server and version (e.g, Apache 2.4.25):
Apache2 2.4.65
- Reverse proxy and version (e.g. nginx 1.27.2):
- Cloudflare
- PHP version (e.g, 8.3):
8.3.38
- Is this the first time you’ve seen this error? (Yes / No):
Yes, I'm trying to set up a HPB for Talk
- When did this problem seem to first start?
- When I installed the docker AIO-talk container
- Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
Bare Metal
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
Yes (cloudflare)
Nextcloud configuration
Output of occ config:list system :
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"192.168.1.237",
"nc.korkythekat.com"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "31.0.10.2",
"overwrite.cli.url": "https:\/\/nc.korkythekat.com\/nextcloud",
"overwritehost": "nc.korkythekat.com",
"overwriteprotocol": "https",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"default_phone_region": "GB",
"installed": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"filelocking.enabled": "true",
"memcache.locking": "\\OC\\Memcache\\Redis",
"maintenance_window_start": 1,
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0,
"dbindex": 0,
"password": "***REMOVED SENSITIVE VALUE***",
"timeout": 1.5
},
"maintenance": false,
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpauth": 1,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"theme": "",
"loglevel": 2,
"htaccess.RewriteBase": "\/"
}
}
Summary of issue
I’m trying to set up a High Performance Backend for Talk, in response to this persistent error-message in my Admin-Settings page:
No High-performance backend configured - Running Nextcloud Talk without the High-performance backend only scales for very small calls (max. 2-3 participants). Please set up the High-performance backend to ensure calls with multiple participants work seamlessly. For more details see the documentation.
Consulted the official documentation, as advised, here:
I opted for the method that utilizes the pre-built HPB-container from Nextcloud All-in-One.
I am also trying to use Cloudflare to “reverse proxy” the signaling server (this may well be the source of my problems, but indulge me further)
Thus, I set up docker and generated the necessary “secrets”. I also set up a new “published application route” for my Cloudflare tunnel, pointing at signaling.korkythekat.com:8080
I wasn’t at all sure about this last step (I am writing here as a Nextcloud / server noob)
To install the AIO-talk container I issued this terminal command:
docker run \
--name=nextcloud-talk-hpb \
--restart=always \
--detach \
-e NC_DOMAIN=nc.korkythekat.com \
-e TALK_PORT=3478 \
-e TURN_SECRET=<withheld> \
-e SIGNALING_SECRET=<withheld> \
-e INTERNAL_SECRET=<withheld> \
-e SKIP_DOMAIN_VALIDATION=true \
-p 8080:8081 \
ghcr.io/nextcloud-releases/aio-talk:latest
[This is essentially the command in the “quick install” documentation, with the addition of the “SKIP_DOMAIN_VALIDATION=true” environment variable, which my reading suggested could be helpful with Cloudflare]
The above command ran without problems, and so I turned to configuring Talk-page in my NC account
I used as my High Performance Backend URL: https://signaling.korkythekat.com:8080/spreed/
It didn’t work. It just got me an “Error; server not found”-message
There was some progress though: over in Admin-Settings the “No HPB backend”-message had been replaced by:
There are some errors regarding your setup.
Error: Cannot connect to server
No recording backend configured
No SIP backend configured
I changed the port in my signaling URL to “8081”. Talk now went into “long think”-mode, but eventually produced the same “Error: server not found”-message
Meanwhile, over on the Log page, we read:
stream_socket_client(): Unable to connect to ssl://signaling.korkythekat.com:8081 (Connection timed out) at /var/www/nextcloud/apps/spreed/lib/Service/CertificateService.php#90
The details:
[PHP] Warning: stream_socket_client(): Unable to connect to ssl://signaling.korkythekat.com:8081 (Connection timed out) at /var/www/nextcloud/apps/spreed/lib/Service/CertificateService.php#90
GET /ocs/v2.php/apps/spreed/api/v3/signaling/welcome/0
from 192.168.1.237 by azed at Nov 25, 2025, 10:44:18 PM
Is what I’m trying to do here even possible?
Further investigations:
Just for the sake of completeness: after doing some reading, I ran this command, first with port 8081:
# curl -vvv https://signaling.korkythekat.com:8081/standalone-signaling/api/v1/welcome
Result:
- Trying 2606:4700:3032::6815:1457:8081…
- Trying 104.21.20.87:8081…
- connect to 2606:4700:3032::6815:1457 port 8081 failed: Connection timed out
- Trying 2606:4700:3035::ac43:c004:8081…
- connect to 104.21.20.87 port 8081 failed: Connection timed out
- Trying 172.67.192.4:8081…
- After 82147ms connect time, move on!
- connect to 2606:4700:3035::ac43:c004 port 8081 failed: Connection timed out
- After 82147ms connect time, move on!
- connect to 172.67.192.4 port 8081 failed: Connection timed out
- Failed to connect to signaling.korkythekat.com port 8081 after 217853 ms: Connection timed out
- Closing connection 0
curl: (28) Failed to connect to signaling.korkythekat.com port 8081 after 217853 ms: Connection timed out
azed@azed-byte:~$ sudo curl -vvv https://signaling.korkythekat.com:8080/standalone-signaling/api/v1/welcome
- Trying 2606:4700:3032::6815:1457:8080…
- Connected to signaling.korkythekat.com (2606:4700:3032::6815:1457) port 8080 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- CAfile: /etc/ssl/certs/ca-certificates.crt
- CApath: /etc/ssl/certs
- TLSv1.0 (OUT), TLS header, Certificate Status (22):
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- (5454) (IN), , Unknown (72):
- error:0A00010B:SSL routines::wrong version number
- Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
Then with port 8080:
# curl -vvv https://signaling.korkythekat.com:8080/standalone-signaling/api/v1/welcome
- Trying 2606:4700:3032::6815:1457:8080…
- Connected to signaling.korkythekat.com (2606:4700:3032::6815:1457) port 8080 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- CAfile: /etc/ssl/certs/ca-certificates.crt
- CApath: /etc/ssl/certs
- TLSv1.0 (OUT), TLS header, Certificate Status (22):
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- (5454) (IN), , Unknown (72):
- error:0A00010B:SSL routines::wrong version number
- Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number
Hope this is helpful
Again, what I really want to know is this: is what I’m trying to do here - set up a HPB for Talk for a NC set-up behind Cloudflare - even possible, and if it is where have I gone wrong?
Log entries
Find below the o/p of: docker logs nextcloud-talk-hpb
azed@azed-byte:~$ sudo docker logs nextcloud-talk-hpb
[sudo] password for azed:
++ hostname -i
++ head -1
++ grep -oP ‘[0-9]+.[0-9]+.[0-9]+.[0-9]+’
IPv4_ADDRESS_TALK_RELAY=172.17.0.2
++ dig ‘’ IN A +short +search
++ grep ‘
0-9.+$’
++ sort
++ head -n1
dig: ‘’ is not in legal name syntax (unexpected end of input)
IPv4_ADDRESS_TALK=
++ dig ‘’ AAAA +short +search
++ grep ‘
0-9a-f:+$’
++ sort
++ head -n1
dig: ‘’ is not in legal name syntax (unexpected end of input)
IPv6_ADDRESS_TALK=
set +x
IP_BINDING=::
grep -q 1 /sys/module/ipv6/parameters/disable
grep -q 1 /proc/sys/net/ipv6/conf/all/disable_ipv6
grep -q 1 /proc/sys/net/ipv6/conf/default/disable_ipv6
set +x
/usr/lib/python3.12/site-packages/supervisor/options.py:13: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
[33] 2025/11/23 15:12:21.224859 [INF] Starting nats-server
[33] 2025/11/23 15:12:21.224923 [INF] Version: 2.12.1
[33] 2025/11/23 15:12:21.224926 [INF] Git: [fab5f99]
[33] 2025/11/23 15:12:21.224928 [INF] Name: NAXKQRKZNLUSTYINQUGKOFLSGXUO5VDPUAGQW46TXGDKXLIO35OTLAB3
[33] 2025/11/23 15:12:21.224934 [INF] ID: NAXKQRKZNLUSTYINQUGKOFLSGXUO5VDPUAGQW46TXGDKXLIO35OTLAB3
[33] 2025/11/23 15:12:21.225067 [INF] Using configuration file: /etc/nats.conf (sha256:bfa037b94ac399931a51e64559d5b8b099a1777b0832b8f5c14fee855e33b59c)
[33] 2025/11/23 15:12:21.225558 [INF] Listening for client connections on 127.0.0.1:4222
[33] 2025/11/23 15:12:21.225573 [INF] Server is ready
Janus version: 1303 (1.3.3)
Janus commit: 07c61050038c7d745013fae8bc8e99d7365c31f1
Compiled on: Fri Oct 24 08:03:33 UTC 2025
Logger plugins folder: /usr/local/lib/janus/loggers
Starting Meetecho Janus (WebRTC Server) v1.3.3
Checking command line arguments…
Debug/log level is 3
Debug/log timestamps are disabled
Debug/log colors are disabled
[WARN] Janus is deployed on a private address (172.17.0.2) but you didn’t specify any STUN server! Expect trouble if this is supposed to work over the internet and not just in a LAN…
main.go:161: Starting up version 2.0.4~docker/go1.25.0 as pid 34
main.go:168: Using a maximum of 4 CPUs
natsclient.go:108: Connection established to nats://127.0.0.1:4222 (NAXKQRKZNLUSTYINQUGKOFLSGXUO5VDPUAGQW46TXGDKXLIO35OTLAB3)
grpc_common.go:176: WARNING: No GRPC server certificate and/or key configured, running unencrypted
grpc_common.go:178: WARNING: No GRPC CA configured, expecting unencrypted connections
backend_storage_static.go:82: Backend backend-1 added for https://nc.korkythekat.com/
hub.go:243: Using a maximum of 8 concurrent backend connections per host
hub.go:250: Using a timeout of 10s for backend connections
hub.go:283: No trusted proxies configured, only allowing for [127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
hub.go:324: Not using GeoIP database
hub.go:402: No candidates allowlist
hub.go:413: No candidates blocklist
mcu_common.go:110: Maximum bandwidth 1048576 bits/sec per publishing stream
mcu_common.go:117: Maximum bandwidth 2097152 bits/sec per screensharing stream
mcu_janus.go:164: Using a timeout of 10s for MCU requests
mcu_janus.go:176: No candidates allowlist
mcu_janus.go:188: No candidates blocklist
main.go:265: Could not initialize janus MCU (dial tcp 127.0.0.1:8188: connect: connection refused) will retry in 1s
[WARN] libcurl not available, Streaming plugin will not have RTSP support
[WARN] libogg not available, Streaming plugin will not have file-based Opus streaming
[ERR] [plugins/janus_streaming.c:janus_streaming_init:2784] Can’t add ‘ondemand’ mountpoint ‘file-ondemand-sample’, unsupported format (we only support raw mu-Law and a-Law files right now)
[WARN] No Unix Sockets server started, giving up…
[WARN] The ‘janus.transport.pfunix’ plugin could not be initialized
Exec: /opt/eturnal/erts-15.2.6/bin/erlexec -noinput +Bd -boot /opt/eturnal/releases/1.12.2/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/eturnal/lib -config /opt/eturnal/releases/1.12.2/sys.config -args_file /opt/eturnal/releases/1.12.2/vm.args -erl_epmd_port 3470 -start_epmd false – foreground
Root: /opt/eturnal
/opt/eturnal
mcu_common.go:110: Maximum bandwidth 1048576 bits/sec per publishing stream
mcu_common.go:117: Maximum bandwidth 2097152 bits/sec per screensharing stream
mcu_janus.go:164: Using a timeout of 10s for MCU requests
mcu_janus.go:176: No candidates allowlist
mcu_janus.go:188: No candidates blocklist
mcu_janus.go:369: Connected to Janus WebRTC Server 1.3.3 by Meetecho s.r.l.
mcu_janus.go:377: Found JANUS VideoRoom plugin 0.0.10 by Meetecho s.r.l.
mcu_janus.go:382: Data channels are supported
mcu_janus.go:386: Full-Trickle is enabled
mcu_janus.go:393: Created Janus session 7304851525772355
mcu_janus.go:400: Created Janus handle 3903668920464143
main.go:297: Using janus MCU
hub.go:454: Using a timeout of 10s for MCU requests
backend_server.go:112: No IPs configured for the stats endpoint, only allowing access from 127.0.0.1
main.go:378: Listening on 0.0.0.0:8081
azed@azed-byte:~$
Web server / Reverse Proxy
I am not using apache / nginx as a reverse proxy (I am trying to reverse proxy behind Cloudflare - the documentation for the NC AIO container suggests that this is possible)
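
Added example, not part of the original post: a small classifier for the two `curl -vvv` results shown above. It tells a connect timeout (nothing accepted the TCP connection on that port) apart from a listener that answered the TLS ClientHello with unencrypted HTTP, which is what `wrong version number` indicates here. It assumes curl's trace line `(5454) (IN), , Unknown (72)` carries the first three bytes of the reply (record type, then the two version bytes); the sample lines are copied from the post.

```python
import re

# Valid TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_RECORD_TYPES = {20, 21, 22, 23}
# Assumption: curl prints a record header it cannot name as
# "(<version, hex>) (IN), , Unknown (<first byte, decimal>):"
HEADER_RE = re.compile(r"\(([0-9a-fA-F]{1,4})\) \(IN\),.*\((-?\d+)\):?\s*$")

def header_bytes(line):
    """Rebuild the first 3 bytes of the peer's reply from one curl trace line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    version = int(m.group(1), 16)
    return bytes([int(m.group(2)) & 0xFF, version >> 8, version & 0xFF])

def diagnose(transcript):
    """Classify one curl -v attempt from its trace output."""
    for line in transcript.splitlines():
        hdr = header_bytes(line)
        if hdr is None or hdr[0] in TLS_RECORD_TYPES:
            continue  # not a header trace line, or a well-formed TLS record
        # A reply starting "HTT" means the port speaks plain HTTP, not TLS.
        return "plaintext-http-on-tls-port" if b"HTTP/".startswith(hdr) else "non-tls-reply"
    if "curl: (28)" in transcript:
        return "connect-timeout"  # TCP connection was never established
    return "undetermined"

# Sample input: lines copied from the curl output in the post.
PORT_8081 = """\
- Trying 104.21.20.87:8081…
- connect to 104.21.20.87 port 8081 failed: Connection timed out
curl: (28) Failed to connect to signaling.korkythekat.com port 8081 after 217853 ms: Connection timed out
"""
PORT_8080 = """\
- Connected to signaling.korkythekat.com (2606:4700:3032::6815:1457) port 8080 (#0)
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- (5454) (IN), , Unknown (72):
- error:0A00010B:SSL routines::wrong version number
curl: (35) error:0A00010B:SSL routines::wrong version number
"""

if __name__ == "__main__":
    for port, text in (("8081", PORT_8081), ("8080", PORT_8080)):
        print(port, diagnose(text))
```

An `https://` signaling URL cannot work against a port classified as `plaintext-http-on-tls-port`; either TLS must terminate in front of that listener or the URL must point at the port where it does.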