Unable to install Nextcloud AIO with docker behind apache reverse proxy

There is something I don’t get with the installation of Nextcloud AIO with docker compose behind an Apache reverse proxy.
I followed the documentation about reverse proxy (https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) but I still get an issue…
So I basically copy-pasted the Apache configuration and only changed the domain to my own subdomain: nextcloud.domain.fr
I left the port 11000 as it was set:

<VirtualHost *:80>
    ServerName  nextcloud.domain.fr

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    RewriteCond %{SERVER_NAME} =nextcloud.domain.fr [OR]
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

<VirtualHost *:443>
  ServerName  nextcloud.domain.fr
  ServerSignature Off

  RewriteEngine On
  ProxyPreserveHost On
  AllowEncodedSlashes NoDecode

  ProxyPass / http://localhost:11000/ nocanon
  ProxyPassReverse / http://localhost:11000/

  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteCond %{HTTP:Connection} upgrade [NC]
  RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
  RewriteRule .? "ws://127.0.0.1:11000/%1" [P,L]

  Protocols h2 h2c http/1.1

  # Solves slow upload speeds caused by http2
  H2WindowSize 5242880

  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/nextcloud.domain.fr/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.domain.fr/privkey.pem

  # Disable HTTP TRACE method.
  TraceEnable off
  <Files ".ht*">
    Require all denied
  </Files>

  # Support big file uploads
  LimitRequestBody 0

  ErrorLog /var/log/apache2/nextcloud-error.log
  CustomLog /var/log/apache2/nextcloud-access.log combined

</VirtualHost>

Then I built the docker-compose.yml file like this:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 8080:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
      - COLLABORA_SECCOMP_DISABLED=false
      - NEXTCLOUD_UPLOAD_LIMIT=10G
      - NEXTCLOUD_MAX_TIME=3600
      - NEXTCLOUD_MEMORY_LIMIT=2048M
      - NEXTCLOUD_ADDITIONAL_APKS=imagemagick
      - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick
      - TALK_PORT=3478

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

The problem is that I get this error after running docker compose up -d:

Error response from daemon: driver failed programming external connectivity on endpoint nextcloud-aio-mastercontainer (d07380be0fea2dd51dac70563f7cb890d82f28a3dd8487b1a4a9c9ff72179139): Bind for 0.0.0.0:8080 failed: port is already allocated

So I changed the left port in the docker-compose.yml file from 8080 to 11000, and now the docker starts but when I go to https://nextcloud.domain.fr I get:
[screenshot not preserved]

Here are some debugging elements:

$ docker compose logs -f
nextcloud-aio-mastercontainer  | Trying to fix docker.sock permissions internally...
nextcloud-aio-mastercontainer  | Creating docker group internally with id 998
nextcloud-aio-mastercontainer  | Initial startup of Nextcloud All-in-One complete!
nextcloud-aio-mastercontainer  | You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
nextcloud-aio-mastercontainer  | E.g. https://internal.ip.of.this.server:8080
nextcloud-aio-mastercontainer  |
nextcloud-aio-mastercontainer  | If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
nextcloud-aio-mastercontainer  | https://your-domain-that-points-to-this-server.tld:8443
nextcloud-aio-mastercontainer  | [Tue Sep 12 17:00:06.471648 2023] [mpm_event:notice] [pid 166:tid 140392593234760] AH00489: Apache/2.4.57 (Unix) OpenSSL/3.1.2 configured -- resuming normal operations
nextcloud-aio-mastercontainer  | [Tue Sep 12 17:00:06.471715 2023] [core:notice] [pid 166:tid 140392593234760] AH00094: Command line: 'httpd -D FOREGROUND'
nextcloud-aio-mastercontainer  | {"level":"info","ts":1694538006.5152645,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
nextcloud-aio-mastercontainer  | [12-Sep-2023 17:00:06] NOTICE: fpm is running, pid 171
nextcloud-aio-mastercontainer  | [12-Sep-2023 17:00:06] NOTICE: ready to handle connections
$ docker compose ps
NAME                            IMAGE                         COMMAND             SERVICE                         CREATED             STATUS                   PORTS
nextcloud-aio-mastercontainer   nextcloud/all-in-one:latest   "/start.sh"         nextcloud-aio-mastercontainer   2 minutes ago       Up 2 minutes (healthy)   80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:11000->8080/tcp, :::11000->8080/tcp

I don’t know how to make it work from now…

Hi, can you follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things?

Hi, yes, I did follow the steps before posting; I actually forgot to mention it.
For example, when I do nc -z localhost 11000; echo $? from the host (on which the reverse proxy runs and on which the nextcloud-aio docker also runs) I get 0, so the reverse proxy (not running in a container) can reach the provided apache port 11000.

In fact, the main question, I think, is what port should I set on the left-side of this line in the docker-compose file of nextcloud-aio:

    ports:
      - 8080:8080

Did you already do step four?

No, because I cannot launch the docker with external port 8080, it is already taken.
I cannot launch the AIO interface with a specific port such as https://nextcloud.domain.fr:port since I use a reverse proxy, whose role is to redirect the domain nextcloud.domain.fr to the internal port 11000 which the docker should listen to, if I understand correctly?

Then just use e.g. this and open the AIO interface on port 8081.

Ah OK, I understand, I need to connect to the localhost first and then it configures the containers that will run on the domain… I thought it was working like the plain nextcloud docker which works out-of-the-box without having to open the interface locally before.
It is not super friendly because I need to connect to the server via SSH and then open a distant Firefox session etc., but eventually it worked, thanks for your help!
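Added example, not part of the thread and not code from the Nextcloud AIO project: a small check over the PORTS column of `docker compose ps` that flags the mapping the thread ran into, where the mastercontainer's AIO interface (container port 8080) is published on the same host port as APACHE_PORT, so the reverse proxy's `http://localhost:11000` reaches the AIO interface instead of Nextcloud. It also reports when that interface is published on every host address. The function names, finding labels and the `127.0.0.1:8081` sample are assumptions made for illustration.

```python
import re

# Published entries look like "0.0.0.0:11000->8080/tcp", ":::11000->8080/tcp"
# or "[::]:11000->8080/tcp"; entries such as "80/tcp" are exposed but not published.
PUBLISHED = re.compile(r"^(?P<ip>.*):(?P<host>\d+)->(?P<cont>\d+)/(?P<proto>\w+)$")
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}

# PORTS column copied from the `docker compose ps` output in the thread.
THREAD_PORTS = ("80/tcp, 8443/tcp, 9000/tcp, "
                "0.0.0.0:11000->8080/tcp, :::11000->8080/tcp")
# Constructed samples: the AIO interface moved to host port 8081.
LOOPBACK_8081 = "80/tcp, 8443/tcp, 9000/tcp, 127.0.0.1:8081->8080/tcp"
WILDCARD_8081 = "0.0.0.0:8081->8080/tcp, [::]:8081->8080/tcp"


def parse_published(ports_column):
    """Return (host_ip, host_port, container_port) for each published port."""
    published = []
    for entry in ports_column.split(","):
        match = PUBLISHED.match(entry.strip())
        if match:
            host_ip = match["ip"].strip("[]")
            published.append((host_ip, int(match["host"]), int(match["cont"])))
    return published


def audit_mastercontainer(ports_column, apache_port, aio_port=8080):
    """Return sorted finding labels for the mastercontainer's port mappings."""
    findings = set()
    for host_ip, host_port, container_port in parse_published(ports_column):
        if container_port != aio_port:
            continue  # only the AIO interface mapping is of interest here
        if host_port == apache_port:
            # The reverse proxy target port now leads to the AIO interface.
            findings.add("collides-with-APACHE_PORT")
        if host_ip in WILDCARD_ADDRESSES:
            # The admin interface is reachable on every address of the host.
            findings.add("aio-interface-on-all-addresses")
    return sorted(findings)


if __name__ == "__main__":
    for label, ports in [("thread", THREAD_PORTS), ("loopback", LOOPBACK_8081)]:
        print(label, audit_mastercontainer(ports, apache_port=11000))
```
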