Unable to setup Nextcloud AIO local instance with reverse proxy

I want to set up Nextcloud locally, not exposed to the internet!
I can’t get past domain verification. Either I get that port 443 is not open or that the reverse proxy is not configured correctly.

The server is Ubuntu 22.04, with Docker 24.0.2.
The server is behind NAT with a public static IPv4. I use duckdns.org to get a domain.
The all-in-one/local-instance.md at main · nextcloud/all-in-one · GitHub doc is ambiguous to me. Like step 2, where only port 80 should be opened? The domain check seems to want only 443…
Please help!
I did try setting the env SKIP_DOMAIN_VALIDATION=true, but the UI is not working (can’t click anything).

This is my docker-compose.yml:

version: "3.8"

services:
  caddy:
    image: caddy:alpine
    restart: unless-stopped
    container_name: caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./certs:/certs
      - ./config:/config
      - ./data:/data
      - ./sites:/srv
    network_mode: "host"

  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8080:8080"
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - caddy

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

The Caddyfile:

[mysub].duckdns.org {
    reverse_proxy localhost:11000
}

I cannot see this being set in your docker-compose file. Where did you set it?

Also, did you follow steps 3 and 4 already? That is needed if you do not want to disable the domain validation.

I removed it when I pasted here because I am not 100% sure I set it up to be skipping. I mean, if I try to access Nextcloud through the domain it doesn’t work (“ERR_SSL_PROTOCOL_ERROR”); I can access it using port 8080, but my browser blocks it without an option to continue with the risk.

Yes, I did. I set a new static DNS record in my router.
The nslookup resolved to my server’s private IP.

All right. Was the reverse proxy able to get a certificate for your domain and did you open port 80 and 443 in the firewall of the server?

I did open the ports.
How would the reverse proxy get a certificate? The config doesn’t include one…

I was able to finally access the platform via domain.

I created the certificates manually and copied them to the /certs directory, and then updated the Caddyfile.

[*].duckdns.org {
    reverse_proxy localhost:11000
    tls /certs/cert.pem /certs/privkey.pem
}

Caddy usually gets the certificate automatically via port 80.
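The thread turns on three things that are easy to check before touching the AIO domain validation: the Caddyfile points the site address at the AIO Apache port (11000), the DuckDNS name resolves to the server's private address (the static record in the router), and whatever is served on port 443 is a certificate the client actually trusts. The following pre-flight script is an added example written for this thread; it is not part of the Nextcloud AIO project or of any post above. The Caddyfile text embedded in it is a constructed sample with the placeholder name mysub.duckdns.org, and the hostname/SAN matching is a deliberately small re-implementation rather than the one your browser or Caddy uses.

```python
"""Pre-flight checks for a Nextcloud AIO local instance behind Caddy.

Added example (not from the thread or the Nextcloud project). Offline parts:
a minimal Caddyfile parser, private-address classification and SAN matching.
Network parts: port reachability and a TLS handshake that verifies the
certificate the way a browser would, so an untrusted manual certificate or
a missing certificate (ERR_SSL_PROTOCOL_ERROR) shows up as a named failure.
"""
import ipaddress
import socket
import ssl
import sys

# Constructed sample mirroring the manual-certificate variant from the thread.
# "mysub" is a placeholder for the real DuckDNS subdomain.
SAMPLE_CADDYFILE = """\
mysub.duckdns.org {
    reverse_proxy localhost:11000
    tls /certs/cert.pem /certs/privkey.pem
}
"""

AIO_UPSTREAM = "localhost:11000"  # APACHE_PORT=11000 bound to 127.0.0.1 in the compose file


def parse_caddyfile(text):
    """Extract site address, reverse_proxy upstream and tls cert/key paths.

    Minimal on purpose: one site block, no nested blocks, first match wins.
    """
    site = upstream = cert = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{") and site is None:
            site = line[:-1].strip()
        elif line.startswith("reverse_proxy "):
            upstream = line.split(None, 1)[1].strip()
        elif line.startswith("tls "):
            parts = line.split()
            if len(parts) == 3:  # "tls <cert> <key>" -> manual certificate
                cert, key = parts[1], parts[2]
    return {"site": site, "upstream": upstream, "tls_cert": cert, "tls_key": key}


def is_private(ip):
    """True for RFC 1918 / ULA addresses, i.e. what a local-instance record should hold."""
    return ipaddress.ip_address(ip).is_private


def hostname_matches(names, hostname):
    """Match hostname against certificate names; '*.x' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".duckdns.org"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def cert_names(cert):
    """DNS names from an ssl.getpeercert() dict: SAN entries first, then CN."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName" and value not in names:
                names.append(value)
    return names


def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_check(domain, port=443, timeout=5.0):
    """Handshake with full verification, as a browser would. Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((domain, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return True, "trusted certificate for " + ", ".join(cert_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError, so check it first
        return False, f"certificate rejected by local trust store: {e.verify_message}"
    except ssl.SSLError as e:
        return False, f"TLS handshake failed (nothing serving TLS on {port}?): {e}"
    except OSError as e:
        return False, f"cannot connect: {e}"


def run_checks(domain, caddyfile_text):
    """Return a list of (check, passed, detail) for the local-instance setup."""
    cfg = parse_caddyfile(caddyfile_text)
    results = [
        ("Caddyfile site address covers domain", hostname_matches([cfg["site"] or ""], domain), str(cfg["site"])),
        ("Caddyfile upstream is AIO Apache", cfg["upstream"] == AIO_UPSTREAM, str(cfg["upstream"])),
        ("Caddyfile certificate source", True,
         f"manual: {cfg['tls_cert']}" if cfg["tls_cert"] else "automatic (port 80 must be reachable)"),
    ]
    try:
        ip = socket.gethostbyname(domain)
        results.append(("domain resolves to private address", is_private(ip), ip))
    except OSError as e:
        results.append(("domain resolves", False, str(e)))
    results.append(("port 80 reachable", tcp_open(domain, 80), ""))
    results.append(("port 443 reachable", tcp_open(domain, 443), ""))
    results.append(("TLS on 443 verifies",) + tls_check(domain))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mysub.duckdns.org"
    for name, ok, detail in run_checks(target, SAMPLE_CADDYFILE):
        print(f"[{'ok' if ok else 'FAIL'}] {name}: {detail}")
```

Run it on the server as `python3 preflight.py yourname.duckdns.org` (replace the Caddyfile sample with your real file if you want the static checks to mean anything). A "certificate rejected by local trust store" result with a manual certificate is the same situation the browser reported above: the proxy is up, but the client has no reason to trust what it serves.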