Understanding the reverse Proxy docker documentation

Hello,

I am installing nextcloud “all in one” behind a proxy (haproxy).
In general the setup with haproxy is really quite simple. haproxy
gets the https request and forwards it to http.

While reading the documentation here I am getting really confused

The documentation shows a setup like this:

For Linux:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

Why is the content over port 8080 still served over https?
Why is there documentation on the apache port / binding while that port is not exposed?

See the README for details.

1 Like

Thank you for the link to this information.
From reading this I see the following

  • --publish 80:80 This means that port 80 of the container should get published on the host using port 80. It is used for getting valid certificates for the AIO interface if you want to use port 8443. It is not needed if you run AIO behind a web server or reverse proxy and can get removed in that case as you can simply use port 8080 for the AIO interface then.
  • --publish 8080:8080 This means that port 8080 of the container should get published on the host using port 8080. This port is used for the AIO interface and uses a self-signed certificate by default. You can also use a different host port if port 8080 is already used on your host, for example --publish 8081:8080 (only the first port can be changed for the host, the second port is for the container and must remain at 8080).
  • --publish 8443:8443 This means that port 8443 of the container should get published on the host using port 8443. If you publish port 80 and 8443 to the public internet, you can access the AIO interface via this port with a valid certificate. It is not needed if you run AIO behind a web server or reverse proxy and can get removed in that case as you can simply use port 8080 for the AIO interface then.

From reading this it appears that indeed port 8080 is still served over https and this is not compatible with how haproxy operates (nextcloud should be served over http). Hence I do not understand.

What is the purpose of the APACHE_PORT=11000 if the port is not exposed?
If as documented port 8080 is served over https how can this be disabled?

First of all, it’s of course possible to serve https backends that are using self-signed certificates via HA Proxy (ssl verify none in the backend config should do the trick), but in this case that’s not actually necessary because Nextcloud is not served on port 8080, it’s served on 11000 or whatever port you specify in the APACHE_PORT environment variable.

Port 8080 is used to serve the AIO admin interface, which by default is accessible on https://<IP_ADDRESS>:8080. However, in my humble opinion, admin interfaces shouldn’t be exposed to the public anyways.

If you absolutely need to expose it, see here: all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

2 Likes
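To make the point of the answer above concrete, here is an HAProxy configuration that terminates TLS and forwards to Nextcloud over plain HTTP on the APACHE_PORT (11000) rather than to the admin interface on 8080. This is an added example, not taken from the thread or from the Nextcloud AIO project; the certificate path /etc/haproxy/certs/mydomain.pem, the backend address 127.0.0.1 (containers on the same host as HAProxy) and the names of the frontends and backends are assumptions.

```haproxy
# Added example (not from the thread): HAProxy in front of Nextcloud AIO.
# Assumed: cert+key concatenated in /etc/haproxy/certs/mydomain.pem,
# and the AIO containers run on the same host as HAProxy.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    option forwardfor            # pass the client IP as X-Forwarded-For
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Plain-HTTP entry point: only redirects to https
frontend http_in
    bind :80
    http-request redirect scheme https unless { ssl_fc }

frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/mydomain.pem alpn h2,http/1.1
    # Tell Nextcloud the original scheme so it generates https:// links
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    default_backend nextcloud_aio

# Nextcloud itself: served by the nextcloud-aio-apache container on
# APACHE_PORT (11000) over plain http, so no "ssl" keyword here.
backend nextcloud_aio
    server nextcloud 127.0.0.1:11000 check

# The AIO admin interface on 8080 uses a self-signed certificate. If you
# really must proxy it, the backend needs "ssl verify none"; otherwise keep
# it reachable only from the local network or a VPN and leave this out.
# backend aio_admin
#     server aio 127.0.0.1:8080 ssl verify none
```

Two things to keep in mind when using this: Nextcloud only honours X-Forwarded-* headers from proxies listed in trusted_proxies in its config.php, so the proxy's address has to be trusted there, and the commented-out aio_admin backend is deliberately not wired to any frontend, since the admin interface is the one part of the setup that should stay off the public side of the proxy.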

Thank you @bb77 for the clarification.

After some more research it appears that the port that is used in my setup is port 8000 for some reason

I’m by no means a Docker expert, but I’m pretty sure that the ports that are used by services inside the container are not relevant for the reverse proxy configuration, but the ports that the container publishes to the host system.

This is what it looks like on my AIO test instance: (The command must be run on the host, not inside the container)

docker port nextcloud-aio-mastercontainer
80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80
8080/tcp -> 0.0.0.0:8080
8080/tcp -> [::]:8080
8443/tcp -> 0.0.0.0:8443
8443/tcp -> [::]:8443

Also, as far as I understand it, the nextcloud-aio-mastercontainer only serves the AIO admin interface. Nextcloud itself is served by the nextcloud-aio-apache container, and that one should only have port 11000 published according to your docker run command. You can check with the following command:

docker port nextcloud-aio-apache
1 Like

There is some truth in there.
I think that the nextcloud-aio-mastercontainer has launched the second container that is listening on port 11000 after I connected to the admin interface.

root@elite:~/bin# docker ps
CONTAINER ID   IMAGE                              COMMAND       CREATED      STATUS                PORTS                                                                        NAMES
d94417e4b06e   nextcloud/aio-domaincheck:latest   "/start.sh"   2 days ago   Up 2 days (healthy)   0.0.0.0:11000->11000/tcp                                                     nextcloud-aio-domaincheck
79fff788d649   nextcloud/all-in-one:latest        "/start.sh"   2 days ago   Up 2 days (healthy)   0.0.0.0:8000->8000/tcp, 80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp   nextcloud-aio-mastercontainer

I can also connect through the proxy but will not get further as the UI insists that this is not true.

For future reference.

I solved the issue by installing a more basic version (that does not deal with certificates); I basically followed the cherryservers "install nextcloud" guide starting at step 10 (creation of a docker compose file).

My setup is the following:

  • I connect to my network using wireguard
  • nextcloud is running on the server on port 8080 over http (not https)
  • I am using a public dns server to resolve my local addresses e.g. nextcloud.mydomain.com resolves to a wireguard IP address
  • I have set up a wildcard certificate on *.mydomain.com that terminates in haproxy

I renew my certificates using certbot and use the dns authentication method

certbot certonly \
  --non-interactive \
  --authenticator dns-standalone \
  --email admin@example.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d "*.mydomain.com" \
  --dns-standalone-address=192.168.2.100 -v