Using Nextcloud AIO via Cloudflare Argo tunnel

Hi folks,

I’m trying to set up AIO to allow access via an Argo tunnel.

This was working on an older version of Nextcloud, but I can’t for the life of me get the installer to recognize the domain name from the setup page on the AIO machine.

I am installing from the ova image running on xcp-ng and have the tunnel installed and running OK it seems, but the installer refuses to see it.

I have tried pointing nextcloud.mydomain.com to localhost:80, localhost:443, localhost:8080 and localhost:8443 but none of these seem to be recognized by installer.

Any ideas what port I should be pointing to? I think that’s the problem.

Ta
Peter.

If I point the tunnel to <IP_OF_HOST>:8080 I get
Jun 28 05:24:46 nextcloud cloudflared[31201]: 2022-06-28T05:24:46Z ERR error=“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.44.137 because it doesn’t contain any IP SANs” cfRay=7223ff7ceb4b5ab8-MEL ingressRule=0 originService=https://192.168.44.137:8080
Jun 28 05:24:46 nextcloud cloudflared[31201]: 2022-06-28T05:24:46Z ERR Request failed error=“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: x509: cannot validate certificate for 192.168.44.137 because it doesn’t contain any IP SANs” connIndex=1 dest=https://nextcloud.mydomain.com.au/index.php/apps/photos/service-worker.js type=http

So I must be close :slight_smile:

So you already managed to run AIO behind your cloudflare tunnel or only a simple Nextcloud instance?

It was just a simple instance, installed from the web.

I see. However AIO is different and sorry to say but I remember some reports that people weren’t able to get it running behind a cloudflare tunnel…

However I’ll try to give you some guidance.

First of all the OVA is very limited in its options. It is probably not possible to run it behind a cloudflare tunnel at all. (or you need to remove the container and recreate it using the correct command).

Second, you need to install AIO by following the reverse proxy documentation because a cloudflare tunnel works like a reverse proxy: all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub

You then need to point your cloudflare tunnel at the chosen apache_port so e.g. http://<IP_OF_HOST>:11000.

Then you should access the aio interface at https://<IP_OF_HOST>:8080, type in the domain that you configured in cloudflare that points at http://<IP_OF_HOST>:11000 and hope that it accepts the domain.

If not, there should hopefully be some debug logs in AIO that may help you figure out what the problem is.

Fantastic @szaimen, thanks for the pointers. I did wonder about the image, I thought it might be easier. I’ll blow it all away and start again I think. Not too much of a loss there.

I did get the tunnel connected OK (had to install packages and took a while to get the network sorted out without vi being installed), but no major loss.

I’ll let you know how I go tomorrow.

OK, for those following along at home.

I did a fresh install with caddy as a reverse proxy.

Then the magic seems to be to point the argo tunnel to http://localhost:11000 (note http NOT https).

Containers are now installing.

I’ll have to see what ports I can close now (I suspect all of them) on the firewall.

P.
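The tunnel setup described in the post above, written out as a cloudflared ingress configuration. This is an added example, not part of the original thread or the Nextcloud AIO documentation; the tunnel ID and credentials path are placeholders, and the hostname and origin addresses are the ones quoted in the thread.

```yaml
# cloudflared config.yml (constructed example; <TUNNEL_ID> and the
# credentials path are placeholders, not values from the thread)
tunnel: <TUNNEL_ID>
credentials-file: /etc/cloudflared/<TUNNEL_ID>.json

ingress:
  # Rule that produced the x509 error quoted earlier in the thread:
  # the origin is addressed by IP over HTTPS, and the certificate served
  # on port 8080 contains no IP SAN, so cloudflared cannot validate it.
  # - hostname: nextcloud.mydomain.com
  #   service: https://192.168.44.137:8080

  # Working rule from the thread: plain HTTP (not HTTPS) to the
  # apache_port on loopback.
  - hostname: nextcloud.mydomain.com
    service: http://localhost:11000

  # cloudflared requires a final catch-all rule with no hostname.
  - service: http_status:404
```

With the origin on localhost, the unencrypted hop between cloudflared and port 11000 never leaves the host.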

So you were not able to make it work with the cloudflare tunnel only?

No. I gave up on that. The tunnel pointing to the proxy seems to do the trick.

I see. What I do not understand is, did you use caddy to get it working and now you are removing it again and only use the argo tunnel?

If yes, we probably should introduce a way to disable the domain validation for use cases like this… WDYT?

No. I couldn’t get it working without the proxy at all. So I’m pointing the argo tunnel to http://localhost:11000 and that did the trick.

okay, so do I understand correctly that you used caddy to get it running and now point the argo tunnel at http://localhost:11000 which works for you?

That’s correct. I couldn’t get the connection to work directly.

All right! I just added an option to skip the domain validation and added some documentation on how to get it running behind cloudflare: allow to skip the domain verification and add documentation for cloud… by szaimen · Pull Request #873 · nextcloud/all-in-one · GitHub
Feedback is appreciated! :slight_smile:

No problems. Glad to help in some tiny way. It’s working really well this way and I’m going to spin up a few more for clients.