Using Nextcloud Desktop on the Nextcloud server itself (which is reverse proxied by Nginx)

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can.

The Basics

• Nextcloud Server version (e.g., 29.x.x):

  • 32.0.3

• Operating system and version (e.g., Ubuntu 24.04):

  • Ubuntu 24.04.3 LTS

• Web server and version (e.g, Apache 2.4.25):

  • Apache/2.4.58 (Ubuntu)

• Reverse proxy and version _(e.g. nginx 1.27.2)

  • nginx/1.24.0 (Ubuntu)

• PHP version (e.g, 8.3):

  $ php -v
  PHP 8.3.6 (cli) (built: Jul 14 2025 18:30:55) (NTS)
  Copyright (c) The PHP Group
  Zend Engine v4.3.6, Copyright (c) Zend Technologies
  with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
  

  $ php8.3 -v
PHP 8.3.6 (cli) (built: Jul 14 2025 18:30:55) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.6, Copyright (c) Zend Technologies
with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies

• Is this the first time you’ve seen this error? (Yes / No):

  • Yes

• When did this problem seem to first start?

  • Has never worked.

• Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)

  • Bare Metal/Archive

• Are you using CloudfIare, mod_security, or similar? (Yes / No)

  • No

Summary of the issue you are facing:

I have installed Nextcloud on Ubuntu 24.04.3 TLS following the manual installation guide on docs[.]nextcloud[.]com. Apache2 is configured to listen on port 81 and 444. I then also installed nginx and have a server defined in there, listens on 80/443, proxies over to 127.0.0.1:81$request_uri. Lego is used to get my SSL certificate for nginx’s use. This is for my internal network clients.

For external access, I am using Pangolin on an Azure VM running Ubuntu, just to try it out. The resource in Pangolin proxies also to 127.0.0.1:81.

From any other systems than the server itself (Ubuntu laptop, Ubuntu desktop, Android phone, I can connect both via browser and the Nextcloud app, to my FQDN via HTTPS and Nextcloud works perfectly.

The one place where Linux Nextcloud Desktop cannot connect from is on the server itself (Ubuntu 24.04.3 LTS). It is Ubuntu desktop, not server, and I’ve tried both the AppImage as well as the apt install nextcloud-desktop. The same error from both:

Connection Failed

Failed to connect to the secure server address https_//my_domain_tld. How do you wish to proceed?

If I switch the server address to http_//127.0.0.1 it almost works but in the browser (Firefox) it keeps on redirecting me to https_//127.0.0.1 every step along the way and eventually fails to capture the state token because it gets lost when the http>https redirect happens (“Access forbidden”, “State token missing”).

At this point I can’t find any logs, monitor network connections doesn’t seem helpful either. I’m wondering where I might find logs for this specific scenario?

By the way, browser/ Firefox on the server works just fine to https[://]my.domain.tld and I toggle a website exception for DNS over HTTPs to control whether Firefox is resolving the public DNS IP which is my Pangolin instance, or my internal IP (which is a local DNS entry in my Pi-Hole DNS server running on same Ubuntu desktop server), going to this server’s IP, where nginx is listening on 443. It works perfectly fine in both cases (Pangolin/external and back, nginx/internal) and I can confirm which avenue Firefox is connected via using netstat:

sudo netstat -ptan

Any help would be much appreciated. I’m a little new to Linux but pretty seasoned so able to troubleshoot with a bit of direction. Thanks in advance.

Steps to replicate it (hint: details matter!):

1. In Nextcloud Desktop on the 1st / initial page, enter the server address https_//my.domain.tld and press Next.

2. Error is immediate: “Failed to connect to the secure server address https_//my.domain.tld. How do you wish to proceed?”

3. It works in the browser from the same computer, or works from the desktop app on two other computers, and Android app, and from the browser as well on any of those. Just this one spot, specifically Nextcloud Desktop (Linux, AppImage/apt package) is experiencing the problem.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

Even on Debug logging level, I don’t see anything in Nextcloud log related to the connection attempts (this gives me hope it’s something between nginx/apache).

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

As I mentioned, the browser works fine to connect via https (trusts the valid Lets Encrypt cert covering *.mydomain.tld) and Nextcloud works great in there. If I switch the server address in Nextcloud desktop to http_//127.0.0.1:81 (apache2, Nextcloud), it works as much as to send me to firefox, but then it flips me over from http to https, which doesn’t work, so I manually change it back to http, get one step further, login via Nextcloud user/password, get flipped back to https, manually change back to http, successfully to TOTP MFA, get flipped back to https, manually change back to http, hit the “Grant Access” button, get flipped to https, manually change back to http, finally receive “Access forbidden” / “state token missing” page and the Nextcloud Desktop client does not proceed from the state where it has the “Copy link” and “Browser” buttons.

**All that said, I really would rather not shim this problem by setting Nextcloud Desktop to connect to 127.0.0.1, I’d rather just put in the domain name and let it do the SSL proper.

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

# tail -f /var/log/nginx/access.log while trying to connect from Nextcloud Desktop, on same computer as Nextcloud server:
::1 - - [08/Jan/2026:21:56:28 -0400] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xDA\xA6<\x17on\xA4S\x1F[\x16\x13\xD5\xB9\xE2\xB4\x9B\x0E%F#" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:56:28 -0400] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x18\x93\xF5`\xA8\xDB~q]\xA7g!'HI\xD7\xD7\x1BM\xAE%dO\xB4:1\x1BK\x05\xF9\xA3\x1F /\xB4VF\xE5\xD8a\x09\xC8\xE9Un\x01\xED\xB5w\xE5\xD1\xBCD\xC5\xB2\x9A\xB9\xA7\xD4\x87\xB9\x99=\xCC\x8F\x00r\x13\x02\x13\x03\x13\x01\xC0,\xC00\x00\x9F\xCC\xA9\xCC\xA8\xCC\xAA\xC0+\xC0/\x00\x9E\xC0$\xC0(\x00k\xC0#\xC0'\x00g\xC0" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:56:48 -0400] "GET /status.php HTTP/1.1" 200 170 "-" "Mozilla/5.0 (Linux) mirall/4.0.4-20251216.090813.fbff567a0f-1.0~noble1 (Nextcloud, ubuntu-6.14.0-37-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"
::1 - - [08/Jan/2026:21:56:48 -0400] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux) mirall/4.0.4-20251216.090813.fbff567a0f-1.0~noble1 (Nextcloud, ubuntu-6.14.0-37-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"
::1 - - [08/Jan/2026:21:56:48 -0400] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xA4d[\x9A\xE3\xB3\x94T\x7F#\xDF\xCE]\x17\x9C\xF9\xD6kSq\xAC" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:56:48 -0400] "GET /ocs/v2.php/cloud/capabilities?format=json HTTP/1.1" 200 447 "-" "Mozilla/5.0 (Linux) mirall/4.0.4-20251216.090813.fbff567a0f-1.0~noble1 (Nextcloud, ubuntu-6.14.0-37-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"
::1 - - [08/Jan/2026:21:56:49 -0400] "POST /index.php/login/v2 HTTP/1.1" 200 326 "-" "MyHostname (Desktop Client - Linux)"
::1 - - [08/Jan/2026:21:56:56 -0400] "POST /index.php/login/v2 HTTP/1.1" 200 326 "-" "MyHostname (Desktop Client - Linux)"
::1 - - [08/Jan/2026:21:57:05 -0400] "\x16\x03\x01\x07d\x01\x00\x07`\x03\x03\x01\x81|\xE8`\xBFk\xAD\x88\x9B\x90/\x8E\x7F\xDA\x0F\x04\xCF\xFB\xE8" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:57:05 -0400] "\x16\x03\x01\x02\x93\x01\x00\x02\x8F\x03\x036\x98\xA7@\xBA\x96*\xA7\xC2\xCE\xDA\x5C\xE3\x9D\xD2}\xF5\xDAi\x9A\x16\xC8~`\x5Cw\xA2\x86\x05v*\x01 \x90(\xCF\x0F\xC9_\x890\xF2\xC0\x9A\xF6\xD9vH\xC5\xBA\x94\xFD\x97\xADu\xF3S\xAF&\xC8NS\xC9\xF3\xF4\x00\x22\x13\x01\x13\x03\x13\x02\xC0+\xC0/\xCC\xA9\xCC\xA8\xC0,\xC00\xC0" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:57:06 -0400] "\x16\x03\x01\x07d\x01\x00\x07`\x03\x03\xD4\x9D\x8D\xBD\x08b\xA9M\x17oc\xB2\xF2g\xBCU\xFC\xFC$\xCBMr\x82\x88\x07-[q1\xAF\x0B\xE5 .\xCBX\x15\x1D\x7F(u\x8C\xFB^\x10\x02i%zvr\x96a\xAE \xA2*1^\xB9*[" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:57:06 -0400] "\x16\x03\x01\x02\x93\x01\x00\x02\x8F\x03\x03\xBE \xE1" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:57:26 -0400] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xC9|\xF9`\xE9Dd\xC1s\x15f\x87F\x86\xBBo\xB8\x9DK\x10\xEC\x83&\x95=\xCF\xEA\xF8\xD1\xE6\x08N \xBC\xD4\x1Fl#\xDD\x90XPd\xFE\xB6U\x91\xE0Qc\xBCQ=\xCE\x83\xC4k\xD1\xDE\xE6\xBA\xAF\xF0\xB1\x81\x00r\x13\x02\x13\x03\x13\x01\xC0,\xC00\x00\x9F\xCC\xA9\xCC\xA8\xCC\xAA\xC0+\xC0/\x00\x9E\xC0$\xC0(\x00k\xC0#\xC0'\x00g\xC0" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:56:28 -0400] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03-\x9F\x99(\xBA\x9Fg0\xA8`\xFA\x9F\x99C GB\x92\x9E\xF1#\xD8\xF1{\x85|\xFEcL\x9B\x93t \x84\xF6b\x01\xE8\x15q\x994~-\xA6\x03^\xC8\x7F\xB3\xD4w\x9D\x9C\xBF\x9E\xE2\xA5\xE8\xC0[\x1A\x8FF\x18\x00r\x13\x02\x13\x03\x13\x01\xC0,\xC00\x00\x9F\xCC\xA9\xCC\xA8\xCC\xAA\xC0+\xC0/\x00\x9E\xC0$\xC0(\x00k\xC0#\xC0'\x00g\xC0" 400 166 "-" "-"
::1 - - [08/Jan/2026:21:56:48 -0400] "PROPFIND /remote.php/dav/files// HTTP/1.1" 401 630 "-" "Mozilla/5.0 (Linux) mirall/4.0.4-20251216.090813.fbff567a0f-1.0~noble1 (Nextcloud, ubuntu-6.14.0-37-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

/var/www/nextcloud$ sudo -E -u www-data php occ config:list system
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "my.domain.tld"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "http:\/\/my.domain.tld",
        "overwriteprotocol": "https",
        "overwritewebroot": "\/",
        "overwritecondaddr": "127.0.0.1",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "32.0.3.2",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": true,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}
Apps

/var/www/nextcloud$ sudo -E -u www-data php occ app:list
Enabled:
  - activity: 5.0.0-dev.0
  - admin_audit: 1.22.0
  - app_api: 32.0.0
  - bruteforcesettings: 5.0.0-dev.0
  - circles: 32.0.0
  - cloud_federation_api: 1.16.0
  - comments: 1.22.0
  - contactsinteraction: 1.13.1
  - cookbook: 0.11.5
  - dashboard: 7.12.0
  - dav: 1.34.2
  - federatedfilesharing: 1.22.0
  - federation: 1.22.0
  - files: 2.4.0
  - files_downloadlimit: 5.0.0-dev.0
  - files_pdfviewer: 5.0.0-dev.0
  - files_reminders: 1.5.0
  - files_sharing: 1.24.1
  - files_trashbin: 1.22.0
  - files_versions: 1.25.0
  - firstrunwizard: 5.0.0-dev.0
  - logreader: 5.0.0-dev.0
  - lookup_server_connector: 1.20.0
  - nextcloud_announcements: 4.0.0-dev.0
  - notes: 4.12.4
  - notifications: 5.0.0-dev.0
  - oauth2: 1.20.0
  - password_policy: 4.0.0-dev.0
  - photos: 5.0.0-dev.1
  - privacy: 4.0.0-dev.0
  - profile: 1.1.0
  - provisioning_api: 1.22.0
  - recommendations: 5.0.0-dev.0
  - related_resources: 3.0.0-dev.0
  - serverinfo: 4.0.0-dev.0
  - settings: 1.15.1
  - sharebymail: 1.22.0
  - support: 4.0.0-dev.0
  - survey_client: 4.0.0-dev.0
  - systemtags: 1.22.0
  - text: 6.0.1
  - theming: 2.7.0
  - twofactor_backupcodes: 1.21.0
  - twofactor_nextcloud_notification: 6.0.0-dev.0
  - twofactor_totp: 14.0.0
  - updatenotification: 1.22.0
  - user_status: 1.12.0
  - viewer: 5.0.0-dev.0
  - weather_status: 1.12.0
  - webhook_listeners: 1.3.0
  - workflowengine: 2.14.0
Disabled:
  - encryption: 2.20.0
  - files_external: 1.24.0
  - suspicious_login: 10.0.0-dev.0
  - twofactor_webauthn: 2.4.1
  - user_ldap: 1.23.0

Well, in having spent time gathering the details to update this post for the support details, I managed to find a solution. In my nginx website config file in /etc/nginx/sites-available (linked to sites-enabled), I commented out the listen line for [::]:443, to disable listening for IPv6. This is because in the nginx access.log entries (which I put in the OP) I saw that the client IP in this case was ::1 (IPv6 loopback). Meanwhile all the other logs for other clients who have no issues, showed their IPv4 addresses. So I just wondered if maybe it was related, and turns out it is.

I checked and confirmed IPv6 is disabled on the physical NIC, only my loopback adapter “lo”, and my veth’s (I think those are Newt’s or Docker’s maybe) have inet6 addresses. Where the DNS query would return an IPv4 address, I feel nginx somehow was deciding, maybe opportunistically to respond back initially in IPv6.

I think the solution I’ve done is adequate (disable listening for IPv6 on the nginx website/server for reverse proxying Nextloud-on-Apache) is sufficient but I guess in case there’s any advice to do more or something else, please do share.

It might be best at this point to just delete this entire post.

Not sure why you would disable IPv6 in the first place.

Well the only reason is that I was troubleshooting and I said how I spotted the client IP showing to be the IPv6 loopback address (::1), on the nginx access log.

And then disabling it fixed the problem.

It’s not that I want or care to disable IPv6 for no reason. It’s simply that I don’t know how to make the local Nextcloud Desktop client NOT connect via IPv6.

I’d be up for another solution.

Meanwhile, I don’t see any reason why IPv6 should be enabled if Nextcloud is the only website I’m hosting. The site domain is in DNS as an IPv4 address.

I’m confused why you would be confused. I’ve laid all explanatory details on the table.

Btw, if you’re referring to how I mentioned IPv6 is disabled on the physical NIC, this is the default state, I would have configured a static IPv4 when installing Ubuntu. IPv6 was left unconfigured and I didn’t check the box to disable it so I assume Ubuntu did that my default. And also mentioned how the loop back adapter had IPv6 enabled.

I guess your response really confused me. In my head I didn’t disable IPv6 to cause the problem. It was something I disabled after opening this thread and entering all the details, as a logical troubleshooting step and I covered that.

Yeah, Ubuntu does not enable it by in netplan by default for some IMHO obscure reasons.

Maybe I misunderstood, I was under the impression that it did not work over IPv6, because IPv6 was only partly enabled and not all the way through.

I still find it pretty strange that it works just because you disable IPv6 on the NIC. It should not really matter if NGINX listens to on IPv6 or 4, if it proxy passes to localhost over IPv6 or 4 and so on…

Ok I see now where I caused the confusion. IPv6 was disabled on the nic by default. Where I disabled IPv6 and after which the problem went away, was in my website conf file in /etc/nginx/sites-available/mywebsite.conf

In there, in the server {} block for proxying to nextcloud, it had both “listen 443;" and “listen [::]443;" (I think I just typod that but it was close). I removed that 2nd listen statement to stop ngnjnx from listening for IPv6. And that fixed my issue.

I didn’t make any other changes to IPv6 before or after that, and only made that change after making my original post above.

The thing that gave me the hint to try that, was the nginx access.log where the client IP (left most field in the log) was showing as “::1" on the lines where it also showed “Nextcloud Desktop".

I’ve been staying up too late!! But it’s all all working great now!

Appreciate that you’re here helping me.

That also does not really explain why it helped. Or I am too dense to see it

Why would it matter if NGINX is listening on IPv6 or not?

And why do you see ::1 in the logs nextcloud (?) logs?