Unable to connect ANY clients to NEXTCLOUD behind NGINX Reverse Proxy #2203

Closed
TacitTactics opened this issue Apr 25, 2024 · 6 comments
Labels
needs info Additional info needed to triage question

Comments

@TacitTactics

I am new to using docker. I have searched for hours and it seems that my issue was resolved years ago, but the solutions are not working for me.

My setup:
Reverse Proxy (NGINX) in VPS -> Reverse Proxy (NGINX) internally -> Reverse Proxy (NGINX) on host running NEXTCloud.

NGINX config:

    server {
        # HTTPS site
        listen 443 ssl;
        server_name _;
        location / {
            proxy_pass http://localhost:8080/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            access_log off;
        }
        ssl_certificate      /etc/letsencrypt/live/<domain>/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/<domain>/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  5m;
    }

    server {
        # Redirect all other traffic to the HTTPS site
        listen 80 default_server;
        location / {
            return 301 https://$host$request_uri;
        }
    }

Nextcloud setup:
OS ==> Ubuntu Lite OS 64 on Raspberry PI 5
executing using docker-compose file:

version: '2'

services:
  mariadb:
    image: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    ports:
      - 9022:3306
    volumes:
      - /media/disk/nextcloud/mariadb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<mine>
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=root

  nextcloud:
    image: nextcloud
    restart: always
    ports:
      - 8080:80
    links:
      - mariadb:mysql
    volumes:
      - /media/disk/nextcloud/nextcloud:/var/www/html 
      - /media/disk/nextcloud/apps:/var/www/html/custom_apps 
      - /media/disk/nextcloud/config:/var/www/html/config 
      - /media/disk/ncdata:/var/www/html/data 
      - /media/disk:/media/disk
    environment:
      - MYSQL_PASSWORD=<mine>
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=root
      - MYSQL_HOST=mariadb

  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: always
    environment:
      - WATCHTOWER_CLEANUP=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

Scenario 1:
Run as is, web browser works just fine, but Windows, Linux, and Android clients all fail. The Windows and Linux clients

If I use online solution of adding the following lines to config/config.php:

  'overwriteprotocol' => 'https',

Then all clients are redirected to "https://localhost:8080" but this is just wrong because the docker is only listening on 80 http.

Please help... if logs are needed, please leave steps on how to retrieve them so I can provide them. Thank you.

@tzerber
Contributor

tzerber commented Apr 25, 2024

Several things i see wrong with this setup, i will try to address them as much as i can.

Proxy:
This is sort of trimmed version of my nginx config on the proxy, but keep in mind it's not a working example, because my proxy is using a dedicated docker container, and it's autogenerated for it's most part. I tried to cut it out so you can compare it with yours, and add whatever is missing / different. I would suggest you use a container for your proxy as well.

Nginx configuration:

map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}

map $http_upgrade $proxy_connection {
  default upgrade;
  ''      close;
}

server_names_hash_bucket_size 128;
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;

map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  default off;
  https   on;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 '"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;

proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Proxy "";

upstream <domain> {
        server <ip>:80;
}

server {
        server_name <domain>;
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/<domain>.crt;
        ssl_certificate_key /etc/nginx/certs/<domain>.key;
        ssl_dhparam /etc/nginx/certs/<domain>.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/<domain>.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
                proxy_pass http://<domain>;
        }
}

Nextcloud setup:
You are using a very very old compose file and that is also a very bad idea. Keep in mind, the example below is a generic working example, you need to edit it to match your configuration (in particular - your volume paths) and it is using a more recent version of Docker, so you should check what version of docker your RaspberryPi is using.

Also, I would suggest not opening the database port.

services:
  db:
    image: mariadb:10.6
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1

  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:apache
    restart: always
    ports:
      - 127.0.0.1:8080:80
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    depends_on:
      - db
      - redis

  cron:
    image: nextcloud:apache
    restart: always
    volumes:
      - nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

volumes:
  db:
  nextcloud:

I would get rid of the watchtower container if you don't know what exactly it is doing and what problems it can create. It's good to have, but only in specific scenarios.

Also, I am assuming you are using valid certificates. Invalid ones will cause problems with most browsers, unless you explicitly allow them / add them to the certificate stores of said browsers.

@TacitTactics
Author

Thank you so much for the reply. I will try out the NGINX Proxy Manager that I have been hearing about. It is a container as well. Thank you for the updated docker-compose file. I'll try your suggestions and try this again. LEARNING IS HARD :-(

ROFL

@TacitTactics
Author

Also, yes, the certificates are valid and from LetsEncrypt.

@tzerber
Contributor

tzerber commented Apr 25, 2024

As a guide (I wrote this a while ago, and I'm unsure on how accurate it is) you can use this: https://github.com/tzerber/docker_nc_psql_nginx_ssl

Screenshots there will help with nginx-proxy-manager for sure.

@joshtrichards
Member

Hi @TacitTactics!

Can you post your query on the Help Forum (https://help.nextcloud.com)? This channel is for bug reporting in the image itself and this seems to be a general troubleshooting matter.

> Then all clients are redirected to "https://localhost:8080/" but this is just wrong because the docker is only listening on 80 http.

Well, it's closer because you'd like clients to be directed to your external https:// proxy, correct? :)

What are your other overwrite* parameters set to? You can set a port for overwritehost.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#proxy-configurations
https://github.com/nextcloud/docker?tab=readme-ov-file#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol

@joshtrichards joshtrichards added question needs info Additional info needed to triage labels May 6, 2024
@joshtrichards
Member

joshtrichards commented May 13, 2024

> Then all clients are redirected to "https://localhost:8080" but this is just wrong because the docker is only listening on 80 http

Your container is actually listening on 8080 per your config so it's accurate based on what you've told Nextcloud so far.

Keep in mind there are additional overwrite* parameters you will likely need to set, such as the external hostname and port. The overwrite* parameters are all about telling Nextcloud what your externally visible HTTPS host is reachable at. That is presumably, in your case, your outermost reverse proxy that you labeled Reverse Proxy (NGINX) in VPS.

Use the hostname of the Nextcloud vhost on it, its associated port, protocol, etc.

See the Reverse Proxy section of the Nextcloud Admin Manual (https://docs.nextcloud.com) as well as the Docker specific notes here in this repository's README.

I'm going to close this since there isn't anything actionable here for us to do in the image itself. But do feel free to follow-up at the Community Help Forum (https://help.nextcloud.com).

Hope that helps.
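As an added illustration of the overwrite* parameters discussed above (this is not code from the thread or from the Nextcloud project), the proxy-related section of config/config.php for a container that only ever sees plain HTTP from the innermost nginx while clients reach it through an HTTPS vhost on the outer proxy. The hostname and proxy addresses are placeholders to be replaced with your own; the OP's setting of only `overwriteprotocol` is what produces the `https://localhost:8080` redirect, because the host and port still come from the container's own view of the request.

```php
<?php
// Added example, not the project's own file. Placeholders:
//   cloud.example.com  - public vhost name on the outermost (VPS) proxy
//   172.16.0.0/12      - Docker bridge range the innermost nginx connects from
$CONFIG = array (
  // Host headers Nextcloud will answer for; the public name must be here or
  // every request through the proxy is rejected as an untrusted domain.
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
    1 => 'localhost:8080',   // optional: direct access from the Docker host
  ),

  // Only proxies listed here may supply X-Forwarded-* headers. Without this
  // list Nextcloud ignores them, and a too-wide list lets any client spoof
  // its source address in logs and in brute-force protection.
  'trusted_proxies' =>
  array (
    0 => '172.16.0.0/12',
  ),
  'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR'),

  // What clients see from the outside. Generated links and the redirects the
  // desktop/mobile clients follow use these values instead of the scheme,
  // host and port of the hop that actually reached the container.
  'overwritehost'     => 'cloud.example.com',   // add ':port' if not 443
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://cloud.example.com',
);
```

The same keys can be set without editing the file, e.g. `docker compose exec -u www-data app php occ config:system:set overwritehost --value=cloud.example.com`, and the README linked above documents the matching `OVERWRITEHOST`, `OVERWRITEPROTOCOL` and `TRUSTED_PROXIES` container environment variables.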

@joshtrichards joshtrichards closed this as not planned Won't fix, can't repro, duplicate, stale May 13, 2024