
Comments (6)

tzerber avatar tzerber commented on June 21, 2024

Several things I see wrong with this setup; I will try to address them as much as I can.

Proxy:
This is sort of a trimmed version of my nginx config on the proxy, but keep in mind it's not a working example, because my proxy is using a dedicated docker container, and it's autogenerated for the most part. I tried to cut it down so you can compare it with yours and add whatever is missing / different. I would suggest you use a container for your proxy as well.

Nginx configuration:

# Fall back to the values of this connection when the upstream proxy sent no X-Forwarded-* header
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}

# WebSocket upgrade passthrough
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}

server_names_hash_bucket_size 128;
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;

map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  default off;
  https on;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 '"$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;

# Headers handed to the upstream so Nextcloud can see the real client address, scheme and host
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Proxy "";

upstream <domain> {
  server <ip>:80;
}

server {
  server_name <domain>;
  listen 443 ssl http2;
  access_log /var/log/nginx/access.log vhost;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_certificate /etc/nginx/certs/<domain>.crt;
  ssl_certificate_key /etc/nginx/certs/<domain>.key;
  ssl_dhparam /etc/nginx/certs/<domain>.dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/nginx/certs/<domain>.chain.pem;
  add_header Strict-Transport-Security "max-age=31536000" always;

  location / {
    proxy_pass http://<domain>;
  }
}

Nextcloud setup:
You are using a very, very old compose file, and that is also a very bad idea. Keep in mind, the example below is a generic working example; you need to edit it to match your configuration (in particular, your volume paths), and it is using a more recent version of Docker, so you should check what version of Docker your Raspberry Pi is using.

Also, I would suggest not opening the database port.

Example docker-compose file:

services:
  db:
    image: mariadb:10.6
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=   # fill in a strong password; the database port is deliberately not published
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1

  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:apache
    restart: always
    ports:
      - 127.0.0.1:8080:80   # bound to loopback only; the reverse proxy is the only public entry point
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    depends_on:
      - db
      - redis

  cron:
    image: nextcloud:apache
    restart: always
    volumes:
      - nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

volumes:
  db:
  nextcloud:

I would get rid of the watchtower container if you don't know exactly what it is doing and what problems it can create. It's good to have, but only in specific scenarios.

Also, I am assuming you are using valid certificates. Invalid ones will cause problems with most browsers, unless you explicitly allow them / add them to the certificate stores of said browsers.

from docker.
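The compose example above publishes the app on 127.0.0.1:8080 only and does not publish the database port at all. The following script is an added example (not part of the thread or of the nextcloud/docker project) that scans a compose file for port mappings reachable from the network, i.e. mappings with no host address, with 0.0.0.0 or ::, or with only a container port (Docker then picks a random host port on all interfaces). It assumes the short `host:container` port syntax and two-space indentation as in the file above, and the sample compose text is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PublishedPort:
    service: str
    host_ip: Optional[str]     # None: Docker binds to every interface
    host_port: Optional[str]   # None: Docker picks a random host port
    container_port: str

    @property
    def reachable_from_network(self) -> bool:
        """True unless the mapping is pinned to a loopback address."""
        if self.host_ip is None or self.host_ip in ("0.0.0.0", "::"):
            return True
        return not (self.host_ip.startswith("127.") or self.host_ip == "::1")


def _parse_port_spec(spec: str) -> Tuple[Optional[str], Optional[str], str]:
    """Split a short-syntax port entry into (host_ip, host_port, container_port)."""
    spec = spec.split("/")[0]                 # drop a /tcp or /udp suffix
    host_ip: Optional[str] = None
    if spec.startswith("["):                  # bracketed IPv6, e.g. [::1]:8080:80
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 3:                       # ip:hostport:containerport
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:                       # hostport:containerport
        return host_ip, parts[0], parts[1]
    return host_ip, None, parts[0]            # containerport only


def published_ports(compose_text: str) -> List[PublishedPort]:
    """Minimal line-based walk of `services:` (no YAML library needed)."""
    found: List[PublishedPort] = []
    in_services = False
    service: Optional[str] = None
    in_ports = False
    for raw in compose_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                                  # top-level key
            in_services = stripped == "services:"
            service, in_ports = None, False
        elif in_services and indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False     # service name
        elif in_services and indent == 4:
            in_ports = stripped == "ports:"              # any other key ends the ports list
        elif in_services and in_ports and service and stripped.startswith("- "):
            spec = stripped[2:].split("#")[0].strip().strip("'\"")
            host_ip, host_port, container_port = _parse_port_spec(spec)
            found.append(PublishedPort(service, host_ip, host_port, container_port))
    return found


def network_exposed(compose_text: str) -> List[PublishedPort]:
    """Mappings an attacker on the LAN or Internet could reach directly."""
    return [p for p in published_ports(compose_text) if p.reachable_from_network]


# Constructed sample: the db service publishes 3306 (the thread advises against this),
# the app is loopback-bound as in the compose file above, plus a container-only port.
SAMPLE_COMPOSE = """\
services:
  db:
    image: mariadb:10.6
    ports:
      - 3306:3306          # published on every interface
  app:
    image: nextcloud:apache
    ports:
      - 127.0.0.1:8080:80  # loopback only
      - "443"              # container port only: random host port, all interfaces
"""

if __name__ == "__main__":
    for p in network_exposed(SAMPLE_COMPOSE):
        print(f"{p.service}: container port {p.container_port} reachable from the network "
              f"(host {p.host_ip or 'all interfaces'}:{p.host_port or 'random'})")
```

Running it against the sample reports the db and the container-only mapping and stays silent about the 127.0.0.1 binding, which is the pattern the compose example in the comment follows.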

TacitTactics avatar TacitTactics commented on June 21, 2024

Thank you so much for the reply. I will try out the NGINX Proxy Manager that I have been hearing about. It is a container as well. Thank you for the updated docker-compose file. I will try your suggestions and try this again. LEARNING IS HARD :-(

ROFL


TacitTactics avatar TacitTactics commented on June 21, 2024

Also, yes, the certificates are valid and from Let's Encrypt.


tzerber avatar tzerber commented on June 21, 2024

As a guide (I wrote this a while ago, and I'm unsure how accurate it is) you can use this: https://github.com/tzerber/docker_nc_psql_nginx_ssl

Screenshots there will help with nginx-proxy-manager for sure.


joshtrichards avatar joshtrichards commented on June 21, 2024

Hi @TacitTactics!

Can you post your query on the Help Forum (https://help.nextcloud.com)? This channel is for bug reporting in the image itself and this seems to be a general troubleshooting matter.

> Then all clients are redirected to "https://localhost:8080/" but this is just wrong because the docker is only listening on 80 http.

Well, it's closer because you'd like clients to be directed to your external https:// proxy, correct? :)

What are your other overwrite* parameters set to? You can set a port for overwritehost.

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#proxy-configurations
https://github.com/nextcloud/docker?tab=readme-ov-file#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol


joshtrichards avatar joshtrichards commented on June 21, 2024

> Then all clients are redirected to "https://localhost:8080" but this is just wrong because the docker is only listening on 80 http

Your container is actually listening on 8080 per your config so it's accurate based on what you've told Nextcloud so far.

Keep in mind there are additional overwrite* parameters you will likely need to set, such as the external hostname and port. The overwrite* parameters are all about telling Nextcloud what your externally visible HTTPS host is reachable at. That is presumably, in your case, your outermost reverse proxy that you labeled Reverse Proxy (NGINX) in VPS.

Use the hostname of the Nextcloud vhost on it, its associated port, protocol, etc.

See the Reverse Proxy section of the Nextcloud Admin Manual (https://docs.nextcloud.com) as well as the Docker specific notes here in this repository's README.

I'm going to close this since there isn't anything actionable here for us to do in the image itself. But do feel free to follow up at the Community Help Forum (https://help.nextcloud.com).

Hope that helps.

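The two comments above make the same point: the overwrite* parameters tell Nextcloud what its externally visible host and protocol are, and the X-Forwarded-* headers the nginx proxy sets are only meaningful when they come from a proxy Nextcloud trusts. The script below is an added example, not code from the thread or from Nextcloud, that models that logic in a few lines. The setting names `overwritehost`, `overwriteprotocol` and `trusted_proxies` are real Nextcloud config keys (the first is named in the thread, the others in the linked admin manual); the evaluation order, the listen defaults and the sample addresses are this example's simplification and are constructed. It reproduces the symptom in the issue (a redirect to https://localhost:8080/ when only the protocol is overwritten), shows the corrected result once overwritehost is set, and shows why a spoofed X-Forwarded-For from an untrusted peer is ignored.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProxyConfig:
    """Subset of the Nextcloud reverse-proxy settings discussed in the thread.
    Key names follow the admin manual; the semantics are a simplified model
    (the real implementation also has overwritecondaddr and friends)."""
    trusted_proxies: List[str] = field(default_factory=list)   # IPs or CIDRs
    overwritehost: Optional[str] = None       # e.g. "cloud.example.com" or "cloud.example.com:8443"
    overwriteprotocol: Optional[str] = None   # e.g. "https"


def _trusted(addr: str, trusted: List[str]) -> bool:
    """Is addr inside any entry of trusted_proxies? Non-IP strings are never trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(peer: str, xff: Optional[str], cfg: ProxyConfig) -> str:
    """Address to use for logging and brute-force protection.

    X-Forwarded-For is attacker-controlled unless the direct peer is a trusted
    proxy; even then, only hops we trust are skipped, walking from the right."""
    if not xff or not _trusted(peer, cfg.trusted_proxies):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _trusted(hop, cfg.trusted_proxies):
            return hop
    return hops[0]                      # every hop was a trusted proxy


def external_base_url(peer: str, headers: Dict[str, str], cfg: ProxyConfig,
                      listen_scheme: str = "http") -> str:
    """Base URL Nextcloud would put into redirects for this request."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = listen_scheme
    host = h.get("host", "localhost")
    if _trusted(peer, cfg.trusted_proxies):             # honour the proxy's headers
        scheme = h.get("x-forwarded-proto", scheme)
    if cfg.overwriteprotocol:                           # overwrite* settings win
        scheme = cfg.overwriteprotocol
    if cfg.overwritehost:
        host = cfg.overwritehost
    return f"{scheme}://{host}/"


# Constructed scenario: the proxy at 203.0.113.10 forwards to the container and,
# as in the issue, hands it the upstream address as Host instead of the public name.
PROXY = "203.0.113.10"
FORWARDED = {"Host": "localhost:8080", "X-Forwarded-Proto": "https",
             "X-Forwarded-For": "198.51.100.7"}

BROKEN = ProxyConfig(trusted_proxies=[PROXY], overwriteprotocol="https")
FIXED = ProxyConfig(trusted_proxies=[PROXY], overwriteprotocol="https",
                    overwritehost="cloud.example.com")

if __name__ == "__main__":
    print("only overwriteprotocol:", external_base_url(PROXY, FORWARDED, BROKEN))
    print("with overwritehost:    ", external_base_url(PROXY, FORWARDED, FIXED))
    print("client seen via proxy: ", client_ip(PROXY, FORWARDED["X-Forwarded-For"], FIXED))
    print("spoof from untrusted:  ", client_ip("198.51.100.7", "10.0.0.1", FIXED))
```

The first line printed is the redirect target from the issue; the second is what the overwritehost advice produces. The last line shows the defensive side of `trusted_proxies`: a client connecting directly and sending its own X-Forwarded-For does not get to choose the address Nextcloud logs and rate-limits on.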
