How to Install Nextcloud-AIO with an External Proxy
I would like to start by complimenting the Nextcloud team on their documentation. It is in great depth and has details for every exception to the standard deployment; however, because of this, it can be intimidating for a newcomer to Nextcloud trying to figure something out. Once I began to understand the Nextcloud ecosystem a bit more, the documentation became invaluable. Therefore, I hope this post can be a bridge to easier consumption of the documentation.
Configuration
This is the basic flow for my configuration.
- Internal DNS providing the address via pihole
- Users connect to Caddy that has self signed certificates
  - Note: certificate chains are already set up on my machine, so the certificates are "valid". That may not be the case for you.
- Caddy passes through a firewall
- Requests hit the Docker container engine hosted in Unraid
Important Points to Know
- The default mode is proxy mode for the AIO (All in One, in case you missed it).
- The AIO image spins up other containers for additional apps and services.
- There are two services that are very important:
  - The "apache" service: this is for end user connections.
  - The "master" container: a little dated term, but this is for admin. I will refer to this as the "AIO Container".
- The master container needs access to the Docker daemon. I know, I am not a fan either, but this is how it spins up the other containers.
- We will be "flip flopping" proxy configurations because, well, it seemed to make the most sense to me, so read carefully. If you think it is a typo, it probably isn't.
Steps
These steps will mostly be theoretical and have code snippets specific to minor configuration changes. The process is the trickier part as opposed to the technology.
Deploy the Nextcloud-AIO Image
These details will not be included. If you haven't deployed an image before, you should probably start a little more basic for some practice! You will have to do a bunch of port configuring and networking. It is important to understand those concepts!
This is where it is important to note the APACHE_PORT. You will need it.
Also, disable
Configure the Proxy to Connect to the AIO Container
Just reiterating, this is the configuration for Caddy. That is my proxy of choice. Their documentation for other proxies is in great detail; however, like I stated earlier, the ecosystem might make it complicated.
This is an example configuration that worked, with the following placeholders to replace:
- DOMAIN: the domain you will access nextcloud with.
- IP: the external IP of the docker host of the AIO container
- PORT: the exposed port of the AIO container
- tls: this should be configured to your certificates
DOMAIN {
    # your own certificate and key for DOMAIN
    tls /certs/tls.crt /certs/tls.key
    header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    }
    # the AIO Container itself (not Apache yet), reached over https
    reverse_proxy https://IP:PORT {
        transport http {
            # the AIO Container serves a self signed certificate
            tls_insecure_skip_verify
        }
    }
}
Now to answer the obvious question: why are we proxying to an https server? The AIO Container runs with a self signed certificate deployed, which is why we proxy to it over https and skip the verification. Keep in mind that skipping verification means Caddy no longer checks who is on the other end of that hop, so only do this for a backend that sits on your own trusted network.
Setup the AIO Container
Go through the setup process. Ensure you are using the domain you want to connect to. From what I remember reading, it isn't very simple to change the domain after the fact (couldn't tell you why, sorry.).
Once you have completed the setup and you go to login, you will notice you get directed to a page that won't let you log in. This is a good sign and very annoying! This is why I wrote this guide.
Configure the Proxy to Connect to the Apache Service
Once you have gotten stuck at the login loop, we re-configure the "end user" connection to the Apache service. Recall the notes I wrote earlier. Take note of the admin user and initial password before you re-setup the proxy.
- DOMAIN: the domain you will access nextcloud with.
- IP: the external IP of the docker host of the new Apache container (should be the same as above, unless you are doing custom docker stuff)
- APACHE_PORT: the exposed Apache port of the new Apache container
- tls: this should be configured to your certificates
DOMAIN {
    # your own certificate and key for DOMAIN
    tls /certs/tls.crt /certs/tls.key
    header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    }
    # the Apache service, reached over plain http (on purpose)
    reverse_proxy http://IP:APACHE_PORT
}
As you can see, we are now connecting via http. That is not a typo. Note that this hop from Caddy to the Apache container is plain text, so APACHE_PORT should only be reachable from the proxy host, not from the wider network.
Login?!
In theory, you should be connecting to the appropriate service now and be prompted to log in via a username/password box! This is where we want to be! Congrats!
If you didn't get the lovely login screen, attempt the following:
- Did you wait for all the containers to start up? Go back a step and ensure all containers are up.
- Did all the images required get deployed? On my setup I ran out of space at one point, which didn't allow images to be pulled.
- Try an incognito window; old faithful here.
Limitations
- Other apps will require custom configurations
  - Talk requires specific ports
  - Office (Collabora backend) requires specific access for configuration
- Non-docker deployments become complex
  - I wanted to do the AIO image on k8s, but it didn't seem worth attempting.
- How do I access the AIO Container? Three different ways:
  - Set the proxy back to connect to the AIO container
  - Setup another proxy configuration to connect to it (might require additional work)
  - Access it via IP on the network of the docker machine (this was my route if I really needed to)
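As an added example (not from the original post or from the Nextcloud project), here is the second option above carried through, which also removes the flip flopping from the Steps section: one Caddyfile that keeps DOMAIN on the Apache service for users and exposes the AIO Container on a separate admin hostname, restricted to the LAN. The hostname aio.DOMAIN, the subnet 192.168.1.0/24 and the certificate paths are assumptions; IP, PORT and APACHE_PORT are the same placeholders as in the configurations above.

```caddyfile
# Shared TLS and header settings, reused by both sites via "import".
(common) {
    # assumed certificate paths; point these at your own chain
    tls /certs/tls.crt /certs/tls.key
    header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    }
}

# End users: plain http to the Apache service, same as the second config above.
DOMAIN {
    import common
    reverse_proxy http://IP:APACHE_PORT
}

# Admins: the AIO Container on its own hostname (assumed: aio.DOMAIN).
aio.DOMAIN {
    import common

    # assumed LAN range; only these clients may reach the admin interface
    @lan remote_ip 192.168.1.0/24

    handle @lan {
        reverse_proxy https://IP:PORT {
            transport http {
                # the AIO Container serves a self signed certificate, so
                # verification is skipped on this internal hop only
                tls_insecure_skip_verify
            }
        }
    }

    # everyone else gets a bare 403 instead of the admin login page
    handle {
        respond 403
    }
}
```

With this in place both backends stay reachable at once, so the proxy never has to be switched back to the AIO Container for admin work.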
Conclusion
At this point, you should be able to run basic Nextcloud functionality. Things like file operations and using the built in tooling of Nextcloud should be fine. As listed in the limitations, operations that require custom backend services may require some work and tweaking. I think at the end of the day, this might not be the right solution for me, since I do have a lot of overlapping services and this might be overkill for a simple problem I have. It was definitely an interesting learning experience.
This took way longer to figure out than it should have. It came from a lack of knowledge of the Nextcloud ecosystem. Hopefully this can help speed-run people interested in Nextcloud. Also, this was written off the top of my head, so if I missed any useful points or left dead ends, feel free to contact me. Happy Clouding!