Nextcloud AiO behind HAProxy

Started by Maginos, March 13, 2025, 09:11:09 PM

Hi guys,

I have a question concerning hosting a Nextcloud AiO behind HAProxy.
On the github page of the Nextcloud AiO I found this guide.

I tried to set it up in OPNSense, but unfortunately, the error "503 Service unavailable" occurs.

Now I would like to ask, if you could check my configuration and help me to set it up correctly.
For this, I put my current configuration in the annex.

If you need more information, just ask.


Thank you for your help.

Maginos

I actually host my own instance of Nextcloud and proxy it out with OPNSense's HAProxy. I'll say this much: I wouldn't even bother trying to tweak Nextcloud's proxy settings for any reason. I've learned that it tends to make things a bit messy. If all you need is hosting capabilities so you can access it from outside of your home network, setting it up in OPNSense/HAProxy should be a breeze. I certainly wouldn't be hosting anything via HTTP (80) even for redirection purposes, but that's just me. From a cybersecurity analyst's perspective, I'd lock that down to exclusively use HTTPS and use an ACME-generated certificate. Do you know for a fact that you are calling the correct address/sub-domain when trying to resolve to your service? I just can't tell when all you've posted is your Public Service and not your condition, rule, backend config, etc.

Post your haproxy config here by adding the picture to the post, not as an attachment. I for one won't be clicking on it.
I have just resolved the last gnarly bit of my setup. My nextcloud is in a freebsd jail on another host to OPN. Haproxy on OPN does the reverse proxy and terminates the TLS and I am leaving nextcloud on http internally.

Hi guys and thank you for your replies.

@cookiemonster: Since I was not able to paste images directly in the post, I made another PDF with further screenshots of my config. I can understand that you don't trust my PDF, so how can I show you the screenshots in a way that works for you?

@petrij98: I just want the NC to be accessible from outside my home network. I have an LE certificate for the subdomain and yes, I am sure that I call the correct subdomain. I even checked with DNSchecker that public DNS resolvers point to my public IPv4 for that domain.




Instead of a PDF just attach a PNG or JPEG and it will be shown right in the forum view.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@Patrick M. Hausen thank you for the tip.
So here are the screenshots for the backend pool, rule and condition.

And here are bigger screenshots for the backend pool

This is only the setup of the haproxy backend so it is very hard to know where there might be a problem. Please know that I do not do docker, have no interest whatsoever in it. If anything I want to run is docker-only, I move on looking for an alternative that does have "old style" application configurations.
So now let's establish the overall setup. By the way mine is very largely based on this haproxy-on-opn-tutorial-by-thehellsite.
Take a look at the picture to figure out if you are on the same setup and if different, please explain it. But you can follow that as a basis for an uncomplicated setup: create real server (your nextcloud), create a backend containing that server, create a front end WITH A TLS CERT, create firewall rules to allow the front end to be accessed. Here your haproxy --> backend server can be http or https but if you do https, then you have to deal with those certs separately. Makes sense?

Hmm... The only thing I can really think of is just making sure your backend, condition, and rule are all named differently (i.e. nextcloud-back, nextcloud-condition, nextcloud-rule). It wouldn't surprise me if HAProxy completely craps out because of something as insignificant as that. Also, did you make sure to change the port you access OPNSense on? If it's still 443, that could explain what's happening.

It doesn't. The names of rules and conditions can be totally random and still be used in evaluations. They get issued an internal identifier like acl acl_67ced2068d01c7.64292703 . Useful is the "test syntax". Bad settings will be shown with an error. Warnings and notices, but all ending with a "configuration is valid", will not crash it.

Quote from: cookiemonster on March 14, 2025, 02:59:15 PM
By the way mine is very largely based on this haproxy-on-opn-tutorial-by-thehellsite.
Take a look at the picture to figure out if you are on the same setup and if different, please explain it. But you can follow that as a basis for an uncomplicated setup: create real server (your nextcloud), create a backend containing that server, create a front end WITH A TLS CERT, create firewall rules to allow the front end to be accessed. Here your haproxy --> backend server can be http or https but if you do https, then you have to deal with those certs separately. Makes sense?

Thank you for the link, I will compare configurations. I followed the overall setup guides for other services, so NC is not the first service I want to access from outside. Other services work fine for 95% of the time.


@petrij98: The port of OPNSense was changed. As I wrote above, I have several other services, which are accessible through HAProxy.

Quote from: cookiemonster on March 14, 2025, 02:59:15 PM
Please know that I do not do docker, have no interest whatsoever in it. If anything I want to run is docker-only, I move on looking for an alternative that does have "old style" application configurations.
So now let's establish the overall setup. By the way mine is very largely based on this haproxy-on-opn-tutorial-by-thehellsite.
Take a look at the picture to figure out if you are on the same setup and if different, please explain it. But you can follow that as a basis for an uncomplicated setup: create real server (your nextcloud), create a backend containing that server, create a front end WITH A TLS CERT, create firewall rules to allow the front end to be accessed. Here your haproxy --> backend server can be http or https but if you do https, then you have to deal with those certs separately. Makes sense?

So you set up NC with a LAMP Stack, I guess? Unfortunately this doesn't help me, because I already have a running NC instance from a Linuxserver Docker Container. This instance works, but the AiO Setup does not.

I set up haproxy with the following videos:




So my configuration differs in several ways from the setup of the link you posted above.

And now I'm not sure, if my configuration is wrong/disadvantageous.

Hi. I've not watched these but from the titles they seem to be how-to setup haproxy on OPNSense.
My config is simple but to simplify it a bit more: I have a server on the LAN that hosts nextcloud. It has its own ip address in the LAN space 192.168.5.158. On it is a kind of LAMP stack yes, apache as the webserver, mysql database and redis. Nothing other than the nextcloud requirements except the data, database and configs are on zfs datasets.
The important part for your question is that on OPN's haproxy, all I do is reverse proxy the connections to that ip.

So in your case to reverse proxy from haproxy to your nextcloud installation, you create your backend and real server. Your pictures there show the backend; it looks right, although I have added the required:
acl carddav-endpoint path_beg /.well-known/carddav
http-request set-path /remote.php/dav if carddav-endpoint
as passthrough options. Note this is something you might want, but it is not why you would get the HTTP 503 that you are dealing with.
You need to revise your "real server" on haproxy settings. It needs to be the ip of the webserver of nextcloud.
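For readers who want to see the whole chain that cookiemonster describes (real server, backend, TLS-terminating frontend, plus the /.well-known passthrough lines quoted above) in one place, here is the raw haproxy.cfg equivalent of those OPNsense GUI objects. This is an added example, not cookiemonster's own config, not the OPNsense plugin's generated file and not the Nextcloud AiO guide's snippet. Assumed values: the hostname cloud.example.com, the certificate path, the backend address 192.0.2.10, and that the AiO Apache container listens on plain HTTP on port 11000 (as in the AiO reverse-proxy documentation), so the server line deliberately carries no ssl keyword.

```haproxy
global
    log /dev/log local0
    maxconn 2000
    # Only modern TLS on the public listener
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    # Adds X-Forwarded-For so Nextcloud logs the real client address
    option  forwardfor
    timeout connect 5s
    # Large uploads and WebDAV syncs need generous client/server timeouts
    timeout client  300s
    timeout server  300s

# "Public Service" in OPNsense terms: TLS is terminated here with the
# ACME/LE certificate. Assumption: cert and key concatenated in one PEM.
frontend fe_public
    bind :443 ssl crt /usr/local/etc/ssl/cloud.example.com.pem alpn h2,http/1.1
    # "host is" condition: exact hostname match (not "starts with")
    acl is_nextcloud req.hdr(host),field(1,:) -i cloud.example.com
    # Tell Nextcloud the original scheme/port so it generates https links
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    use_backend be_nextcloud if is_nextcloud
    default_backend be_deny

backend be_deny
    # Any other hostname hitting this IP gets a plain 403 instead of Nextcloud
    http-request deny deny_status 403

backend be_nextcloud
    # CalDAV/CardDAV clients discover the endpoint via /.well-known/*;
    # rewrite the path before it reaches Nextcloud
    acl carddav-endpoint path_beg /.well-known/carddav
    acl caldav-endpoint  path_beg /.well-known/caldav
    http-request set-path /remote.php/dav if carddav-endpoint || caldav-endpoint
    # "Real server": the Docker host, plain HTTP on 11000 (assumed AiO port).
    # "check" enables a health check; if the server cannot be reached, or if
    # HAProxy were told to speak TLS to a port that only speaks plain HTTP,
    # no server is available and HAProxy itself answers 503.
    server nextcloud-aio 192.0.2.10:11000 check
```

The firewall pass rule on WAN for TCP/443 that the setup also needs is a separate OPNsense object and is not part of this file. Before applying, validate with haproxy -c -f followed by the config path (the "test syntax" viragomann mentions); on OPNsense the plugin's generated file is assumed to live under /usr/local/etc/.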

Quote from: Maginos on March 14, 2025, 09:50:13 AM
So here are the screenshots for the backend pool, rule and condition.
You showed a rule though, however, where is it used?

Also your condition doesn't show the value. And is there any reason for configuring a "host starts with" condition? For a single hostname, I'd rather use a "host is" condition.

Quote from: cookiemonster on March 14, 2025, 10:37:28 PM
You need to revise your "real server" on haproxy settings. It needs to be the ip of the webserver of nextcloud.

Yes, I understand that. In this case, it is the IP address of my docker host. And also port 11000 is correct. Maybe it has something to do with SSL, I'm not sure. The "SSL" box is checked, "Verify SSL" is not. Should be right. I have the same setting for the linuxserver container on the same docker host, so this should be ok. Do you have any other ideas, where the problem could be?

Quote from: viragomann on March 14, 2025, 10:55:41 PM
You showed a rule though, however, where is it used?

Also your condition doesn't show the value. And is there any reason for configuring a "host starts with" condition? For a single hostname, I'd rather use a "host is" condition.

The rule is used at the "Public Service".

Yes, the condition shows no value, because there's my domain written and I don't want to make it public.

I changed the "host starts with" setting to "host matches", but that didn't change a thing, unfortunately. I still get the error 503.

Do you have any other ideas?