Nextcloud Bad Gateway

  • I set up Nextcloud using the docker compose file from this tutorial: https://youtu.be/aemqzgNbMPg And I followed the steps from Techno Dad Life here: https://youtu.be/4HPXGKfFibc Both tutorials are very similar. I've tried to set up Nextcloud twice now and both times, upon completing the tutorial I get "502 Bad Gateway" when I attempt to go to my DuckDNS URL. I've searched around for other solutions but I haven't found one yet. Thanks in advance for any help.

  • Agricola

    Approved the thread.
    • Official Post

    I set up Nextcloud using the docker compose file from this tutorial: https://youtu.be/aemqzgNbMPg And I followed the steps from Techno Dad Life here: https://youtu.be/4HPXGKfFibc Both tutorials are very similar. I've tried to set up Nextcloud twice now and both times, upon completing the tutorial I get "502 Bad Gateway" when I attempt to go to my DuckDNS URL. I've searched around for other solutions but I haven't found one yet. Thanks in advance for any help.

    Funny you bring this up, I just rewrote my compose file for nextcloud and duckdns yesterday and tested it.


    If you don't get an answer tonight, I'll post it in the morning (working tonight)

    • Official Post

    I set up Nextcloud using the docker compose file from this tutorial: https://youtu.be/aemqzgNbMPg And I followed the steps from Techno Dad Life here: https://youtu.be/4HPXGKfFibc Both tutorials are very similar. I've tried to set up Nextcloud twice now and both times, upon completing the tutorial I get "502 Bad Gateway" when I attempt to go to my DuckDNS URL. I've searched around for other solutions but I haven't found one yet. Thanks in advance for any help.

    This post has undergone some heavy editing to bring it more in line with macom's tutorial and hopefully make it flow a little easier. It 100% works, so if it does not work for you, then there is something you're doing wrong or a problem unique to your network.


    OK, here's how I do it. Not saying it's the only way, it's just simple and should have you up and running in about 15min. Everything that starts with a # needs to be adjusted for your system and then the # erased. Nothing other than those lines needs to be changed despite what you've seen in other tutorials. DO NOT ADJUST THE ##network_mode at this time. That will come later when we set up the proxy. Again, do not mix this with other tutorials, you'll just fail and be frustrated. All of the below assumes you have a basic understanding of containers and command line (config paths, data paths, PUID/PGID, changing directories, nano, etc.)



    You can use this in docker-compose or in a stack in portainer (I'd recommend using a stack as it will show if you have formatting errors. As I proceed I will assume you're using this in a stack.):


    1. Create your directories and make adjustments to the stack below (you might want to delete old directories from previous attempts if you've been at this several times). Start with only the nextcloud and nextclouddb sections and don't worry about swag for now. When done, deploy the stack. It takes this container a minute to set up, so watch the logs (docker logs -f nextcloud) and also watch the database container (docker logs -f nextclouddb) and wait for both to indicate they are done. Use Ctrl+C to exit the logs. DO NOT ADJUST THE ##network_mode at this time. That will come later when we set up the reverse proxy.


    (A note about your "YOUR_MYSQL_PASSWORD" line 26 above. Due to some issues with how the password is hashed, this password should be alphanumeric only. See posts 165-171 of this thread for an explanation)



    2. When done, go to nextcloud UI (https://your.omv.ip:450 , must use https and accept security risk)

    3. Enter an admin user/password

    4. Click setup database then mysql/mariadb database

    user: root

    password (see stack, line 26 above)

    database name is nextcloud

    localhost is nextclouddb

    5. Click Finish (this will take a few minutes as it downloads apps and sets up the database, be patient). Note: IF it 504's after it sets up, this is very likely due to Nextcloud's App Store being down, as it frequently is. Give the containers a couple minutes to finish setting up, then simply use the back button on your browser and you should be logged in to the Nextcloud interface


    Once you're logged in you can complete a basic setup of Nextcloud, or move on to set up the reverse proxy with swag and a free duckdns subdomain. Proceeding assumes you have set up a free duckdns account, have set up your free subdomain on this account and have access to your duckdns token. If you don't understand this, stop, post and ask or Google it till you do. It's also recommended at this time, if you don't have an SSH session at this time, start one as this will require some command line work. A note about using a duckdns subdomain. Through the trials and tribulations of another user, it appears when using duckdns and swag, ONLY a gmail login will allow you to fetch a cert. This particular user had used his github login to set up his duckdns subdomain, and repeatedly failed to get a cert despite everything in his swag container being correct. Once he logged in with his gmail account and set up his subdomain under it... he got a cert without issue.


    If you use this set up exactly, in your router you'll need to make sure port 444 is forwarded to 443 and port 82 is forwarded to 80 (note: 444/82 are internal ports, 443/80 are external)


    6. In Portainer, Add a new stack.

    7. Name the stack swag

    8. Copy/paste the swag compose file below and make necessary adjustments. Remember, only the # lines need adjusted and the # removed


    9. Deploy the swag stack.

    10. Use your SSH session to watch your swag log and make sure you get a Congratulations message that a key was received. Use Ctrl+C to exit the log.

    Code
    docker logs -f swag


    11. When your key is successfully received, you can navigate to https://www.YOUR-SUBDOMAIN.duckdns.org and you should see the swag park page secured with SSL (padlock by the URL). This tells you the reverse proxy is set up properly. Now, we simply need to route nextcloud through the swag container. Note: If you have made several failed attempts to get a key, and the log throws an error that it could not retrieve a key due to too many attempts, see this post for a simple fix, then redeploy the stack.

    12. In the command line, navigate to /config/swag/nginx/proxy-confs

    13. Copy swag's sample nextcloud.subdomain.conf, and drop the .sample extension

    Code
    cp nextcloud.subdomain.conf.sample nextcloud.subdomain.conf

    14. docker restart swag

    15. Navigate to: /config/nextcloud/www/nextcloud/config

    16. nano config.php

    17. Under trusted domains array add your domain (you should see your local IP address there as 0), be sure to add it before the ),

    Code
    1 => 'nextcloud.yoursubdomain.duckdns.org', 


    18. Add or edit the lines below, after the ), and before the );


    Code
    'overwrite.cli.url' => 'https://nextcloud.yoursubdomain.duckdns.org',
    'overwritehost' => 'nextcloud.yoursubdomain.duckdns.org',
    'overwriteprotocol' => 'https',

    When you're done, your config.php will look something like this (11, 23, 24, 25 are the lines I added in. A couple of those lines will already be there.. so you can either edit them as appropriate or delete them and add them in at the end like I did, either way just make sure there are no duplicates and it looks similar to the below)


    19. Save and close (Ctrl+X then Y to save)

    20. In Portainer, go to your nextcloud stack

    21. Uncomment the ##network modes in the stack (make sure you remove them under nextcloud and mariadb). If you've followed this exactly, your swag network is going to be named swag_default. If you're unsure or maybe you've taken multiple cracks at this, simply click Networks on the left, and see what network name is assigned to the swag stack and if it is different, then make the appropriate change.

    22. Deploy the nextcloud stack.

    23. Navigate to https://nextcloud.yoursubdomain.duckdns.org and log in.


    This is optional, but once you're done and you can log in to your subdomain properly and securely... If you want to disable insecure access from your local network, go back to your stack and make this adjustment under the "nextcloud" portion


    Code
        ports:
          - 450:443
    
    to this
    
        #ports:
          #- 450:443

    Then redeploy the stack and you'll no longer have local access.


    You're done.


    A few solutions to some common "issues"..


    Log in as Admin, Go to Settings/Overview. You'll likely notice that there are some "warnings" regarding your setup...


    Code
    There are some warnings regarding your setup.
    
    The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.
    
    Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code ↗ of the region to your config file.

    Thanks to oopenmediavault for pointing these out. There were a few typos in his instructions that caused an error when the containers were redeployed, so they are restated here...


    These two are very simple fixes...

    1.) Navigate to /config/swag/nginx/

    2.) nano ssl.conf

    3.) Remove the hashtag from the front of the following line.

    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    4.) Ctrl+X to save

    5.) docker restart swag


    Country codes are defined in the following norm:

    ISO 3166-1 alpha-2 - Wikipedia

    1.) Navigate to /config/nextcloud/www/nextcloud/config/

    2.) nano config.php

    3.) Add the following to the end, before the );

    Code
    'default_phone_region' => 'COUNTRY_CODE',  
    
    ##(note: do not miss the comma on the end of this line)

    4.) docker restart nextcloud


    Refresh your nextcloud admin page, and those two errors should be gone.


    Some users may also get this error.


    Code
    There are some warnings regarding your setup.
    
    The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

    If you read it, this isn't an error at all and simply confirms you're accessing nextcloud from a trusted proxy. However, clearing this is very simple.


    1. navigate to /config/nextcloud/www/nextcloud/config

    2. nano config.php

    3. Add the following at the end, before the );

    Code
      'trusted_proxies' =>
      array (
        0 => 'your.ip:450',
        1 => 'nextcloud.YOUR_SUBDOMAIN.duckdns.org',
      ),

    4. docker restart nextcloud

    5. When done, refresh your nextcloud settings page and all errors should be clear.


    Something I overlooked, since I do not use duckdns. If you do not have a static IP address from your provider... You will need to create a stack for this container. All this does, is whenever your IP address changes, this will update your duckdns domain with your new IP address... otherwise your nextcloud instance (or anything else you have running through swag) will not be available until you manually update your IP address in your duckdns account. Once again, you only need to change the things that start with #


    With the upgrade a couple weeks ago, a new "issue" will flag on the Basic settings. It's not an issue, but simply is a warning about mail notifications. If you don't use mail notifications (I personally do not) and want to remove this error:


    1. Log in to your nextcloud instance as Admin

    2. Click profile and add an email for your admin user. It doesn't have to be real, just an email address (ie, admin@nowhere.com works fine)

    3. Go to Administration/Basic Settings

    4. Under the Email Server section, change as follows


    Send Mode: sendmail

    Sendmail: pipe (-t)


    Then click the "Send Email" button to send a "test email" (obviously it will go nowhere). You should get a green message that an email was Sent. Go back to your overview, and you should get an "All Checks Cleared" message again. From looking on the nextcloud forums, I believe this is a temporary fix and in the next version it will be enabled/disabled with a check box... or so I read.


    If you complete a Nextcloud security scan, it's very likely you're going to get an A+, or occasionally an A if Linuxserver hasn't pushed an update for the nextcloud container yet.


    Installing the swag dashboard

    Sorry, been meaning to add this for a while and forgot. This is really more a swag thing than Nextcloud. A while ago swag came out with a sort of "dashboard".. that will tell you interesting things about your domain (how often it's getting hit, what countries it's getting hit from, network traffic, etc.). Understand, this is information, and isn't something to manage your proxies... It's all basically nerd info and if it doesn't interest you then that's fine. If you have just set up, I've updated the compose and instructions already and you can just skip down to Accessing the Dashboard. If you've got everything set up and working well and want to add this... reference the compose above and you'll need to change these two things:


    Under environments for the swag container, add this environment variable:


    Code
    - DOCKER_MODS=linuxserver/mods:swag-dashboard

    Under Ports, add a new port entry


    Code
    - 81:81

    Note: If you originally forwarded port 81:80 for swag, you'll need to update that to a new port and change it in your router (I've changed the instructions to use 82:80 due to this). For whatever reason, last I tried the dashboard would not forward to another port, so if you want to try it, you're kinda stuck with port 81 (or it may have been because I was forwarding 81 to 80, and trying to forward say 85:81 in the compose, just didn't work).


    Accessing the dashboard:


    Simply in your browser, go to http://server.ip:81


    It will take a moment to load. Then you'll see the dashboard.

    Some info that can be useful:


    A list of containers that are running and whether they are proxied via swag (not my complete list, but you get the idea). As well as if F2B has banned any IP's.



    Then if you scroll down there's tons of graphs, etc. about how much data has moved on your domain, how many times it's been hit, etc. Click the Pinwheel on the left and there's more options you can add/remove to customize it to your liking.


    Like I said, this isn't a management tool like npm, etc. Swag is still 100% command line based. This is more an information tool.
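
For the HSTS warning covered in the post above (Nextcloud wants `Strict-Transport-Security` set to at least 15552000 seconds), here is an added example, not part of the original post: a shell check that parses a response's headers and reports whether `max-age` clears that threshold. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the HSTS header after uncommenting the add_header
# line in /config/swag/nginx/ssl.conf and restarting swag.

HSTS_MIN=15552000   # minimum quoted in the Nextcloud admin warning

# Print the max-age value found in HTTP response headers read from stdin.
# Prints nothing when the header or the max-age directive is missing.
hsts_max_age() {
    tr -d '\r' |
    awk '
        # Header names are case-insensitive (HTTP/2 shows them lowercase).
        tolower($0) ~ /^strict-transport-security[ \t]*:/ {
            value = tolower(substr($0, index($0, ":") + 1))
            n = split(value, parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/[ \t"]/, "", d)      # the value may be quoted
                if (d ~ /^max-age=[0-9]+$/) {
                    print substr(d, 9)     # text after "max-age="
                    exit
                }
            }
        }'
}

# Read headers from stdin, print a verdict, return 0 only if HSTS is
# present with max-age >= HSTS_MIN.
hsts_report() {
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: no Strict-Transport-Security max-age in response"
        return 1
    elif [ "$age" -lt "$HSTS_MIN" ]; then
        echo "FAIL: max-age=$age is below $HSTS_MIN"
        return 1
    fi
    echo "OK: max-age=$age"
}

# Constructed sample responses (not captured from a real server).
sample_before_fix() {   # add_header line still commented out
    printf 'HTTP/2 200\r\nserver: nginx\r\ncontent-type: text/html\r\n\r\n'
}
sample_too_short() {    # header present, but only one day
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age="86400"\r\n\r\n'
}
sample_after_fix() {    # value from the ssl.conf line in the post
    printf 'HTTP/2 200\r\nserver: nginx\r\nstrict-transport-security: max-age=63072000; includeSubDomains; preload\r\n\r\n'
}

for s in sample_before_fix sample_too_short sample_after_fix; do
    printf '%-18s ' "$s"
    "$s" | hsts_report
done
```

Against a live site, pipe real headers in instead of a sample: `curl -sI https://nextcloud.yoursubdomain.duckdns.org | hsts_report`.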

    • Official Post

    KM0201 I’m curious. You don’t have a duckdns section in your stack. I’ve always wondered why it was there since the pertinent information is repeated under swag. Is the duckdns container not necessary?


    Also, you used port 457 in a couple of places and then 450 later on. Is that a typo?

    System Backup Typo alert: Under the Linux section the command should be sudo umount /dev/sda1 NOT sudo unmount /dev/sda1

    Backup Data Disk to Backup Disk on Same Machine: In a Scheduled Job:rsync -av --delete /srv/dev-disk-by-uuid-f8814ed9-9a5c-4e1c-8830-426968c20ea3/ /srv/dev-disk-by-uuid-e67439d5-00a3-4942-bd5f-b84ab86aa850/ Don't forget trailing slashes, and BE CAREFUL. (HT: Getting Started with OMV5)

    Equipment - Thinkserver TS140, NanoPi M4 (v.1), Odroid XU4 (Using DietPi): PiHole

    • Official Post

    KM0201 I’m curious. You don’t have a duckdns section in your stack. I’ve always wondered why it was there since the pertinent information is repeated under swag. Is the duckdns container not necessary?


    Also, you used port 457 in a couple of places and then 450 later on. Is that a typo?

    the duckdns container is not required now as best I can tell... the swag container essentially has a duckdns "plugin", and will basically handle what the old duckdns docker used to handle (in the older how to)


    The 450/457... 450, is local only since it is not forwarded in my router (since nextcloud seems to require https even for insecure local connections). I used this just for a basic set up, then set up my subdomain after I basically had my database and admin user logged in. 457 is what actually gets forwarded in your router to allow duckdns, letsencrypt, etc. to all work together. Obviously you can choose any port you want... I chose 457 years ago so I ride or die with it. :)


    At the very end I mentioned if you didn't need local access, once the subdomain is setup and working properly, you can comment out the ports under the nextcloud portion of the container.

    • Official Post

    The last part, that is what confused me. Thanks for the info on duckdns. Nice to know and really makes more sense.


    • Official Post

    The last part, that is what confused me. Thanks for the info on duckdns. Nice to know and really makes more sense.

    I think w/ the old letsencrypt container, it was required (as technodad and some of the others used the duckdns container)... when the new "swag" container (I swear I loathe that name)... it apparently has plugins available to it if you read the container details (duckdns, cloudflare, etc..).. so in this instance it basically makes the duckdns container no longer necessary.


    https://hub.docker.com/r/linuxserver/swag

    • Official Post

    I don’t much care for the name either, and I really don’t like the Linuxserver blogpost that introduced it. In that blogpost they say “At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can.” I wonder if that is still the case. At what point will it be necessary to advise switching to swag, especially if it is a brand new install that is having trouble getting started? Surely Linuxserver will let us know.


    • Official Post

    I don’t much care for the name either, and I really don’t like the Linuxserver blogpost that introduced it. In that blogpost they say “At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can.” I wonder if that is still the case. At what point will it be necessary to advise switching to swag, especially if it is a brand new install that is having trouble getting started? Surely Linuxserver will let us know.

    If the name wasn't a common acronym for "some wild ass guess".. it wouldn't bother me so much. As it stands it looks like some 13yr old came up with it.


    As for the compatibility... I'm assuming it is still compatible... the only reason I switched in my new compose, is because when I looked at linuxserver/letsencrypt, it hadn't been updated in almost a month and there was a clear notice it was deprecated. I didn't really see any reason to put off getting current since I was redoing my compose files anyway. Love it or hate it, swag was updated 2 days ago.

  • When you say forward ports 457 to 443 and 91 to 80, you mean that 457 and 91 are the internal ports and 443 and 80 are the external ports correct?

    Edited 2 times, last by KM0201: Fixed typo in config,php that you quoted ().

    • Official Post

    When you say forward ports 457 to 443 and 91 to 80, you mean that 457 and 91 are the internal ports and 443 and 80 are the external ports correct?

    Should have clarified that...


    That is correct, 457 and 91 are internal, 443 and 80 are external.

  • KM0201 You have helped me get further into getting Nextcloud up and running than anyone else. I have so much gratitude for your help. I have a question related to this portion of your phenomenal guide:

    Once that is done, you can complete a basic setup of Nextcloud, or move on to set it up with duckdns subdomains.

    6. Navigate to /config/swag/nginx/prox-confs

    7. nano nextcloud.subdomain.conf.sample

    8. Change subdomain to duckdns subdomain name (ie.. yoursubdomain.* )

    When I navigate to /config/swag/nginx/prox-confs my nextcloud.subdomain.conf.sample file looks like this:



    Could you show me exactly where I should input my duckdns subdomain into the file?

    • Official Post

    That is how mine currently looks.


    Edit: in case it isn't clear, 192.168.1.166:450 is my local IP address... Yours will be different there.

    • Official Post

    seekr the file above that KM0201 has listed is his config.php file. Pattern yours after his. The file you showed is your nextcloud.subdomain.conf file. The only thing you need to do with it is replace server_name nextcloud.*; with server_name yoursubdomain.*; That is assuming you are attempting to have an address like this: yoursubdomain.duckdns.org That is how I have mine set up. That is how KM0201 has his php.config set up. See his lines 11, 16, 20, and 21.


    • Official Post

    seekr the file above that KM0201 has listed is his config.php file. Pattern yours after his. The file you showed is your nextcloud.subdomain.conf file. The only thing you need to do with it is replace server_name nextcloud.*; with server_name yoursubdomain.*;

    Damn you're right... I showed him the wrong file.


    All you need to change is nextcloud.* (but that was in 6, 7 and 8 I put above..)

    • Official Post

    All of those comments in the first 14 lines confused me the first time I saw it. But I figured you were distracted or something. I wasn't trying to school you. Just a friendly nudge. Kind of like when my wife puts an elbow to my ribs when I doze off in church.


    • Official Post

    All of those comments in the first 14 lines confused me the first time I saw it. But I figured you were distracted or something. I wasn't trying to school you. Just a friendly nudge. Kind of like when my wife puts an elbow to my ribs when I doze off in church.

    I was actually sitting in stalled traffic when I copied it from another post..lol

  • seekr the file above that KM0201 has listed is his config.php file. Pattern yours after his. The file you showed is your nextcloud.subdomain.conf file. The only thing you need to do with it is replace server_name nextcloud.*; with server_name yoursubdomain.*; That is assuming you are attempting to have an address like this: yoursubdomain.duckdns.org That is how I have mine set up. That is how KM0201 has his php.config set up. See his lines 11, 16, 20, and 21.

    Thanks Agricola! You have been extremely helpful for a noob like me. Sorry to keep peppering you with questions but when it comes to replacing server_name nextcloud.*; with server_name yoursubdomain.*; my subdomain indeed is something like yoursubdomain.duckdns.org. This means that what I insert will look something like my_server_name yoursubdomain.duckdns.org.*; correct? My second question feels really dumb to ask but where can I look to find my server name?


    Again, thank you for the remedial training. Also, as a preacher myself, I am grateful for your wife's jabs to keep you awake.8o
