Nextcloud Bad Gateway

Zitat von seekr

I setup Nextcloud using the docker compose file from this tutorial: https://youtu.be/aemqzgNbMPg And I followed the steps from Techno Dad Life here: https://youtu.be/4HPXGKfFibc Both tutorials are very similar. I've tried to setup Nextcloud twice now and both times, upon completing the tutorial I get "502 Bad Gateway" when I attempt to go to my DuckDNS url. I've searched around for other solutions but I haven't found one yet. Thanks in advance for any help.

Funny you bring this up, I just rewrote my compose file for nextcloud and duckdns yesterday and tested it.

If you don't get an answer tonight, I'll post it in the morning (working tonight)

Maybe this helps. I assume it is also similar.

[How-To] Nextcloud with Letsencrypt using OMV and docker-compose

Zitat von seekr

I setup Nextcloud using the docker compose file from this tutorial: https://youtu.be/aemqzgNbMPg And I followed the steps from Techno Dad Life here: https://youtu.be/4HPXGKfFibc Both tutorials are very similar. I've tried to setup Nextcloud twice now and both times, upon completing the tutorial I get "502 Bad Gateway" when I attempt to go to my DuckDNS url. I've searched around for other solutions but I haven't found one yet. Thanks in advance for any help.

This post has underwent some heavy editing to bring it more in line with macom's tutorial and hopefully make it flow a little easier. It 100% works, so if it does not work for you, then there is something you're doing wrong or a problem unique to your network.

OK, here's how I do it. not saying it's the only way, it's just simple and should have you up and running in about 15min. Everything that starts with a # needs to be adjusted for your system and then the # erased. Nothing other than those lines need to be changed despite what you've seen in other tutorials. DO NOT ADJUST THE ##network_mode at this time. That will come later when we set up the proxy. Again, do not mix this with other tutorials, you'll just fail and be frustrated. All of the below assumes you have a basic understanding of containers and command line (config paths, data paths, PUID/PGID, changing directories, nano, etc.)

You can use this in docker-compose or in a stack in portainer (I'd recommend using a stack as it will show if you have formatting errors. As I proceed I will assume you're using this in a stack.):

1. Create your directories and make adjustments to the stack below (you might want to delete old directories from previous attempts if you've been at this several times). Start with only the nextcloud and nextclouddb sections and don't worry about swag for now. When done, deploy the stack.. It takes this container a minute to setup, so watch the logs (docker logs -f nextcloud) and also watch the database container (docker logs -f nextclouddb) and wait for both to indicate they are done. Use Cntrl +C to exit the logs. DO NOT ADJUST THE ##network_mode at this time. That will come later when we set up the reverse proxy

version: "2.1"
services:
  nextcloud:
    image: ghcr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    ##network_mode: swag_default
    environment:
      #- PUID=1000
      #- PGID=100
    volumes:
      #- /path/to/nextcloud/config:/config
      #- /path/to/nextcloud-data:/data
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      - mariadb
    ports:
      - 450:443
    restart: unless-stopped
  mariadb:
    image: ghcr.io/linuxserver/mariadb:latest
    container_name: nextclouddb
    ##network_mode: swag_default
    environment:
      #- PUID=1000
      #- PGID=100
      #- MYSQL_ROOT_PASSWORD=YOUR_MYSQL_PASSWORD
    volumes:
      #- /path/to/mariadb/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

(A note about your "YOUR_MYSQL_PASSWORD" line 26 above. Due to some issues with how the password is hashed, this password should be alphanumeric only. See posts 165-171 of this thread for an explanation)

2. When done, go to nextcloud UI (https://your.omv.ip:450 , must use https and accept security risk)

3. Enter an admin user/password

4. Click setup database then mysql/mariadb database

user: root

password (see stack, line 26 above)

database name is nextcloud

localhost is nextclouddb

5. Click Finish (this will take a few minutes as it downloads apps and sets up the database, be patient). Note: IF it 504's after it sets up, this is very likely due to Nextcloud's App Store being down, as it frequently is. Give the containers a couple minutes to finish setting up, then simply use the back button on your browser and you should be logged in to the Nextcloud interface

Once you're logged in you can complete a basic setup of Nextcloud, or move on to set it up the reverse proxy with swag and a free duckdns subdomain. Proceeding assumes you have set up a free duckdns account, have setup your free subdomain on this account and have access to your duckdns token. If you don't understand this, stop, post and ask or Google it till you do. It's also recommended at this time, if you don't have an SSH session at this time, start one as this will require some command line work. A note about using a duckdns subdomain. Through the trials and tribulations of another user, it appears when using duckdns and swag, ONLY a gmail login will allow you to fetch a cert. This particular user had used his github login to set up his duckdns subdomain, and repeatedly failed to get a cert despite everything in his swag container being correct. Once he logged in with his gmail account and set up his subdomain under it... he got a cert without issue.

If you use this set up exactly, in your router you'll need to make sure port 444 is forwarded to 443 and port 82 is forwarded to 80 (note: 444/82 are internal ports, 443/80 are external)

6. In Portainer, Add a new stack.

7. Name the stack swag

8. Copy/paste the swag compose file below and make necessary adjustments. Remember, only the # lines need adjusted and the # removed

version: "2.2"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      #- PUID=1000
      #- PGID=100
      #- URL=YOUR_SUBDOMAIN.duckdns.org
      #- DUCKDNSTOKEN=YOUR_TOKEN
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      #- EMAIL=YOUREMAIL
      - DOCKER_MODS=linuxserver/mods:swag-dashboard
    volumes:
      #- /path/to/config:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 444:443
      - 82:80
      - 81:81
    restart: unless-stopped

9. Deploy the swag stack.

10. Use your SSH session to watch your swag log and make sure you get a Congratulations message that a key was received. Use Cntrl + c to exit the log.

docker logs -f swag

11. When your key is successfully received, you can navigate to https://www.YOUR-SUBDOMAIN.duckdns.org and you should see the swag park page secured with SSL (padlock by the URL). This tells you the reverse proxy is set up properly. Now, we simply need to route nextcloud through the swag container. Note: If you have made several failed attempts to get a key, and the log throws an error that it could not retrieve a key due to to many attempts, see this post for a simple fix, then redeploy the stack.

12. In the command line, Navigate to /config/swag/nginx/proxy-confs

13. Copy swags sample nextcloud.subdomain.conf, and drop the .sample extension

cp nextcloud.subdomain.conf.sample nextcloud.subdomain.conf

14. docker restart swag

15. Navigate to: /config/nextcloud/www/nextcloud/config

16. nano config.php

17. Under trusted domains array add your domain (you should see your local IP address there as 0), be sure to add it before the ),

1 => 'nextcloud.yoursubdomain.duckdns.org', 

18. Add or edit the lines below, after the ), and before the );

'overwrite.cli.url' => 'https://nextcloud.yoursubdomain.duckdns.org',
'overwritehost' => 'nextcloud.yoursubdomain.duckdns.org',
'overwriteprotocol' => 'https',

When you're done, your config.php will look something like this (11, 23, 24, 25 are the lines I added in. A couple of those lines will already be there.. so you can either edit them as appropriate or delete them and add them in at the end like I did, either way just make sure there are no duplicates and it looks similar to the below)

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc3wozk6kai4',
  'passwordsalt' => '2snos3M0EllfFy1CQH0Lah6kOEPyFC',
  'secret' => 'it8C+qSyNcafTBLDp8nHQCAq9o/Fs9nUOgd/gYNFN5/Ro4pW',
  'trusted_domains' => 
  array (
    0 => 'YOUR_LOCAL_IP:450',
    1 => 'nextcloud.YOURSUBDOMAIN.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '20.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextclouddb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin',
  'dbpassword' => 'YfPeqGJ8LlsOIkXpgiEtf3bejjLtUK',
  'installed' => true,
  'overwrite.cli.url' => 'https://nextcloud.YOURSUBDOMAIN.duckdns.org',
  'overwritehost' => 'nextcloud.YOURSUBDOMAIN.duckdns.org',
  'overwriteprotocol' => 'https',
  );

19. Save and close (Cntrl x then Y to save)

20. In Portainer, go to your nextcloud stack

21. Uncomment the ##network modes in the stack (make sure you remove them under nextcloud and mariadb). If you've followed this exactly, your swag network is going to be named swag_default. If you're unsure or maybe you've taken multiple cracks at this, simply click Networks on the left, and see what network name is assigned to the swag stack and if it is different, then make the appropriate change.

22. Deploy the nextcloud stack.

23. Navigate to https://nextcloud.yoursubdomain.duckdns.org and log in.

This is optional, but once you're done and you can log in to your subdomain properly and securely... If you want to disable insecure access from your local network, go back to your stack and make this adjustment under the "nextcloud" portion

    ports:
      - 450:443

to this

    #ports:
      #- 450:443

Then redeploy the stack and you'll no longer have local access.

You're done.

A few solutions to some common "issues"..

Log in as Admin, Go to Settings/Overview. You'll likely notice that there are some "warnings" regarding your setup...

There are some warnings regarding your setup.

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code ↗ of the region to your config file.

Thanks to oopenmediavault for pointing these out. There were a few typos in his instructions that caused an error when the containers were redeployed, so they are restated here...

These two are very simple fixes...

1.) Navigate to /config/swag/nginx/

2.) nano ssl.conf

3.) Remove hashtag from from the front following line.

#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

4.) Cntrl + x to save

5.) docker restart swag

Country codes are defined in following norm:

ISO 3166-1 alpha-2 - Wikipedia

1.) Navigate to /config/nextcloud/www/nextcloud/config/

2.) nano config.php

3.) Add the following to the end, before the );

'default_phone_region' => 'COUNTRY_CODE',  

##(note: do not miss the comma on the end of this line)

4.) docker restart nextcloud

Refresh your nextcloud admin page, and those two errors should be gone.

Some users may also get this error.

There are some warnings regarding your setup.

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

If you read it, this isn't an error at all and simply confirms you're accessing nextcloud from a trusted proxy. However, to clear this, is very simple.

1. navigate to /config/nextcloud/www/nextcloud/config

2. nano config.php

3. Add the following at the end, before the );

  'trusted_proxies' =>
  array (
    0 => 'your.ip:450',
    1 => 'nextcloud.YOUR_SUBDOMAIN.duckdns.org',
  ),

4. docker restart nextcloud

5. When done, refresh your nextcloud settings page and all errors should be clear.

Something I overlooked, since I do not use duckdns. If you do not have a static IP address from your provider... You will need to create a stack for this container. All this does, is whenever your IP address changes, this will update your duckdns domain with your new IP address... otherwise your nextcloud instance (or anything else you have running through swag) will not be available until you manually update your IP address in your duckdns account. Once again, you only need to change the things that start with #

version: "2.1"
services:
  duckdns:
    image: ghcr.io/linuxserver/duckdns
    container_name: duckdns
    environment:
      #- PUID=1000
      #- PGID=1000
      #- SUBDOMAINS=your_duckdns_subdomain
      #- TOKEN=your_token
      - LOG_FILE=false
    volumes:
       - /etc/localtime:/etc/localtime:ro
      #- /NAS/AppData/duckdns:/config
    restart: unless-stopped

With the upgrade a couple weeks ago, a new "issue" will flag on the Basic settings. It's not an issue, but simply is a warning about mail notifications. If you don't use mail notifications (I peronally do not).. and want to remove this error.

1. Log in to your nextcloud instance as Admin

2. Click profile and add an email for your admin user. It doesn't have to be real, just an email address (ie, admin@nowhere.com works fine)

3. Go to Administration/Basic Settings

4. Under the Email Server section, change as follows

Send Mode: sendmail

Sendmail: pipe (-t)

Then click the "Send Email" button to send a "test email" (obviously it will go nowhere). You should get a green message that an email was Sent. Go back to your overview, and you should get an "All Checks Cleared" message again. From looking on the nextcloud forums, I believe this is a temporary fix and in the next version it will be enabled/disabled with a check box... or so I read.

If you complete a Nextcloud security scan, its very likely you're going to get an A+, or occasionally an A if Linuxserver hasn't pushed an update for the nextcloud container yet.

Installing the swag dashboard

Sorry, been meaning to add this for a while and forgot. This is really more a swag thing than Nextcloud. A while ago swag came out with a sort of "dashboard".. that will tell you interesting things about your domain (how often it's getting hit, what countries it's getting hit from, network traffic, etc.). Understand, this is information, and isn't something to manage your proxies... It's all basically nerd info and if it doesn't interest you then that's fine. If you have just set up, I've updated the compose and instructions already and you can just skip down to Accessing the Dashboard. If you've got every thing setup and working well and want to add this... reference the compose above and you'll need to change these two things:

Under environments for the swag container, add this enivonrment variable:

- DOCKER_MODS=linuxserver/mods:swag-dashboard

Under Ports, add a new port entry

- 81:81

Note: If you orginally forwarded port 81:80 for swag, you'll need to update that to a new port and change it in your router (I've changed the instructions to use 82:80 due to this). For whatever reason, last I tried the dashboard would not forward to another port, so if you want to try it, you're' kinda stuck with port 81 (or it may have been because I was forwarding 81 to 80, and trying to forward say 85:81 in the compose, just didn't work).

Accessing the dashboard:

Simply in your browser, go to http://server.ip:81

It will take a moment to load. Then you'll see the dashboard.

Some info that can be useful:

A list of containers that are running and whether they are proxied via swag (not my complete list, but you get the idea). As well as if F2B has banned any IP's.

Then if you scroll down there's tons of graphs, etc. about how much data has moved on your domain, how many times it's been hit, etc. Click the Pinwheel on the left and there's more options you an add/remove to customize it to your liking.

Like I said, this isn't a management tool like npm, etc. Swag is still 100% command line based. This is more an information tool.

KM0201 I’m curious. You don’t have a duckdns section in your stack. I’ve always wondered why it was there since the pertinent information is repeated under swag. Is the duckdns container not necessary?

Also, you used port 457 in a couple of places and then 450 later on. Is that a typo?

Zitat von Agricola

KM0201 I’m curious. You don’t have a duckdns section in your stack. I’ve always wondered why it was there since the pertinent information is repeated under swag. Is the duckdns container not necessary?

Also, you used port 457 in a couple of places and then 450 later on. Is that a typo?

the duckdns container is not required now as best I can tell... the swag container essentially has a duckdns "plugin", and will basically handle what the old duckdns docker used to handle (in the older how to)

The 450/457... 450, is local only since it is not forwarded in my router (since nextcloud seems to require https even for insecure local connections). I used this just for a basic set up, then set up my subdomain after I basically had my database and admin user logged in. 457 is what actually gets forwarded in your router to allow duckdns, letsencrypt, etc. to all work together. Obviously you can choose any port you want... I chose 457 years ago so I ride or die with it.

At the very end I mentioned if you didn't need local access, once the subdomain is setup and working properly, you can comment out the ports under the nextcloud portion of the container.

The last part, that is what confused me. Thanks for the info on duckdns. Nice to know and really makes more sense.

Zitat von Agricola

The last part, that is what confused me. Thanks for the info on duckdns. Nice to know and really makes more sense.

I think w/ the old letsencrypt container, it was required (as technodad and some of the others used the duckdns container)... when the new "swag" container (I swear I loathe that name)... it apparently has plugins available to it if you read the container details (duckdns, cloudflare, etc..).. so in this instance it basically makes the duckdns container no longer necessary.

https://hub.docker.com/r/linuxserver/swag

I don’t much care for the name either, and I really don’t like the Linuxserver blogpost that introduced it. In that blogpost they say “At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can.” I wonder if that is still the case. At what point will it be necessary to advise switching to swag, especially if it is a brand new install that is having trouble getting started? Surely Linuxserver will let us know.

Zitat von Agricola

I don’t much care for the name either, and I really don’t like the Linuxserver blogpost that introduced it. In that blogpost they say “At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can.” I wonder if that is still the case. At what point will it be necessary to advise switching to swag, especially if it is a brand new install that is having trouble getting started? Surely Linuxserver will let us know.

If the name wasn't a common acronym for "some wild ass guess".. it wouldn't bother me so much. As it stands it looks like some 13yr old came up with it.

As for the compatibility... I'm assuming it is still compatible... the only reason I switched in my new compose, is because when I looked at linuxserver/letsencrypt, it hadn't been updated in almost a month and there was a clear notice it was deprecated. I didn't really see any reason to put off getting current since I was redoing my compose files anyway. Love it or hate it, swag was updated 2 days ago.

Zitat von seekr

When you say forward ports 457 to 443 and 91 to 80, you mean that 457 and 91 are the internal ports and 443 and 80 are the external ports correct?

Should have clarified that...

That is correct, 457 and 91 are internal, 443 and 80 are external.

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocy3p84p4vod',
  'passwordsalt' => 'C+QQ4DKkvFAhEneR778xTnFKdFHAuc',
  'secret' => 'sYvEcHkT47dga32KjPoYAGtdV8TEShdRGIh4LM7/zsxYb1LR',
  'trusted_domains' => 
  array (
    0 => '192.168.1.166:450',
    1 => 'mydomain.duckdns.org',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.1.166:450',
    1 => 'mydomain.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '20.0.6.1',
  'overwrite.cli.url' => 'https://mydomain.duckdns.org',
  'overwritehost' => 'mydomain.duckdns.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextclouddb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_admin',
  'dbpassword' => '08P1hTXjLxgQ05m+bswsIrj14ZRSqN',
  'installed' => true,
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
);

That is how mine currently looks.

Edit: in cae it isn't clear, 192.168.1.166:450 is my local IP address... Yours will be different there.

seekr the file above that KM0201 has listed is his config.php file. Pattern yours after his. The file you showed is your nextcloud.subdomain.conf file. The only thing you need to do with it is replace server_name nextcloud.*; with server_name yoursubdomain.*; That is assuming you are attempting to have an address like this: yoursubdomain.duckdns.org That is how I have mine set up. That is how KM0201 has his php.config set up. See his lines 11, 16, 20, and 21.

Zitat von Agricola

seekr the file above that KM0201 has listed is his config.php file. Pattern yours after his. The file you showed is your nextcloud.subdomain.conf file. The only thing you need to do with it is replace server_name nextcloud.*; with server_name yoursubdomain.*;

Damn you're right... I showed him the wrong file.

All you need to change is nextcloud.* (but that was in 6, 7 and 8 I put above..)

All of those comments in the first 14 lines confused me the first time I saw it. But I figured you were distracted or something. I wasn't trying to school you. Just a friendly nudge. Kind of like when my wife puts an elbow to my ribs when I doze off in church.

Zitat von Agricola

All of those comments in the first 14 lines confused me the first time I saw it. But I figured you were distracted or something. I wasn't trying to school you. Just a friendly nudge. Kind of like when my wife puts an elbow to my ribs when I doze off in church.

I was actually sitting in stalled traffic when I copied it from another post..lol