Nextcloud Bad Gateway

I have for the first time in several attempts successfully installed nextcloud using this method, many thanks. But I'm having a problem with swag.

In your instructions it says you should get a congratulations message in swag log, I havent seen one. Not sure what is going wrong with how I set it up.

Here is my swag log

-------------------------------------

GID/UID

-------------------------------------

User uid: 1001

User gid: 100

-------------------------------------

[cont-init.d] 10-adduser: exited 0.

[cont-init.d] 20-config: executing...

[cont-init.d] 20-config: exited 0.

[cont-init.d] 30-keygen: executing...

generating self-signed keys in /config/keys, you can replace these with your own keys if required

Generating a RSA private key

.......+++++

..................................................+++++

writing new private key to '/config/keys/cert.key'

-----

[cont-init.d] 30-keygen: exited 0.

[cont-init.d] 50-config: executing...

Variables set:

PUID=1001

PGID=100

TZ=

URL=

SUBDOMAINS=wildcard

EXTRA_DOMAINS=

ONLY_SUBDOMAINS=false

VALIDATION=duckdns

CERTPROVIDER=

DNSPLUGIN=

EMAIL=

STAGING=

Please pass your URL as an environment variable in your docker run command. See docker info for more details.

Is it possible that fritz.box 4040 does not allow access from the web?

After about 2 weeks of frustration trying to reverse-proxy my homeserver with NPM+PiHole+Cloudflare, I tried this method with DuckDNS to no success. I have recently changed ISP and they gave me a fritz.box 4040 that seems to bounce external access, either landing on router login page, or (disabling it) to a generic error page. I've been suggested to try PiHole as DNS Server, and it works by itself, but still does not allow me to resolve my domain to my IP. It doesn't talk to Ngnix Proxy-Manager.

So I have done everything described in post #4 of this thread, but as I reach point 11, no, I cannot see anything, just an error page.

I've started from scratch in docker/portainer using the stacks compose.

The containers do work, I've got the certificate, I managed to overcome 0770 permission error of /data folder setting it to root/root.

Both NextCloud and Swag show their page and work, logs are fine. They are up and running.

Nevertheless I cannot open Nextcloud from my DuckDNS domain. Nor www.[mydomain].duckdns.org

Nslookup to my duckdns domain shows my public IP instead of server IP.

Ports 443 and 80 are open and mapped to 4443 and 8088 (left the same I used with NPM).

I'm on OMV6, everything works fine, I have many services running, the only thing I cannot do Is access them from outside LAN.

The 0770 permission issue happened as I assigned a path to the wrong absolute path in OMV. Then I corrected that with another exclusively created with root/root permission. This never happens when I assign paths to containers, so it was a first time for me. It was not obvious that it could happen.

Swag and Nextcloud work in the terms that I can access them via local IP/port, NOT duckdns domain.

Since the same happened with cloudflare and NPM, I wondered if it's possible that fritz.box 4040 has some lock, like it's given to customers just to navigate and not selfhosting.

Too many inconsistencies on what you're posting.

The first place you should have gone is:

FRITZ!Box 4040 Help - FRITZ!Box Services (avm.de)

Fritz box access to itself (to access the GUI) is done by port 443 which means you need to change that port to something else or it will confilct with any webserver/proxy you have. (as it is happening)

Then you need to make port forward to the services you need (if you go SWAG with DuckDNS way, you only need 443 but we also use 80):

After you get to the start page of SWAG (with certificate), then it's time to start accessing Nextcloud (whatever other services you want)

The only port that will be in use will be port 443 on the WAN (but you can redirect to whatever port you want for SWAG)

Now, about this:

Zitat von jan_axhell

Then I corrected that with another exclusively created with root/root permission.

The Nextcloud /data folder SHOULD NOT EXIST prior to launch the container UNLESS it belongs to the exact SAME ID of the user that owns the container.

Nextcloud container will be launched with a specific UID:GID that will take over that folder on creation time.

And this will have several other permissions that shouldn't be touched outside the container.

For eg:

services:
  nextcloud:
    image: linuxserver/nextcloud:latest
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=100
.....
    volumes:
      - /srv/dev-disk-by-label-sd_configs/@appdata/nextcloud/config:/config 
      - /srv/dev-disk-by-label-wolf1/@data/nextcloud/data:/data # This will be owned by user above 1000:100 and it didn't exist when the container was 1st launched. Docker will make it.

You spoke about NPM+PiHole+Cloudfalre.

To make all of that work, you need to learn more about how it interacts with the main host (all of it gives more headaches than they deserve)

Try SWAG first and then, move on.

I know what port-forwarding is and set 443 to 4443 as I wrote.

I was already reading the manual, all I obtain is reaching SWAG page with MyFritz URL, but not with my DuckDNS URL.

It is confusing because it offers 2 options: enable My Fritz / enable Ports. The first one creates a HTTPS server and accepts one port (default is 443, I set it to 4443), the second forwards ports to what I want, like 4443 to 443, but doesn't work at all. At least MyFritz URL set to 4443 shows SWAG page.

I have got the certificate as I wrote as well.

Ok, didn't know /data folder should not exist, again I'm used to create them before containers, and this is a first. Never had permission problems with 50+ containers.

I will try again NOT creating /data folder before container and check back.

Zitat von jan_axhell

At least MyFritz URL set to 4443 shows SWAG page.

I have got the certificate as I wrote as well.

What do you mean by MyFritz URL???

Zitat von Soma

What do you mean by MyFritz URL???

This. It's the same as public IP+443

Zitat von KM0201

Now I'm super confused. Admittedly I know nothing about Fritzboxes... but if you're trying to route it through your fritzbox url, why are you using swag?

If you're using swag, the only ports you should need to forward, are ports for 80, and 443.. which you've apparently already done. I'm not seeing why the fritzbox needs to come into play.

Never said I want to use that url, only that while I am trying, that works while my Duckdns url doesn't. Friztbox out of the box points your public IP to its Login page and has a DNS rebind function that blocks any domain except those you specify. Nevertheless this was not enough to reach my server. A couple of persons on Reddit suggested to try PiHole+NPM to bypass any possible fritzbox block, but while PiHole as a DNS server works fine, I've been unable to make it talk to NPM. So I've looked for a different way to try it, this tutorial.

I was just postponing to tomorrow, anyway here they are:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc8u4kf61p9x',
  'passwordsalt' => '0QO+cyb+oBGmFC+KrWMVDLkBmyXiF/',
  'secret' => 'dVk/xovNSaiv7PzTj7A7LRHoUEN0v2oJPAfNdNYgs4IRJk5V',
  'trusted_domains' => 
  array (
    0 => '192.168.1.94:450',
    1 => 'nextcloud.janaxhell.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '24.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.janaxhell.duckdns.org',
  'overwritehost' => 'nextcloud.janaxhell.duckdns.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextclouddb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'oc_jan_axhell',
  'dbpassword' => '[redacted]',
  'installed' => true,
  'default_phone_region' => 'IT',
  'trusted_proxies' =>
  array (
    0 => 'your.ip:450',
    1 => 'nextcloud.janaxhell.duckdns.org',   ),
);

version: "2.2"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=998
      - PGID=100
      - URL=janaxhell.duckdns.org
      - DUCKDNSTOKEN=[redacted]
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - EMAIL=[redacted]
    volumes:
      - /srv/dev-disk-by-uuid-5b67514d-485e-4306-873e-b1cbb54ccf99/Config/Swag:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 4443:443
      - 8088:80
    restart: unless-stopped

I have to ask again:

Did you create a portforward on the fritz box from WAN 443 to swagip LAN 4443 and WAN 80 to swagip LAN 8088?

All this discussion is leading to nowhere. If you got a certificate (#82) most of it is working, as otherwise you would not have gotten a certificate.

Do not confuse internal network traffic and external network traffic.

Do you have enabled the MyFritz URL? If yes, what do you see, if you try to access the myfritz url from outside your network?

on the cli try

apt install dnsutils
nslookup <myfritz-dns-name>
nslookup <duckdns-name>

The two last comands should resolve to your external IP address

If this works, it is time to set up port forwarding.

Zitat von Soma

I have to ask again:

Did you create a portforward on the fritz box from WAN 443 to swagip LAN 4443 and WAN 80 to swagip LAN 8088?

I did since the beginning of my first post and it did not work. THEN I tried the other HTTPS server option to port 4443 and it showed swag page instead of error page.

Zitat von Zoki

All this discussion is leading to nowhere. If you got a certificate (#82) most of it is working, as otherwise you would not have gotten a certificate.

Do not confuse internal network traffic and external network traffic.

Do you have enabled the MyFritz URL? If yes, what do you see, if you try to access the myfritz url from outside your network?

on the cli try

Code

apt install dnsutils
nslookup <myfritz-dns-name>
nslookup <duckdns-name>

The two last comands should resolve to your external IP address

If this works, it is time to set up port forwarding.

Alles anzeigen

From outside my network I get "page is unreachable"

Here is the cert and the nslookup

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to  127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Created .donoteditthisfile.conf
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for janaxhell.duckdns.org will be requested
E-mail address entered: [redacted]
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.janaxhell.duckdns.org
Hook '--manual-auth-hook' for janaxhell.duckdns.org ran with output:
 OKsleeping 60
Hook '--manual-auth-hook' for janaxhell.duckdns.org ran with error output:
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed

   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 100     2    0     2    0     0      3      0 --:--:-- --:--:-- --:--:--     3

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/janaxhell.duckdns.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/janaxhell.duckdns.org/privkey.pem
This certificate expires on 2022-09-05.
These files will be updated when the certificate renews.

root@openmediavault:/# nslookup openmediavault.w49jwrx4ohzlf0t7.myfritz.net                                                                                                               
Server:         1.1.1.1                                                                                                                                                                   
Address:        1.1.1.1#53                                                                                                                                                                
                                                                                                                                                                                          
Non-authoritative answer:                                                                                                                                                                 
Name:   openmediavault.w49jwrx4ohzlf0t7.myfritz.net                                                                                                                                       
Address: 93.188.103.49                                                                                                                                                                    
                                                                                                                                                                                          
root@openmediavault:/# nslookup janaxhell.duckdns.org                                                                                                                                     
Server:         1.1.1.1                                                                                                                                                                   
Address:        1.1.1.1#53                                                                                                                                                                
                                                                                                                                                                                          
Non-authoritative answer:                                                                                                                                                                 
Name:   janaxhell.duckdns.org                                                                                                                                                             
Address: 93.188.103.49   

So you say you have no access from web. How do you think your cert was created then? It is not possible without access from web.

You got a cert,, so external https access to your local network is working

now use nslookup <your_subdomain>.janaxhell.duckdns.org

It sould point to the same IP.

If yes, you got the external stuff working and need to care for the internal config / services.

It points to the same IP. But I don't understand one thing: it uses Cloudflare 1.1.1.1 as resolver, while I have set in OMV, Windows PC and Fritz.box PiHole as DNS resolver at 192.168.1.2 (on a macvlan to bypass port 53 conflict). Why is that so, does nslookup bypass the system DNS resolver?

EDIT: maybe is it because OMV is a different user than root? If yes how do I set root resolver to PiHole as well?

OMV output

root@openmediavault:~# nslookup nextcloud.janaxhell.duckdns.org                                                                                                                           
Server:         1.1.1.1                                                                                                                                                                   
Address:        1.1.1.1#53                                                                                                                                                                
                                                                                                                                                                                          
Non-authoritative answer:                                                                                                                                                                 
Name:   nextcloud.janaxhell.duckdns.org                                                                                                                                                   
Address: 93.188.103.49       

Windows output

C:\Windows\system32>nslookup nexcloud.janaxhell.duckdns.org
Server:  pi.hole
Address:  192.168.1.2

Risposta da un server non autorevole:
Nome:    nexcloud.janaxhell.duckdns.org
Address:  93.188.103.49

your omv is using 1.1.1.1 as DNS. cat /etc/resolv.conf will show.

I am not using DuckDNS, but are you using DNS validation to get the cert or http validation. The first will make letsencrypt ask you dns provider, the later will make requests to your local network.

This message "Wildcard cert for janaxhell.duckdns.org will be requested" makes me think, you are using DNS validation.

To mee it looks like the port 443 / 80 are not open on your router (I tried with the given name).