Upgrade to Nextcloud 14 and add OnlyOffice editor

The upgrade to Nextcloud 14 from 13 was really easy. Just delete the container, recreate the instance with the same command as before and go through the migration of the database.

In my case I ran the following statement:

docker run -d -p 8102:80 --name=nextcloud \
-v /etc/localtime:/etc/localtime:ro \
-v /volume1/docker/nextcloud/apps/:/var/www/html/custom_apps/ \
-v /volume1/docker/nextcloud/config/:/var/www/html/config/ \
-v /volume1/docker/nextcloud/data/:/var/www/html/data/ \
--link nextcloud-mysql:mysql nextcloud:latest

After upgrading the container I checked for error messages and received one saying that I needed to apply new indexes on two tables. I ran the occ command as suggested.

docker exec -it --user www-data nextcloud bash
php /var/www/html/occ db:add-missing-indices

Adding OnlyOffice as an in-browser editor to Nextcloud is really easy, as it is well documented. I needed to make just one minor modification to the config file that OnlyOffice provides, in order to terminate SSL for the OnlyOffice Document Server.

First, let's install the Document Server in a separate Docker container.

docker run -i -t -d --name onlyoffice -p 8103:80 --restart=always \
-v /volume1/docker/onlyoffice/logs:/var/log/onlyoffice  \
-v /volume1/docker/onlyoffice/data:/var/www/onlyoffice/Data  \
-v /volume1/docker/onlyoffice/lib:/var/lib/onlyoffice \
-v /volume1/docker/onlyoffice/db:/var/lib/postgresql  onlyoffice/documentserver

Next, configure HAProxy for SSL termination and for using a virtual path (e.g. https://myserver.com/onlyoffice/). I have Nextcloud and the Document Server running on the same server.

If you are not running HAProxy as a reverse proxy, OnlyOffice have a number of pre-defined configurations for other proxies here: https://github.com/ONLYOFFICE/document-server-proxy

In the frontend I route /onlyoffice/ paths to the backend definition as follows:

acl is_onlyoffice path_beg /onlyoffice
use_backend onlyoffice if is_onlyoffice

backend onlyoffice
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)]/onlyoffice unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
reqrep ^([^\ :]*)\ /onlyoffice/(.*)     \1\ /\2
server onlyoffice-documentserver

The above code will fix the SSL termination and make sure that Document Server internal references are using HTTPS and it will change the internal routing based on the virtual path.
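
The same routing for a HAProxy that faces clients directly, as an added example rather than the author's or OnlyOffice's configuration: it overwrites the forwarded headers instead of keeping client-supplied ones, and strips the virtual path with `http-request set-path`, which also works on HAProxy 2.1 and later where `reqrep` was removed. The server address `192.0.2.10:8103` and the `missing_oo_slash` ACL are assumptions; the frontend name and certificate path are taken from the haproxy.cfg further down this page.

```haproxy
# Added example, not the author's configuration. Uses only directives that
# exist in HAProxy 1.6 and later.
# 192.0.2.10:8103 is a placeholder for the Document Server address.

frontend ft_ssl_vip
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/
    mode http

    # Redirect /onlyoffice (no trailing slash) so the routing ACL can be
    # strict and does not also match paths such as /onlyoffice-old.
    acl missing_oo_slash path /onlyoffice
    http-request redirect location /onlyoffice/ if missing_oo_slash

    acl is_onlyoffice path_beg /onlyoffice/
    use_backend onlyoffice if is_onlyoffice

backend onlyoffice
    mode http

    # This proxy terminates TLS and is the first hop after the client, so it
    # is the only party that knows the real scheme and host. set-header
    # replaces any value the client sent; add-header guarded by
    # "unless ... -m found" passes a client-supplied value through to the
    # Document Server. Keep the guarded form only when another trusted
    # proxy sits in front of this one and sets these headers itself.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]/onlyoffice

    # Strip the virtual path: /onlyoffice/foo -> /foo (replaces reqrep).
    http-request set-path %[path,regsub(^/onlyoffice/,/)]

    server onlyoffice-documentserver 192.0.2.10:8103 check
```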

Lastly, install the OnlyOffice app in Nextcloud and configure it in the administration panel to use the route as you have defined.


Nextcloud 13 behind HA Proxy with letsencrypt – all in Docker containers

I want to have a Nextcloud server for my family and friends, and I want to have it behind a reverse proxy so that I’ll get SSL termination and the reverse proxy can in addition serve other HTTP-based services that I later want to expose externally or only internally.


  1. Setup bradjonesllc/docker-haproxy-letsencrypt docker container
  2. Setup Nextcloud 13 docker container
  3. Configure HA Proxy and Nextcloud

1. Setup the HA Proxy container

I’m already using the duckdns.org service for dynamically updating my IP address to a domain name, and I want a frontend reverse proxy for SSL traffic to Nextcloud, i.e. for routing https://mydomain.duckdns.org/nextcloud/ to the Nextcloud 13 container that I will install, with a valid SSL certificate generated by the Let's Encrypt service.

First I set up routing in my switch (Ubiquiti EdgeRouter X) of ports 80 and 443 to the ports that I plan to expose from the reverse proxy Docker container:

  • External port 80 maps to port 9980 of the HA proxy container
  • External port 443 (SSL) maps to port 9981 of the HA proxy container

Next, create a couple of folders outside the container, where I want to keep the haproxy.cfg configuration file and the certificates that are being generated.

  • /volume1/docker/letsencrypt/
  • /volume1/docker/haproxy/

To work on the configuration file for HA Proxy I’m copying the haproxy.cfg file from the repo: https://github.com/BradJonesLLC/docker-haproxy-letsencrypt (I could have created a copy from the container, but this way I don’t have to start one up in order to do so).

Copy the haproxy.cfg file to the /volume1/docker/haproxy/ folder.

Now it is time to start the container…

docker run -t -e CERTS=mydomain.duckdns.org -e EMAIL=my@mail.com -v /volume1/docker/letsencrypt/:/etc/letsencrypt -v /volume1/docker/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg -p 9980:80 -p 9981:443 --name haproxy bradjonesllc/docker-haproxy-letsencrypt

If everything is starting up fine – certificates are created as they should – let’s move on to the next step of setting up Nextcloud. Please note that you must have

2. Setup the Nextcloud 13 container

I’ll be using a separate MySQL database and will link that to the Nextcloud container to avoid using the SQLite that comes with it.

docker run --name nextcloud-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql:latest

Again, create the necessary folders to keep the most important data out of the container when it is time to upgrade.

  • /volume1/docker/nextcloud/apps
  • /volume1/docker/nextcloud/config
  • /volume1/docker/nextcloud/data

Start the docker container and wait until you can reach the logon page on port 8102. E.g.

docker run -d -v /volume1/docker/nextcloud/apps/:/var/www/html/custom_apps/ -v /volume1/docker/nextcloud/config/:/var/www/html/config/ -v /volume1/docker/nextcloud/data/:/var/www/html/data/ -p 8102:80 --link nextcloud-mysql:mysql --name mynextcloud nextcloud:latest

When you can reach the web page, follow the wizard and use MySQL as the data source with hostname “mysql”.

Finish the setup wizard.

3. Final touches

Now we need to make HA Proxy and Nextcloud work together so that Nextcloud is accessible externally with a proper SSL certificate.

Open /volume1/docker/haproxy/haproxy.cfg. Below is my configuration file, which redirects to SSL, terminates SSL in front of the backend services and forwards any requests for /nextcloud/ to my Nextcloud Docker container.

global
 maxconn 256
 lua-load /usr/local/etc/haproxy/acme-http01-webroot.lua
 chroot /jail
 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 tune.ssl.default-dh-param 4096

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms
 option forwardfor
 option http-server-close

frontend http
 bind *:80
 mode http
 acl url_acme_http01 path_beg /.well-known/acme-challenge/
 http-request use-service lua.acme-http01 if METH_GET url_acme_http01
 redirect scheme https code 301 if !{ ssl_fc }

 default_backend www-backend

frontend ft_ssl_vip
 bind *:443 ssl crt /usr/local/etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
 rspadd Strict-Transport-Security:\ max-age=15768000

#Adjust paths
 acl missing_nc_path path /nextcloud
 http-request redirect location /nextcloud/ if missing_nc_path

# App definitions
acl is_nc path_beg /nextcloud
 use_backend nextcloud if is_nc

backend www-backend
 redirect scheme https code 301 if !{ ssl_fc }

backend nextcloud
 # Strip the /nextcloud prefix (must match the is_nc path above) before forwarding
 reqrep ^([^\ :]*)\ /nextcloud/(.*) \1\ /\2
 reqadd X-Script-Name:\ /nextcloud
 option httpclose
 option forwardfor
 server node1

Restart the HA Proxy container.

Last but not least, we need to update the config.php file of Nextcloud.

Open /docker/nextcloud/config/config.php file in an editor and add/replace the following values:

 'trusted_domains' =>
 array (
  0 => '',
  1 => 'mydomain.duckdns.org',
 ),
 'trusted_proxies' =>
 array (
  0 => '',
 ),
 'overwrite.cli.url' => 'https://mydomain.duckdns.org/nextcloud',
 'overwriteprotocol' => 'https',
 'overwritehost' => 'mydomain.duckdns.org',
 'overwritewebroot' => '/nextcloud',

I hope that I have covered it all in my translation of the process into this blog entry. The server should now be accessible on https://mydomain.duckdns.org/nextcloud/

EDIT: Incorrect cipher setting in haproxy.cfg

After my installation I tested reaching my server with the Nextcloud app and received an SSL Initialization error. After googling the error, this appears to be a common issue, but after validating with the Mozilla SSL Configuration Generator I now have a working configuration and I’ve updated the haproxy.cfg file above.

Run Nextcloud through a reverse proxy – HAProxy – with a different webroot

I wanted to set up HAProxy as a reverse proxy towards my Nextcloud 12 server and I really struggled to find proper information on how to do that. As I have a number of backend services, I needed a different webroot to distinguish the requests. I finally succeeded and I want to share my configuration settings.

Nextcloud is now accessible from https://myserver.se/nc/


global
        maxconn 4096
        user haproxy
        group haproxy
        log local0 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option  redispatch
        option  http-server-close
        option  forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000

frontend www-http
        bind *:80
        mode http
        reqadd X-Forwarded-Proto:\ http

        default_backend www-backend

backend www-backend
        #All requests should be in SSL-mode. SSL is terminated in HAProxy
        #and uses HTTP in backend requests
        redirect scheme https code 301 if !{ ssl_fc }

frontend www-https
        #My server certificate
        #Here's a great instruction on how to setup
        # LetsEncrypt with HAProxy https://skarlso.github.io/2017/02/15/how-to-https-with-hugo-letsencrypt-haproxy/
        bind *:443 ssl crt /etc/haproxy/certs/myserver.pem
        mode http
        option forwardfor
        option http-server-close
        option http-pretend-keepalive

        #Only allow some services to be available internally
        acl network_allowed src
        acl restricted_page path_beg /internal
        block if restricted_page !network_allowed

        # App definitions
        acl is_nc path_beg /nc
        use_backend nextcloud if is_nc

backend nextcloud
        reqrep ^([^\ :]*)\ /nc/(.*)  \1\ /\2
        reqadd X-Script-Name:\ /nc
        option httpclose
        option forwardfor
        server node1

And for Nextcloud I updated the PHP configuration settings with my domain name “myserver.se” and the HA Proxy IP address “” as explained here https://docs.nextcloud.com/server/12/admin_manual/configuration_server/reverse_proxy_configuration.html



  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '',
    2 => '',
    3 => 'myserver.se',
  ),
  'trusted_proxies' => [''],
  'overwritehost' => 'myserver.se',
  'overwritewebroot' => '/nc',
  'overwritecondaddr' => '^192\.168\.2\.196$',