Nextcloud 13 behind HA Proxy with letsencrypt – all in Docker containers

I want to run a Nextcloud server for my family and friends, and I want it behind a reverse proxy so that I get SSL termination there and the reverse proxy can later serve other HTTP-based services that I want to expose externally or only internally.

Tasks:

  1. Set up the bradjonesllc/docker-haproxy-letsencrypt docker container
  2. Set up the Nextcloud 13 docker container
  3. Configure HA Proxy and Nextcloud

1. Set up the HA Proxy container

I’m already using the duckdns.org service to keep a domain name pointed at my dynamic IP address, and I want a frontend reverse proxy for SSL traffic to Nextcloud, i.e. one that routes https://mydomain.duckdns.org/nextcloud/ to the Nextcloud 13 container that I will install and that has a valid SSL certificate issued by the Let’s Encrypt service.

First I set up port forwarding on my router (Ubiquiti EdgeRouter X) for ports 80 and 443 to the ports that I plan to publish from the reverse proxy docker container:

  • External port 80 maps to host port 9980, which is published by the HA Proxy container
  • External port 443 (SSL) maps to host port 9981, which is published by the HA Proxy container

Next, create two folders on the host that will be mounted into the container, to hold the haproxy.cfg configuration file and the certificates that get generated.

  • /volume1/docker/letsencrypt/
  • /volume1/docker/haproxy/

As a starting point for the HA Proxy configuration I copy the haproxy.cfg file from the repo: https://github.com/BradJonesLLC/docker-haproxy-letsencrypt (I could have copied it out of the container instead, but this way I don’t have to start one up just to do that).

Copy the haproxy.cfg file to the /volume1/docker/haproxy/ folder.

Now it is time to start the container…

docker run -t -e CERTS=mydomain.duckdns.org -e EMAIL=my@mail.com -v /volume1/docker/letsencrypt/:/etc/letsencrypt -v /volume1/docker/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg -p 9980:80 -p 9981:443 --name haproxy bradjonesllc/docker-haproxy-letsencrypt

If everything is starting up fine – certificates are created as they should – let’s move on to the next step of setting up Nextcloud. Please note that you must have

2. Setup the Nextcloud 13 container

I’ll be using a separate MySQL database and link it to the Nextcloud container, rather than using the SQLite database that comes bundled with the image.

docker run --name nextcloud-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql:latest

Again, create the necessary folders so that the important data lives outside the container and survives when it is time to upgrade.

  • /volume1/docker/nextcloud/apps
  • /volume1/docker/nextcloud/config
  • /volume1/docker/nextcloud/data

Start the docker container and wait until you can reach the login page on port 8102, e.g. http://192.168.2.10:8102

docker run -d -v /volume1/docker/nextcloud/apps/:/var/www/html/custom_apps/ -v /volume1/docker/nextcloud/config/:/var/www/html/config/ -v /volume1/docker/nextcloud/data/:/var/www/html/data/ -p 8102:80 --link nextcloud-mysql:mysql --name mynextcloud nextcloud:latest

When you can reach the web page, follow the wizard and choose MySQL as the database backend with hostname “mysql” as shown below.

[Screenshot: the Nextcloud setup wizard’s database settings, with MySQL selected and “mysql” as the database host]

Finish the setup wizard.

3. Final touches

Now we need to make HA Proxy and Nextcloud work together, so that Nextcloud is accessible externally with a proper SSL certificate.

Open /volume1/docker/haproxy/haproxy.cfg. Below is my configuration file: it redirects plain HTTP to SSL, terminates SSL in front of the backend services, and forwards any request under /nextcloud/ to http://192.168.2.10:8102, my Nextcloud docker container.

global
 maxconn 256
 lua-load /usr/local/etc/haproxy/acme-http01-webroot.lua
 chroot /jail
 # Cipher lists and protocol options validated against the Mozilla SSL Configuration Generator (see the EDIT at the end)
 ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
 tune.ssl.default-dh-param 4096

defaults
 mode http
 timeout connect 5000ms
 timeout client 50000ms
 timeout server 50000ms
 option forwardfor
 option http-server-close

# Port 80: answer Let's Encrypt HTTP-01 challenges, redirect everything else to HTTPS
frontend http
 bind *:80
 mode http
 acl url_acme_http01 path_beg /.well-known/acme-challenge/
 http-request use-service lua.acme-http01 if METH_GET url_acme_http01
 redirect scheme https code 301 if !{ ssl_fc }

 default_backend www-backend

# Port 443: TLS termination with the Let's Encrypt certificates, HSTS on every response
frontend ft_ssl_vip
 bind *:443 ssl crt /usr/local/etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
 rspadd Strict-Transport-Security:\ max-age=15768000

 # Adjust paths: send /nextcloud (without trailing slash) to /nextcloud/
 acl missing_nc_path path /nextcloud
 http-request redirect location /nextcloud/ if missing_nc_path

 # App definitions
 acl is_nc path_beg /nextcloud
 use_backend nextcloud if is_nc

backend www-backend
 redirect scheme https code 301 if !{ ssl_fc }

backend nextcloud
 # Strip the /nextcloud/ prefix before forwarding; the container serves Nextcloud at /
 # (reqrep/reqadd/rspadd are HAProxy 1.x directives and were removed in HAProxy 2.1)
 reqrep ^([^\ :]*)\ /nextcloud/(.*) \1\ /\2
 reqadd X-Script-Name:\ /nextcloud
 option httpclose
 option forwardfor
 server node1 192.168.2.10:8102

Restart the HA Proxy container.

Last but not least, we need to update the config.php file of Nextcloud.

Open the /volume1/docker/nextcloud/config/config.php file in an editor and add or replace the following values:

  // Host names Nextcloud will answer for: the LAN address and the public name
  'trusted_domains' =>
  array (
    0 => '192.168.2.10:8102',
    1 => 'mydomain.duckdns.org',
  ),
  // Addresses allowed to set X-Forwarded-For (the HA Proxy side)
  'trusted_proxies' =>
  array (
    0 => '192.168.2.10',
  ),
  // Generate URLs with the public https://.../nextcloud prefix used by the proxy
  'overwrite.cli.url' => 'https://mydomain.duckdns.org/nextcloud',
  'overwriteprotocol' => 'https',
  'overwritehost' => 'mydomain.duckdns.org',
  'overwritewebroot' => '/nextcloud',

I hope that I have covered it all in my translation of the process into this blog entry. The server should now be accessible on https://mydomain.duckdns.org/nextcloud/
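To confirm that the proxy actually behaves as the haproxy.cfg above intends, here is a small verification script. It is an added example and not part of the original post; it assumes the duckdns host name from the post (override HOST in the environment) and checks captured response headers for the 301 to HTTPS, the HSTS header, the /nextcloud trailing-slash redirect and that the ACME challenge path is left alone.

```shell
#!/bin/sh
# Added verification script, not from the original post: checks captured HTTP
# response headers for the behaviour haproxy.cfg above should give (301 to https
# on port 80, HSTS max-age=15768000, /nextcloud -> /nextcloud/, ACME left alone).
HOST="${HOST:-mydomain.duckdns.org}"   # assumed name from the post; override via env

# Save the response headers of URL $1 into file $2 (network; live mode only).
capture() { curl -sS -I -o "$2" "$1"; }
# Print the status code from a captured header block on stdin.
status_of() { tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'; }
# Print the value of header $1 (case-insensitive) from stdin; empty when absent.
header_of() { tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'; }

# Port 80 must answer 301 with a Location on https://HOST/ (ACME path excepted).
check_http_redirect() {
  [ "$(status_of < "$1")" = "301" ] || return 1
  case "$(header_of Location < "$1")" in "https://$HOST/"*) return 0 ;; esac
  return 1
}
# The ACME challenge path must not be redirected or certificate renewals fail.
check_acme_passthrough() { [ "$(status_of < "$1")" != "301" ]; }
# Port 443 responses must carry the HSTS header added by rspadd.
check_hsts() {
  case "$(header_of Strict-Transport-Security < "$1")" in *max-age=15768000*) return 0 ;; esac
  return 1
}
# /nextcloud without a trailing slash is redirected to /nextcloud/ by the ACL.
check_nc_slash() { [ "$(header_of Location < "$1")" = "/nextcloud/" ]; }

# Self-test on constructed header captures (not real proxy output); 0 when all pass.
self_test() {
  f=$(mktemp) || return 1
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://%s/nextcloud/\r\n\r\n' "$HOST" > "$f"
  check_http_redirect "$f" || return 1
  printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000\r\n\r\n' > "$f"
  { check_hsts "$f" && check_acme_passthrough "$f"; } || return 1
  printf 'HTTP/1.1 302 Found\r\nLocation: /nextcloud/\r\n\r\n' > "$f"
  check_nc_slash "$f" || return 1
  rm -f "$f"
}

# Live mode against the real proxy:  sh verify.sh live
if [ "$1" = "live" ]; then
  f=$(mktemp)
  capture "http://$HOST/" "$f" && check_http_redirect "$f" && echo "http->https: OK"
  capture "http://$HOST/.well-known/acme-challenge/probe" "$f" && check_acme_passthrough "$f" && echo "acme: OK"
  capture "https://$HOST/nextcloud/" "$f" && check_hsts "$f" && echo "hsts: OK"
  capture "https://$HOST/nextcloud" "$f" && check_nc_slash "$f" && echo "slash redirect: OK"
  rm -f "$f"
fi
```

A check that prints nothing in live mode has failed; rerun the matching curl -I by hand to see which header the proxy actually returned.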

EDIT: Incorrect cipher setting in haproxy.cfg

After the installation I tested reaching my server with the Nextcloud app and received an SSL Initialization error. Googling the error showed it to be a common issue; after validating my settings with the Mozilla SSL Configuration Generator I now have a working configuration, and I’ve updated the haproxy.cfg file above accordingly.
