Nextcloud fails to log in behind Caddy; is disabling caching called for?

1. The problem I’m having:

I have installed Nextcloud-AIO in a Docker container on my server, and used its built-in setup flow to set its URL to cloud.xanderwhart.us.

In a separate container, which shares a Docker network with the Nextcloud-AIO container, I am running Caddy as a reverse proxy.

When I attempt to log in to Nextcloud-AIO using the default provided admin credentials, I get an error message:

Temporary error.
Please try again.

I am posting this issue here because this GitHub issue of people with similar errors has several people saying they were able to fix this issue by disabling caching on their reverse proxy, which suggests to me that my reverse proxy (Caddy) might also somehow be implicated.

2. Error messages and/or full log output:

I apologize for truncating the log; however, I’ve been trying to solve this issue for a month and have had the log in debug mode the entire time; the full thing is nearly 1GB in size and something like 2.5 million lines.

These appear to be the relevant log entries from around the time I submitted a Nextcloud login request:

caddy-1  | {"level":"debug","ts":1738361687.3796778,"logger":"http.stdlib","msg":"http: TLS handshake error from 98.246.122.50:43680: no certificate available for 'xanderwhart.us'"}
caddy-1  | {"level":"debug","ts":1738361687.4044147,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-aio-apache:11000","total_upstreams":1}
caddy-1  | {"level":"debug","ts":1738361687.405074,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-aio-apache:11000","duration":0.000631304,"request":{"remote_ip":"98.246.122.50","remote_port":"43624","client_ip":"98.246.122.50","proto":"HTTP/2.0","method":"GET","host":"cloud.xanderwhart.us","uri":"/apps/theming/img/background/jenna-kim-the-globe.webp","headers":{"Cookie":["REDACTED"],"Sec-Fetch-Site":["same-origin"],"Priority":["u=4, i"],"X-Forwarded-For":["98.246.122.50"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["image"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.xanderwhart.us"],"Accept-Language":["en-US,en;q=0.5"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.xanderwhart.us"}},"headers":{"Referrer-Policy":["no-referrer"],"Last-Modified":["Fri, 31 Jan 2025 20:28:19 GMT"],"Content-Length":["98876"],"Content-Type":["image/webp"],"Strict-Transport-Security":["max-age=31536000;"],"X-Frame-Options":["SAMEORIGIN"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Robots-Tag":["noindex, nofollow"],"Accept-Ranges":["bytes"],"Date":["Fri, 31 Jan 2025 22:14:47 GMT"],"Etag":["\"1823c-62d06621e5f59\""],"X-Content-Type-Options":["nosniff"],"X-Xss-Protection":["1; mode=block"],"Cache-Control":["max-age=15778463"]},"status":200}
caddy-1  | {"level":"warn","ts":1738361687.4059002,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","upstream":"nextcloud-aio-apache:11000","duration":0.000631304,"request":{"remote_ip":"98.246.122.50","remote_port":"43624","client_ip":"98.246.122.50","proto":"HTTP/2.0","method":"GET","host":"cloud.xanderwhart.us","uri":"/apps/theming/img/background/jenna-kim-the-globe.webp","headers":{"Cookie":["REDACTED"],"Sec-Fetch-Site":["same-origin"],"Priority":["u=4, i"],"X-Forwarded-For":["98.246.122.50"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["image"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.xanderwhart.us"],"Accept-Language":["en-US,en;q=0.5"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.xanderwhart.us"}},"error":"writing: http2: stream closed"}
caddy-1  | {"level":"debug","ts":1738361687.40595,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-aio-apache:11000","total_upstreams":1}
caddy-1  | {"level":"debug","ts":1738361687.4059675,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-aio-apache:11000","duration":0.000003567,"request":{"remote_ip":"98.246.122.50","remote_port":"43624","client_ip":"98.246.122.50","proto":"HTTP/2.0","method":"GET","host":"cloud.xanderwhart.us","uri":"/core/img/logo/logo.svg","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["image"],"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Site":["same-origin"],"Priority":["u=4, i"],"Te":["trailers"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["REDACTED"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"X-Forwarded-For":["98.246.122.50"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.xanderwhart.us"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.xanderwhart.us"}},"error":"context canceled"}
caddy-1  | {"level":"debug","ts":1738361688.2332754,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-aio-apache:11000","total_upstreams":1}
caddy-1  | {"level":"debug","ts":1738361688.2887018,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-aio-apache:11000","duration":0.055354094,"request":{"remote_ip":"98.246.122.50","remote_port":"43624","client_ip":"98.246.122.50","proto":"HTTP/2.0","method":"GET","host":"cloud.xanderwhart.us","uri":"/nextcloud/index.php/apps/files/preview-service-worker.js","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"X-Forwarded-For":["98.246.122.50"],"X-Forwarded-Host":["cloud.xanderwhart.us"],"Te":["trailers"],"Cache-Control":["no-cache"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["REDACTED"],"Sec-Fetch-Dest":["serviceworker"],"Priority":["u=4"],"Accept":["*/*"],"Service-Worker":["script"],"Pragma":["no-cache"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["same-origin"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.xanderwhart.us"}},"headers":{"X-Content-Type-Options":["nosniff"],"X-Permitted-Cross-Domain-Policies":["none"],"Cache-Control":["no-cache, no-store, must-revalidate"],"Referrer-Policy":["no-referrer"],"Set-Cookie":["REDACTED"],"X-Request-Id":["m2meOmL81LClKxM482KC"],"Content-Length":["4734"],"Content-Type":["text/html; charset=UTF-8"],"Feature-Policy":["autoplay 'self';camera 'self';fullscreen 'self' https://cloud.xanderwhart.us;geolocation 'none';microphone 'self';payment 'none'"],"Date":["Fri, 31 Jan 2025 22:14:48 GMT"],"X-Frame-Options":["SAMEORIGIN"],"X-Robots-Tag":["noindex, nofollow"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-7K5CBxai72YGXt6GFqexe5gcwE4eT7VlF84bZ+xX3fA=' blob:;script-src-elem 'strict-dynamic' 'nonce-7K5CBxai72YGXt6GFqexe5gcwE4eT7VlF84bZ+xX3fA=' blob:;style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://cloud.xanderwhart.us;font-src 'self' data:;connect-src 'self' blob: cloud.xanderwhart.us:3478 wss://cloud.xanderwhart.us;media-src 'self' blob:;frame-src 'self' nc: https://cloud.xanderwhart.us;child-src blob: 'self';frame-ancestors 'self' https://cloud.xanderwhart.us;worker-src blob: 'self';form-action 'self' https://cloud.xanderwhart.us"],"Strict-Transport-Security":["max-age=31536000;"],"X-Xss-Protection":["1; mode=block"]},"status":404}

3. Caddy version:

v2.9.1

4. How I installed and ran Caddy:

a. System environment:

  • Operating system: OpenMediaVault 7.4.16-1 (Sandworm), which is based on Debian 12 (Bookworm)
  • Architecture: x86_64
  • Docker version: 27.5.1, build 9f9e405

b. Command:

n/a

c. Service/unit/compose file:

services:
  caddy:
    image: serfriz/caddy-cloudflare-ddns-crowdsec-geoip-security-dockerproxy:2.9.1
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    environment:
      - CADDY_INGRESS_NETWORKS=caddy,nextcloud-aio
      - CADDY_DOCKER_CADDYFILE_PATH=/etc/caddy/Caddyfile
    networks:
      - caddy
      - nextcloud-aio
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./Caddyfile:/etc/caddy/Caddyfile
      #- ./site:/srv
      - caddy_data:/data
      - caddy_config:/config

networks:
  caddy:
    external: true
  nextcloud-aio:
    external: true

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

{
        debug
        dynamic_dns {
                provider cloudflare {env.CF_API_TOKEN}
                domains {
                        xanderwhart.us *
                        motley.club
                        motley.rocks *
                        spencerdub.me *
                }
        }
}


(cloudflare) {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
}

https://cloud.xanderwhart.us:443 {
        import cloudflare
        reverse_proxy nextcloud-aio-apache:11000
}

e. Nextcloud-AIO Docker Compose file:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 5050:8080
    environment:
      # - APACHE_ADDITIONAL_NETWORK=caddy
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1
      - NEXTCLOUD_DATADIR=/akhet/system/appdata/nextcloud_data
    networks:
      - caddy
      
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

networks:
  caddy:
    external: true

5. Links to relevant resources:

I am deeply grateful for all help that you can provide. Thank you.

A few things from documentation I was reading:

Use this environment variable during the initial startup of the mastercontainer to make the apache container only listen on localhost: --env APACHE_IP_BINDING=127.0.0.1. Attention: This is only recommended to be set if you use localhost in your reverse proxy config to connect to your AIO instance. If you use an ip-address instead of localhost, you should set it to 0.0.0.0

The reverse-proxy container needs to be connected to the nextcloud containers. This can be achieved one of these 3 ways:

  1. Utilize host networking instead of docker bridge networking: Specify --network host option (or network_mode: host for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. With this setup, the default sample configurations with reverse-proxy pointing to localhost:$APACHE_PORT should work directly.
  2. Connect nextcloud’s external-facing containers to the reverse-proxy’s docker network by specifying env variable APACHE_ADDITIONAL_NETWORK. With this setup, the reverse proxy can utilize Docker bridge network’s DNS name resolution to access nextcloud at http://nextcloud-aio-apache:$APACHE_PORT. :warning::warning::warning: Note, the specified network must already exist before Nextcloud AIO is started. Otherwise it will fail to start the container because the network is not existing.
  3. Connect the reverse-proxy container to the nextcloud-aio network by specifying it as a secondary (external) network for the reverse proxy container. With this setup also, the reverse proxy can utilize Docker bridge network’s DNS name resolution to access nextcloud at http://nextcloud-aio-apache:$APACHE_PORT .

I would try to change your reverse_proxy directive from nextcloud-aio-apache:11000 to localhost:11000

Thank you, I just tried this. When I did and revisited cloud.xanderwhart.us, instead of seeing the login page, I saw a blank white page. The inspector in Firefox reported an error 502.

Do you have a specific configuration for Docker’s caddy network? Can you post your new output for the Caddy logs?

Do you have a specific configuration for Docker’s caddy network?

The only configuration I’ve set is in defining the network in Caddy’s Docker Compose file:

networks:
  caddy:
    external: true

Can you post your new output for the Caddy logs?

Here are some Caddy logs after changing the reverse_proxy argument to localhost:11000. (That is a new file; it doesn’t have the millions of lines of logs I’d previously recorded.)

So this log is pretty showing of the problem.

["Wed, 05 Feb 2025 23:32:42"],"User-Agent":["COOLWSD HTTP Agent 24.04.11.2"],"If-None-Match":["6a9510773efb48dcb319801889dfb3a1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"cloud.xanderwhart.us"}},"duration":0.000526125,"status":502,"err_id":"ua8xq4vwd","err_trace":"reverseproxy.statusError (reverseproxy.go:1373)"} 

nextcloud-aio-apache:11000 should be pointing to the IP for that hostname. [::1] or 127.0.0.1 is a loopback address, so it sounds like something isn’t right in NextCloud’s configuration. Previously I read:
Use this environment variable during the initial startup of the mastercontainer to make the apache container only listen on localhost: --env APACHE_IP_BINDING=127.0.0.1. Attention: This is only recommended to be set if you use localhost in your reverse proxy config to connect to your AIO instance. If you use an ip-address instead of localhost, you should set it to 0.0.0.0


So I'm not sure if you did change this:
    environment:
      # - APACHE_ADDITIONAL_NETWORK=caddy
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=127.0.0.1

to this:

    environment:
      # - APACHE_ADDITIONAL_NETWORK=caddy
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0


So for some details: a Bad Gateway error is an HTTP status code that occurs when a server (Caddy) acting as a gateway or proxy receives an invalid or faulty response from another server in the communication chain. This error indicates a problem with the communication between the involved servers and can result in disruption of internet services.

An external network means the network is not managed by Docker Compose. That’s why I asked if you had a specific configuration. If changing the Apache IP binding didn’t work, could you list the network parameters? You should only need to do this:

docker network inspect caddy

Also, make sure to use netstat -tulnp | grep 11000 or ss -tulnp | grep 11000 to ensure that NextCloud is indeed listening.



Did you happen to see this by chance?
{"level":"error","ts":1738798353.1772404,"logger":"dynamic_dns","msg":"unable to lookup current IPs from DNS records","error":"got error status: HTTP 400: [{Code:6003 Message:Invalid request headers ErrorChain:[{Code:6111 Message:Invalid format for Authorization header}]}]"}
caddy-1  | {"level":"warn","ts":1738798353.336557,"logger":"dynamic_dns.ip_sources.simple_http","msg":"no IP found; consider disabling this IP version","type":"IPv6"}

I’m not sure if this is causing the Error 502 (Bad Gateway) problem, but just making sure you saw it.


I also saw the error:

caddy-1  | {"level":"info","ts":1738798382.5108666,"logger":"docker-proxy","msg":"Process Caddyfile","logs":"[ERROR]  Removing invalid block: parsing caddyfile tokens for 'reverse_proxy': parsing upstream 'ws://mqtt:9001': the scheme ws:// is only supported in browsers; use http:// instead, at Caddyfile:25\nmqtt.xanderwhart.us {\n\treverse_proxy ws://mqtt:9001\n}\n\n"}

Either your Caddyfile is truncated or it’s changed since your original post. Basically, it just means change ws://mqtt:9001 to http://mqtt:9001

This is an incredibly thorough response, and I appreciate you taking the time. I’m going to work through it, but I wanted to express my gratitude before I go any further and let you know I’ve seen it.

I’m gonna bounce around a little bit in my response.

1. The “caddy” network

I started using the caddy network when following configuration instructions for the caddy-docker-proxy plugin. When I went back to review the instructions for this, I realized I missed the very first line under “Basic usage example:”

$ docker network create caddy

I didn’t do that manually, as far as I know. So just now, I stopped all my containers that were connected to the caddy network, deleted the network, and then ran that command, and began bringing the containers back up.

At the time that I re-upped these containers, the relevant portion of my Caddyfile read:

https://cloud.xanderwhart.us:443 {
    import cloudflare
    reverse_proxy localhost:11000
}

This did not change anything with the Nextcloud-AIO container’s behavior: still the blank page and error 502.

Here’s what docker network inspect caddy yields:

[
    {
        "Name": "caddy",
        "Id": "aeb4aad8aa26e7a47b04daf8d35bd5f5d052e95c9e021c0ba832f546873612e2",
        "Created": "2025-02-05T20:23:38.11206548-08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.20.0.0/16",
                    "Gateway": "172.20.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "066ebae82b919b59572b3d4e82f900733cdb33570846b3ea170d5c6d2a554164": {
                "Name": "mealie",
                "EndpointID": "ec57e8c44d41ca4fced2e98a5bb01c65d01bb67146da18140c4318bc2b8387e3",
                "MacAddress": "02:42:ac:14:00:04",
                "IPv4Address": "172.20.0.4/16",
                "IPv6Address": ""
            },
            "2202a62dabcb40ffe078dec5936ec0d25ac89a9c4f09a1f098eb1a6714fee81d": {
                "Name": "navidrome",
                "EndpointID": "c34fedeb354515d45d1883c5edcb706e8f438a6f08b452f6b849633e6657c5e1",
                "MacAddress": "02:42:ac:14:00:05",
                "IPv4Address": "172.20.0.5/16",
                "IPv6Address": ""
            },
            "62c22b7566600239d529b84bfb334160c9b112ba0ff0991d9c11eea9665ee10c": {
                "Name": "nextcloud-aio-apache",
                "EndpointID": "28fff2c163b265a56ceb336648a9d98044fe095fd3f763ef79bbcd65828901b5",
                "MacAddress": "02:42:ac:14:00:08",
                "IPv4Address": "172.20.0.8/16",
                "IPv6Address": ""
            },
            "72bc3996055ac1597c72aedbaedad4f06b48787384b667407df0ae6f2f818302": {
                "Name": "calibre-web-automated",
                "EndpointID": "f6e4d5d3d8a5f7396c4b81f6c9735831ad2554315d1665218170910e9b573b7b",
                "MacAddress": "02:42:ac:14:00:03",
                "IPv4Address": "172.20.0.3/16",
                "IPv6Address": ""
            },
            "7b6278963ef45960088b97ba02ec98a84bc580e42509f48dc3df83fed00a5e01": {
                "Name": "caddy-caddy-1",
                "EndpointID": "b236fcf3fafe13865562ac2a9d32074c44ea110d7a823a3a8ae7371b80327c9e",
                "MacAddress": "02:42:ac:14:00:02",
                "IPv4Address": "172.20.0.2/16",
                "IPv6Address": ""
            },
            "9dabacd664170a4648d6015ee5e6c0bf5b8622be2b02db0f2e9d4fb81ecee646": {
                "Name": "wallabag",
                "EndpointID": "f9c202ee0577915186f55b86142dfb6967c51690623d1a88ab7735230c131285",
                "MacAddress": "02:42:ac:14:00:06",
                "IPv4Address": "172.20.0.6/16",
                "IPv6Address": ""
            },
            "f9854a22c39b76ca61391a15eafcc35cdc88f9fd9442f8a8e9c016ad71506ad3": {
                "Name": "nextcloud-aio-mastercontainer",
                "EndpointID": "8a5fd0ec4d6a98c342244c4a0ac48f0e1c44238a3ae7f14a404c935341d99163",
                "MacAddress": "02:42:ac:14:00:07",
                "IPv4Address": "172.20.0.7/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

Sure thing:

$ ss -tulnp | grep 11000
tcp   LISTEN 0      0                        127.0.0.1:11000      0.0.0.0:*    users:(("docker-proxy",pid=153889,fd=4)) 

2. Nextcloud Docker Compose configuration

Since the Nextcloud-AIO reverse proxy instructions that you highlight say that the pairings should be either:

  1. APACHE_IP_BINDING=127.0.0.1 and reverse_proxy localhost:11000; or
  2. APACHE_IP_BINDING=0.0.0.0 and reverse_proxy [IP address]

…I made these changes:

Docker Compose file for Nextcloud-AIO:

#...
    ports:
      - 5050:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - NEXTCLOUD_DATADIR=/akhet/system/appdata/nextcloud_data
    networks:
      - caddy
      
#...

networks:
  caddy:
    external: true

Caddyfile:

#...
https://cloud.xanderwhart.us:443 {
        import cloudflare
        reverse_proxy nextcloud-aio-apache:11000
}

(Just to be crystal clear, the commented ellipses (#...) are not there in the actual files, I’m just trying to indicate that these are excerpts of the relevant sections we’re talking about, not the full text of either of these files.)

This time, the Nextcloud login at https://cloud.xanderwhart.us does load—no Error 502 here. But I’m back to the same issue at the start: if I submit login credentials, the login fails with a “Temporary error. Please try again later.”

Here are, to my best effort, the logs isolated from this most recent login attempt (with reverse_proxy nextcloud-aio-apache:11000 and APACHE_IP_BINDING=0.0.0.0). I notice a couple of entries (lines 3 and 5) that end with a status 404. Clearly, I’m a pretty inexperienced home server admin, but I recognize a 404!

3. Other miscellaneous errors

Thank you. I may have had my settings for the caddy-dynamicdns module misconfigured in my Caddyfile. I’ve modified the global options block:
Caddyfile:

{
        debug
        dynamic_dns {
                provider cloudflare {env.CF_API_TOKEN}
                domains {
                        xanderwhart.us
                        motley.club
                        motley.rocks
                        spencerdub.me
                }
                versions ipv4
                dynamic_domains
        }
}

Still no change to the encountered login error.


One other piece of the puzzle. I recognize that this is a Caddy support forum and not Nextcloud, but I checked the Nextcloud logs. Seemingly corresponding with my login attempts, I see messages like this in the logs:

{"reqId":"DaMNn69qCv5nKViXjD6b","level":3,"time":"2025-02-06T06:02:54+00:00","remoteAddr":"172.20.0.2","user":"--","app":"no app in context","method":"POST","url":"/login","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0","version":"30.0.5.1","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Security/Crypto.php","line":98,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":70,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":47,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->","args":[]},{"file":"/var/www/html/lib/private/Session/CryptoWrapper.php","line":94,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->","args":[{"__class__":"OC\\Session\\Internal"},{"__class__":"OC\\Security\\Crypto"},"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/base.php","line":402,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->","args":[{"__class__":"OC\\Session\\Internal"}]},{"file":"/var/www/html/lib/base.php","line":664,"function":"initSession","class":"OC","type":"::","args":[]},{"file":"/var/www/html/lib/base.php","line":1134,"function":"init","class":"OC","type":"::","args":[]},{"file":"/var/www/html/index.php","line":22,"args":["/var/www/html/lib/base.php"],"function":"require_once"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":162,"message":"Could not decrypt or decode encrypted session data","exception":{},"CustomMessage":"Could not decrypt or decode encrypted session data"}}
{"reqId":"YIcTJ5g7rffJIMLbV8k7","level":3,"time":"2025-02-06T06:03:20+00:00","remoteAddr":"172.20.0.2","user":"--","app":"no app in context","method":"GET","url":"/nextcloud/index.php/apps/files/preview-service-worker.js","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0","version":"30.0.5.1","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Security/Crypto.php","line":98,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":70,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":47,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->","args":[]},{"file":"/var/www/html/lib/private/Session/CryptoWrapper.php","line":94,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->","args":[{"__class__":"OC\\Session\\Internal"},{"__class__":"OC\\Security\\Crypto"},"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/base.php","line":402,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->","args":[{"__class__":"OC\\Session\\Internal"}]},{"file":"/var/www/html/lib/base.php","line":664,"function":"initSession","class":"OC","type":"::","args":[]},{"file":"/var/www/html/lib/base.php","line":1134,"function":"init","class":"OC","type":"::","args":[]},{"file":"/var/www/html/index.php","line":22,"args":["/var/www/html/lib/base.php"],"function":"require_once"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":162,"message":"Could not decrypt or decode encrypted session data","exception":{},"CustomMessage":"Could not decrypt or decode encrypted session data"}}

Perhaps this is a detail that’s completely unrelated to Caddy, but I’ll share it here just in case.
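As an added example (my own code, not from the thread, Caddy or Nextcloud AIO), the script below turns the three connection options from the AIO docs quoted in the first post and the binding/upstream pairing worked out in section 2 above into a sanity check: it reads the host-published bind address for the Apache port from `ss -tulnp` output and reports whether a given reverse_proxy upstream can reach it from the proxy's network position. The ss sample is constructed to match the shape of the output posted above, and the function names are hypothetical.

```python
"""Sanity check for the reverse proxy -> Nextcloud AIO wiring discussed in the
thread. Constructed example; the function names are hypothetical and the ss
sample is made up to match the shape of the output posted above."""
import re
from typing import Optional

# Constructed sample in the same shape as `ss -tulnp | grep 11000` above:
# the AIO Apache port is published by docker-proxy on the host's loopback only.
SS_SAMPLE = """\
tcp   LISTEN 0      0      127.0.0.1:11000      0.0.0.0:*    users:(("docker-proxy",pid=153889,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:443          0.0.0.0:*    users:(("docker-proxy",pid=153901,fd=4))
tcp   LISTEN 0      4096   [::]:443             [::]:*       users:(("docker-proxy",pid=153907,fd=4))
"""

# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SS_LINE = re.compile(r"^\S+\s+LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s")

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1", "[::1]"}
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def published_bind(ss_text: str, port: int) -> Optional[str]:
    """Address the host-published port is bound to (e.g. 127.0.0.1), or None if
    nothing on the host is listening on it at all."""
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m and int(m.group("port")) == port:
            return m.group("addr")
    return None


def split_upstream(upstream: str) -> tuple:
    """'http://host:11000' / 'host:11000' -> ('host', 11000)."""
    hostport = upstream.split("://", 1)[-1]
    host, _, port = hostport.rpartition(":")
    return host, int(port)


def check_wiring(upstream: str, bind_addr: Optional[str],
                 proxy_uses_host_network: bool,
                 proxy_shares_docker_network: bool) -> str:
    """Return 'OK: ...' or 'FAIL: ...' for the upstream against the AIO docs'
    three options: (1) host networking + localhost:$APACHE_PORT,
    (2)/(3) a shared Docker network + nextcloud-aio-apache:$APACHE_PORT."""
    host, port = split_upstream(upstream)

    if host in LOOPBACK_NAMES:
        # Inside a bridge-networked container, localhost is the container's own
        # loopback, not the host's, so the published port is unreachable: 502.
        if not proxy_uses_host_network:
            return ("FAIL: localhost upstream from a bridge-networked proxy container "
                    "hits the container's own loopback; expect 502 Bad Gateway "
                    "(docs option 1 requires network_mode: host)")
        if bind_addr is None:
            return f"FAIL: nothing on the host is listening on port {port}"
        return f"OK: host-networked proxy -> host-published {bind_addr}:{port} (docs option 1)"

    if IPV4.match(host):
        # Reaching the published port by a non-loopback IP needs a wildcard
        # binding; the docs say APACHE_IP_BINDING=0.0.0.0 for this case.
        if bind_addr is None:
            return f"FAIL: nothing on the host is listening on port {port}"
        if bind_addr not in WILDCARD_BINDS:
            return (f"FAIL: port {port} is published on {bind_addr} only; set "
                    "APACHE_IP_BINDING=0.0.0.0 to reach it by IP address")
        return f"OK: IP upstream -> host-published {bind_addr}:{port}"

    # Anything else is a container name resolved by Docker's embedded DNS,
    # which only works on a network both containers are attached to
    # (APACHE_ADDITIONAL_NETWORK, or joining the nextcloud-aio network).
    # This path bypasses the host-published port, so its binding is irrelevant.
    if not proxy_shares_docker_network:
        return (f"FAIL: '{host}' will not resolve; the proxy and the AIO apache "
                "container share no Docker network (docs options 2/3)")
    return f"OK: Docker DNS resolves {host}:{port} on the shared network (docs options 2/3)"


if __name__ == "__main__":
    bind = published_bind(SS_SAMPLE, 11000)
    print("published on:", bind)
    # The two configurations tried in the thread, plus the host-network variant.
    print(check_wiring("localhost:11000", bind, False, True))
    print(check_wiring("localhost:11000", bind, True, False))
    print(check_wiring("nextcloud-aio-apache:11000", bind, False, True))
```

Run against a real host, replace SS_SAMPLE with the output of `ss -tulnp` and answer the two booleans from your compose file (network_mode: host, and whether the proxy is on the caddy or nextcloud-aio network).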

To be honest, I didn’t know about some of the things in those logs. But the HMAC error is indicating, I believe, that NextCloud is the problem, something with session management. HMAC (Hash-based Message Authentication Code) is used to ensure the integrity of session data. A mismatch means that the session data has been tampered with or corrupted.

The Caddy logs show that it’s successfully proxying requests to the Nextcloud backend (nextcloud-aio-apache:11000). The context canceled error in Caddy’s log usually indicates that the client (your browser) disconnected or the connection was interrupted before the full response was received from the upstream server (Nextcloud). This is also likely a consequence of the Nextcloud session problem.

From what I’m reading on the internet, the session data stored on the server might be corrupted. This can happen during odd restarts, file system issues, or bugs in Nextcloud. There also could be a misconfiguration in Nextcloud related to session storage or encryption keys. The file system where Nextcloud stores session data can also be an issue.

It seems some versions of NextCloud have had issues because of some config files. What version are you running?

Here’s NextCloud’s documentation on memory caching. I also found some general troubleshooting that may apply to you.

Connection closed / Operation cancelled -> This could be caused by wrong KeepAlive settings within your Apache config. Make sure that KeepAlive is set to On and also try to raise the limits of KeepAliveTimeout and MaxKeepAliveRequests.

No basic authentication headers were found -> This error is shown in your data/nextcloud.log file. Some Apache modules like mod_fastcgi, mod_fcgid or mod_proxy_fcgi are not passing the needed authentication headers to PHP and so the login to Nextcloud via WebDAV, CalDAV and CardDAV clients is failing.

If you get any headway, at least with new logs, post here and I’ll try to help.

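To make the "HMAC does not match" failure from the Nextcloud log concrete, here is an added Python model of an authenticated session blob. It is my own illustration, not Nextcloud's Crypto.php or its session format, and it leaves out the encryption layer so that only the integrity check is shown: a blob sealed under one instance secret verifies only under that same secret, so after a reset, against a different instance, or after any corruption of the bytes, the tag no longer matches and the data is rejected before it is parsed. The class and function names are hypothetical.

```python
"""Authenticated session blob: an added model of why a MAC check fails with
'HMAC does not match'. Constructed illustration; it is not Nextcloud's own
Crypto.php and omits the encryption layer so only the integrity check is shown."""
import base64
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class SessionSealer:
    """Seals and verifies session dicts under a per-instance secret
    (hypothetical name; the analogue of a server-side installation secret)."""

    def __init__(self, instance_secret: bytes):
        # Derive a dedicated MAC key rather than using the raw secret directly.
        self._mac_key = hashlib.sha256(b"session-mac|" + instance_secret).digest()

    def seal(self, session: dict) -> str:
        payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._mac_key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def open(self, blob: str) -> dict:
        raw = base64.urlsafe_b64decode(blob.encode())
        if len(raw) <= TAG_LEN:
            raise ValueError("Could not decrypt or decode encrypted session data")
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._mac_key, payload, hashlib.sha256).digest()
        # Verify before parsing: unauthenticated bytes never reach json.loads,
        # and compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC does not match.")
        return json.loads(payload)


def verify_outcome(sealer: SessionSealer, blob: str) -> str:
    """'valid' or the error message the check produces; handy for logging and tests."""
    try:
        sealer.open(blob)
        return "valid"
    except ValueError as exc:
        return str(exc)


def tamper(blob: str) -> str:
    """Flip one bit in the payload portion (simulates corruption in transit or at rest)."""
    raw = bytearray(base64.urlsafe_b64decode(blob.encode()))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


# Constructed secrets: the "old" and "new" instance each have their own.
OLD_INSTANCE = SessionSealer(b"old-instance-secret-constructed")
NEW_INSTANCE = SessionSealer(b"new-instance-secret-constructed")
SESSION = {"user_id": "admin", "login_time": 1738361687}


def demo() -> dict:
    """Seal once under the old secret, then verify under several conditions."""
    blob = OLD_INSTANCE.seal(SESSION)
    return {
        "same_secret": verify_outcome(OLD_INSTANCE, blob),
        "after_reset_or_other_instance": verify_outcome(NEW_INSTANCE, blob),
        "bit_flipped": verify_outcome(OLD_INSTANCE, tamper(blob)),
        "garbage": verify_outcome(OLD_INSTANCE, base64.urlsafe_b64encode(b"x").decode()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```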
Well, I solved the issue, but not in a way that’s particularly satisfying.

I stopped the Caddy container and followed these directions to reset the Nextcloud-AIO instance. Then I set up Nginx Proxy Manager and configured Nextcloud-AIO with that as my reverse proxy instead.

In the process, I also identified that a lot of traffic was coming to my Nextcloud instance because I had previously hosted a different Nextcloud instance at that domain, and my devices were still trying to log in. Three months ago, cloud.xanderwhart.us would have successfully pointed to a Nextcloud server in my home network—just not the one I was currently setting up. So in the process, I also hunted down the rogue devices still trying to log in and disconnected them. There was a brief period in this process where Nextcloud (new) was up, proxied by Nginx Proxy Manager and I could log in, but only briefly; I was frequently ejected and returned to the login screen.

With all that done, Nextcloud is now working properly: I can log in and do everything I’d want, and I am not spontaneously ejected.

I suspect the rogue devices were the primary issue. However, having dealt with them, I’ve also experimented with stopping Nginx Proxy Manager, starting Caddy in its place, and seeing if Caddy does the job. When I did that, I got SSL errors. Maybe Nextcloud-AIO is holding onto the SSL certificate that Nginx generated, and Caddy was using a different one?

I’m not taking a hard stance that Caddy was the issue here, and I hold out hope that one day I might be able to return to a Caddy configuration. But for now, things are working with Nginx Proxy Manager, so I’m hesitant to tinker more.

@TheRettom, thank you for all your help here. Even though I didn’t get it working in Caddy this time, I learned a lot, and really appreciate you taking the time.

For posterity, here are the configuration details for what’s working now, even though it’s for Nginx Proxy Manager and not Caddy:

Make an external network:

docker network create npm-nw

Nginx Proxy Manager Docker Compose file:

# from: https://www.howtoforge.com/how-to-install-and-use-nginx-proxy-manager/
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: npm
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP
    environment:
      # Mysql/Maria connection parameters:
      DB_MYSQL_HOST: <SENSITIVE DATA OMITTED>
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: <SENSITIVE DATA OMITTED>
      DB_MYSQL_PASSWORD: <SENSITIVE DATA OMITTED>
      DB_MYSQL_NAME: <SENSITIVE DATA OMITTED>
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - /akhet/system/appdata/letsencrypt:/etc/letsencrypt
    networks:
      - npm-nw
      - npm-internal
    depends_on:
      - db
  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: <SENSITIVE DATA OMITTED>
      MYSQL_DATABASE: <SENSITIVE DATA OMITTED>
      MYSQL_USER: <SENSITIVE DATA OMITTED>
      MYSQL_PASSWORD: <SENSITIVE DATA OMITTED>
      MARIADB_AUTO_UPGRADE: '1'
    volumes:
      - /akhet/system/appdata/nginxproxymanager/mysql:/var/lib/mysql
    networks:
      - npm-internal

networks:
  npm-internal:
  npm-nw:
    external: true

Nextcloud-AIO Docker Compose File:

services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 5050:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_ADDITIONAL_NETWORK=npm-nw
      - NEXTCLOUD_DATADIR=/akhet/system/appdata/nextcloud_data
    networks:
      - npm-nw
      
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

networks:
  npm-nw:
    external: true

Nginx Proxy Manager Proxy Settings:

  • Details Tab:
    • Domain Names: cloud.xanderwhart.us
    • Scheme: http
    • Forward Hostname/IP: nextcloud-aio-apache
    • Forward Port: 11000
    • Cache Assets: OFF
    • Block Common Exploits: ON
    • Websockets Support: ON
  • SSL Tab:
    • Generate certificate using Let’s Encrypt
    • Force SSL: ON
    • HTTP/2 Support: ON
    • HSTS Enabled: ON
    • HSTS Subdomains: OFF
  • Advanced Tab:
    • Custom Nginx Configuration: (see below)
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
proxy_no_cache 1;
proxy_cache_bypass 1;
proxy_cache off;

Again, thanks for all the help.

What SSL errors were you getting, exactly?