Setup with Nextcloud-all-in-one

Caddy Reverse Proxy Issue with Nextcloud All-in-One

1. The Problem I’m Having

I am trying to set up Caddy as a reverse proxy for Nextcloud All-in-One (AIO). However, I am encountering a “connection refused” error.

  • I can access the Nextcloud AIO container directly via my server’s IP and port, from which I was able to download the other Nextcloud containers.
  • Other services are successfully proxied through Caddy without issues.
  • The problem seems to be specific to proxying the Nextcloud AIO container.

2. Error Messages and Full Log Output

Here is the error log from Caddy:

{"level":"debug","ts":1740318299.1760828,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"146.70.99.219","remote_port":"37363","subjects":["ncaio.datanotch.website"],"managed":true,"expiration":1747857216,"hash":"598237a32531d1c14f19a557e0dc70969d06d58d1e1f3851d4343257080e8941"}
{"level":"debug","ts":1740318299.4637141,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-aio-mastercontainer:11000","total_upstreams":1}
{"level":"debug","ts":1740318299.466965,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-aio-mastercontainer:11000","duration":0.002803152,"request":{"remote_ip":"146.70.99.219","remote_port":"37363","client_ip":"146.70.99.219","proto":"HTTP/2.0","method":"GET","host":"ncaio.datanotch.website","uri":"/","headers":{"Cache-Control":["max-age=0"],"Sec-Fetch-Site":["cross-site"],"Sec-Ch-Ua":["\"Not(A:Brand\";v=\"99\", \"Brave\";v=\"133\", \"Chromium\";v=\"133\""],"X-Forwarded-Host":["ncaio.datanotch.website"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"X-Forwarded-For":["146.70.99.219"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=0, i"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Upgrade-Insecure-Requests":["1"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Gpc":["1"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"ncaio.datanotch.website"}},"error":"dial tcp 172.21.0.3:11000: connect: connection refused"}
{"level":"error","ts":1740318299.467332,"logger":"http.log.error","msg":"dial tcp 172.21.0.3:11000: connect: connection refused","request":{"remote_ip":"146.70.99.219","remote_port":"37363","client_ip":"146.70.99.219","proto":"HTTP/2.0","method":"GET","host":"ncaio.datanotch.website","uri":"/","headers":{"Sec-Fetch-Site":["cross-site"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Gpc":["1"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Dest":["document"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua":["\"Not(A:Brand\";v=\"99\", \"Brave\";v=\"133\", \"Chromium\";v=\"133\""],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=0, i"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"ncaio.datanotch.website"}},"duration":0.003587865,"status":502,"err_id":"uyij28cys","err_trace":"reverseproxy.statusError (reverseproxy.go:1373)"}

Caddy Version

I am running Caddy v2.9.1 (v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=).

How I Installed and Ran Caddy

Dockerfile for Custom Caddy Image

FROM caddy:builder AS builder

RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/caddy-dns/cloudflare

FROM caddy:alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
CMD ["caddy", "docker-proxy"]

Docker Compose for Caddy

services:
  caddy:
    image: caddy-image:1  # Custom Caddy image
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile  # Optional: Static Caddyfile
      - ./certs:/certs                    # Volume for certificates
      - ./config:/config                  # Volume for Caddy configuration
      - ./data:/data                      # Volume for Caddy data
      - ./sites:/srv                      # Volume for serving static files
      - /var/run/docker.sock:/var/run/docker.sock:ro  # Required for caddy-docker-proxy
    environment:
      - CADDY_DOCKER_PROXY_NETWORK=caddy_network  # Specify the network for caddy-docker-proxy
    networks:
      - caddy_network

networks:
  caddy_network:
    driver: bridge
    name: caddy_network
    external: true

Docker Compose for Nextcloud AIO

services:
  nextcloud:
    image: nextcloud/all-in-one:latest
    restart: unless-stopped
    container_name: nextcloud-aio-mastercontainer
    ports:
      - "8081:8080"
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - SKIP_DOMAIN_VALIDATION=false
      - NEXTCLOUD_UPLOAD_LIMIT=20G
      - NEXTCLOUD_MAX_TIME=3000
      - NEXTCLOUD_MEMORY_LIMIT=2024M
      - TALK_PORT=3478
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - caddy_network

networks:
  caddy_network:
    external: true
    name: caddy_network

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

Complete Caddy Configuration

Here is my Caddyfile:

{
        debug
        email xxxxxxxxxxxxxxxxxxx
        acme_ca https://acme-v02.api.letsencrypt.org/directory
        acme_dns cloudflare xxxxxxxxxxxxxxxxxxxxxxxxx
        default_sni datanotch.website
}

*.datanotch.website {
        tls {
                dns cloudflare xxxxxxxxxxxxxxxxxxxx
        }
}
https://caddy.datanotch.website:443 {
        respond "Hello, world!"
}

https://upk.datanotch.website:443 {
        reverse_proxy uptime-kuma:3001
}

https://ncaio.datanotch.website:443 {
        reverse_proxy nextcloud-aio-mastercontainer:11000
}

Additional Information

The error dial tcp 172.21.0.3:11000: connect: connection refused suggests that Caddy cannot reach the Nextcloud AIO container at nextcloud-aio-mastercontainer:11000. I have modified the nextcloud-aio block of my Caddyfile like this:

https://ncaio.datanotch.website:443 {
        reverse_proxy nextcloud-aio-apache:11000
}

and

https://ncaio.datanotch.website:443 {
        reverse_proxy nextcloud-aio-mastercontainer:8081
}

and

https://ncaio.datanotch.website:443 {
        reverse_proxy nextcloud-aio-apache:8081
}

None of them worked; I got either a timeout error or a connection refused error.

https://ncaio.datanotch.website:443 {
        reverse_proxy nextcloud-aio-mastercontainer:11000
}

In case you didn’t know, listing https://ncaio.datanotch.website:443 is redundant. Caddy’s Caddyfile automatically uses the site block’s domain alone to do HTTPS. The exception is when you use http://. There are other instances listed here.


Nextcloud is using port 11000 by default to serve the Apache server. That server allows all the containers for each Nextcloud service to be accessed. Nextcloud is using port 8080 in the AIO container for the AIO interface. This is what you are having trouble accessing.

You need to leave your Caddyfile as is to access the actual Nextcloud service. However, if you want to access the AIO interface publicly, you need to explicitly have a separate site block for Nextcloud’s AIO container. That would look like this:

https://ncaio.datanotch.website:8443 {
    reverse_proxy localhost:8081 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

Listing port 8443 in the site block is for public access (outside local network). You could optionally use a different subdomain.


Because you published port 8081 for Nextcloud’s port 8080, this is what should be used to access the AIO interface with Nextcloud’s self-signed certificate. You should not need to reverse_proxy this unless doing the above example. After starting AIO, you should be able to access the AIO Interface via https://ip.address.of.the.host:8080. There is an option in there to validate a domain that you have configured, which would be ncaio.datanotch.website. If you do that, you could then access the AIO container with that domain name instead of an IP address.

Nextcloud’s Docker Compose example lists a few details with each compose.yaml option.

Thanks for your response. I adjusted my Caddyfile with the following configuration:

https://ncaio.datanotch.website:8443 {
    reverse_proxy nextcloud-aio-mastercontainer:11000 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

After making this change, Nextcloud now loads a blank page, and there are no errors in the logs.

My sincere apologies, I missed the notification to your reply.

I’ve moved away from Nextcloud for various reasons, but I’m not entirely sure why there would be no indication in Caddy’s log of the improper loading, unless it was Nextcloud being the source of the problem after Caddy sends back the information.

If you’re trying to access the AIO interface, then my previous Caddyfile would be correct. If you’re trying to access Nextcloud directly (Apache server), then you would have your Caddyfile as this:

https://ncaio.datanotch.website:443 {
        reverse_proxy nextcloud-aio-mastercontainer:11000
}

https://ncaio.datanotch.website:8443 {
    reverse_proxy localhost:8081 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

To reiterate, the site block with the port suffix of 8443 and the localhost reverse proxy is for the AIO interface. That’s fine to run with Nextcloud’s own certificate that it provides, which is the reason for transport http { tls_insecure_skip_verify }. Nextcloud as a file server is accessed through the Nextcloud Apache container through port 11000.
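
An added example, not part of the thread and not code from Caddy or Nextcloud: a short Python script that reads Caddy debug log lines in the JSON format posted above and reports, per upstream, why the dial failed. The sample lines are constructed and trimmed to the relevant fields; the hostname ncaio.example.test, the address 172.21.0.4 and the wording of the hints are assumptions.

```python
import json

# Constructed sample: trimmed copies of the log shape shown in the thread,
# plus one timeout entry and one non-JSON line to exercise the parser.
SAMPLE_LOG = """\
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-aio-mastercontainer:11000","total_upstreams":1}
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-aio-mastercontainer:11000","request":{"host":"ncaio.example.test","uri":"/"},"error":"dial tcp 172.21.0.3:11000: connect: connection refused"}
{"level":"error","logger":"http.log.error","msg":"dial tcp 172.21.0.3:11000: connect: connection refused","request":{"host":"ncaio.example.test","uri":"/"},"status":502}
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-aio-apache:8081","request":{"host":"ncaio.example.test","uri":"/"},"error":"dial tcp 172.21.0.4:8081: i/o timeout"}
not json
"""

# Substring of the Go dial error -> (short label, what it tells you).
CAUSES = [
    ("connection refused", "refused",
     "name resolved and the container answered, but nothing listens on that "
     "port inside it; check the container port, not the published host port"),
    ("i/o timeout", "timeout",
     "no answer to the connection attempt; the address is not reachable "
     "from Caddy's network or packets are dropped"),
    ("no such host", "dns",
     "the upstream name does not resolve on any network Caddy is attached to"),
]

def classify(error):
    """Map a reverse_proxy dial error string to a (label, hint) pair."""
    for needle, label, hint in CAUSES:
        if needle in error:
            return label, hint
    return "other", ""

def failed_upstreams(log_text):
    """Return one record per failed upstream roundtrip in a Caddy JSON log."""
    records = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip anything that is not a JSON log line
        if not isinstance(entry, dict):
            continue
        if entry.get("logger") != "http.handlers.reverse_proxy" or "error" not in entry:
            continue  # http.log.error repeats the same failure; count it once
        label, hint = classify(entry["error"])
        records.append({"site": entry.get("request", {}).get("host"),
                        "upstream": entry.get("upstream"),
                        "cause": label, "hint": hint})
    return records

if __name__ == "__main__":
    for rec in failed_upstreams(SAMPLE_LOG):
        print(f'{rec["site"]} -> {rec["upstream"]}: {rec["cause"]} ({rec["hint"]})')
```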