Nginx-reverseproxy and nextcloud issue

Creating network "nginx-swag_default" with the default driver
Creating reverseproxy … error

ERROR: for reverseproxy Cannot create container for service reverseproxy: invalid CapAdd: unknown capability: "CAP_NET_BIND"

ERROR: for reverseproxy Cannot create container for service reverseproxy: invalid CapAdd: unknown capability: "CAP_NET_BIND"

I have my composer like this:
version: '3.3'
services:
  reverseproxy:
    image: linuxserver/swag
    container_name: reverseproxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      - VALIDATION=http
      - URL=abyss.fi
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SUBDOMAINS=www,cc,zd
    volumes:
      - ./src/path/to/config:/config:rw
    cap_add:
      - NET_ADMIN
      - CAP_NET_BIND

Ah nvm remove that CAP_NET_BIND thing again.

The other container you could bind to 443? If so you probably still have that one around.

"docker ps -a" should list all containers
"docker rm -f <id_or_name>"

PS G:\servers\nginx-swag> docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6a4d7d1874ac linuxserver/swag "/init" 18 seconds ago Created reverseproxy
8db24f2acab2 nginx:latest "nginx -g 'daemon of…" 2 months ago Exited (0) 4 hours ago abyssnginx

PS G:\servers\nginx-swag> docker-compose up -d
Creating reverseproxy … error

ERROR: for reverseproxy Cannot start service reverseproxy: Ports are not available: listen tcp 0.0.0.0:443: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

443 is still bound by the system. But having it on 9090 and then just declaring 443 to be 9090 in the router worked. I was able to open abyss.fi in https. But now I want to open Nextcloud in https with the address cc.abyss.fi

Try adding something like this to the configuration file /path/to/config/nginx/site-confs/default

server_name cc.abyss.fi;

location / {
    proxy_pass http://<your_nextcloud_container_name>:<port>;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;   # the hop-by-hop header is "Upgrade", not "Upgraded"
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffers 64 4k;
    proxy_buffer_size 4k;
}

client_max_body_size 10G; # probably you want to transfer large files with your nextcloud

Just put it into the block that says default_server, listen 443. Remove the current location /. If you need more sites, for instance, your default_server should probably be abyss.fi or www.abyss.fi. You add more blocks very similar to the one that you will have then. Just remove the default_server part and add a different server_name.

Also, as said earlier, you need to add this container as trusted_proxy for your nextcloud instance.

## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

error_page 502 /502.html;

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 0;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/ldap.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#        auth_request /auth;
#        error_page 401 =200 /ldaplogin;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_app heimdall;
#        set $upstream_port 443;
#        set $upstream_proto https;
#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/authelia-server.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next line will enable Authelia along with the included authelia-server.conf in the server block
#        include /config/nginx/authelia-location.conf;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_app heimdall;
#        set $upstream_port 443;
#        set $upstream_proto https;
#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth


server_name cc.abyss.fi;

location / {
    proxy_pass http://<your_nextcloud_container_name>:<port>;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffers 64 4k;
    proxy_buffer_size 4k;
 }

client_max_body_size 10G; # probably you want to transfer large files with your nextcloud
proxy_cache_path cache/ keys_zone=auth_cache:10m;

This is my nextcloud.conf at the end

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
    'trusted_proxies' => ['nginx-swag'],
    'overwrite.cli.url' => 'https://cc.abyss.fi/',
    'overwritehost' => 'cc.abyss.fi',
    'overwriteprotocol' => 'https',

Does it look fine, or did I do something wrong? Also, what should the Nextcloud composer file look like and what ports should I assign?

You should put the location / block into the server block that starts with

"listen 443 ssl http2 default_server;"

And remove the location / block that’s currently in there. Put the other stuff below the location block (or somewhere else within the server block).

Looks like this now:

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name cc.abyss.fi;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 10G; # probably you want to transfer large files with your nextcloud

    location / {
        proxy_pass http://<your_nextcloud_container_name>:<port>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffers 64 4k;
        proxy_buffer_size 4k;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}

The other stuff you should keep, like

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Maybe you did, not sure. But it looks fine to me otherwise.


Gotta work now though. Hope you can figure this out. :stuck_out_tongue:

There are probably a lot of guides online on nginx reverse proxy to <insert anything you want> like nextcloud.

It was above the main block
[screenshot]

Now, composing the nextcloud. What should the composer look like so that I can open cc.abyss.fi and it opens the page?

And the 443 bind, idk, it is not an issue, I just bypass it to 9090 and back to 443.

You need to duplicate the 443 server block for every website i.e. default_server in the end should probably be the website and another block that is not default server with server_name cc.abyss.fi. But try one thing at a time I guess.

The default_server part is where it goes when you don’t have anything for a specific name so it would now default to your nextcloud. Other blocks should mostly look similar except without the default server and different names. Might need slightly different configs based on what service you are proxying to.

This actually borked.

So I moved from using nginx for the website, just to moving the whole structure into G:\servers\nginx-swag\src\path\to\config\www

So I would now need to have a solution to move the cc.abyss.fi to nextcloud page.

I don’t know what you meant, but I tried something, it just returned duplicates in the console.

Haven’t tested yet, but this would be the default file:

## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

error_page 502 /502.html;

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for geo blocking
    # See /config/nginx/geoip2.conf for more information.
    #if ($allowed_country = no) {
    #return 444;
    #}

    client_max_body_size 10G; # probably you want to transfer large files with your nextcloud

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        try_files $uri $uri/ /index.html /index.php?$args =404;
    }


    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}


server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name cc;

    client_max_body_size 10G; # probably you want to transfer large files with your nextcloud

    location / {
        proxy_pass http://nextcloud:90;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffers 64 4k;
        proxy_buffer_size 4k;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

}


# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/ldap.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#        auth_request /auth;
#        error_page 401 =200 /ldaplogin;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_app heimdall;
#        set $upstream_port 443;
#        set $upstream_proto https;
#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with Authelia
# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/authelia-server.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next line will enable Authelia along with the included authelia-server.conf in the server block
#        include /config/nginx/authelia-location.conf;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_app heimdall;
#        set $upstream_port 443;
#        set $upstream_proto https;
#        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

Not sure if it will work…

Edit:
Doesn’t work
[screenshot]

Remove default_server from the site that should not be default. Probably your nextcloud.

listen 443 ssl http2 default_server;

=>

listen 443 ssl http2;
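This reply, and the earlier one about moving the location / block inside the default_server block, come down to a few structural rules that nginx -t enforces but does not explain well. The following is an added example, not code from the thread or from the SWAG project: a small Python lint over an nginx config that checks those rules (a proxy location pasted outside any server block, default_server claimed by two server blocks on the same port, the header spelled Upgraded, and a bare server_name such as cc that only ever matches Host: cc). The sample configs, function names and host/port values are constructed for the example.

```python
"""Added example (not from the thread or SWAG): lint the nginx slips that
recur in this thread.  The parser tracks only braces, semicolons and
comments, enough for SWAG's default file; quoted strings containing { } or ;
are not handled.  Sample configs are constructed, not copied from the thread."""
import re


def parse(text):
    """Flatten a config into (path, tokens) pairs.  path is the tuple of
    enclosing blocks as (header, id), e.g. (('server', 0), ('location /', 1));
    the id tells two 'server' blocks apart."""
    text = re.sub(r'#[^\n]*', '', text)  # strip comments
    entries, stack, buf, next_id = [], [], '', 0
    for ch in text:
        if ch == '{':
            stack.append((' '.join(buf.split()), next_id))
            next_id += 1
            buf = ''
        elif ch == '}':
            if not stack:
                raise ValueError('unbalanced }')
            stack.pop()
            buf = ''
        elif ch == ';':
            tokens = buf.split()
            if tokens:
                entries.append((tuple(stack), tokens))
            buf = ''
        else:
            buf += ch
    if stack:
        raise ValueError('unbalanced {')
    return entries


def lint(text):
    """Return human-readable findings; an empty list means clean."""
    findings = []
    default_owner = {}  # port -> id of the first server block claiming default_server

    def report(msg):
        if msg not in findings:
            findings.append(msg)

    for path, tokens in parse(text):
        server_id = next((bid for name, bid in path if name == 'server'), None)
        directive, args = tokens[0], tokens[1:]
        if directive == 'proxy_pass' and server_id is None:
            report(f'proxy_pass {args[0]} is outside any server block; nginx refuses to start')
        elif directive == 'listen' and 'default_server' in args:
            port = args[0].rsplit(':', 1)[-1]  # '443' and '[::]:443' both give '443'
            owner = default_owner.setdefault(port, server_id)
            if owner != server_id:
                report(f'port {port} has default_server in more than one server block')
        elif (directive == 'proxy_set_header' and args[0].lower().startswith('upgrade')
              and args[0].lower() != 'upgrade'):
            report(f'proxy_set_header {args[0]}: the hop-by-hop header is named Upgrade')
        elif directive == 'server_name':
            for name in args:
                # an exact name like "cc" matches only "Host: cc"; a request for
                # cc.abyss.fi needs cc.* (SWAG's style) or the full name
                if name != '_' and '.' not in name:
                    report(f'server_name {name} only matches Host: {name}; use {name}.* or the full host name')
    return findings


# Constructed: the shape the replies recommend (one default, one named block)
GOOD = """
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cc.*;
    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_pass http://nextcloud:80;
    }
}
"""

# Constructed: the four slips from the thread in one file
BAD = """
server {
    listen 443 ssl http2 default_server;
    server_name _;
    location / { try_files $uri =404; }
}
server {
    listen 443 ssl http2 default_server;
    server_name cc;
    location / {
        proxy_set_header Upgraded $http_upgrade;
        proxy_pass http://nextcloud:80;
    }
}
location / { proxy_pass http://nextcloud:80; }
"""

if __name__ == '__main__':
    print(lint(GOOD))  # []
    for finding in lint(BAD):
        print(finding)
```

Run it against /config/nginx/site-confs/default before restarting the container; nginx -t inside the swag container is still the final word, the lint only names the mistakes that nginx reports tersely or not at all (a second default_server is a hard error, a bare server_name is silently accepted).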

Yea I did that;
[screenshot]

[screenshot]

Your nextcloud and swag need to be in the same docker-compose.yml for this to work.

You can ofc manually assign docker networks, but docker-compose just does it automatically for services defined in the same file.


By the looks of the screenshot “nextcloud” isn't actually the container name but “nextcloud_app_1”, but I don’t see the swag container.

When you do it with one compose file the swag container should be in the same dropdown with all the rest. You should give the “app” service in your nextcloud compose file a container_name (so it is consistent and not some generated anything, which is the url you can use) and put the service from the swag yml into there too.

I wasn’t able to add them together, it is just not able to find it…
[screenshot]

Here is the composer

version: '3.3'

volumes:
  nextcloud:

services:
  reverseproxy:
    image: linuxserver/swag
    container_name: reverseproxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "9090:443"
    environment:
      - VALIDATION=http
      - URL=abyss.fi
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SUBDOMAINS=www,cc,zd
    volumes:
      - ./src/path/to/config:/config:rw
    cap_add:
      - NET_ADMIN
  db:
    image: mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=rootpw
      - MYSQL_PASSWORD=pw
      - MYSQL_DATABASE=database
      - MYSQL_USER=name
    volumes:
      - ./mysql:/var/lib/mysql
    restart: unless-stopped

  nextcloud:
    image: nextcloud:fpm
    ports:
      - "90:80"
    volumes:
      - nextcloud:/var/www/html
      - ./app/data:/var/www/html/data
      - ./app/config:/var/www/html/config
    restart: unless-stopped

  cron:
    image: rcdailey/nextcloud-cronjob
    environment:
      - NEXTCLOUD_CRON_MINUTE_INTERVAL=15
      - NEXTCLOUD_CONTAINER_NAME=nextcloud
      - NEXTCLOUD_PROJECT_NAME=nextcloudp
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always

Add

container_name: nextcloud

To the nextcloud service. You have an environment variable in that cron config that appears to look for it by that name.

I don’t know:

cron_1 | ERROR: Unable to find the Nextcloud container

is still coming up in the console.

[screenshot]

Also I checked cc.abyss.fi; it didn’t work. It still showed the main page of abyss.fi.

Hm well before it was nextcloud_app_1.

It says here https://github.com/rcdailey/nextcloud-cronjob

  • NEXTCLOUD_CONTAINER_NAME
    Required. This is the name of the running Nextcloud container (or the service, if NEXTCLOUD_PROJECT_NAME is specified).

So remove NEXTCLOUD_PROJECT_NAME=nextcloudp and it should find it hopefully.
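Both this reply and the earlier one about putting swag and nextcloud into the same docker-compose.yml hinge on what name a container actually gets and which names docker's embedded DNS will resolve. The following is an added example, not code from the thread or from the nextcloud-cronjob project: a Python model of compose v1 naming (project_service_1, as the thread's nextcloud_app_1 shows) that checks whether the hostname in proxy_pass resolves from inside swag's network and whether NEXTCLOUD_CONTAINER_NAME would be found under the README rule quoted above. The compose dict mirrors the thread's file but is constructed here; that the project name must also match when NEXTCLOUD_PROJECT_NAME is set is an assumption of the model, and the function names are the example's own.

```python
"""Added example (not from the thread or the nextcloud-cronjob project):
model docker-compose v1 container naming and embedded-DNS resolution, then
check the two cross-references this thread trips over.  The compose data is
constructed to mirror the thread's file, not parsed from it."""
import copy

# Constructed: the combined file from the thread, as a dict.  Compose v1 takes
# the project name from the directory, here G:\servers\nginx-swag.
PROJECT = 'nginx-swag'
COMPOSE = {'services': {
    'reverseproxy': {'image': 'linuxserver/swag', 'container_name': 'reverseproxy'},
    'db': {'image': 'mariadb'},
    'nextcloud': {'image': 'nextcloud:fpm'},              # no container_name yet
    'cron': {'image': 'rcdailey/nextcloud-cronjob',
             'environment': ['NEXTCLOUD_CRON_MINUTE_INTERVAL=15',
                             'NEXTCLOUD_CONTAINER_NAME=nextcloud',
                             'NEXTCLOUD_PROJECT_NAME=nextcloudp']},
}}
# Constructed: swag on its own, i.e. the two-file layout the thread started with
SWAG_ONLY = {'services': {'reverseproxy': COMPOSE['services']['reverseproxy']}}


def container_name(project, service, spec):
    """Docker name of a service's container: container_name if set, otherwise
    compose v1's generated <project>_<service>_1 (the thread's nextcloud_app_1)."""
    return spec.get('container_name', f'{project}_{service}_1')


def dns_names(compose, project):
    """Hostnames docker's embedded DNS resolves on the project's default network:
    each service name (compose adds it as a network alias) and each container
    name.  Containers from another compose project sit on another network and
    are absent, which is why a separate nextcloud file was "not able to find it"."""
    names = set()
    for service, spec in compose['services'].items():
        names.add(service)
        names.add(container_name(project, service, spec))
    return names


def unresolved_upstreams(compose, project, hosts):
    """proxy_pass hostnames that swag could not resolve from inside this project."""
    return sorted(h for h in hosts if h not in dns_names(compose, project))


def cron_finds_nextcloud(compose, project):
    """Apply the nextcloud-cronjob README rule quoted in the thread:
    NEXTCLOUD_CONTAINER_NAME is a container name, or a service name when
    NEXTCLOUD_PROJECT_NAME is set.  Assumption: in the latter case the project
    name must also match the running project."""
    env = dict(e.split('=', 1) for e in compose['services']['cron']['environment'])
    target = env['NEXTCLOUD_CONTAINER_NAME']
    if 'NEXTCLOUD_PROJECT_NAME' in env:
        return env['NEXTCLOUD_PROJECT_NAME'] == project and target in compose['services']
    return target in {container_name(project, s, spec)
                      for s, spec in compose['services'].items()}


def with_fixes(compose):
    """The two changes the replies suggest: give the nextcloud service a fixed
    container_name and drop the mismatched NEXTCLOUD_PROJECT_NAME."""
    fixed = copy.deepcopy(compose)
    fixed['services']['nextcloud']['container_name'] = 'nextcloud'
    env = fixed['services']['cron']['environment']
    fixed['services']['cron']['environment'] = [
        e for e in env if not e.startswith('NEXTCLOUD_PROJECT_NAME=')]
    return fixed


if __name__ == '__main__':
    print(unresolved_upstreams(SWAG_ONLY, PROJECT, ['nextcloud']))  # ['nextcloud']
    print(unresolved_upstreams(COMPOSE, PROJECT, ['nextcloud']))    # []
    print(cron_finds_nextcloud(COMPOSE, PROJECT))                   # False
    print(cron_finds_nextcloud(with_fixes(COMPOSE), PROJECT))       # True
```

The model talks to no docker daemon; it only makes the naming rules explicit. The real check on a running host is docker ps, whose NAMES column is what both proxy_pass (via DNS) and NEXTCLOUD_CONTAINER_NAME must agree with.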

[screenshot]

I even capitalized the N, but still nothing.