How to Configure HAProxy for Docker-based Nextcloud AIO

Purpose

Configure HAProxy on pfSense to terminate SSL and securely reverse-proxy public HTTPS traffic to an internal Docker Nextcloud AIO server behind your firewall.


1. HAProxy Package Installation on pfSense

On pfSense, go to:

  • System → Package Manager → Available Packages
  • Search for HAProxy and install haproxy (not haproxy-devel unless needed).

2. Create SSL Certificate (or Import)

In pfSense:

  • System → Certificate Manager → Certificates
  • Import or create an SSL certificate for your domain (example: nextcloud.mydomain.com).

3. HAProxy Settings

Go to Services → HAProxy and configure:

Global Settings

  • Enable HAProxy
  • Set the SSL/TLS cipher suite to "Intermediate" (recommended for compatibility and security)

Frontend (Public Side)

  • Name: frontend-https
  • Bind address: WAN Address (or "any")
  • Port: 443
  • Type: SSL Offloading (HTTPS)
  • SSL Certificate: [select the imported Let's Encrypt or custom certificate]

Actions:

  • Condition: Match on Host Header = nextcloud.mydomain.com
  • Action: Use Backend: backend-nextcloud

Optional:

  • Add a second frontend on port 80 that redirects to 443 if you want to force HTTPS

4. HAProxy Backend (Internal Docker Host)

  • Name: backend-nextcloud
  • Mode: HTTP (or HTTPS if you terminate SSL at the container)
  • Server list: one server with Name nextcloud-docker, Address 192.168.100.19, Port 11000
  • Health Check Method: HTTP-OPTIONS

Important Backend Options:

  • Check "Use HTTP/1.1"
  • Forward the Host header and the client IP (X-Forwarded-For)
  • Add header X-Forwarded-Proto: https

5. Nextcloud Trusted Proxy Configuration

On the Nextcloud server, open config.php inside the Nextcloud AIO container to set the trusted proxies:

  sudo docker exec -it nextcloud-aio-nextcloud bash
  cd /var/www/html/config
  nano config.php

Add or verify these lines inside config.php:

  'trusted_proxies' => ['192.168.100.1'],
  'overwritehost' => 'nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',

Note: Replace 192.168.100.1 with your pfSense LAN IP if different.
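The decision that 'trusted_proxies' drives, as an added example (not Nextcloud's own code, and simplified from it): X-Forwarded-For is honoured only when the connecting peer is the listed pfSense address, so a request that reaches the container directly keeps its socket address. It assumes headers arrive as a plain dict with the exact key "X-Forwarded-For".

```python
import ipaddress

# Constructed values mirroring the guide: the pfSense LAN address from
# 'trusted_proxies' in config.php and the header HAProxy uses for the client IP.
TRUSTED_PROXIES = ["192.168.100.1"]
FORWARDED_FOR_HEADER = "X-Forwarded-For"


def is_trusted_proxy(peer_ip, trusted):
    """True if the TCP peer is listed in trusted_proxies (single IPs or CIDR ranges)."""
    addr = ipaddress.ip_address(peer_ip)
    for entry in trusted:
        # A bare address such as "192.168.100.1" becomes a /32 (or /128) network.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address the application should log and rate-limit on.

    X-Forwarded-For is honoured only when the connection arrives from a trusted
    proxy. A client that reaches the container directly keeps its socket address,
    so it cannot choose its own identity by sending the header itself.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    for candidate in headers.get(FORWARDED_FOR_HEADER, "").split(","):
        candidate = candidate.strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # not a valid address, try the next list entry
    return peer_ip  # trusted proxy but no usable header value


if __name__ == "__main__":
    # Constructed requests: one via pfSense, one from another LAN host bypassing it.
    via_proxy = resolve_client_ip("192.168.100.1", {"X-Forwarded-For": "203.0.113.7"})
    direct = resolve_client_ip("192.168.100.42", {"X-Forwarded-For": "203.0.113.7"})
    print("via pfSense ->", via_proxy)  # 203.0.113.7 (real client)
    print("direct      ->", direct)     # 192.168.100.42 (header ignored)
```

If pfSense is missing from the list, every request is attributed to 192.168.100.1 and Nextcloud's brute-force throttling applies to all users at once; if the list is wider than the proxy, hosts in that range can set the header themselves.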


6. Restart Docker Nextcloud Container

docker restart nextcloud-aio-nextcloud 

✅ Summary

  • pfSense HAProxy listens on WAN 443 (HTTPS)
  • SSL terminated at pfSense, traffic forwarded to the Nextcloud AIO Apache container on port 11000
  • Client IP preserved using X-Forwarded-For headers
  • Nextcloud properly recognizes reverse proxy and HTTPS URL

🛠️ Additional Notes

  • HAProxy on pfSense reduces the public attack surface: only pfSense is exposed on 443, and the Docker host is never reachable directly from the internet
  • Remember to update SSL certificates if using Let's Encrypt (can be automated)
  • Use Health Checks to monitor Nextcloud availability
  • Back up your pfSense HAProxy configuration once the setup is working