How to Configure HAProxy for Docker-based Nextcloud AIO

Purpose

Configure HAProxy on pfSense to terminate SSL and securely reverse-proxy public HTTPS traffic to an internal Docker Nextcloud AIO server behind your firewall.

1. HAProxy Package Installation on pfSense

On pfSense, go to:

System → Package Manager → Available Packages
Search for HAProxy and install haproxy (not haproxy-devel unless needed).

2. Create SSL Certificate (or Import)

In pfSense:

System → Certificate Manager → Certificates
Import or create an SSL certificate for your domain (example: nextcloud.mydomain.com).

3. HAProxy Settings

Go to Services → HAProxy and configure:

Global Settings

Enable HAProxy
Set the SSL/TLS cipher suite to "Intermediate" (recommended for compatibility and security)

Frontend (Public Side)

Name: frontend-https Bind address: WAN Address (or "any") Port: 443 Type: SSL Offloading (HTTPS) SSL Certificate: [Select imported Let's Encrypt or custom cert]

Actions:

Condition: Match on Host Header = nextcloud.mydomain.com
Action: Use Backend: backend-nextcloud

Optional:

Add another frontend to redirect port 80 to 443 if you want forced HTTPS

4. HAProxy Backend (Internal Docker Host)

Name: backend-nextcloud Mode: HTTP (or HTTPS if you terminate SSL at the container) Server list: Name: nextcloud-docker Address: 192.168.100.19 Port: 11000 Health Check Method: HTTP-OPTIONS

Important Backend Options:

Check "Use HTTP/1.1"
Forward host headers (preserve client IP)
Add header X-Forwarded-Proto: https

5. Nextcloud Trusted Proxy Configuration

On the Nextcloud server, we modified the trusted proxies:

sudo docker exec -it nextcloud-aio-nextcloud bash cd /var/www/html/config nano config.php

Add or verify these lines inside config.php:

'trusted_proxies' => ['192.168.100.1'], 'overwritehost' => 'nextcloud.mydomain.com', 'overwriteprotocol' => 'https', 'overwrite.cli.url' => 'https://nextcloud.mydomain.com',

Note: Replace 192.168.100.1 with your pfSense LAN IP if different.

6. Restart Docker Nextcloud Container

docker restart nextcloud-aio-nextcloud

✅ Summary

pfSense HAProxy listens on WAN 443 (HTTPS)
SSL terminated at pfSense, traffic forwarded to Docker Nextcloud Apache 11000
Client IP preserved using X-Forwarded-For headers
Nextcloud properly recognizes reverse proxy and HTTPS URL

🛠️ Additional Notes

HAProxy + pfSense reduces public attack surface on your Docker server
Remember to update SSL certificates if using Let's Encrypt (can be automated)
Use Health Checks to monitor Nextcloud availability
Backup your pfSense HAProxy config after working setup

Revision #3
Created 27 April 2025 02:52:47 by joliveira
Updated 27 April 2025 03:01:13 by joliveira