# How to Configure HAProxy for Docker-based Nextcloud AIO

## Purpose

Configure **HAProxy on pfSense** to terminate SSL and securely reverse-proxy public HTTPS traffic to an internal **Docker Nextcloud AIO server** behind your firewall.

---

## 1. HAProxy Package Installation on pfSense

On pfSense, go to:

- **System → Package Manager → Available Packages**
- Search for **HAProxy** and install `haproxy` (not haproxy-devel unless needed).

---

## 2. Create SSL Certificate (or Import)

In pfSense:

- **System → Certificate Manager → Certificates**
- Import or create an SSL certificate for your domain (example: `nextcloud.mydomain.com`).

---

## 3. HAProxy Settings

Go to **Services → HAProxy** and configure:

### Global Settings

- Enable HAProxy
- Set the SSL/TLS cipher suite to "Intermediate" (recommended for compatibility and security)

### Frontend (Public Side)

```
Name: frontend-https
Bind address: WAN Address (or "any")
Port: 443
Type: SSL Offloading (HTTPS)
SSL Certificate: [Select imported Let's Encrypt or custom cert]
```

### Actions:

- **Condition:** Match on `Host Header` = `nextcloud.mydomain.com`
- **Action:** Use Backend: `backend-nextcloud`

### Optional:

- Add another frontend to redirect port 80 to 443 if you want forced HTTPS

---

## 4. HAProxy Backend (Internal Docker Host)

```
Name: backend-nextcloud
Mode: HTTP (or HTTPS if you terminate SSL at the container)
Server list:
  Name: nextcloud-docker
  Address: 192.168.100.19
  Port: 11000
Health Check Method: HTTP-OPTIONS
```

### Important Backend Options:

- **Check "Use HTTP/1.1"**
- **Forward the Host header and preserve the client IP (X-Forwarded-For)**
- **Add header X-Forwarded-Proto: https**

---

## 5. Nextcloud Trusted Proxy Configuration

On the Nextcloud server, open `config.php` inside the container to set the trusted proxies:

```
sudo docker exec -it nextcloud-aio-nextcloud bash
cd /var/www/html/config
nano config.php
```

Add or verify these lines inside `config.php`:

```
'trusted_proxies' => ['192.168.100.1'],
'overwritehost' => 'nextcloud.mydomain.com',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
```

> *Note: Replace `192.168.100.1` with your pfSense LAN IP if different.*
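
A consistency check for the settings above, as an added example (not part of the original guide or of Nextcloud): it reads the text of `config.php` and reports entries that disagree with the proxy setup described here. The function names are hypothetical, the sample config is constructed from this guide's values, and the regex parsing assumes the simple quoted-string layout shown above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the config.php fragment from this guide.
SAMPLE_CONFIG = """
  'trusted_proxies' => ['192.168.100.1'],
  'overwritehost' => 'nextcloud.mydomain.com',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://nextcloud.mydomain.com',
"""

def _scalar(text, key):
    """Return the quoted string assigned to key, or None if absent."""
    m = re.search(r"'%s'\s*=>\s*'([^']*)'" % re.escape(key), text)
    return m.group(1) if m else None

def _proxies(text):
    """Return trusted_proxies entries ([...] or array (...) syntax)."""
    m = re.search(r"'trusted_proxies'\s*=>\s*(?:\[|array\s*\()(.*?)(?:\]|\))", text, re.S)
    return re.findall(r"'([^']+)'", m.group(1)) if m else []

def audit_config(text, proxy_ip, public_host):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    addr = ipaddress.ip_address(proxy_ip)
    covered = False
    for entry in _proxies(text):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"trusted_proxies: {entry!r} is not an IP or CIDR")
            continue
        covered = covered or addr in net
        # A range wider than one host lets any machine in it supply X-Forwarded-For.
        if net.num_addresses > 1:
            findings.append(f"trusted_proxies: {entry} trusts {net.num_addresses} hosts")
    if not covered:
        findings.append(f"trusted_proxies: {proxy_ip} not listed")
    if _scalar(text, "overwriteprotocol") != "https":
        findings.append("overwriteprotocol: expected 'https'")
    if _scalar(text, "overwritehost") != public_host:
        findings.append(f"overwritehost: expected {public_host!r}")
    url = urlparse(_scalar(text, "overwrite.cli.url") or "")
    if (url.scheme, url.hostname) != ("https", public_host):
        findings.append(f"overwrite.cli.url: expected https://{public_host}")
    return findings
```

Pass it the contents of `config.php` together with your pfSense LAN IP and public hostname; an empty list means the four settings agree.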

---

## 6. Restart Docker Nextcloud Container

```
docker restart nextcloud-aio-nextcloud 
```

---

## ✅ Summary

- pfSense HAProxy listens on WAN 443 (HTTPS)
- SSL is terminated at pfSense and traffic is forwarded to the Docker Nextcloud Apache port 11000
- Client IP preserved using X-Forwarded-For headers
- Nextcloud properly recognizes reverse proxy and HTTPS URL

---

## 🛠️ Additional Notes

- HAProxy + pfSense reduces public attack surface on your Docker server
- Remember to update SSL certificates if using Let's Encrypt (can be automated)
- Use Health Checks to monitor Nextcloud availability
- Back up your pfSense HAProxy config once the setup is working