
How to Configure HAProxy for Docker-based Nextcloud AIO

Purpose

Set up HAProxy to terminate SSL and properly reverse proxy to Nextcloud AIO (Apache container on port 11000), based on our hands-on configuration today.


1. Install HAProxy on Ubuntu

bash
sudo apt update
sudo apt install haproxy -y

2. Basic HAProxy Configuration File

We edited the default HAProxy configuration at:

sudo nano /etc/haproxy/haproxy.cfg 

Global Settings:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-bind-options no-sslv3

Defaults:

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

3. Frontend Configuration

HTTP - Redirect to HTTPS:

frontend http-in
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

HTTPS - SSL Termination:

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/mydomain.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend nextcloud_backend

Replace mydomain.pem with your actual combined SSL certificate file (fullchain + private key).


4. Backend Configuration

Forward traffic internally to the Apache container at port 11000:

backend nextcloud_backend
    server nextcloud 127.0.0.1:11000 check

This points to the Nextcloud AIO Apache container's internal port 11000 (NOT the container IP, just localhost).


5. Certificates

We manually combined the certificate like this:

cat fullchain.pem privkey.pem > /etc/ssl/private/mydomain.pem 

Permissions were secured:

sudo chmod 600 /etc/ssl/private/mydomain.pem 

6. Restart and Enable HAProxy

bash
sudo systemctl restart haproxy
sudo systemctl enable haproxy
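A pre-restart check for steps 5 and 6, as an added example that is not part of the original configuration: `check_combined_pem` and `restart_haproxy_checked` are hypothetical helper names, the paths are the ones used above, and GNU `stat` and the `openssl` CLI are assumed. It confirms the combined file is owner-only and that the private key matches the first certificate, then runs HAProxy's check mode (`haproxy -c`) before restarting.

```bash
# Added example (hypothetical helpers, not from the original page).

# Return 0 only if the combined PEM is owner-only, contains a certificate
# and a private key, and the key belongs to the first (leaf) certificate.
check_combined_pem() {
    local pem="$1" mode cert_pub key_pub
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # Group- or world-readable key material defeats the chmod 600 from step 5.
    mode=$(stat -c '%a' "$pem") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "$pem has mode $mode, expected 600" >&2; return 2 ;;
    esac

    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate in $pem" >&2; return 3; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "no private key in $pem" >&2; return 4; }

    # Public key of the first certificate vs. public key derived from the
    # private key; "-passin pass:" stops openssl prompting on an encrypted key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 5
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || return 5
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate in $pem" >&2; return 5; }
}

# Run as root (the PEM is mode 600): check the PEM, validate the
# configuration in check mode, and only then restart the service.
restart_haproxy_checked() {
    check_combined_pem "${1:-/etc/ssl/private/mydomain.pem}" || return 1
    haproxy -c -f /etc/haproxy/haproxy.cfg || return 1
    systemctl restart haproxy
}
```

A failed check leaves the running HAProxy untouched, so a mismatched or truncated PEM does not take the HTTPS frontend down.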

7. Verify Setup

  • Access Nextcloud over https://yourdomain.com.
  • Check the SSL padlock in browser.
  • Test basic uploads, logins, and app features.
  • Ensure Talk/TURN works through port 3478 if configured.

✅ Summary

  • HAProxy listens on 80 and 443.
  • HTTP (80) redirected automatically to HTTPS (443).
  • SSL termination is done at HAProxy using a single .pem file.
  • Internal traffic forwards to Docker Nextcloud Apache (port 11000).