How to Configure HAProxy for Docker-based Nextcloud AIO

Purpose

~~Configure~~Set up HAProxy to ~~act~~terminate asSSL aand ~~secure~~properly reverse proxy ~~for~~to ~~services like~~ Nextcloud AIO ~~inside~~(Apache ~~Docker~~container ~~containers.~~on port 11000), based on our hands-on configuration today.

1. Install HAProxy on Ubuntu

sudo apt update sudo apt install haproxy -y

2. Edit theBasic HAProxy Configuration File

~~Open~~We ~~and edit~~edited the default HAProxy ~~config~~configuration ~~file:~~at:

sudo nano /etc/haproxy/haproxy.cfg

~~Add~~

Global orSettings:

~~modify~~

global thelog following:
/dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s user haproxy group haproxy daemon ca-base /etc/ssl/certs crt-base /etc/ssl/private ssl-default-bind-ciphers PROFILE=SYSTEM ssl-default-bind-options no-sslv3

Defaults:

defaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http

3. Frontend Configuration

HTTP - Redirect to HTTPS:

frontend https_fronthttp-in bind *:80 redirect scheme https code 301 if !{ ssl_fc }

HTTPS - SSL Termination:

frontend https-in bind *:443 ssl crt /etc/ssl/private/my-certificate.mydomain.pem mode http option forwardfor optionhttp-request http-server-closeset-header X-Forwarded-Proto https if { ssl_fc } default_backend nextcloud_backend

Replace `mydomain.pem` with your actual SSL combined certificate (fullchain + private key).

4. Backend Configuration

Forward traffic internally to the Apache container at port 11000:

backend nextcloud_backend mode http server nextcloud 127.0.0.1:11000 check

~~Adjust~~This ~~the certificate path and internal ports~~points to ~~match your deployment. 11000 is used by~~ Nextcloud AIO Apache container's internal port 11000 (NOT container byIP, ~~default.~~just localhost).

3. Obtain and Place5. Certificates

~~Use~~We ~~Let's~~manually ~~Encrypt~~combined orthe ~~your~~certificate ~~internal~~like ~~CA to generate certificates. Combine fullchain and private key into a single .pem file:~~this:

cat fullchain.pem privkey.pem > /etc/ssl/private/my-certificate.mydomain.pem

~~Make~~Permissions ~~sure~~were ~~permissions are secure:~~secured:

sudo chmod 600 /etc/ssl/private/my-certificate.mydomain.pem

4.6. Restart and Enable HAProxy

sudo systemctl restart haproxy

~~Check that it’s running:~~

sudo systemctl statusenable haproxy

5.7. Verify AccessSetup

~~Access your Nextcloud instance over HTTPS and verify the secure connection works:~~

Access Nextcloud over https://yourdomain.com.

Check ~~browser~~the ~~padlock.~~SSL padlock in browser.

Test basic uploads, logins, and app features.
Ensure ~~your~~Talk/TURN ~~Nextcloud~~works ~~instance~~through ~~shows~~port ~~HTTPS~~3478 ~~correctly~~if ~~in "Settings > Overview".~~configured.

✅ Summary

HAProxy ~~terminates~~listens ~~SSL~~on at80 ~~the~~and ~~proxy.~~443.
~~Certificates must be correctly formatted~~HTTP (~~.pem~~80) ~~combined~~redirected ~~file)~~automatically to HTTPS (443).
~~Forward~~SSL termination is done at HAProxy using a single .pem file.

Internal traffic ~~internally~~forwards to Docker ~~containers~~Nextcloud ~~using private ports~~Apache (~~e.g.,~~port ~~11000 for Nextcloud AIO Apache)~~11000).
~~Secure permissions on certificates to avoid access issues.~~

~~After updates to HAProxy config or certificates, restart the service.~~