
How to Configure HAProxy for Docker-based Nextcloud AIO

Purpose

Configure HAProxy on pfSense to terminate SSL and securely reverse-proxy public HTTPS traffic to an internal Docker Nextcloud AIO server (the Apache container listening on port 11000) behind your firewall.


1. HAProxy Package Installation on pfSense

On pfSense, go to System → Package Manager → Available Packages. Search for HAProxy and install haproxy (not haproxy-devel unless needed).

2. Create SSL Certificate (or Import)

In pfSense, go to System → Certificate Manager → Certificates. Import or create an SSL certificate for your domain (example: nextcloud.mydomain.com).

3. HAProxy Settings

Go to Services → HAProxy and configure:

Global Settings

  • Enable HAProxy
  • Set the SSL/TLS cipher suite to "Intermediate" (recommended for compatibility and security)

Frontend (Public Side)

  • Name: frontend-https
  • Bind address: WAN Address (or "any")
  • Port: 443
  • Type: SSL Offloading (HTTPS)
  • SSL Certificate: select the imported Let's Encrypt or custom certificate

Actions:

  • Condition: Match on Host Header = nextcloud.mydomain.com
  • Action: Use Backend: backend-nextcloud

Optional: add another frontend to redirect port 80 to 443 if you want forced HTTPS.

4. HAProxy Backend (Internal Docker Host)

  • Name: backend-nextcloud
  • Mode: HTTP (or HTTPS if you terminate SSL at the container)
  • Server list: Name: nextcloud-docker, Address: 192.168.100.19, Port: 11000
  • Health Check Method: HTTP-OPTIONS

Important Backend Options:

  • Check "Use HTTP/1.1"
  • Forward host headers (preserve client IP)
  • Add header X-Forwarded-Proto: https

5. Nextcloud Trusted Proxy Configuration

On the Nextcloud server, we modified the trusted proxies:

    sudo docker exec -it nextcloud-aio-nextcloud bash
    cd /var/www/html/config
    nano config.php

Add or verify these lines inside config.php:

    'trusted_proxies' => ['192.168.100.1'],
    'overwritehost' => 'nextcloud.mydomain.com',
    'overwriteprotocol' => 'https',
    'overwrite.cli.url' => 'https://nextcloud.mydomain.com',

Note: Replace 192.168.100.1 with your pfSense LAN IP if different.

6. Restart Docker Nextcloud Container

    sudo docker restart nextcloud-aio-nextcloud
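As an added example (not code from this guide and not Nextcloud's own implementation), the following Python models why trusted_proxies must name the pfSense LAN address: X-Forwarded-For and X-Forwarded-Proto are honoured only when the TCP peer is a listed proxy, and the chain is walked from the right so a client-supplied value cannot override what the proxy appended. The addresses 192.168.100.1, 203.0.113.7, 192.168.100.50 and 9.9.9.9 are constructed sample values.

```python
import ipaddress

# Constructed to mirror the guide: the pfSense LAN address is the only trusted proxy.
TRUSTED_PROXIES = ["192.168.100.1"]


def is_trusted_proxy(ip, trusted):
    """True if ip equals a trusted address or falls inside a trusted CIDR."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for entry in trusted:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # skip malformed config entries rather than trusting them
    return False


def resolve_client(remote_addr, headers, conn_scheme="http", trusted=None):
    """Decide which client IP and scheme the application should believe.

    Model, not Nextcloud's own code: forwarded headers count only when the
    TCP peer (remote_addr) is a trusted proxy, because anyone who can reach
    the app port directly can send X-Forwarded-* headers of their choosing.
    """
    trusted = TRUSTED_PROXIES if trusted is None else trusted
    if not is_trusted_proxy(remote_addr, trusted):
        return {"client_ip": remote_addr, "scheme": conn_scheme, "forwarded": False}

    # Walk X-Forwarded-For right to left: the proxy appends the real client
    # last, so the rightmost entry that is not itself a trusted proxy is the
    # nearest address we can vouch for; anything further left is unverified.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client_ip = remote_addr
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            client_ip = hop
            break

    proto = headers.get("X-Forwarded-Proto", conn_scheme).strip().lower()
    scheme = "https" if proto == "https" else "http"
    return {"client_ip": client_ip, "scheme": scheme, "forwarded": True}
```

With a wrong trusted_proxies entry the last case applies to every request: Nextcloud logs and brute-force protection then see only the proxy address.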


Alternative: Standalone HAProxy on Ubuntu

If HAProxy runs on the Ubuntu Docker host itself instead of on pfSense, the equivalent configuration is as follows.

1. Install HAProxy on Ubuntu

    sudo apt update
    sudo apt install haproxy -y

2. Basic HAProxy Configuration File

We edited the HAProxy configuration at /etc/haproxy/haproxy.cfg:

    nano /etc/haproxy/haproxy.cfg

Global Settings:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
        # PROFILE=SYSTEM selects the system crypto policy on RHEL-based OpenSSL builds;
        # Ubuntu's OpenSSL does not recognise it, so use an explicit cipher list there
        ssl-default-bind-ciphers PROFILE=SYSTEM
        ssl-default-bind-options no-sslv3

Defaults:

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

3. Frontend Configuration

HTTP - Redirect to HTTPS:

    frontend http-in
        bind *:80
        redirect scheme https code 301 if !{ ssl_fc }

HTTPS - SSL Termination:

    frontend https-in
        bind *:443 ssl crt /etc/ssl/private/mydomain.pem
        mode http
        option forwardfor
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        default_backend nextcloud_backend

Note: Replace mydomain.pem with your actual combined SSL certificate file (fullchain + private key), created in step 5 below.

4. Backend Configuration

Forward traffic internally to the Apache container at port 11000:

    backend nextcloud_backend
        server nextcloud 127.0.0.1:11000 check

This points to the Nextcloud AIO Apache container's published port 11000 on localhost (not the container IP).

5. Certificates

We manually combined the certificate like this:

    cat fullchain.pem privkey.pem > /etc/ssl/private/mydomain.pem

Permissions were secured:

    sudo chmod 600 /etc/ssl/private/mydomain.pem

6. Restart and Enable HAProxy

    sudo systemctl restart haproxy
    sudo systemctl enable haproxy

7. Verify Setup

  • Access Nextcloud over https://yourdomain.com.
  • Check the SSL padlock in the browser.
  • Test basic uploads, logins, and app features.
  • Ensure Talk/TURN works through port 3478 if configured.

✅ Summary

  • pfSense HAProxy listens on WAN port 443 (HTTPS); in the standalone Ubuntu setup HAProxy listens on 80 and 443 and redirects HTTP (80) to HTTPS (443) automatically.
  • SSL is terminated at HAProxy (on pfSense, or on the Ubuntu host using a single combined .pem file) and traffic is forwarded to the Docker Nextcloud Apache container on port 11000.
  • Client IP is preserved using X-Forwarded-For headers.
  • Nextcloud properly recognizes the reverse proxy and the HTTPS URL.

🛠️ Additional Notes

  • HAProxy + pfSense reduces the public attack surface of your Docker server.
  • Remember to renew SSL certificates if using Let's Encrypt (this can be automated).
  • Use health checks to monitor Nextcloud availability.
  • Back up your pfSense HAProxy config once the setup is working.