
How to Configure HAProxy for Docker-based Nextcloud AIO

Purpose

Configure HAProxy on pfSense to terminate SSL and securely reverse-proxy public HTTPS traffic to an internal Docker Nextcloud AIO server (the AIO Apache container listening on port 11000) behind your firewall, based on a hands-on configuration.


1. HAProxy Package Installation on pfSense

On pfSense, go to:

  • System → Package Manager → Available Packages
  • Search for HAProxy and install haproxy (not haproxy-devel unless you need it).

2. Create SSL Certificate (or Import)

In pfSense:

  • System → Certificate Manager → Certificates
  • Import or create an SSL certificate for your domain (example: nextcloud.mydomain.com). For Let's Encrypt, the pfSense ACME package can issue and renew the certificate automatically; the HAProxy frontend then selects it from the Certificate Manager.

3. HAProxy Settings

Go to Services → HAProxy and configure:

Global Settings

  • Enable HAProxy
  • Set the SSL/TLS cipher suite to "Intermediate" (the Mozilla intermediate profile: TLS 1.2 and 1.3 with modern ciphers; the recommended balance of compatibility and security)

Frontend (Public Side)

  • Name: frontend-https
  • Bind address: WAN Address (prefer this over "any", so the listener is not also exposed on internal interfaces)
  • Port: 443
  • Type: SSL Offloading (HTTPS)
  • SSL Certificate: select the imported Let's Encrypt or custom certificate

pfSense does not open the port for you: add a WAN firewall rule allowing TCP 443 (and 80 if you use the redirect below) to the WAN address, otherwise the frontend never receives traffic.

Actions:

  • Condition: Match on Host Header = nextcloud.mydomain.com
  • Action: Use Backend: backend-nextcloud

Optional:

  • Add another frontend to redirect port 80 to 443 if you want forced HTTPS

4. HAProxy Backend (Internal Docker Host)

  • Name: backend-nextcloud
  • Mode: HTTP (the AIO Apache container speaks plain HTTP on port 11000 behind a reverse proxy; choose HTTPS only if you have configured TLS on the container and want the backend hop re-encrypted)
  • Server list:
      Name: nextcloud-docker
      Address: 192.168.100.19
      Port: 11000
  • Health Check Method: HTTP-OPTIONS

Important Backend Options:

  • Check "Use HTTP/1.1"
  • Keep the original Host header, and enable the forwardfor option so the client IP is passed in X-Forwarded-For (these are two separate settings: the Host header is what Nextcloud uses to build its URLs, X-Forwarded-For is what it logs and rate-limits on)
  • Add header X-Forwarded-Proto: https, so Nextcloud knows the client connection is TLS even though the backend hop is plain HTTP
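Steps 1–4 are GUI settings; to see what they amount to (and to compare against the generated configuration pfSense can show from the HAProxy settings page), here is the equivalent HAProxy configuration as an added example. It is not a file produced by pfSense or part of the original guide. It assumes the names and addresses used above (frontend-https, backend-nextcloud, 192.168.100.19:11000, nextcloud.mydomain.com); the certificate path is whatever pfSense writes, and the X-Forwarded-For reset and the HSTS header are hardening additions not among the GUI steps (on pfSense they can go into the frontend's advanced pass-thru field).

```haproxy
# Added example: text equivalent of the pfSense GUI settings in steps 1-4.
# Names and addresses follow the guide; the crt path is illustrative only,
# pfSense manages the certificate file itself.
global
    # "Intermediate" profile floor: no TLS 1.0/1.1, no session tickets
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Optional frontend: force HTTPS
frontend frontend-http
    bind :80
    http-request redirect scheme https code 301

frontend frontend-https
    bind :443 ssl crt /etc/ssl/private/nextcloud.mydomain.pem
    # Condition: Match on Host Header = nextcloud.mydomain.com
    acl host_nextcloud req.hdr(host) -i nextcloud.mydomain.com
    # Hardening (not in the GUI steps): discard any X-Forwarded-For the client sent,
    # then let forwardfor append the real source address, so trusted_proxies in
    # Nextcloud cannot be fed an attacker-chosen client IP.
    http-request del-header X-Forwarded-For
    option forwardfor
    # Tell Nextcloud the client side is TLS even though the backend hop is HTTP
    http-request set-header X-Forwarded-Proto https
    # Hardening: Nextcloud's setup check expects HSTS with at least 15552000 seconds
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"
    # Action: Use Backend backend-nextcloud. No default_backend, so requests for
    # any other hostname get HAProxy's own 503, not your Nextcloud.
    use_backend backend-nextcloud if host_nextcloud

backend backend-nextcloud
    # Health Check Method: HTTP-OPTIONS
    option httpchk OPTIONS /
    # "Use HTTP/1.1" is the default for an HTTP-mode backend
    server nextcloud-docker 192.168.100.19:11000 check
```

The health check hits the AIO Apache container directly on port 11000; if it flaps, check the Docker host firewall and the APACHE_PORT the container was started with before suspecting HAProxy.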

5. Nextcloud Trusted Proxy Configuration

On the Nextcloud server, set the trusted proxy in config.php inside the AIO Nextcloud container. HAProxy on pfSense reaches the backend from its LAN address, so that is the address Nextcloud must trust. AIO writes several of these values itself from the domain you gave it, so check what is already there before changing anything:

sudo docker exec -it nextcloud-aio-nextcloud bash
cd /var/www/html/config
nano config.php

Add or verify these lines inside config.php:

'trusted_proxies' => ['192.168.100.1'],
'overwritehost' => 'nextcloud.mydomain.com',
'overwriteprotocol' => 'https',
'overwrite.cli.url' => 'https://nextcloud.mydomain.com',

Note: Replace 192.168.100.1 with your pfSense LAN IP if different. List only the address HAProxy actually connects from: Nextcloud honours X-Forwarded-For from any address in trusted_proxies, so a broad entry (a whole subnet, or a wrong address) lets other hosts forge the client IP that brute-force protection and the audit log rely on.

6. Restart Docker Nextcloud Container

sudo docker restart nextcloud-aio-nextcloud

Alternative: Standalone HAProxy on Ubuntu

If HAProxy runs on an Ubuntu host (typically the Docker host itself) instead of on pfSense, the same setup is done in /etc/haproxy/haproxy.cfg. Steps 5 and 7 still apply, with trusted_proxies set to the address the Nextcloud container sees HAProxy connecting from.

a. Install HAProxy

sudo apt update
sudo apt install haproxy -y

b. Global and Defaults

Edit the HAProxy configuration file:

sudo nano /etc/haproxy/haproxy.cfg

Global:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # PROFILE=SYSTEM is only understood by OpenSSL builds with system crypto policies
    # (RHEL family); on Ubuntu replace it with an explicit list such as the Mozilla
    # "intermediate" cipher set
    ssl-default-bind-ciphers PROFILE=SYSTEM
    # no-sslv3 alone still allows TLS 1.0/1.1; ssl-min-ver TLSv1.2 matches the
    # Intermediate profile used on pfSense
    ssl-default-bind-options no-sslv3 ssl-min-ver TLSv1.2

Defaults:

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

c. Frontend Configuration

HTTP - Redirect to HTTPS:

frontend http-in
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

HTTPS - SSL Termination:

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/nextcloud.mydomain.pem
    mode http
    # drop any X-Forwarded-For the client sent, then let forwardfor append
    # the real source address (otherwise a client can prepend a fake IP)
    http-request del-header X-Forwarded-For
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend nextcloud_backend

Note: Replace nextcloud.mydomain.pem with your actual combined certificate (fullchain + private key), created in step e.

d. Backend Configuration

Forward traffic internally to the Apache container at port 11000:

backend nextcloud_backend
    server nextcloud 127.0.0.1:11000 check

This points to the Nextcloud AIO Apache container's published port 11000 on the Docker host (localhost, NOT the container IP).

e. Certificates

Combine the certificate chain and private key into one file, readable by root only (HAProxy reads it at startup before dropping privileges); the redirect needs root, hence tee:

cat fullchain.pem privkey.pem | sudo tee /etc/ssl/private/nextcloud.mydomain.pem > /dev/null
sudo chmod 600 /etc/ssl/private/nextcloud.mydomain.pem

f. Validate, Restart and Enable HAProxy

Check the configuration before restarting, so a typo does not take the site down:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy
sudo systemctl enable haproxy
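The trusted_proxies setting in step 5 and HAProxy's forwardfor option interact in a way that is easy to get wrong, so here is an added example (not Nextcloud or HAProxy code, and not part of the original guide) that models it. It follows the rule Nextcloud documents for trusted_proxies: X-Forwarded-For is honoured only when the connection comes from a listed address, and then the leftmost valid entry is taken as the client. 192.168.100.1 is the pfSense LAN IP from this guide; 203.0.113.7 and 10.0.0.5 are constructed client addresses.

```python
"""Model of client-IP resolution behind HAProxy + Nextcloud trusted_proxies.

Added example for this guide, not Nextcloud or HAProxy code. Addresses:
192.168.100.1 is the pfSense LAN IP from the guide; 203.0.113.7 (real client)
and 10.0.0.5 (attacker-chosen value) are constructed sample data.
"""
import ipaddress

PFSENSE_LAN_IP = "192.168.100.1"   # address HAProxy on pfSense connects from
REAL_CLIENT = "203.0.113.7"        # constructed: the actual internet client
SPOOFED_CLIENT = "10.0.0.5"        # constructed: what the attacker puts in XFF


def _valid_ip(text):
    """True if text parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False


def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if remote_addr matches an entry (single IP or CIDR) in trusted_proxies."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in trusted_proxies)


def resolve_client_ip(remote_addr, headers, trusted_proxies):
    """Address the application should treat as the client.

    X-Forwarded-For is honoured only when the TCP peer (REMOTE_ADDR) is a
    trusted proxy; then the leftmost valid entry is used, since the header
    lists the client first and then each proxy that handled the request.
    Otherwise the TCP peer itself is the client.
    """
    if trusted_proxies and is_trusted_proxy(remote_addr, trusted_proxies):
        for candidate in headers.get("X-Forwarded-For", "").split(","):
            candidate = candidate.strip()
            if candidate and _valid_ip(candidate):
                return candidate
    return remote_addr


def haproxy_forwardfor(incoming_xff, src):
    """`option forwardfor` alone: HAProxy APPENDS the TCP source address to
    whatever X-Forwarded-For the client already sent."""
    return f"{incoming_xff}, {src}" if incoming_xff else src


def haproxy_forwardfor_hardened(incoming_xff, src):
    """`http-request del-header X-Forwarded-For` before `option forwardfor`
    (or `http-request set-header X-Forwarded-For %[src]`): the client-supplied
    value is discarded and only the real source address remains."""
    return src


def run_scenarios():
    """Same attacker request under three configurations; returns the address
    Nextcloud would record as the client in each case."""
    attacker_xff = SPOOFED_CLIENT  # attacker pre-sets the header on the request
    results = {}

    # 1. trusted_proxies not set: HAProxy's own address becomes every client.
    #    Brute-force throttling and the audit log collapse onto 192.168.100.1.
    xff = haproxy_forwardfor(attacker_xff, REAL_CLIENT)
    results["no_trusted_proxies"] = resolve_client_ip(
        PFSENSE_LAN_IP, {"X-Forwarded-For": xff}, [])

    # 2. trusted_proxies set, plain forwardfor: the leftmost entry is the
    #    attacker's value, so each request can claim a fresh client IP.
    results["default_forwardfor_spoofed"] = resolve_client_ip(
        PFSENSE_LAN_IP, {"X-Forwarded-For": xff}, [PFSENSE_LAN_IP])

    # 3. trusted_proxies set and HAProxy discards the client-supplied header.
    xff_hardened = haproxy_forwardfor_hardened(attacker_xff, REAL_CLIENT)
    results["hardened_forwardfor"] = resolve_client_ip(
        PFSENSE_LAN_IP, {"X-Forwarded-For": xff_hardened}, [PFSENSE_LAN_IP])
    return results


if __name__ == "__main__":
    for name, seen in run_scenarios().items():
        print(f"{name:26s} -> Nextcloud sees client {seen}")
```

Scenario 2 is the one to watch for: trusted_proxies is correct, yet the client IP is still attacker-controlled because HAProxy appended rather than replaced the header. On pfSense, put the del-header line in the frontend's advanced pass-thru field; on a standalone host it goes before option forwardfor in the frontend.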

7. Verify Setup

  • Access Nextcloud over https://nextcloud.mydomain.com.
  • Check the SSL padlock in the browser and confirm the certificate is the one selected in the HAProxy frontend.
  • In Nextcloud, open Administration settings → Overview and confirm there are no warnings about the reverse proxy, HTTPS or the Strict-Transport-Security header.
  • Test basic uploads, logins, and app features.
  • Make a deliberately failed login and check that Nextcloud logs the real client IP, not the pfSense LAN IP; if it shows the LAN IP, trusted_proxies or the forwardfor option is wrong.
  • Ensure Talk/TURN works through port 3478 if configured. HAProxy in HTTP mode does not carry that traffic; it needs its own firewall/NAT rule to the Docker host.

✅ Summary

  • pfSense HAProxy listens on WAN 443 (with port 80 redirected to HTTPS if the optional frontend is configured).
  • SSL terminated at HAProxy on pfSense (on a standalone host, using a single combined .pem file); traffic forwarded to Docker Nextcloud Apache on port 11000.
  • Client IP preserved using X-Forwarded-For headers.
  • Nextcloud properly recognizes the reverse proxy and the HTTPS URL.

🛠️ Additional Notes

  • HAProxy + pfSense reduces public attack surface on your Docker server
  • Remember to update SSL certificates if using Let's Encrypt (can be automated)
  • Use Health Checks to monitor Nextcloud availability
  • Backup your pfSense HAProxy config after working setup