Nextcloud AiO setup

Hi guys,

I have a question concerning hosting a Nextcloud AiO behind HAProxy.
On the github page of the Nextcloud AiO I found this guide. This is the expected setup:

global
    chroot                      /var/haproxy
    log                         /var/run/log audit debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    option redispatch -1
    retries 3
    default-server init-addr last,libc

# Frontend: LetsEncrypt_443 ()
frontend LetsEncrypt_443
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /tmp/haproxy/ssl/605f6609f106d1.17683543.certlist 
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/
    # ACL: Nextcloud
    acl acl_60604e669c3ca4.13013327 hdr(host) -i <your-nc-domain>

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
    # ACTION: Nextcloud
    use_backend Nextcloud if acl_60604e669c3ca4.13013327


# Frontend: LetsEncrypt_80 ()
frontend LetsEncrypt_80
    bind 0.0.0.0:80 name 0.0.0.0:80 
    mode tcp
    default_backend acme_challenge_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: find_acme_challenge
    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920

# Frontend (DISABLED): 1_HTTP_frontend ()

# Frontend (DISABLED): 1_HTTPS_frontend ()

# Frontend (DISABLED): 0_SNI_frontend ()

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 

# Backend: Nextcloud ()
backend Nextcloud
    mode http
    balance source
    server Nextcloud localhost:11000 # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below

I tried to set it up in OPNSense, but unfortunately, the error “400 Bad request” occurs.

Now I would like to ask, if you could check my configuration and help me to set it up correctly.
For this, I put my current configuration in the annex.

If you need more information, just ask.

I used these guides for the setup of haproxy:
#1
#2
#3

In the logs of the nextcloud aio mastercontainer I found the following:

NOTICE: PHP message: The response of the connection attempt to "https://nextcloud.xyz.cc:443" was: <!DOCTYPE html><html lang="en"> <head>  <meta charset="UTF-8" />  <title>400 Bad Request</title> </head> <body>  <h1>400 Bad Request</h1> </body></html>
NOTICE: PHP message: Expected was: fe6210d73356ad54fafe06268a516c6c9ec6b6eb98ecb27f
NOTICE: PHP message: The error message was: 
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!

Thank you for your help.

Maginos

This is the configuration I have right now:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    ocsp-update.mindelay 300
    ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: Public_facing_Pool ()
frontend Public_facing_Pool
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66b27d2fad3150.94967269.certlist 
    mode http
    option http-keep-alive

    # logging options
    # ACL: nextcloud2
    acl acl_66be5bfb83c992.25957275 hdr_beg(host) -i nextcloud2.xyz.cc
    # ACL: nextcloud-aio-docker
    acl acl_66be5cd316acb9.27188494 hdr_beg(host) -i nextcloud.xyz.cc

    # ACTION: httpsredirect
    http-request redirect scheme https code 301 if !acl_66b4b049acd730.71159202
    # ACTION: nextcloud2
    use_backend nextcloud2 if acl_66be5bfb83c992.25957275
    # ACTION: nextcloud-aio-docker
    use_backend nextcloud-aio-docker if acl_66be5cd316acb9.27188494

# Frontend: SSL ()
frontend SSL
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66b4ee8b0a4796.92529650.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: nextcloud2
    acl acl_66be5bfb83c992.25957275 hdr_beg(host) -i nextcloud2.xyz.cc
    # ACL: nextcloud-aio-docker
    acl acl_66be5cd316acb9.27188494 hdr_beg(host) -i nextcloud.xyz.cc

    # ACTION: nextcloudls
    use_backend NextcloudLS if acl_66b4a4a52852b9.64013797
    # ACTION: nextcloud2
    use_backend nextcloud2 if acl_66be5bfb83c992.25957275
    # ACTION: nextcloud-aio-docker
    use_backend nextcloud-aio-docker if acl_66be5cd316acb9.27188494

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    option log-health-checks
    # health check: Acme Challenge Host
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580 check inter 10000 downinter 900000 port 43580 


# Backend: nextcloud2 ()
backend nextcloud2
    option log-health-checks
    # health check: Nextcloud 2
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server nextcloud2 10.50.1.4:11000 check inter 10000 port 11000  ssl alpn h2,http/1.1 verify required ca-file /usr/local/etc/ssl/cert.pem

# Backend: nextcloud-aio-docker ()
backend nextcloud-aio-docker
    option log-health-checks
    # health check: Nextcloud AiO Docker
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    option forwardfor
    server nextcloud-aio-docker 10.50.1.2:11000 check inter 10000 port 11000  send-proxy-v2 check-send-proxy

# statistics are DISABLED