Nextcloud + traefik: "This app cannot be enabled because it makes the server unstable"

LSIO Discussion Container Support
1

I’m using LSIOs nextcloud image and traefik v3 as reverse proxy.

With this setup I can’t enable any nextcloud app without getting an error that says “Error: This app cannot be enabled because it makes the server unstable”.

There doesn’t seem to be any relevant errors in the logs.

In the admin settings, the setup warnings mention that “The Strict-Transport-Security HTTP header is not set”. I’m not sure if solving this would be enough to solve the app enabling issue of if the error is somewhere else.

Where should I start investigating?

For reference, here’s my compose.yaml:

services:
 nextcloud:
   image: lscr.io/linuxserver/nextcloud:latest
   container_name: nextcloud
   hostname: cloud.example.com
   environment:
     - PUID=1003
     - PGID=1003
     - TZ=America/Recife
   volumes:
     - $DOCKER_DIR/volumes/nextcloud/config:/config
     - $DOCKER_DIR/volumes/nextcloud/data:/data
   networks:
     # Use an internal network for the nextcloud services
     - nextcloud
     - traefik
   # ports:
     # - 443:443
   restart: unless-stopped

   labels:
     - "traefik.enable=true"
     - "traefik.docker.network=traefik"
     - "traefik.http.routers.nextcloud.rule=Host(`cloud.example.com`)"
     - "traefik.http.routers.nextcloud.entrypoints=web, websecure"
     - "traefik.http.routers.nextcloud.tls=true"
     - "traefik.http.routers.nextcloud.tls.certresolver=production"
     - "traefik.http.routers.nextcloud.middlewares=chain-nextcloud"
     - "traefik.http.routers.nextcloud.middlewares=nextcloud-secure-headers"
     - "traefik.http.middlewares.rate-limit.rateLimit.average=100"
     - "traefik.http.middlewares.rate-limit.rateLimit.burst=50"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.accessControlMaxAge=100"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.stsSeconds=15552000"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.stsIncludeSubdomains=true"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.stsPreload=true"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.forceSTSHeader=true"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.hostsProxyHeaders=X-Forward-Host"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.referrerPolicy=no-referrer"
     - "traefik.http.middlewares.nextcloud-secure-headers.headers.customResponseHeaders.X-Robots-Tag=noindex, nofollow"
     - "traefik.http.routers.nextcloud.middlewares=nextcloud_redirectregex@docker"
     - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true"
     - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
     - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
     - "traefik.http.middlewares.chain-nextcloud.chain.middlewares=nextcloud-secure-headers, nextcloud-redirect, rate-limit"

 # Nextcloud Database - Using MariaDB, but can also use MySQL or PostgreSQL
 nextcloud-db:
   # MariaDB 10.5 again not using latest to prevent future breakage
   # https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html#server
   image: mariadb:10.11
   # Set to allow easy Docker DNS name resolution - not strictly necessary
   container_name: nc-db
   # Same as above
   hostname: nc-db
   # Container will restart unless we specifically stop it
   restart: unless-stopped
   # Recommended database settings as listed in:
   # https://docs.nextcloud.com/server/21/admin_manual/configuration_database/linux_database_configuration.html
   command: --transaction-isolation=READ-COMMITTED --log-bin=msqyld-bin --binlog-format=ROW
   # Defines how we want our container to connect outside
   networks:
     # ONLY using an internal network and not exposing to the internet
     - nextcloud
   # Persistent volumes with bind mounts to easily move/backup data
   volumes:
     # I like to use the /opt folder to hold my Docker bind mounted volumes
     - $DOCKER_DIR/volumes/nextcloud-db:/var/lib/mysql
   # We add our secrets here
   secrets:
     - db_root_password
     - db_password
   # Environment (internal to the container) variables to simplify setup (notice the secrets used below)
   environment:
     MYSQL_USER: nextcloud
     MYSQL_DATABASE: nextcloud
     MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
     MYSQL_PASSWORD_FILE: /run/secrets/db_password

 # Nextcloud (in memory) Redis Cache - speed up lookup transactions
 # Speeds up Nextcloud by reducing the time spent "looking" for things
 nc-redis:
   # Official REDIS 6.2 image based upon alpine Linux (to keep it lightweight)
   image: redis:6.2-alpine
   # Set to allow easy Docker DNS name resolution - not strictly necessary
   container_name: nc-redis
   # Same as above
   hostname: nc-redis
   # Container will restart unless we specifically stop it
   restart: unless-stopped
   # Defines how we want our container to connect outside
   networks:
   # ONLY using an internal network and not exposing to the internet
     - nextcloud
   # Persistent volumes with bind mounts to easily move/backup data
   volumes:
   # I like to use the /opt folder to hold my Docker bind mounted volumes
     - $DOCKER_DIR/volumes/nextcloud-redis:/data

# Declare networks at the high level to avoid confusion and to access those
#   not initially started by this document.
networks:
 # Internal facing network for Nextcloud Docker containers
 nextcloud:
   name: nextcloud
   # Define how we want the network created
   driver: bridge
   internal: true
 traefik:
   external: true

# Must use a high level declaration of our secrets (notice the use of the environmental variable 
#   we set above in .env)
secrets:
  db_password:
    file: $DOCKER_SECRETS_DIR/nextcloud_db_pwd
  db_root_password:
    file: $DOCKER_SECRETS_DIR/nextcloud_db_root_pwd

And my config.php

<?php
$CONFIG = array (
  'datadirectory' => '/data',
  'instanceid' => 'REDACTED',
  'passwordsalt' => 'REDACTED',
  'secret' => 'REDACTED',
  'default_phone_region' => 'BR',
  'trusted_proxies' => 
  array (
    0 => '172.23.0.0/16',
    0 => '127.0.0.0/16',
  ),
  'trusted_domains' => 
  array (
    0 => 'cloud.example.com',
    1 => 'localhost',
    2 => 'traefik',
  ),
  'dbtype' => 'mysql',
  'version' => '31.0.2.1',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'http://cloud.example.com',
  'overwritehost' => 'cloud.example.com',
  'overwritewebroot'  => '/',
  'dbname' => 'nextcloud',
  'dbhost' => 'nc-db:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'REDACTED',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\APCu',
  'redis' => 
  array (
    'host' => 'nc-redis',
    'password' => '',
    'port' => 6379,
  ),
  'maintenance_window_start' => 2,
  'upgrade.disable-web' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_from_address' => 'REDACTED',
  'mail_domain' => 'gmail.com',
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'REDACTED',
  'mail_smtppassword' => 'REDACTED',
);

Thanks!