SWAG on local network

I installed nextcloud and swag. I can only access nextcloud from outside my local network. Inside my network I get a timeout error.

docker-compose for nextcloud and swag:

version: "2"
services:
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - TZ=Europe/Lisbon #change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/nextcloud/config:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
      - /srv/dev-disk-by-label-OS/appdata/nextcloud/data:/data     #/srv/dev-disk-by-label-disk1 needs to be adjusted
    depends_on:
      - mariadb
 #   ports: # uncomment this and the next line if you want to bypass the proxy
 #     - 445:443
    restart: unless-stopped
  mariadb:
    image: linuxserver/mariadb
    container_name: nextclouddb
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - MYSQL_ROOT_PASSWORD=dbpassword  #change password
      - TZ=Europe/Lisbon #Change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/nextclouddb:/config    #/srv/dev-disk-by-label-disk1 needs to be adjusted
    restart: unless-stopped
  swag:
    image: linuxserver/swag         #swag is the replacement for letsencrypt (see link below)
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - TZ=Europe/Lisbon # change Time Zone if needed
      - URL=mydomain.duckdns.org #insert your domain name - yourdomain.url
      - SUBDOMAINS=www,nextcloud
      - VALIDATION=http
      - EMAIL=myemail@gmail.com # define email; required to renew certificate
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/swag:/config  #/srv/dev-disk-by-label-disk1 needs to be adjusted
    ports:
      - 444:443
      - 81:80
    restart: unless-stopped

I tried to uncomment the ports lines in the nextcloud configuration, as it says they should be uncommented to bypass the proxy, but portainer gives me an error saying the port is already bound.

My nextcloud config.php:

root@raspberrypi:/srv/dev-disk-by-label-OS/appdata/nextcloud/config/www/nextcloud/config# cat config.php
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'trusted_proxies' =>
  array (
    0 => 'swag',
  ),
  'overwrite.cli.url' => 'https://nextcloud.mydomain.duckdns.org',
  'overwritehost' => 'nextcloud.mydomain.duckdns.org',
  'overwriteprotocol' => 'https',
  'trusted_domains' =>
  array (
    0 => '192.168.1.108:444',
    1 => 'nextcloud.mydomain.duckdns.org',
  ),
  'instanceid' => 'instanceid',
  'passwordsalt' => 'passwordsalt',
  'secret' => 'secret',
  'dbtype' => 'mysql',
  'version' => '20.0.3.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextclouddb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_dbuser',
  'dbpassword' => 'dbpassword',
  'installed' => true,
);

I forward port 80 and 443 on my router to port 81 and 444 of my server (RPi4).

From what I have read over the last couple of days it looks like my router doesn’t support NAT loopback.

I’ve been trying to set up a DNS server using dnsmasq to route the subdomain inside my local network. During this process there was some configuration that worked, but I can’t remember which one, so I decided to start over with external help to get it right.

Is it possible to get some nginx logs to understand if there is some request getting to nginx or not?

Thank you

For split DNS (dnsmasq) to work properly, swag needs to use port 443 on the host, not 444

Nginx logs won’t help you because you’re having a dns issue and the connection doesn’t even reach nginx

Can’t I tell dnsmasq to route https://nextcloud.mydomain.duckdns.org to ip:444?

In this case since I’ll have another server that I want to reach using another subdomain what is the preferable way to do this? Bypass the nginx proxy for local network?

EDIT:
I enabled dnsmasq with this config:

# Never forward plain names (without a domain)
domain-needed
# Turn off DHCP on eth0
no-dhcp-interface=eth0
# Never forward addresses in the non-routable address space (RFC1918)
bogus-priv
# Add domain to host names
#expand-hosts
# Domain to be added if expand-hosts is set
domain=mydomain.duckdns.org
# Local domain to be served from /etc/hosts file
local=/mydomain.duckdns.org/
# Don't read /etc/resolv.conf (I deleted it). Get the external name server from this file, see 'server' below
no-resolv
no-poll
# External server, works with no-resolv
server=8.8.8.8

address=/mydomain.duckdns.org/192.168.1.108

and now I get curl: (7) Failed to connect to nextcloud.mydomain.duckdns.org port 443: Connection refused

No, dns only provides an IP address for the domain name

If you reverse proxy everything through swag, swag should be listening on port 443 and no other ports are needed on the host. Then swag can decide what to serve or proxy based on the address (subdomain or subfolder, etc.)
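As an added illustration (not part of either post, and not code from swag, dnsmasq or Nextcloud), the following Python models the two decisions a LAN client goes through when it opens https://nextcloud.mydomain.duckdns.org: which address dnsmasq answers for the name, and whether anything is published on the port the URL implies on the docker host. The public address 203.0.113.10, the upstream answer and the port lists are constructed from the values quoted in this thread.

```python
"""Split-DNS and host-port model for the swag / dnsmasq setup in this thread.
Added example, not code from swag, dnsmasq or the thread; every address and
mapping below is constructed from the values the posts quote."""
from urllib.parse import urlsplit

# Constructed from the dnsmasq config posted above.
DNSMASQ_RULES = ["address=/mydomain.duckdns.org/192.168.1.108"]
# Constructed: what the public resolver (server=8.8.8.8) would answer,
# i.e. the router's WAN address (documentation range, not a real host).
UPSTREAM = {"nextcloud.mydomain.duckdns.org": "203.0.113.10"}
LAN_HOST_IP = "192.168.1.108"


def dnsmasq_lookup(name, rules, upstream):
    """IP dnsmasq answers for `name`. An address=/domain/ip rule covers the
    domain and every subdomain; the most specific (longest) domain wins.
    Names no rule covers go to the upstream resolver (a dict here)."""
    name = name.rstrip(".").lower()
    best = None
    for rule in rules:
        _, domain, ip = rule.split("/")
        domain = domain.lower()
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else upstream.get(name)


def host_ports(compose_ports):
    """Set of host ports published by a compose 'ports:' list ("HOST:CONTAINER")."""
    return {int(spec.split(":")[0]) for spec in compose_ports}


def connect(url, rules, upstream, compose_ports, lan_ip=LAN_HOST_IP):
    """Outcome of a TCP connect from a LAN client to `url`:
    'reached-swag'        resolved to the LAN host and the port is published
    'connection-refused'  resolved to the LAN host, nothing published on that port
    'timeout'             resolved to the public address; without NAT loopback
                          the router drops the hairpinned SYN"""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if dnsmasq_lookup(parts.hostname, rules, upstream) != lan_ip:
        return "timeout"
    return "reached-swag" if port in host_ports(compose_ports) else "connection-refused"


if __name__ == "__main__":
    url = "https://nextcloud.mydomain.duckdns.org"
    for label, rules, ports in [
        ("no split DNS, swag on 444", [], ["444:443", "81:80"]),
        ("split DNS, swag on 444", DNSMASQ_RULES, ["444:443", "81:80"]),
        ("split DNS, swag on 443", DNSMASQ_RULES, ["443:443", "81:80"]),
    ]:
        print(f"{label:28s} -> {connect(url, rules, UPSTREAM, ports)}")
```

Running it reproduces the thread's symptoms in order: with no address= rule the name resolves to the public address and the request depends on NAT loopback (the timeout); with split DNS but swag published as 444:443 the client reaches the LAN host on port 443 and gets curl's "Connection refused"; with 443:443 the connection lands on swag. dnsmasq only ever supplies the address; the port always comes from the URL, so the only way to keep 444 would be to type it into every URL.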

I changed the swag port to 443, disabled port forwarding on the router and edited the config.php trusted_domains ip to 192.168.1.108:444. Now I get ERR_TUNNEL_CONNECTION_FAILED when trying to open it externally and a timeout internally.

Now my swag config looks like this:

swag:
    image: linuxserver/swag         #swag is the replacement for letsencrypt (see link below)
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - TZ=Europe/Lisbon # change Time Zone if needed
      - URL=mydomain.duckdns.org #insert your domain name - yourdomain.url
      - SUBDOMAINS=www,nextcloud
      - VALIDATION=http
      - EMAIL=myemail@gmail.com # define email; required to renew certificate
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/swag:/config  #/srv/dev-disk-by-label-disk1 needs to be adjusted
    ports:
      - 443:443
      - 81:80
    restart: unless-stopped

Why did you disable port forwarding? You still need to forward outside 443 to docker host’s port 443

Also, the trusted proxy should just be swag. You don’t use ports in there, just an ip or dns host name, which in this case is the container name.

Follow this: SWAG setup - LinuxServer.io
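To make the difference between the two settings concrete, here is an added, simplified model of how Nextcloud applies trusted_proxies and trusted_domains to a request that arrives through swag. It is not Nextcloud's code and not from either post: the docker network address 172.18.0.3 that the container name is assumed to resolve to, the headers, and the rule that the first valid address in X-Forwarded-For is used are all constructed for the example.

```python
"""Simplified model of how Nextcloud applies trusted_proxies and
trusted_domains to a request arriving through swag. Added example: not
Nextcloud's code and not from the thread; the container address 172.18.0.3
and the headers are constructed."""
import ipaddress
import re

# Constructed: the docker network address the 'swag' container name resolves to.
RESOLVE = {"swag": "172.18.0.3"}
TRUSTED_PROXIES = ["swag"]
TRUSTED_DOMAINS = ["192.168.1.108:443", "nextcloud.mydomain.duckdns.org"]


def proxy_entry_problem(entry):
    """None if `entry` is a usable trusted_proxies value (IP, CIDR or bare host
    name), otherwise why it is not. Ports and schemes never belong here."""
    if "://" in entry:
        return "scheme not allowed"
    if entry.count(":") == 1 and re.search(r":\d+$", entry):
        return "port not allowed"
    try:
        ipaddress.ip_network(entry, strict=False)
        return None
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9-]+)*", entry):
        return None
    return "not an IP, CIDR or host name"


def is_trusted_proxy(remote_addr, trusted, resolve=RESOLVE):
    """The match is made on the connection's source address, so a host name
    entry is resolved first (through the constructed table here)."""
    addr = ipaddress.ip_address(remote_addr)
    for entry in trusted:
        try:
            if addr in ipaddress.ip_network(resolve.get(entry, entry), strict=False):
                return True
        except ValueError:
            continue
    return False


def client_address(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Address Nextcloud attributes the request to (logging, brute-force
    protection): the first valid IP in X-Forwarded-For when, and only when,
    the connection comes from a trusted proxy; otherwise the socket address."""
    if is_trusted_proxy(remote_addr, trusted):
        for candidate in headers.get("X-Forwarded-For", "").split(","):
            candidate = candidate.strip()
            try:
                ipaddress.ip_address(candidate)
                return candidate
            except ValueError:
                continue
    return remote_addr


def is_trusted_domain(host_header, trusted=TRUSTED_DOMAINS):
    """Host-header check: each entry may carry a port and '*' wildcards, and
    is tried against the header both with and without its port. An entry meant
    for LAN access therefore has to carry the port swag is published on."""
    host = host_header.lower()
    bare = host.rsplit(":", 1)[0] if re.search(r":\d+$", host) else host
    for entry in trusted:
        pattern = "^" + "[-.a-z0-9]*".join(re.escape(p) for p in entry.lower().split("*")) + "$"
        if re.match(pattern, bare) or re.match(pattern, host):
            return True
    return False


if __name__ == "__main__":
    for entry in ["swag", "192.168.1.108:443", "172.18.0.0/16"]:
        print(f"trusted_proxies entry {entry!r}: {proxy_entry_problem(entry) or 'ok'}")
    print(client_address("172.18.0.3", {"X-Forwarded-For": "203.0.113.10"}))  # via swag
    print(client_address("172.18.0.9", {"X-Forwarded-For": "203.0.113.10"}))  # header ignored
    print(is_trusted_domain("192.168.1.108:444"))  # port differs from the entry
```

The point for this thread: the proxy match happens on the connecting address, so an entry with a port can never match, X-Forwarded-For is then ignored and every request appears to come from the swag container (logs and brute-force protection see one address). Conversely, an entry wider than the proxy would let any client on that range choose its own apparent address by sending the header. trusted_domains is a separate check on the Host header, which is why the port belongs there and not in trusted_proxies.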

For no reason :man_facepalming: after enabling port forwarding, connecting to it externally works again :man_facepalming:

The trusted proxy is swag. I changed trusted domains:

'trusted_domains' =>
  array (
    0 => '192.168.1.108:443',
    1 => 'nextcloud.mydomain.duckdns.org',
  ),

But I still get a timeout.

I read the docs and I think I have all set up correctly:

version: "2"
services:
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - TZ=Europe/Lisbon #change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/nextcloud/config:/config #/srv/dev-disk-by-label-disk1 needs to be adjusted
      - /srv/dev-disk-by-label-OS/appdata/nextcloud/data:/data     #/srv/dev-disk-by-label-disk1 needs to be adjusted
    depends_on:
      - mariadb
#    ports: # uncomment this and the next line if you want to bypass the proxy
#      - 444:443
    restart: unless-stopped
  mariadb:
    image: linuxserver/mariadb
    container_name: nextclouddb
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - MYSQL_ROOT_PASSWORD=mysqlpassword  #change password
      - TZ=Europe/Lisbon #Change Time Zone if needed
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/nextclouddb:/config    #/srv/dev-disk-by-label-disk1 needs to be adjusted
    restart: unless-stopped
  swag:
    image: linuxserver/swag         #swag is the replacement for letsencrypt (see link below)
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1002 #change PUID if needed
      - PGID=100  #change PGID if needed
      - TZ=Europe/Lisbon # change Time Zone if needed
      - URL=mydomain.duckdns.org #insert your domain name - yourdomain.url
      - SUBDOMAINS=www,nextcloud
      - VALIDATION=http
      - EMAIL=myemail@gmail.com # define email; required to renew certificate
    volumes:
      - /srv/dev-disk-by-label-OS/appdata/swag:/config  #/srv/dev-disk-by-label-disk1 needs to be adjusted
    ports:
      - 443:443
      - 81:80
    restart: unless-stopped

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'trusted_proxies' =>
  array (
    0 => 'swag',
  ),
  'overwrite.cli.url' => 'https://nextcloud.mydomain.duckdns.org',
  'overwritehost' => 'nextcloud.mydomain.duckdns.org',
  'overwriteprotocol' => 'https',
  'trusted_domains' =>
  array (
    0 => '192.168.1.108:443',
    1 => 'nextcloud.mydomain.duckdns.org',
  ),
  'instanceid' => 'instanceid',
  'passwordsalt' => 'passwordsalt',
  'secret' => 'secret',
  'dbtype' => 'mysql',
  'version' => '20.0.3.2',
  'dbname' => 'dbname',
  'dbhost' => 'dbhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'dbuser',
  'dbpassword' => 'dbpassword',
  'installed' => true,
);

Router is forwarding port 443:443 and 80:81 to host 192.168.1.108.

There is one thing from the docs that I don’t understand. I modified # 0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it. to match my IP, however it says that I shouldn’t modify it :s

This is the result:

ze-2:~ ze$ curl https://nextcloud.mydomain.duckdns.org -k
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to nextcloud.mydomain.duckdns.org:443
ze-2:~ ze$

In the browser I get ERR_TIMED_OUT

My problem is only when accessing it from my local network, where nextcloud is hosted.

For some reason, after a router restart, it started to work :face_with_monocle: