NextcloudAIO VM behind Cloudflare tunnel, TLS problems

[nilsAx]

Hi,

UPDATE:
I have now got it to work. Starting with a clean Debian OS instead of the ready-made Nextcloud VM was the solution.
The docker-compose recommended in this discussion is the only configuration needed:
(Solved)AIO working with Cloudflare?

I started with the exact same configuration on the Nextcloud VM, but for some reason it didn't work. I guess there are some other modifications made on the Nextcloud VM that didn't like my setup.

ORG:
I have downloaded the AIO VM and have been trying to get it to work behind a Cloudflare tunnel with a domain using their proxy, but I am now out of ideas..
I have a local DNS-server, 1 VM containing the Cloudflare Tunnel, and Nextcloud AIO VM in a third VM.

I have followed the guide at https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md and it is possible to connect to the Nextcloud VM from the public domain connected to the Cloudflare tunnel, but only port 8080.
When trying to connect to 8443 or 443, I get "ERR_SSL_PROTOCOL_ERROR".

When trying to connect to port 11000 I get "ERR_CONNECTION_REFUSED", and i belive it is due to the apache container failing to get or update the ssl certificate or something. In the docker log it outputs the message "Cannot negotiate ALPN protocol “acme-tls/1” for tls-alpn-01 challenge". I then learned that ALPN challenge is not possible together with the Cloudflare DNS Proxy, and I have been trying to get around it. I have tried modifying the Caddyfile with the following:

• disable_tlsalpn_challenge
• disable_http_challenge
• tls_insecure_skip_verify
• using certificate and key downloaded from Cloudflare

Nothing works...

The current caddyfile is pasted below. In the log file, there are no longer any errors. But the Apache service never starts:
Waiting for Nextcloud to start...
Waiting for Nextcloud to start...
{"level":"info","ts":1695473306.2622163,"msg":"using provided configuration","config_file":"/tmp/Caddyfile","config_adapter":""}
[Sat Sep 23 14:48:26.276959 2023] [mpm_event:notice] [pid 55:tid 139837702302536] AH00489: Apache/2.4.57 (Unix) configured -- resuming normal operations
[Sat Sep 23 14:48:26.277039 2023] [core:notice] [pid 55:tid 139837702302536] AH00094: Command line: '/usr/local/apache2/bin/httpd -D FOREGROUND'
{"level":"info","ts":1695473306.285156,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}

And I have tried to increase the buffer with the following lines in sysctl.conf, but the buffer doesnt increase:
net.core.rmem_max=2500000
net.core.wmem_max=2500000

Does anybody have any ideas on how to expose the apache server to my public domain?

Caddyfile in apache-container:

{
auto_https disable_redirects

storage file_system {
    root /mnt/data/caddy
}

servers {
    # trusted_proxies placeholder
}

log {
    level ERROR
}

}

{$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {

# Collabora
route /browser/* {
    reverse_proxy {$COLLABORA_HOST}:9980
}
route /hosting/* {
    reverse_proxy {$COLLABORA_HOST}:9980
}
route /cool/* {
    reverse_proxy {$COLLABORA_HOST}:9980
}

# Notify Push
route /push/* {
    uri strip_prefix /push
    reverse_proxy {$NOTIFY_PUSH_HOST}:7867
}

# Onlyoffice
route /onlyoffice/* {
    uri strip_prefix /onlyoffice
    reverse_proxy {$ONLYOFFICE_HOST}:80 {
        header_up X-Forwarded-Host {http.request.host}/onlyoffice
        header_up X-Forwarded-Proto https
    }
}

# Talk
route /standalone-signaling/* {
    uri strip_prefix /standalone-signaling
    reverse_proxy {$TALK_HOST}:8081
}

# Others
import /mnt/data/caddy-imports/*

# Nextcloud
route {
    rewrite /.well-known/carddav /remote.php/dav
    rewrite /.well-known/caldav /remote.php/dav
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy localhost:8000 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

# TLS options

tls {
    issuer acme {
            disable_http_challenge
            disable_tlsalpn_challenge
    }
}

tls /etc/ssl/certs/Cloudflare_Nextcloud_Proxy_Certificate.pem /etc/ssl/certs/Cloudflare_Nextcloud_Proxy_Key.pem

}

[szaimen]

UPDATE:
I have now got it to work. Starting with a clean Debian OS instead of the ready-made Nextcloud VM was the solution.
The docker-compose recommended in this discussion is the only configuration needed:
(Solved)AIO working with Cloudflare?