NEXTCLOUD_TRUSTED_DOMAINS only sets first domain in list

[BornToBeRoot]

Multiple domains in NEXTCLOUD_TRUSTED_DOMAINS separated with spaces are ignored.

Example:

docker-compose:

NEXTCLOUD_TRUSTED_DOMAINS: cloud-test.example.com cloud-test.internal.example.com

config.php

'trusted_domains' =>
  array (
    0 => 'cloud-test.example.com',
  ),

[novaliswolf]

Also having the same issue on version: 24.0.1

[jwaes]

Also having this issue ...

[im2c0ol]

Months later trying to get the trusted domain option working using CloudFlare without luck.
It's a great tool, but why it's so difficult to get this working externally?
I even edited the config.php

Nextcloud version 24.0.5

[LinuxMeow]

For me it doesn't set even the first domain. I set only one. Then went on installation phase and page says "Access through untrusted domain".

[Ramalama2]

same here.
pretty annoying with all that nextcloud docker issues.

All i wanted is an easier upgrade method, through containers and traefik etc...
and its actually working all great, but this nextcloud docker container is just annoying.
i think its actually better to switch to a normal nginx instance.

Cheers

[rudolphh]

And seeing issues from even last year thought this was resolved until now.

[ariep]

For me it doesn't set even the first domain. I set only one. Then went on installation phase and page says "Access through untrusted domain".

I have the same experience: we regularly install/run the nextcloud docker image as part of a CI run. We set NEXTCLOUD_TRUSTED_DOMAINS to a single domain. Sometimes this does not end up in the actual configuration (according to php occ config:system:get trusted_domains): which will be only localhost then. Sometimes it does work and trusted_domains will contain both localhost and the specified domain. I have not found any pattern predicting when it will work.

[nel0x]

@LinuxMeow Can confirm the most recent stable docker release 25.0.2 ignores the NEXTCLOUD_TRUSTED_DOMAINS environment variable too.

docker exec nextcloud_app_1 printenv NEXTCLOUD_TRUSTED_DOMAINS successfully prints out the defined trusted domain(s), so that's not the issue.

@BornToBeRoot mentioned only the first domain was set. Did you do the initial setup with that domain?
Currently, Nextcloud container seems to only set the domain/ip used for inital setup as trusted domain in config.php.

[BornToBeRoot]

@nel0x yes. I think it was that domain.

[sebastiansam55]

also having this issue, I don't even see that dev has commented on this issue thread. Is this a won't fix or something?

Is there a way to set that value with the occ command?

[sebastiansam55]

well for anyone else, this is possible via occ but still doesn't resolve the error message in the administration console;

from their documentation: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#config-commands-label

To set one of multiple values, you need to specify the array index as the second name in the config:system:set command, separated by a space. For example, to replace sample.tld with example.com, trusted_domains => 2 needs to be set:

sudo -u www-data php occ config:system:set trusted_domains 2
--value=example.com
System config value trusted_domains => 2 set to string example.com

sudo -u www-data php occ config:system:get trusted_domains
localhost
nextcloud.local
example.com

EDIT TO ADD:
Also had to add the reverse proxy ip to the trusted_proxies list via the same command format as for trusted_domains.

This made the original warning in the nextcloud dashboard go away, there is still one about the trusted proxies but it appears to be safe to ignore.

[Cadish]

Anyone found another solution to this already? Also having the issue with only 1 domain set

[rmelotte]

I believe the issue is also visible when at installation, when the container starts for the first time:

app_1  | Setting trusted domains…
app_1  | sh: 1: Syntax error: Unterminated quoted string

[steljwagh]

This issue took me a couple of hours without any solution.

The environment variable NEXTCLOUD_TRUSTED_DOMAINS is useless, it is not populated into the config.php

[fyears]

i also encounter the same issue in may 2024. it seems the trusted domain is completely ignore

[joshtrichards]

There are differences in handling of environment variables across Docker Compose versions unfortunately.

docker/compose#8763 (comment)

I suspect that's part of these reports the last couple years.

There are also other factors like shell interpretation, if using -e via docker run.

The original PR #500 used \ in the example to escape the space when the list was provided at the command line.

If you're still having problems with NEXTCLOUD_TRUSTED_DOMAINS today please share:

• precisely (details matter) how you're providing the variable to Docker
• Docker Compose version
• Docker version

[joshtrichards]

i also encounter the same issue in may 2024. it seems the trusted domain is completely ignore

It's definitely not ignored. I used it daily. :-)

But only works at installation time (once).

Please post details of your situation if it's not working. If there is a bug, can't be fixed if we can't reproduce it. For that we need specifics.

[BornToBeRoot]

@joshtrichards the problem is not related to docker. Nextcloud doesn't handle the environment variables properly.

The environment variables work at installation (for the first time), but changes afterwards to this is ignored. Either you make it clear that it's only for installation or you need to handle updates to this variables.

However, in temporary environments with Kubernetes, for example, it should be possible to set (and adjust) such settings dynamically via environment variables. It's doesn't make sense when you define everything as code via something like terraform, deploy it to kubernetes and than you need to manually adjust the config.php file.

Pi-hole (Docker) for example will adjust the config based on the environment variables on each time the container starts.

https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#environment-variables

EDIT: It should be possible to set every setting in nextcloud via environment variable (or with a terraform provider 😄 - which unfortunately does not yet exist)

[joshtrichards]

The environment variables work at installation (for the first time), but changes afterwards to this is ignored. Either you make it clear that it's only for installation or you need to handle updates to this variables.

That is a different discussion. Or at least I thought it was. :-) I thought this issue was about the NEXTCLOUD_TRUSTED_DOMAIN not working at installation time for some of you? Most of the Docker specific variables are installation only. That's similar to other containers, such as the MariaDB one: https://mariadb.com/kb/en/mariadb-server-docker-official-image-environment-variables/

Post-installation Server itself supports NC_* variables. They override all (well, most) config.php entries. Though it's never been particularly encouraged upstream though. See #1544 (comment) (among others).

As for the Docker variables being for installation time, there are a few spots that's noted, but it sounds like it could be clearer. Feel free to suggest where or submit a PR with the changes. This is a community project.

[BornToBeRoot]

The initial issue from ~2 years ago was that NEXTCLOUD_TRUSTED_DOMAIN is not set correct.

The comment from today (making it configurable via variables - or something like a Terraform Provider) is a different discussion. These were just my thoughts on the subject because my requirements have changed since then -.-

[fyears]

i also encounter the same issue in may 2024. it seems the trusted domain is completely ignore

It's definitely not ignored. I used it daily. :-)

But only works at installation time (once).

Please post details of your situation if it's not working. If there is a bug, can't be fixed if we can't reproduce it. For that we need specifics.

@joshtrichards

more details

I already have a Caddy in front of me, so I would like to use caddy to reverse proxy my nextcloud docker, which requires me setting up trusted domain(s).

I am a newbie to docker and nextcloud.

first try - failed

In host machine's bash, I try the "most simple" command here:

sudo docker run \
  -p 8080:80 \
  -e NEXTCLOUD_TRUSTED_DOMAINS=example.com \
  nextcloud

Go to http://localhost:8080 , the installation page is shown. I set up a username and password, and use the default sqlite.

After the installation completes, in the host machine, I go inside docker machine to check whether the domain is configured.

sudo docker ps
# so that I can find out the container id

sudo docker exec -it $containerid bash
## /var/www/html

cat config/config.php
## ...
## 'trusted_domains' => 
##   array (
##     0 => 'localhost:8080',
##   ),
## ...

second try - succeeded

In host machine's bash:

sudo docker run \
  -p 8080:80 \
  -e NEXTCLOUD_TRUSTED_DOMAINS=example.com \
  -e SQLITE_DATABASE=nextcloudsqlitedb \
  -e NEXTCLOUD_ADMIN_USER=admin1 \
  -e NEXTCLOUD_ADMIN_PASSWORD=123456 \
  nextcloud

Then I go to http://localhost:8080/, I am redirected to http://localhost:8080/login , skipping the installation page. And I can use admin1 and 123456 to directly login.

Go inside docker to check the config:

sudo docker ps
# so that I can find out the container id

sudo docker exec -it $containerid bash
## /var/www/html
cd config/
cat config.php
## ...
##  'trusted_domains' => 
##  array (
##    0 => 'localhost',
##    1 => 'example.com',
##  ),
## ...

As we can see, the domain is successfully injected into config.php this time.

My thoughts

So obviously showing up installation page or not makes a difference. A reasonable guess is that during the manual installation, maybe the environment variable is lost or the config.php is re-written. So to make it working, a database setting and username and password must be combined with NEXTCLOUD_TRUSTED_DOMAINS. I don't do further investigation though.

It seems that user @BornToBeRoot is saying the same thing in the above comment?

Maybe I am skimming the readme too fast, but maybe it's better to emphasize this "trick" in bold font in the readme file.

[aliuq]

Is /var/www/html bound? I also encountered this problem. From the above answer, I guess that config/config.php has not been changed. In my case, NEXTCLOUD_TRUSTED_DOMAINS was not added for the first time. At this time, the html already existed locally. When NEXTCLOUD_TRUSTED_DOMAINS was added later, the configuration in the html would not be modified.

Just modify trusted_domains in config/config.php

[joshtrichards]

NEXTCLOUD_TRUSTED_DOMAINS must be accompanied by NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD. This is currently expected behavior, but the docs need clean-up.

Work in progress in #2224

[nhohung]

NEXTCLOUD_TRUSTED_DOMAINS must be accompanied by NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD. This is currently expected behavior, but the docs need clean-up.
Work in progress in #2224

Hi, I've been accessing my Nextcloud service (version 27) from the external domain without problem until today tried to log in from my local network and found the same issue: the config.php only took the first trusted_domains value (which is my domain), and completely ignored my other local entries.

I reinstalled the latest Nextcloud docker version (version 29.0.1.1), defining NEXTCLOUD_TRUSTED_DOMAINS along side with NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD (see docker-compose.yml below). I notice the first initialization I can access the admin account creation page both locally and from my domain, but after setting that up, the config.php file only has one entry.

Any idea why?

• Docker version: 20.10.5
• Docker compose version: 1.25.0
• Variable passing:

version: "3.7"
services:
  nextcloud:
    image: nextcloud:latest
    restart: unless-stopped
    networks:
      - nextcloud
      - t2_proxy
    ports:
      - 8180:80
    volumes:
      - ./data:/var/www/html
    environment:
      REDIS_HOST: nc-redis
      NEXTCLOUD_TRUSTED_DOMAINS: localhost $NEXTCLOUD_DOMAIN_NAME 192.168.1.112 192.168.1.123 172.27.0.2 127.0.0.1 # I put everything I can think of into the list
      TRUSTED_PROXIES: 172.27.0.2
      OVERWRITEPROTOCOL: https
      NEXTCLOUD_ADMIN_USER: admin
      NEXTCLOUD_ADMIN_PASSWORD: admin_pass
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.rule=Host(`$NEXTCLOUD_DOMAIN_NAME`)"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.middlewares=chain-nextcloud@file" # No Authentication
      - "traefik.http.routers.nextcloud.service=nextcloud"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"

[superstes]

Greetings!

I too have hit this issue.

NextCloud works if I connect over the IP. But the supplied hostname is ignored.

Docker-ce: 5:27.0.2-1
Docker-compose-plugin: 2.28.1-1

CONFIG:

networks:
  nextcloud:
    driver: 'bridge'

services:
  mariadb:
    container_name: 'nextcloud-db'
    hostname: 'db'
    image: 'mariadb:lts'
    env_file: "/etc/nextcloud/db.env"
    volumes:
      - '/var/lib/nextcloud:/var/lib/mysql'
    ports:
      - '127.0.0.1:3306:3306'
    restart: always
    networks:
      - 'nextcloud'

  nextcloud:
    container_name: 'nextcloud'
    hostname: 'nextcloud'
    image: 'nextcloud:28.0.7'
    env_file: "/etc/nextcloud/nextcloud.env"
    volumes:
      - '/data/nextcloud:/var/www/html'
    ports:
      - '127.0.0.1:8080:80'
    restart: 'always'
    networks:
      - 'nextcloud'

# nextcloud.env
NEXTCLOUD_TRUSTED_DOMAINS=cloud.sub.domain.tld 192.168.1.100
# NOTE: I also tried to supply the trusted-domains in quotes

NEXTCLOUD_ADMIN_USER=admin
NEXTCLOUD_ADMIN_PASSWORD=<SECRET>
MYSQL_HOST=db
MYSQL_DATABASE=nextcloud
MYSQL_USER=nextcloud
MYSQL_PASSWORD=<SECRET>

---

RUN:

docker compose -f /etc/nextcloud/docker-compose.yml up -d

---

RESULT:

cat /data/nextcloud/config/config.php 
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'upgrade.disable-web' => true,
  'instanceid' => '<ID>',
  'passwordsalt' => '<SECRET>',
  'secret' => '<SECRET>',
  'trusted_domains' => 
  array (
    0 => '192.168.1.100',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '28.0.7.4',
  'overwrite.cli.url' => 'http://192.168.1.100',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '<SECRET>',
  'installed' => true,
);

EDIT:
I'll try to reproduce the issue the next few days and report back if it happens on the first run.
But I don't see why this is not handled by the entrypoint script.

Wouldn't this be enough? (see entrypoint.sh)

# check for existing domains and append new ones
NC_EXISTING_DOMAINS="$(php /var/www/html/occ config:system:get trusted_domains | tr -d '\n')"
NC_DOMAIN_START_IDX="$(echo "$NC_EXISTING_DOMAINS" | wc -w)"
NC_TRUSTED_DOMAIN_IDX=1

for DOMAIN in $NEXTCLOUD_TRUSTED_DOMAINS ; do
    if echo "$NC_EXISTING_DOMAINS" | grep -qv "$DOMAIN"; then
      DOMAIN=$(echo "$DOMAIN" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
      DOMAIN_IDX=$((NC_DOMAIN_START_IDX+NC_TRUSTED_DOMAIN_IDX))
      # echo "php /var/www/html/occ config:system:set trusted_domains $DOMAIN_IDX --value=$DOMAIN"
      run_as "php /var/www/html/occ config:system:set trusted_domains $DOMAIN_IDX --value=$DOMAIN"
      NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1))
    fi
done

The grep -qv is not perfect and may lead to some false-positive excludes if a parent domain for a sub-domain is added. But that is an edge-case.

---

EDIT2:

Just realized the occ config:system:set trusted_domains actually overrides existing entries. So the current block might just work 1-to-1 for updating these domains.
It might just be enough to move it outside the 'install' block.

[joshtrichards]

@nhohung wrote:

I reinstalled the latest Nextcloud docker version (version 29.0.1.1), defining NEXTCLOUD_TRUSTED_DOMAINS along side with NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD (see docker-compose.yml below). I notice the first initialization I can access the admin account creation page both locally and from my domain, but after setting that up, the config.php file only has one entry.

Your Compose lacks the db variables so auto configuration cannot run. The NEXTCLOUD_TRUSTED_DOMAINS is configured after the non-web installer runs. Since you're not specifying enough variables for a full auto-configuration, the NEXTCLOUD_TRUSTED_DOMAINS variable is being ignored, as expected, and the web installer is running.

@superstes wrote:

Just realized the occ config:system:set trusted_domains actually overrides existing entries. So the current block might just work 1-to-1 for updating these domains.
It might just be enough to move it outside the 'install' block.

NEXTCLOUD_TRUSTED_DOMAINS is only used at installation time. If you want to change it - or any config parameter after install time and you don't wish to do so manually - you can use auto-config hooks. In theory it could be moved outside the install block, but I fear it would be a serious breaking change. There are many environments out there already that have manually adjusted their trusted_domains via their config.php and suddenly having their "install time only" variables take priority would cause some problems.

[BestaBes]

for all who are interested how i solved this issue. i just mounted the location on local files in volumes. i can easy just edit the local file and update the container. easy going

    volumes:
      - ./config:/var/www/html/config:z

Just run the docker compose, go to web login of your nextcloud, create an admin user and select your apps, after using the wizards your config files will be written.
use vim on your local machine (you maybe need sudo), edit the config/config.php file, run docker-compose up -d again to update the instance. done.
you don't need to take the container down. works just fine. i'm using this with nxings proxy manager.

Here my files.

nexcloud docker-compose.yml

version: '3.8'

services:
  db:
    image: postgres:alpine
    restart: always
    volumes:
      - nxc-db1:/var/lib/postgresql/data:Z
    env_file:
      - db.env
  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:apache
    restart: always
    ports:
      - 8080:80
    volumes:
      - nxc-app1:/var/www/html:z
      - ./config:/var/www/html/config:z
    environment:
      - POSTGRES_HOST=db
      - REDIS_HOST=redis
    env_file:
      - db.env
    depends_on:
      - db
      - redis
  cron:
    image: nextcloud:apache
    restart: always
    volumes:
      - nxc-app1:/var/www/html:z
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

volumes:
  nxc-db1:
  nxc-app1:

db.env File

POSTGRES_PASSWORD=mypassword
POSTGRES_DB=nextcloud
POSTGRES_USER=myuser

nginx proxy manager docker-compose.yml

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port default admin@example.com changeme
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

[joshtrichards]

Closing since this is a documentation improvement matter at this point, which is covered elsewhere.