Nextcloud image should bind port to 127.0.0.1:40000:80 instead of 40000:80

The Nextcloud container is directly accessible from outside, i.e. it is possible to bypass the proxy (Apache).

  1. Your Nextcloud image binds port 80 to 0.0.0.0:40000
  2. IPTables is bypassed because Docker by default creates rules as early as nat PREROUTING

For instance, I’m able to access https://ucs.domain.tld/nextcloud/login but also http://ipserver:40000/nextcloud/login

An easy way to fix that is to bind the port to the loopback address 127.0.0.1:

ports:
 - 127.0.0.1:40000:80
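
A check for the binding problem described in the post, as an added example that is not part of the original post or of the Nextcloud app: it classifies compose short-syntax `ports:` entries by the host address they publish on. The function names and the sample entries are constructed for illustration, and it assumes the Docker daemon's default publish address (all interfaces) when an entry names no host IP.

```python
import ipaddress
from typing import List, Optional


def published_host_ip(port_spec: str) -> Optional[str]:
    """Return the host IP named in a short-syntax port entry, or None.

    None means the entry gives no host IP, so Docker publishes the port
    on all interfaces (assumption: default daemon configuration).
    """
    spec = port_spec.strip().split("/", 1)[0]   # drop a "/tcp" or "/udp" suffix
    if spec.startswith("["):                    # bracketed IPv6, e.g. [::1]:40000:80
        host, _, _ = spec[1:].partition("]")
        return host
    parts = spec.split(":")
    if len(parts) == 3:                         # ip:host_port:container_port
        return parts[0]
    return None                                 # host_port:container_port, or container_port only


def is_exposed(port_spec: str) -> bool:
    """True when the entry is reachable on something other than loopback."""
    host = published_host_ip(port_spec)
    if not host:
        return True
    return not ipaddress.ip_address(host).is_loopback


def audit(ports: List[str]) -> List[str]:
    """Return the entries that bypass a reverse proxy on the same host."""
    return [p for p in ports if is_exposed(p)]


# Constructed sample entries, including the two forms from the post.
SAMPLE_PORTS = [
    "40000:80",                 # the binding the post reports
    "0.0.0.0:40000:80",         # same thing, written explicitly
    "127.0.0.1:40000:80",       # the fix the post proposes
    "[::1]:40000:80",           # IPv6 loopback
    "80",                       # container port only: random host port, all interfaces
    "127.0.0.1:40000:80/tcp",   # fix with an explicit protocol
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PORTS):
        print("published beyond loopback:", entry)
```
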