From f4af177a693c215226815ff025b97494a6ddff12 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 17 Nov 2018 15:41:43 -0500 Subject: [PATCH 01/62] Experimental setup with dedicated httpd service --- templates/Nextcloud/0/docker-compose.yml | 70 +++++++++++++++-------- templates/Nextcloud/0/rancher-compose.yml | 10 +--- 2 files changed, 47 insertions(+), 33 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 3e6b8b5..2617cb0 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -1,8 +1,48 @@ version: '2' services: + httpd: + image: httpd:alpine + dns: + - 1.1.1.1 + - 1.0.0.1 + labels: + io.rancher.container.pull_image: always + {{- if .Values.HOST_LABEL}} + io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} + {{- end}} + {{- if .Values.TRAEFIK_HOST}} + traefik.enable: true + traefik.frontend.rule: Host:${TRAEFIK_HOST} + traefik.frontend.entryPoints: http # ,https + # traefik.frontend.headers.forceSTSHeader: true + # traefik.frontend.headers.SSLRedirect: true + # traefik.frontend.headers.STSPreload: true + # traefik.frontend.headers.STSSeconds: 15552000 + traefik.port: "80" + {{- else}} + traefik.enable: false + {{- end}} + links: + - mysql + - nextcloud + {{- if eq .Values.REDIS "true"}} + - redis + {{- end}} + networks: + - public-proxy + ports: + - "${WEB_PORT}:80" + restart: on-failure + volumes: + - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs + - /RancherCattleConfig/${DATA_DIR}/httpd:/usr/local/apache2/conf + - /RancherCattleData/${DATA_DIR}/Application:/var/www/html + - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql + - /RancherCattleData/${DATA_DIR}/UserData:/var/www/html/data + nextcloud: - image: nextcloud:stable-apache + image: nextcloud:fpm-alpine dns: - 1.1.1.1 - 1.0.0.1 
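Review bot: The new httpd service mounts the MySQL data directory, `/RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql`, into the web-server container, which has no use for the raw database files and should not be able to read or write them; patch 02 of this series drops that line, so the fix belongs in this commit. The same hunk narrows the Traefik frontend to `traefik.frontend.entryPoints: http # ,https` and comments out the SSLRedirect and HSTS labels that the nextcloud service carried before (removed in the second hunk), so until patch 12 restores them the stack is served over plain HTTP through the proxy. `volumes-from:` in the second and third hunks is not a Compose key (the key is `volumes_from`, corrected in patch 03), and the third hunk leaves mysql with a bare `volumes:` key that has no entries, so the database loses its persistent directory until patch 02 puts it back.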
@@ -18,31 +58,11 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - {{- if .Values.TRAEFIK_HOST}} - traefik.enable: true - traefik.frontend.rule: Host:${TRAEFIK_HOST} - traefik.frontend.entryPoints: http,https - traefik.frontend.headers.forceSTSHeader: true - traefik.frontend.headers.SSLRedirect: true - traefik.frontend.headers.STSPreload: true - traefik.frontend.headers.STSSeconds: 15552000 - traefik.port: "80" - {{- else}} - traefik.enable: false - {{- end}} - links: - - mysql - {{- if eq .Values.REDIS "true"}} - - redis - {{- end}} networks: - public-proxy - ports: - - "${WEB_PORT}:80" restart: on-failure - volumes: - - /RancherCattleData/${DATA_DIR}/Application:/var/www/html - - /RancherCattleData/${DATA_DIR}/UserData:/var/www/html/data + volumes-from: + - httpd mysql: image: mysql:5 dns: @@ -60,7 +80,9 @@ services: {{- end}} restart: on-failure volumes: - - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql + + volumes-from: + - httpd {{- if eq .Values.REDIS "true"}} redis: image: redis:latest diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index caa7a47..0f52a7b 100644 --- a/templates/Nextcloud/0/rancher-compose.yml +++ b/templates/Nextcloud/0/rancher-compose.yml @@ -77,20 +77,12 @@ catalog: label: "Data Directory" description: | The directory to store persistent data for the stack. - default: "Personal/Nextcloud" + default: "Personal/Nextcloud-Experimental" required: true type: string services: nextcloud: scale: 1 -# health_check: -# port: ${HOST_HTTP_PORT} -# request_line: GET /healthcheck HTTP/1.0 -# interval: 5000 -# response_timeout: 2000 -# healthy_threshold: 2 -# unhealthy_threshold: 3 -# strategy: none mysql: scale: 1 \ No newline at end of file From 9c569fb8f2ebb3ed14a55506ebd72be092c1453c Mon Sep 17 00:00:00 2001 
From: WilliamMiceli Date: Sat, 17 Nov 2018 15:52:07 -0500 Subject: [PATCH 02/62] Fixed volumes config --- templates/Nextcloud/0/docker-compose.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 2617cb0..7e52263 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -38,9 +38,7 @@ services: - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs - /RancherCattleConfig/${DATA_DIR}/httpd:/usr/local/apache2/conf - /RancherCattleData/${DATA_DIR}/Application:/var/www/html - - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql - /RancherCattleData/${DATA_DIR}/UserData:/var/www/html/data - nextcloud: image: nextcloud:fpm-alpine dns: @@ -80,9 +78,7 @@ services: {{- end}} restart: on-failure volumes: - - volumes-from: - - httpd + - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql {{- if eq .Values.REDIS "true"}} redis: image: redis:latest From 1f43a8bf061cd9fd7568bc33be9645bb2c87021a Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 17 Nov 2018 16:10:07 -0500 Subject: [PATCH 03/62] Fixed volumes_from and ports --- templates/Nextcloud/0/docker-compose.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 7e52263..23aae6e 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -19,7 +19,7 @@ services: # traefik.frontend.headers.SSLRedirect: true # traefik.frontend.headers.STSPreload: true # traefik.frontend.headers.STSSeconds: 15552000 - traefik.port: "80" + traefik.port: "9000" {{- else}} traefik.enable: false {{- end}} @@ -32,7 +32,7 @@ services: networks: - public-proxy ports: - - "${WEB_PORT}:80" + - "${WEB_PORT}:9000" restart: on-failure volumes: - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs 
@@ -59,7 +59,7 @@ services: networks: - public-proxy restart: on-failure - volumes-from: + volumes_from: - httpd mysql: image: mysql:5 From 79f02f75c28473129170c15f977cbfaf6ae9d3a4 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 17 Nov 2018 16:15:51 -0500 Subject: [PATCH 04/62] Added sidekicks label --- templates/Nextcloud/0/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 23aae6e..c28258e 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -11,6 +11,7 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} + io.rancher.sidekicks: nextcloud {{- if .Values.TRAEFIK_HOST}} traefik.enable: true traefik.frontend.rule: Host:${TRAEFIK_HOST} From 6d00a8667bf20b9125fa6b7dda2bfd480ff856d7 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 17 Nov 2018 16:27:20 -0500 Subject: [PATCH 05/62] Use default httpd.conf --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index c28258e..1e54d59 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -37,7 +37,7 @@ services: restart: on-failure volumes: - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs - - /RancherCattleConfig/${DATA_DIR}/httpd:/usr/local/apache2/conf +# - /RancherCattleConfig/${DATA_DIR}/httpd:/usr/local/apache2/conf - /RancherCattleData/${DATA_DIR}/Application:/var/www/html - /RancherCattleData/${DATA_DIR}/UserData:/var/www/html/data nextcloud: From 6bf6daa2a32ffefe51755df824da7b5ae82aca4e Mon Sep 17 00:00:00 2001 
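Review bot: Commenting out the `/usr/local/apache2/conf` mount (patch 05) leaves the stock `httpd.conf` of the `httpd:alpine` image serving `/usr/local/apache2/htdocs`, where the Nextcloud application tree is mounted, and that image ships no PHP or proxy_fcgi handler as far as I know; with the default configuration `.php` files under the document root are returned as plain text, including `config/config.php`, which holds the database credentials and the instance secret. If the custom config is not ready yet, the safer interim is to keep the conf mount and ship a minimal `httpd.conf` that hands `.php` requests to the FPM container on `nextcloud:9000` and denies `config/`, `data/` and the other paths Nextcloud's reference web-server configs block. Confirm the lack of a PHP handler against the image's own `httpd.conf` before merging either way.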
From: WilliamMiceli Date: Sat, 17 Nov 2018 16:38:31 -0500 Subject: [PATCH 06/62] Trying different port --- templates/Nextcloud/0/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 1e54d59..27650ee 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -20,7 +20,7 @@ services: # traefik.frontend.headers.SSLRedirect: true # traefik.frontend.headers.STSPreload: true # traefik.frontend.headers.STSSeconds: 15552000 - traefik.port: "9000" + traefik.port: "80" {{- else}} traefik.enable: false {{- end}} @@ -33,7 +33,7 @@ services: networks: - public-proxy ports: - - "${WEB_PORT}:9000" + - "${WEB_PORT}:80" restart: on-failure volumes: - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs From a1a044e5fbf1aa238e7a71b5a0821ba0e64e144d Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 17 Nov 2018 17:33:09 -0500 Subject: [PATCH 07/62] Added exposed port to test PHP-FPM --- templates/Nextcloud/0/docker-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 27650ee..7efe1c7 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -52,6 +52,8 @@ services: MYSQL_PASSWORD: ${DB_USER_PASS} NEXTCLOUD_ADMIN_USER: ${NC_ADMIN} NEXTCLOUD_ADMIN_PASSWORD: ${NC_ADMIN_PASS} + expose: + - "9000" labels: io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} From 976eaf0dc9360a6f39baa1b36233efe2abfd1b1e Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Wed, 5 Dec 2018 22:33:41 -0500 Subject: [PATCH 08/62] Sync host timezone --- templates/Nextcloud/0/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 7efe1c7..c7cdd69 100644 
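Review bot: `expose: - "9000"` (patch 07) makes the PHP-FPM FastCGI listener reachable from every container that shares a network with the nextcloud service, and context lines elsewhere in this series show the service attached to the external `public-proxy` network, so containers from other stacks on that network can talk FastCGI to it; the protocol carries no authentication of its own. Only the web-server container needs port 9000, so the nextcloud service should leave `public-proxy` and sit on the stack's default network (or a dedicated internal one) with the httpd service linking to it, as the `links:` entry already does. `expose` does not publish to the host, so host-side exposure is unchanged by this hunk.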
--- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -81,6 +81,7 @@ services: {{- end}} restart: on-failure volumes: + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql {{- if eq .Values.REDIS "true"}} redis: From 99592b61e3a1c0f1be44544ef7406f0a7629afb1 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Wed, 5 Dec 2018 22:42:27 -0500 Subject: [PATCH 09/62] Sync time and timezone with host --- templates/Nextcloud/0/docker-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index c7cdd69..78d3022 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -36,6 +36,8 @@ services: - "${WEB_PORT}:80" restart: on-failure volumes: + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs # - /RancherCattleConfig/${DATA_DIR}/httpd:/usr/local/apache2/conf - /RancherCattleData/${DATA_DIR}/Application:/var/www/html @@ -81,6 +83,7 @@ services: {{- end}} restart: on-failure volumes: + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql {{- if eq .Values.REDIS "true"}} From a83fd33a9603a8b7747a5d6dbffd94889060c0cf Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Thu, 6 Dec 2018 23:36:42 -0500 Subject: [PATCH 10/62] Added Nextcloud security checker --- templates/Nextcloud/0/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
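Review bot: The `/etc/timezone:/etc/timezone:ro` bind mount added in patch 08 assumes the file exists on every host; on hosts that carry only `/etc/localtime` (common on Alpine- and RHEL-family systems) Docker creates an empty directory at that host path and the container sees a directory rather than a timezone name, so check the hosts selected by `io.rancher.scheduler.affinity:host_label` before relying on it. The same pair of mounts is repeated for the nginx and mysql services in the two hunks of patch 09 and for redis in patch 18, so one fix covers all of them. The inline comments also misspell "Synchronize" as `Syncronize`.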
diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index 5a626c5..e0ece46 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md @@ -1 +1,4 @@ -# Nextcloud \ No newline at end of file +# Nextcloud + +### Security Check +https://scan.nextcloud.com/ \ No newline at end of file From 6ebce7c89c77a9c5470575c4fe0f34ce4eafc7d7 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 16:24:51 -0500 Subject: [PATCH 11/62] Added Apache httpd configuration reference --- templates/Nextcloud/0/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index e0ece46..e8fe31d 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md @@ -1,4 +1,8 @@ # Nextcloud ### Security Check -https://scan.nextcloud.com/ \ No newline at end of file +https://scan.nextcloud.com/ + + +### Apache Configuration Reference +https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html? \ No newline at end of file From acca7d3efaf5d31c55e5724ca68ae829b53c1a48 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 19:37:20 -0500 Subject: [PATCH 12/62] Initial complete creation of fpm and alpine setup Many changes --- templates/Nextcloud/0/README.md | 5 +- templates/Nextcloud/0/docker-compose.yml | 101 ++++++++++++---------- templates/Nextcloud/0/rancher-compose.yml | 5 +- 3 files changed, 63 insertions(+), 48 deletions(-) diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index e8fe31d..0d177e1 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md 
@@ -5,4 +5,7 @@ https://scan.nextcloud.com/ ### Apache Configuration Reference -https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html? \ No newline at end of file +https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html? + +### To-Do's +* Explain how to manually setup Redis \ No newline at end of file diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 78d3022..ba2e3a3 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -1,47 +1,6 @@ version: '2' services: - httpd: - image: httpd:alpine - dns: - - 1.1.1.1 - - 1.0.0.1 - labels: - io.rancher.container.pull_image: always - {{- if .Values.HOST_LABEL}} - io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} - {{- end}} - io.rancher.sidekicks: nextcloud - {{- if .Values.TRAEFIK_HOST}} - traefik.enable: true - traefik.frontend.rule: Host:${TRAEFIK_HOST} - traefik.frontend.entryPoints: http # ,https - # traefik.frontend.headers.forceSTSHeader: true - # traefik.frontend.headers.SSLRedirect: true - # traefik.frontend.headers.STSPreload: true - # traefik.frontend.headers.STSSeconds: 15552000 - traefik.port: "80" - {{- else}} - traefik.enable: false - {{- end}} - links: - - mysql - - nextcloud - {{- if eq .Values.REDIS "true"}} - - redis - {{- end}} - networks: - - public-proxy - ports: - - "${WEB_PORT}:80" - restart: on-failure - volumes: - - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattleData/${DATA_DIR}/Application:/usr/local/apache2/htdocs -# - /RancherCattleConfig/${DATA_DIR}/httpd:/usr/local/apache2/conf - - /RancherCattleData/${DATA_DIR}/Application:/var/www/html - - /RancherCattleData/${DATA_DIR}/UserData:/var/www/html/data nextcloud: image: nextcloud:fpm-alpine dns: 
@@ -55,6 +14,7 @@ services: NEXTCLOUD_ADMIN_USER: ${NC_ADMIN} NEXTCLOUD_ADMIN_PASSWORD: ${NC_ADMIN_PASS} expose: + - "80" - "9000" labels: io.rancher.container.pull_image: always @@ -65,14 +25,59 @@ services: - public-proxy restart: on-failure volumes_from: - - httpd + - nginx + nginx: + image: nginx:alpine + dns: + - 1.1.1.1 + - 1.0.0.1 + labels: + io.rancher.container.pull_image: always + {{- if .Values.HOST_LABEL}} + io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} + {{- end}} + io.rancher.sidekicks: nextcloud + {{- if .Values.TRAEFIK_HOST}} + traefik.enable: true + ### Start Web Segment + traefik.frontend.entryPoints: http,https + traefik.frontend.headers.forceSTSHeader: true + traefik.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information) + traefik.frontend.headers.SSLRedirect: true + traefik.frontend.headers.STSPreload: true + traefik.frontend.headers.STSSeconds: 15552000 + traefik.frontend.rule: Host:${TRAEFIK_HOST} + traefik.port: "80" + ### End Web Segment + {{- else}} + traefik.enable: false + {{- end}} + links: + - mysql + - nextcloud + {{- if eq .Values.REDIS "true"}} + - redis + {{- end}} + networks: + - public-proxy + {{- if .Values.WEB_PORT}} + ports: + - "${WEB_PORT}:80" + {{- end}} + restart: on-failure + volumes: + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx + - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html + - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data mysql: image: mysql:5 dns: - 1.1.1.1 - 1.0.0.1 environment: - MYSQL_DATABASE: nextcloud + MYSQL_DATABASE: nextcloud # Will rename this to "nextcloud_db" in the future. MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASS} MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} 
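Review bot: `/RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx` replaces the image's whole configuration directory, so `mime.types`, `fastcgi_params` and `conf.d/` from the image disappear and nginx will not start until every file that `nginx.conf` includes has been copied into that host directory; mounting only the file, `- /RancherCattle/${DATA_DIR}/Configuration/NGINX/nginx.conf:/etc/nginx/nginx.conf:ro`, keeps the image's defaults and stops the web server from being able to rewrite its own configuration. The Traefik label values are also written with mixed types (`traefik.enable: true` and `traefik.frontend.headers.STSSeconds: 15552000` plain, `traefik.port: "80"` quoted); label values are strings, so quoting all of them avoids parser-dependent coercion. The `- "80"` added to `expose` on the nextcloud service in the previous hunk looks inert, since the fpm image listens only on 9000 as far as I know.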
@@ -81,11 +86,15 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} + networks: + db-admin: + aliases: + - nextcloud # This should allow access from "mysql.nextcloud.rancher.internal" restart: on-failure volumes: - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattleData/${DATA_DIR}/Database:/var/lib/mysql + - /RancherCattle/${DATA_DIR}/Database:/var/lib/mysql {{- if eq .Values.REDIS "true"}} redis: image: redis:latest @@ -100,5 +109,7 @@ services: {{- end}} networks: + db-admin: + external: true # Created by phpMyAdmin stack public-proxy: - external: true \ No newline at end of file + external: true # Created by Traefik stack \ No newline at end of file diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index 0f52a7b..ea4de32 100644 --- a/templates/Nextcloud/0/rancher-compose.yml +++ b/templates/Nextcloud/0/rancher-compose.yml @@ -29,9 +29,10 @@ catalog: label: "Web Port" description: | The port to locally access the web interface on. + Leaving this empty will disable opening any port on the host system. default: "10100" - required: true - type: string + required: false + type: int - variable: "DB_ROOT_PASS" label: "MySQL Root Password" From 3b6a342fb1231d90a4ddf3ec88005821ad233081 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 20:23:15 -0500 Subject: [PATCH 13/62] Added pre-configured files --- templates/Nextcloud/Resources/README.md | 5 + templates/Nextcloud/Resources/mime.types | 48 +++++++++ templates/Nextcloud/Resources/nginx.conf | 119 +++++++++++++++++++++++ 3 files changed, 172 insertions(+) create mode 100644 templates/Nextcloud/Resources/README.md create mode 100644 templates/Nextcloud/Resources/mime.types create mode 100644 templates/Nextcloud/Resources/nginx.conf 
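Review bot: Attaching mysql to the external `db-admin` network with alias `nextcloud` makes the database reachable from every container of every stack on that network, guarded only by `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD`; that is a wider exposure than the `links` the nextcloud service uses, and the inline comment `# This should allow access from "mysql.nextcloud.rancher.internal"` reads as a guess rather than a verified behaviour. If phpMyAdmin is the only intended client, say so in the comment and confirm the name actually resolves; any other stack later joined to `db-admin` inherits this access, so the network should stay limited to admin tooling and that constraint should be recorded here.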
diff --git a/templates/Nextcloud/Resources/README.md b/templates/Nextcloud/Resources/README.md new file mode 100644 index 0000000..1f24674 --- /dev/null +++ b/templates/Nextcloud/Resources/README.md @@ -0,0 +1,5 @@ +# Default Configured Files +nginx.conf and mime.types to be put in the Configuration/NGINX directory. + +Included nginx.conf has only a few minor tweaks from the one located here: +https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx \ No newline at end of file diff --git a/templates/Nextcloud/Resources/mime.types b/templates/Nextcloud/Resources/mime.types new file mode 100644 index 0000000..62bd4b6 --- /dev/null +++ b/templates/Nextcloud/Resources/mime.types 
@@ -0,0 +1,48 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml rss; + image/gif gif; + image/jpeg jpeg jpg; + application/x-javascript js; + text/plain txt; + text/x-component htc; + text/mathml mml; + image/png png; + image/x-icon ico; + image/x-jng jng; + image/vnd.wap.wbmp wbmp; + application/java-archive jar war ear; + application/mac-binhex40 hqx; + application/pdf pdf; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/zip zip; + application/octet-stream deb; + application/octet-stream bin exe dll; + application/octet-stream dmg; + application/octet-stream eot; + application/octet-stream iso img; + application/octet-stream msi msp msm; + audio/mpeg mp3; + audio/x-realaudio ra; + video/mpeg mpeg mpg; + video/quicktime mov; + video/x-flv flv; + video/x-msvideo avi; + video/x-ms-wmv wmv; + video/x-ms-asf asx asf; + video/x-mng mng; +} \ No newline at end of file diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf new file mode 100644 index 0000000..c6fd4ad --- /dev/null +++ b/templates/Nextcloud/Resources/nginx.conf 
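Review bot: This trimmed `mime.types` lacks entries the `nginx.conf` in the same patch depends on: there is no `svg`, `json`, `woff` or `woff2` line, so those files fall back to `default_type application/octet-stream`, and with `X-Content-Type-Options nosniff` set on the asset location browsers refuse to render SVGs served that way. The `gzip_types` list and the `\.(?:css|js|woff2?|svg|gif)$` cache location in nginx.conf both assume these types exist. Either keep the image's full `mime.types` or add at least the lines below; `application/javascript js;` is also the current registered type, though `application/x-javascript` still works.
```nginx
types {
    # … unchanged: existing entries …
    image/svg+xml    svg svgz;
    application/json json;
    font/woff        woff;
    font/woff2       woff2;
}
```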
@@ -0,0 +1,119 @@ +user www-data; +worker_processes 4; ## Default: 1 +# worker_rlimit_nofile 8192; + +#error_log /var/log/nginx/error.log warn; +#pid /var/run/nginx.pid; + +events { + worker_connections 1024; ## Default: 1024 +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; +# access_log /var/log/nginx/access.log main; + sendfile on; + tcp_nopush on; +# keepalive_timeout 65; + upstream php-handler { + server nextcloud:9000; + } + server { + listen 80; + server_name _; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/nextcloud/; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + + # set max upload size + client_max_body_size 1G; # Previous: "512M" + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + location / { + rewrite ^ /index.php$request_uri; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + # fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + # Adding the cache control header for js and css files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + + # Optional: Don't log access to assets + access_log off; + } + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } + } +} \ No newline at end of file From de7a4cec8e0b4162d63325e98827be7a8b6b0784 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 20:23:38 -0500 Subject: [PATCH 14/62] Various minor additions --- templates/Nextcloud/0/docker-compose.yml | 8 +++++--- templates/Nextcloud/0/rancher-compose.yml | 10 ++-------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index ba2e3a3..398c47c 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -68,9 +68,11 @@ services: volumes: - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx - - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html - - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data + - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files + - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files + - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps + - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site + - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: image: mysql:5 dns: 
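Review bot: The server-level security-header block from the Nextcloud reference config is missing: `add_header X-Content-Type-Options nosniff;` and its companions appear only inside the `\.(?:css|js|woff2?|svg|gif)$` location, whose comment "duplicated to the ones above" refers to a block this file does not have, while `fastcgi_param modHeadersAvailable true;` tells Nextcloud that the web server is sending those headers, so PHP responses end up without them from either side. Add the block at `server` level as shown below, or drop `modHeadersAvailable` so Nextcloud emits them itself; the copy inside the asset location must stay because `add_header` in a location replaces the inherited set. `X-Frame-Options` is part of the reference block and is absent from this file entirely.
```nginx
server {
    listen 80;
    # … unchanged: server_name, fastcgi_hide_header, root …

    # Security headers for every response; the css/js location below repeats
    # them because add_header inside a location replaces the inherited set.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Referrer-Policy no-referrer;

    # … unchanged: robots.txt, well-known, upload size, gzip, location blocks …
```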
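Review bot: With `volumes_from: - nginx` on the nextcloud service (patch 14), every directory listed here is writable in both containers, so the nginx worker, which only has to read static files, gets write access to `config/` (database credentials and instance secret), `custom_apps/` and the users' `data/`. Declaring these volumes on the nextcloud service and giving nginx `volumes_from: - nextcloud:ro` would keep Nextcloud writable while making the web server's view read-only; the `:ro` suffix on `volumes_from` is standard Compose v2 syntax, but confirm Rancher Cattle honours it inside a sidekick group before relying on it. The trailing comment `# Users' data file` should read `# Users' data files`.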
diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index ea4de32..f9dbd1e 100644 --- a/templates/Nextcloud/0/rancher-compose.yml +++ b/templates/Nextcloud/0/rancher-compose.yml @@ -78,12 +78,6 @@ catalog: label: "Data Directory" description: | The directory to store persistent data for the stack. - default: "Personal/Nextcloud-Experimental" + default: "Personal-Experimental/Nextcloud" required: true - type: string - -services: - nextcloud: - scale: 1 - mysql: - scale: 1 \ No newline at end of file + type: string \ No newline at end of file From e09274940af325e91db2cd238e2af04e4afe4bc0 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 21:43:40 -0500 Subject: [PATCH 15/62] Made a few minor adjustments; added fastcgi.conf --- templates/Nextcloud/Resources/fastcgi.conf | 21 +++++++++++++++++++++ templates/Nextcloud/Resources/nginx.conf | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 templates/Nextcloud/Resources/fastcgi.conf diff --git a/templates/Nextcloud/Resources/fastcgi.conf b/templates/Nextcloud/Resources/fastcgi.conf new file mode 100644 index 0000000..c2f509a --- /dev/null +++ b/templates/Nextcloud/Resources/fastcgi.conf 
@@ -0,0 +1,21 @@ +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +fastcgi_index index.php; + +fastcgi_param REDIRECT_STATUS 200; \ No newline at end of file diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf index c6fd4ad..b99a1d0 100644 --- a/templates/Nextcloud/Resources/nginx.conf +++ b/templates/Nextcloud/Resources/nginx.conf @@ -69,7 +69,7 @@ http { } location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; - include fastcgi_params; + include fastcgi.conf; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; # fastcgi_param HTTPS on; From e51618802f0034226a2bfe2c4a62d1839f7ba85d Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 21:44:12 -0500 Subject: [PATCH 16/62] Changed back to string, as int was unnecessary --- templates/Nextcloud/0/rancher-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index f9dbd1e..5158688 100644 --- a/templates/Nextcloud/0/rancher-compose.yml 
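Review bot: This file omits the `fastcgi_param HTTPS $https if_not_empty;` and `fastcgi_param REQUEST_SCHEME $scheme;` lines that nginx's stock `fastcgi.conf` carries, and since TLS terminates at Traefik (`traefik.frontend.headers.SSLRedirect: true` in the compose file) nginx only ever sees HTTP anyway, so Nextcloud will build `http://` URLs and treat sessions as insecure unless `overwriteprotocol` is set to `https` in `config.php`; that setting should be documented with this stack. For the same reason `fastcgi_param REMOTE_ADDR $remote_addr;` delivers Traefik's address for every request, so Nextcloud's login throttling and its logs key on the proxy instead of the real client until `trusted_proxies` and `forwarded_for_headers` are configured. Note also that the `include fastcgi.conf;` introduced in the nginx.conf hunk of this patch resolves relative to `/etc/nginx`, so this file has to be copied into the mounted `Configuration/NGINX` directory, which the Resources README does not mention.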
+++ b/templates/Nextcloud/0/rancher-compose.yml @@ -32,7 +32,7 @@ catalog: Leaving this empty will disable opening any port on the host system. default: "10100" required: false - type: int + type: string - variable: "DB_ROOT_PASS" label: "MySQL Root Password" From fe696b4679aa495f49d693c15d625caf50c41031 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 21:44:31 -0500 Subject: [PATCH 17/62] Testing without alpine, may not be possible to use --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 398c47c..e250bde 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -27,7 +27,7 @@ services: volumes_from: - nginx nginx: - image: nginx:alpine + image: nginx:latest # :alpine dns: - 1.1.1.1 - 1.0.0.1 From 8e87382743499eae04064ee568eea668e9c82d68 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 21:57:17 -0500 Subject: [PATCH 18/62] Added some comments --- templates/Nextcloud/0/docker-compose.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index e250bde..4c16d3b 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -3,7 +3,7 @@ version: '2' services: nextcloud: image: nextcloud:fpm-alpine - dns: + dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 environment: @@ -27,8 +27,8 @@ services: volumes_from: - nginx nginx: - image: nginx:latest # :alpine - dns: + image: nginx:latest # Can't use ":alpine" until I have a way to get the "www-data" user added automatically. (Project for another time) + dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 labels: 
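Review bot: `image: nginx:latest` (patch 17) combined with `io.rancher.container.pull_image: always` means every redeploy pulls whatever `latest` points at that day, so the web server can change major version without any change in this repository; pin a specific version tag and ideally an `@sha256:` digest, and make upgrades explicit commits. The same applies to `redis:latest` further down the file. The `# :alpine` reminder is fine, but it is worth recording in the comment that the only blocker is the `user www-data;` line in the mounted nginx.conf, since nginx itself needs read access only.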
@@ -75,7 +75,7 @@ services: - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: image: mysql:5 - dns: + dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 environment: @@ -100,7 +100,7 @@ services: {{- if eq .Values.REDIS "true"}} redis: image: redis:latest - dns: + dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 labels: @@ -108,6 +108,9 @@ services: io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} restart: on-failure + volumes: + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system {{- end}} networks: From 2d3f943ca5a6854bbe7a5524d16c315ec20f1b97 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 9 Dec 2018 21:57:39 -0500 Subject: [PATCH 19/62] Will continue debugging later --- templates/Nextcloud/Resources/nginx.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf index b99a1d0..861d6e6 100644 --- a/templates/Nextcloud/Resources/nginx.conf +++ b/templates/Nextcloud/Resources/nginx.conf @@ -57,6 +57,10 @@ http { # This module is currently not supported. #pagespeed off; +# Will test later +# error_page 403 /core/templates/403.php; +# error_page 404 /core/templates/404.php; + location / { rewrite ^ /index.php$request_uri; } @@ -67,6 +71,7 @@ http { location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } +############################################################################################################################### Suspected current issue location location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; include fastcgi.conf; From 5568cb360de7b06e464b2018ba47c18a90572fc5 Mon Sep 17 00:00:00 2001 
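Review bot: Typo in both new comments on the redis volumes: `Syncronize` → `Synchronize`. The `/etc/timezone` mount is also worth a caveat: that file is Debian-family specific, and on a host without it a `-v`-style bind mount typically creates an empty directory at the path rather than failing, so I would add `# Host must provide /etc/timezone (Debian/Ubuntu); otherwise Docker mounts an empty directory`.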
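Review bot: The `###…### Suspected current issue location` banner (and the `# Will test later` block in the preceding hunk) is debugging scaffolding committed into a config that is served in production, and it tells the next reader neither what the symptom was nor what was suspected. Either record the actual observation, e.g. `# FIXME: requests for index.php under this location fail with <symptom>; see <tracker-id>`, or keep such notes out of the committed file. If the `error_page` lines are meant to be enabled later, say what currently blocks them.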
From: WilliamMiceli Date: Mon, 10 Dec 2018 14:39:31 -0500 Subject: [PATCH 20/62] Testing changes --- templates/Nextcloud/Resources/fastcgi.conf | 21 --------------- templates/Nextcloud/Resources/fastcgi_params | 27 ++++++++++++++++++++ templates/Nextcloud/Resources/nginx.conf | 17 ++++++++---- 3 files changed, 39 insertions(+), 26 deletions(-) delete mode 100644 templates/Nextcloud/Resources/fastcgi.conf create mode 100644 templates/Nextcloud/Resources/fastcgi_params diff --git a/templates/Nextcloud/Resources/fastcgi.conf b/templates/Nextcloud/Resources/fastcgi.conf deleted file mode 100644 index c2f509a..0000000 --- a/templates/Nextcloud/Resources/fastcgi.conf +++ /dev/null @@ -1,21 +0,0 @@ -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; - -fastcgi_index index.php; - -fastcgi_param REDIRECT_STATUS 200; \ No newline at end of file diff --git a/templates/Nextcloud/Resources/fastcgi_params b/templates/Nextcloud/Resources/fastcgi_params new file mode 100644 index 0000000..14e5ac6 --- /dev/null +++ b/templates/Nextcloud/Resources/fastcgi_params 
@@ -0,0 +1,27 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+fastcgi_param HTTPS $https;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
\ No newline at end of file
diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf
index 861d6e6..82ddf1c 100644
--- a/templates/Nextcloud/Resources/nginx.conf
+++ b/templates/Nextcloud/Resources/nginx.conf
@@ -27,7 +27,7 @@ http {
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
- root /var/www/nextcloud/;
+ root /var/www/html/;
location = /robots.txt {
allow all;
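Review bot: `fastcgi_param HTTPS $https;` here, together with the `# fastcgi_param HTTPS on; # Handled through Traefik` line left commented out in this patch's nginx.conf hunk, leaves PHP with no HTTPS indication when TLS is terminated at Traefik: `$https` is only set when nginx itself served the request over TLS, so Nextcloud builds http:// URLs and, with the `SSLRedirect` label on the front end, can end up in a redirect loop. Nextcloud's supported way to handle a TLS-terminating proxy is in config.php — `'overwriteprotocol' => 'https'` plus the proxy address in `'trusted_proxies'` — and that belongs in the README's first-run steps, or alternatively derive `HTTPS` from the X-Forwarded-Proto header in this file. That Traefik terminates TLS is inferred from the docker-compose.yml labels, not from this file.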
@@ -71,17 +71,24 @@ http {
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
-############################################################################################################################### Suspected current issue location
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- include fastcgi.conf;
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass php-handler;
+ fastcgi_index index.php;
+
+ # include the fastcgi_param setting
+ include fastcgi_params;
+
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
- # fastcgi_param HTTPS on;
+ # fastcgi_param HTTPS on; # Handled through Traefik
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
From bbfe6b3b54d7f912d19ab68bbfd90231466bb195 Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Mon, 10 Dec 2018 15:55:04 -0500
Subject: [PATCH 21/62] Added reminder for future instructions
---
templates/Nextcloud/0/README.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md
index 0d177e1..212758b 100644
--- a/templates/Nextcloud/0/README.md
+++ b/templates/Nextcloud/0/README.md
@@ -7,5 +7,9 @@ https://scan.nextcloud.com/
### Apache Configuration Reference
https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html?
+### Setup trusted domains on first startup
+https://docs.nextcloud.com/server/14/admin_manual/installation/installation_wizard.html#trusted-domains
+
+
### To-Do's
* Explain how to manually setup Redis
\ No newline at end of file
From 4162d8130fcdbd6e7f557e050f4c8b0b5702867c Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Mon, 10 Dec 2018 15:55:30 -0500
Subject: [PATCH 22/62] Fixed a few things; site accessible now; no images yet
---
templates/Nextcloud/Resources/nginx.conf | 55 ++++++++++--------------
1 file changed, 23 insertions(+), 32 deletions(-)
diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf
index 82ddf1c..379e00e 100644
--- a/templates/Nextcloud/Resources/nginx.conf
+++ b/templates/Nextcloud/Resources/nginx.conf
@@ -29,17 +29,6 @@ http {
# Path to the root of your installation
root /var/www/html/;
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
# set max upload size
client_max_body_size 1G; # Previous: "512M"
@@ -53,6 +42,14 @@ http {
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
@@ -61,10 +58,24 @@ http {
# error_page 403 /core/templates/403.php;
# error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/webfinger {
+ return 301 $scheme://$host/public.php?service=webfinger;
+ }
location / {
rewrite ^ /index.php$request_uri;
}
-
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
@@ -85,8 +96,6 @@ http {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
- # fastcgi_param HTTPS on; # Handled through Traefik
- #Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_intercept_errors on;
@@ -101,24 +110,6 @@ http {
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- # have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
# Optional: Don't log access to assets
access_log off;
}
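Review bot: Removing the six `add_header` lines from the `\.(?:css|js|woff2?|svg|gif)$` location (hunk `@@ -101,24 +110,6 @@`) drops those headers from every response it serves: nginx inherits `add_header` from the server level only into locations that define no `add_header` of their own, and this location keeps `add_header Cache-Control "public, max-age=15778463";`, so static assets now go out without X-Content-Type-Options, X-Robots-Tag, Referrer-Policy and the rest. The deleted comment said exactly this ("It is intended to have those duplicated to the ones above"). Moving the block to the server level in hunk `@@ -53,6 +42,14 @@` is fine for the other locations, but the duplicate set must stay in this one (or be re-added alongside the Cache-Control header).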
From 561b808f68cb62662b8b403e1f25b749e65483ba Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Mon, 10 Dec 2018 15:59:22 -0500 Subject: [PATCH 23/62] Removed webfinger --- templates/Nextcloud/Resources/nginx.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf index 379e00e..b7dcd16 100644 --- a/templates/Nextcloud/Resources/nginx.conf +++ b/templates/Nextcloud/Resources/nginx.conf @@ -70,9 +70,6 @@ http { location = /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } - location = /.well-known/webfinger { - return 301 $scheme://$host/public.php?service=webfinger; - } location / { rewrite ^ /index.php$request_uri; } From f3114441d7c96347384baaf159450285c667568a Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Wed, 2 Jan 2019 19:07:05 -0500 Subject: [PATCH 24/62] Updated setup guide --- templates/Nextcloud/0/README.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index 212758b..0ddd721 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md 
@@ -1,15 +1,26 @@ # Nextcloud -### Security Check -https://scan.nextcloud.com/ +## First Run Setup +### Add Your Domain as a Trusted Domain + +[Official Documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/installation_wizard.html#trusted-domains) + +* Open the "config.php" file, located in `/Application/config`. +* Under the "trusted_domains" array, add `1 => 'cloud.williammiceli.systems',`. ### Apache Configuration Reference + https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html? ### Setup trusted domains on first startup + https://docs.nextcloud.com/server/14/admin_manual/installation/installation_wizard.html#trusted-domains +## Useful Tools + +* [Official Security Check](https://scan.nextcloud.com/) + +## To-Do's -### To-Do's * Explain how to manually setup Redis \ No newline at end of file From 8feab78eeb5209a5a99d77e7a341ee502fa2dc4b Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 4 Jan 2019 21:41:33 -0500 Subject: [PATCH 25/62] Ditching using NGINX and added Collabora --- templates/Nextcloud/0/README.md | 12 ++ templates/Nextcloud/0/docker-compose.yml | 70 ++++++---- templates/Nextcloud/0/rancher-compose.yml | 12 +- templates/Nextcloud/Resources/README.md | 5 - templates/Nextcloud/Resources/Template 1.conf | 128 ++++++++++++++++++ templates/Nextcloud/Resources/Template 2.conf | 128 ++++++++++++++++++ templates/Nextcloud/Resources/nginx.conf | 119 ---------------- 7 files changed, 319 insertions(+), 155 deletions(-) delete mode 100644 templates/Nextcloud/Resources/README.md create mode 100644 templates/Nextcloud/Resources/Template 1.conf create mode 100644 templates/Nextcloud/Resources/Template 2.conf delete mode 100644 templates/Nextcloud/Resources/nginx.conf diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index 0ddd721..3c80e4c 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md 
@@ -2,6 +2,18 @@ ## First Run Setup +### Add Configuration For NGINX + +nginx.conf and mime.types to be put in the Configuration/NGINX directory. + +Included nginx.conf has only a few minor tweaks from the one located here: + +https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx + +??? Template 1.conf is WITHOUT Collabora + +??? Template 2.conf is WITH Collabora + ### Add Your Domain as a Trusted Domain [Official Documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/installation_wizard.html#trusted-domains) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 4c16d3b..93ae21a 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -1,43 +1,57 @@ version: '2' services: + {{- if eq .Values.COLLABORA "true"}} + collabora: + image: collabora/code:latest + cap_add: + - MKNOD # Ability to create special files (https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) + dns: # Using Cloudflare DNS + - 1.1.1.1 + - 1.0.0.1 + environment: + domain: collabora.${TRAEFIK_HOST} + expose: + - "9980" + labels: + io.rancher.container.pull_image: always + {{- if .Values.HOST_LABEL}} + io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} + {{- end}} + traefik.enable: true + ### Start Web Segment + traefik.frontend.entryPoints: http,https + traefik.frontend.headers.forceSTSHeader: true + traefik.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information) + traefik.frontend.headers.SSLRedirect: true + traefik.frontend.headers.STSPreload: true + traefik.frontend.headers.STSSeconds: 15552000 + traefik.frontend.rule: Host:collabora.${TRAEFIK_HOST} + traefik.port: "9980" + ### End Web Segment + networks: + - public-proxy + restart: on-failure + {{- end}} nextcloud: - image: nextcloud:fpm-alpine + image: nextcloud:stable-apache dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 environment: MYSQL_HOST: mysql - MYSQL_DATABASE: nextcloud + MYSQL_DATABASE: nextcloud_db MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} NEXTCLOUD_ADMIN_USER: ${NC_ADMIN} NEXTCLOUD_ADMIN_PASSWORD: ${NC_ADMIN_PASS} expose: - "80" - - "9000" labels: io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - networks: - - public-proxy - restart: on-failure - volumes_from: - - nginx - nginx: - image: nginx:latest # Can't use ":alpine" until I have a way to get the "www-data" user added automatically. 
(Project for another time) - dns: # Using Cloudflare DNS - - 1.1.1.1 - - 1.0.0.1 - labels: - io.rancher.container.pull_image: always - {{- if .Values.HOST_LABEL}} - io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} - {{- end}} - io.rancher.sidekicks: nextcloud - {{- if .Values.TRAEFIK_HOST}} traefik.enable: true ### Start Web Segment traefik.frontend.entryPoints: http,https @@ -49,12 +63,11 @@ services: traefik.frontend.rule: Host:${TRAEFIK_HOST} traefik.port: "80" ### End Web Segment - {{- else}} - traefik.enable: false - {{- end}} links: + {{- if eq .Values.COLLABORA "true"}} + - collabora + {{- end}} - mysql - - nextcloud {{- if eq .Values.REDIS "true"}} - redis {{- end}} @@ -68,18 +81,17 @@ services: volumes: - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files - - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files + - /RancherCattle/${DATA_DIR}/Configuration:/var/www/html/config # Nextcloud configuration files - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: - image: mysql:5 + image: mysql:latest dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 environment: - MYSQL_DATABASE: nextcloud # Will rename this to "nextcloud_db" in the future. + MYSQL_DATABASE: nextcloud_db MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASS} MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} @@ -115,6 +127,6 @@ services: networks: db-admin: - external: true # Created by phpMyAdmin stack + external: true # Created by Adminer or phpMyAdmin stack public-proxy: external: true # Created by Traefik stack \ No newline at end of file 
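Review bot: `domain: collabora.${TRAEFIK_HOST}` in the new collabora service looks like the wrong value: for the collabora/code image, `domain` is the regular expression of Nextcloud hosts allowed to use the server (the WOPI client side), not Collabora's own hostname, so requests from the Nextcloud front end would be rejected; it should name the Nextcloud host, with dots escaped because the value is a regex. The image also serves TLS itself on 9980 by default, so Traefik forwarding to `traefik.port: "9980"` over plain HTTP needs either the image's TLS disabled / termination mode enabled (its `extra_params` variable) or an https backend scheme — confirm against the image documentation for the tag deployed. Separately, this hunk drops the `{{- if .Values.TRAEFIK_HOST}}` guard around the nextcloud Traefik labels, and the next hunk drops the `{{- else}} traefik.enable: false` branch, so `traefik.frontend.rule: Host:${TRAEFIK_HOST}` is now emitted even when the variable is empty, if rancher-compose.yml still allows that.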
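Review bot: Renaming `MYSQL_DATABASE` to `nextcloud_db` (here and in the nextcloud service in the first hunk) only affects a fresh install: the mysql image creates the database named by that variable solely when it initializes an empty data directory, so a stack that already has `/RancherCattle/${DATA_DIR}/Database` keeps its old `nextcloud` database while Nextcloud is now pointed at one that does not exist. The removed comment shows the rename was planned; the README should carry the migration step (rename or copy the schema and update `dbname` in config.php) or the old name should be kept. `image: mysql:latest` with `pull_image: always` is also an unpinned major-upgrade path for that data directory — `latest` resolved to MySQL 8.0 around the time of this commit, I believe — and MySQL in-place upgrades are one-way, so pin a major tag such as the previous `mysql:5`.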
diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index 5158688..a8f40ea 100644 --- a/templates/Nextcloud/0/rancher-compose.yml +++ b/templates/Nextcloud/0/rancher-compose.yml @@ -66,10 +66,18 @@ catalog: required: true type: password + - variable: "COLLABORA" + label: "Enable Collabora" + description: | + Add a Collabora container for office document editing and live collaboration. Additional setup required, see README. + default: true + required: true + type: boolean + - variable: "REDIS" label: "Enable Redis" description: | - Add a Redis container for memory caching. Must be setup manually. + Add a Redis container for memory caching. Additional setup required, see README. default: true required: true type: boolean @@ -78,6 +86,6 @@ catalog: label: "Data Directory" description: | The directory to store persistent data for the stack. - default: "Personal-Experimental/Nextcloud" + default: "Personal/Nextcloud-Experimental" required: true type: string \ No newline at end of file diff --git a/templates/Nextcloud/Resources/README.md b/templates/Nextcloud/Resources/README.md deleted file mode 100644 index 1f24674..0000000 --- a/templates/Nextcloud/Resources/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Default Configured Files -nginx.conf and mime.types to be put in the Configuration/NGINX directory. - -Included nginx.conf has only a few minor tweaks from the one located here: -https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx \ No newline at end of file diff --git a/templates/Nextcloud/Resources/Template 1.conf b/templates/Nextcloud/Resources/Template 1.conf new file mode 100644 index 0000000..2c33275 --- /dev/null +++ b/templates/Nextcloud/Resources/Template 1.conf 
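Review bot: The new `COLLABORA` option defaults to `true` while the README section its description points to is, in this same commit, still a `???` placeholder, and enabling it makes the stack depend on `TRAEFIK_HOST` (the collabora service builds both its Traefik rule and its `domain` from it) without saying so. Default it to `false` until that section exists, and state the dependency in the description, e.g. `Requires the Traefik host to be set; see README for the Nextcloud-side setup.`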
@@ -0,0 +1,128 @@
+user www-data;
+worker_processes 4; ## Default: 1
+# worker_rlimit_nofile 8192;
+
+#error_log /var/log/nginx/error.log warn;
+#pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024; ## Default: 1024
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ #access_log /var/log/nginx/access.log main;
+ sendfile on;
+ tcp_nopush on;
+ #keepalive_timeout 65;
+
+ upstream php-handler {
+ server nextcloud:9000;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html/;
+
+ # Will test later
+ #error_page 403 /core/templates/403.php;
+ #error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ # set max upload size
+ client_max_body_size 1G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon
text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ # Mitigate https://httpoxy.org/ vulnerabilities:
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+ }
+}
\ No newline at end of file
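Review bot: `Template 1.conf` and `Template 2.conf` are byte-identical — both file headers show the same blob `2c33275` — so the file the README labels "WITH Collabora" carries no Collabora configuration yet; commit the second file only once it differs, or put a comment at its top saying it is a placeholder. Both also still declare `upstream php-handler { server nextcloud:9000; }`, while this same commit moves nextcloud to `nextcloud:stable-apache` and removes the `"9000"` expose, so neither template can work against the compose file as committed — if they are kept as reference material for a future nginx variant, a header comment such as `# Reference only: expects an fpm-based nextcloud service listening on 9000, which this stack no longer runs` would stop the next reader from deploying them. The Template 2.conf hunk (`@@ -0,0 +1,128 @@` further down) has the same issues.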
diff --git a/templates/Nextcloud/Resources/Template 2.conf b/templates/Nextcloud/Resources/Template 2.conf new file mode 100644 index 0000000..2c33275 --- /dev/null +++ b/templates/Nextcloud/Resources/Template 2.conf 
@@ -0,0 +1,128 @@
+user www-data;
+worker_processes 4; ## Default: 1
+# worker_rlimit_nofile 8192;
+
+#error_log /var/log/nginx/error.log warn;
+#pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024; ## Default: 1024
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ #access_log /var/log/nginx/access.log main;
+ sendfile on;
+ tcp_nopush on;
+ #keepalive_timeout 65;
+
+ upstream php-handler {
+ server nextcloud:9000;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html/;
+
+ # Will test later
+ #error_page 403 /core/templates/403.php;
+ #error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ # set max upload size
+ client_max_body_size 1G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon
text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ # Mitigate https://httpoxy.org/ vulnerabilities:
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ # Optional: Don't log access to other assets
+ access_log off;
+ }
+ }
+}
\ No newline at end of file
diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf
deleted file mode 100644
index b7dcd16..0000000
--- a/templates/Nextcloud/Resources/nginx.conf +++ /dev/null 
@@ -1,119 +0,0 @@ -user www-data; -worker_processes 4; ## Default: 1 -# worker_rlimit_nofile 8192; - -#error_log /var/log/nginx/error.log warn; -#pid /var/run/nginx.pid; - -events { - worker_connections 1024; ## Default: 1024 -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; -# access_log /var/log/nginx/access.log main; - sendfile on; - tcp_nopush on; -# keepalive_timeout 65; - upstream php-handler { - server nextcloud:9000; - } - server { - listen 80; - server_name _; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/html/; - - - # set max upload size - client_max_body_size 1G; # Previous: "512M" - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Add headers to serve security related headers - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. 
- #pagespeed off; - -# Will test later -# error_page 403 /core/templates/403.php; -# error_page 404 /core/templates/404.php; - - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; - } - location / { - rewrite ^ /index.php$request_uri; - } - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { - deny all; - } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - - # Mitigate https://httpoxy.org/ vulnerabilities - fastcgi_param HTTP_PROXY ""; - - fastcgi_pass php-handler; - fastcgi_index index.php; - - # include the fastcgi_param setting - include fastcgi_params; - - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - location ~ ^/(?:updater|ocs-provider)(?:$|/) { - try_files $uri/ =404; - index index.php; - } - # Adding the cache control header for js and css files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Optional: Don't log access to assets - access_log off; - } - location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; - } - } -} \ No newline at end of file From 7a67e4af3b83a0a44622e4cc802ac9192c2c43de Mon Sep 17 00:00:00 2001 
From: WilliamMiceli Date: Fri, 4 Jan 2019 22:07:19 -0500 Subject: [PATCH 26/62] Why is it that v8 never works with anything?... --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 93ae21a..85ee6c5 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -86,7 +86,7 @@ services: - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: - image: mysql:latest + image: mysql:5 dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 From 3adbea871292e0b63075b4338e96886d17bd4041 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 4 Jan 2019 22:07:40 -0500 Subject: [PATCH 27/62] Changed default data directory name --- templates/Nextcloud/0/rancher-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml index a8f40ea..a9c0516 100644 --- a/templates/Nextcloud/0/rancher-compose.yml +++ b/templates/Nextcloud/0/rancher-compose.yml @@ -86,6 +86,6 @@ catalog: label: "Data Directory" description: | The directory to store persistent data for the stack. - default: "Personal/Nextcloud-Experimental" + default: "Personal/Nextcloud" required: true type: string \ No newline at end of file From d2334dbc0e813b95ef8c004d742474e4919f92b3 Mon Sep 17 00:00:00 2001 
From: WilliamMiceli Date: Sat, 5 Jan 2019 15:45:56 -0500 Subject: [PATCH 28/62] Back to NGINX, added cron --- templates/Nextcloud/0/README.md | 8 +- templates/Nextcloud/0/docker-compose.yml | 91 +++++++++---- templates/Nextcloud/0/rancher-compose.yml | 1 - templates/Nextcloud/Resources/Template 2.conf | 128 ------------------ .../Resources/{Template 1.conf => nginx.conf} | 0 5 files changed, 68 insertions(+), 160 deletions(-) delete mode 100644 templates/Nextcloud/Resources/Template 2.conf rename templates/Nextcloud/Resources/{Template 1.conf => nginx.conf} (100%) diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index 3c80e4c..180b3a8 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md @@ -1,5 +1,9 @@ # Nextcloud +## Pre-Requisites + +* Traefik deployed + ## First Run Setup ### Add Configuration For NGINX @@ -10,10 +14,6 @@ Included nginx.conf has only a few minor tweaks from the one located here: https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx -??? Template 1.conf is WITHOUT Collabora - -??? Template 2.conf is WITH Collabora - ### Add Your Domain as a Trusted Domain [Official Documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/installation_wizard.html#trusted-domains) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 85ee6c5..e08a2b0 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -18,23 +18,28 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - traefik.enable: true - ### Start Web Segment - traefik.frontend.entryPoints: http,https - traefik.frontend.headers.forceSTSHeader: true - traefik.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information) - traefik.frontend.headers.SSLRedirect: true - traefik.frontend.headers.STSPreload: true - traefik.frontend.headers.STSSeconds: 15552000 - traefik.frontend.rule: Host:collabora.${TRAEFIK_HOST} - traefik.port: "9980" - ### End Web Segment - networks: - - public-proxy + traefik.enable: false restart: on-failure {{- end}} + cron: + image: nextcloud:fpm-alpine + dns: # Using Cloudflare DNS + - 1.1.1.1 + - 1.0.0.1 + entrypoint: | + bash -c 'bash -s < Date: Sat, 5 Jan 2019 15:48:33 -0500 Subject: [PATCH 29/62] Added Cron container as a Rancher sidekick --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index e08a2b0..ce9ad3e 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -72,7 +72,7 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - io.rancher.sidekicks: nextcloud + io.rancher.sidekicks: nextcloud, cron traefik.enable: true ### Start Nextcloud Segment traefik.nextcloud.frontend.entryPoints: http,https From fcd2c6cd27c7d79d0cbf4058116906c0d4fdcec7 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 16:10:49 -0500 Subject: [PATCH 30/62] Probably won't work, but we'll try! --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index ce9ad3e..3abb50f 100644 
--- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -27,7 +27,7 @@ services: - 1.1.1.1 - 1.0.0.1 entrypoint: | - bash -c 'bash -s < Date: Sat, 5 Jan 2019 16:13:04 -0500 Subject: [PATCH 31/62] Revert "Probably won't work, but we'll try!" This reverts commit fcd2c6cd27c7d79d0cbf4058116906c0d4fdcec7. --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 3abb50f..ce9ad3e 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -27,7 +27,7 @@ services: - 1.1.1.1 - 1.0.0.1 entrypoint: | - bash -c 'sh -s < Date: Sat, 5 Jan 2019 16:20:00 -0500 Subject: [PATCH 32/62] Also probably won't work, but we'll try! --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index ce9ad3e..1a4c91d 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -27,7 +27,7 @@ services: - 1.1.1.1 - 1.0.0.1 entrypoint: | - bash -c 'bash -s < Date: Sat, 5 Jan 2019 16:24:20 -0500 Subject: [PATCH 33/62] Removed Cron container for the moment --- templates/Nextcloud/0/docker-compose.yml | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 1a4c91d..1b15101 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -21,23 +21,6 @@ services: traefik.enable: false restart: on-failure {{- end}} - cron: - image: nextcloud:fpm-alpine - dns: # Using Cloudflare DNS - - 1.1.1.1 - - 1.0.0.1 - entrypoint: | - sh -c 'sh -s < Date: Sat, 5 Jan 2019 17:43:47 -0500 Subject: [PATCH 34/62] Testing --- templates/Nextcloud/0/docker-compose.yml | 11 +++--- templates/Nextcloud/Resources/nginx.conf | 46 +++++++++++++++++++++++- 2 files changed, 51 insertions(+), 6 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 1b15101..d89e067 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -42,6 +42,11 @@ services: io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} traefik.enable: false + links: + - mysql + {{- if eq .Values.REDIS "true"}} + - redis + {{- end}} restart: on-failure volumes_from: - nginx @@ -75,17 +80,13 @@ services: traefik.collabora.frontend.headers.STSPreload: true traefik.collabora.frontend.headers.STSSeconds: 15552000 traefik.collabora.frontend.rule: Host:collabora.${TRAEFIK_HOST} - traefik.collabora.port: "9980" + traefik.collabora.port: "81" ### End Collabora Segment links: {{- if eq .Values.COLLABORA "true"}} - collabora {{- end}} - - mysql - nextcloud - {{- if eq .Values.REDIS "true"}} - - redis - {{- end}} networks: - public-proxy {{- if .Values.WEB_PORT}} diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf index 2c33275..c6717df 100644 --- a/templates/Nextcloud/Resources/nginx.conf +++ b/templates/Nextcloud/Resources/nginx.conf @@ -21,10 +21,13 @@ http { server nextcloud:9000; } + upstream collabora { + server collabora:9980 + } + server { listen 80; listen [::]:80; - server_name _; # Add headers to serve security related headers add_header X-Content-Type-Options nosniff; 
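Review bot: `server collabora:9980` inside the new `upstream collabora` block of the nginx.conf hunk has no trailing `;`, so nginx refuses to load the file at this revision; it needs to read `server collabora:9980;`. Patch 35 further down adds the semicolon, so the fix should be folded into this commit to keep each revision deployable. The same hunk drops `server_name _;` from the port-80 server, which that follow-up also reinstates.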
@@ -125,4 +128,45 @@ http {
access_log off;
}
}
+
+ server {
+ listen 81;
+ listen [::]:81;
+
+ # static files
+ location ^~ /loleaflet {
+ proxy_pass collabora;
+ proxy_set_header Host $http_host;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ proxy_pass collabora;
+ proxy_set_header Host $http_host;
+ }
+
+ # main websocket
+ location ~ ^/lool/(.*)/ws$ {
+ proxy_pass collabora;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/lool {
+ proxy_pass collabora;
+ proxy_set_header Host $http_host;
+ }
+
+ # Admin Console websocket
+ location ^~ /lool/adminws {
+ proxy_pass collabora;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+ }
}
\ No newline at end of file
From 2484bf113efde056f2bba213b3faa1444bf9c251 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 19:03:30 -0500 Subject: [PATCH 35/62] Testing
---
templates/Nextcloud/Resources/nginx.conf | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/Resources/nginx.conf
index c6717df..22ea724 100644
--- a/templates/Nextcloud/Resources/nginx.conf
+++ b/templates/Nextcloud/Resources/nginx.conf
@@ -22,12 +22,13 @@ http {
}
upstream collabora {
- server collabora:9980
+ server collabora:9980;
}
server {
listen 80;
listen [::]:80;
+ server_name _;
# Add headers to serve security related headers
add_header X-Content-Type-Options nosniff;
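Review bot: `proxy_pass collabora;` in each new `location` block has no scheme, which nginx rejects at load time; the value must be `proxy_pass http://collabora;` (patch 35 on the next line makes exactly this change, so it belongs in this commit). Separately, `location ^~ /lool/adminws` proxies the Collabora admin-console websocket on the same port-81 listener that this commit's docker-compose hunk points `collabora.${TRAEFIK_HOST}` at through `traefik.collabora.port: "81"`, so the admin console becomes reachable from the public hostname and is guarded only by Collabora's own admin credentials. If the console is not needed, drop that block; otherwise restrict it with `allow <ADMIN_NET_PLACEHOLDER>; deny all;` ahead of the `proxy_pass`. The same block is later copied verbatim into conf.d/collabora.conf (patch 53, last line of this chunk), where the point applies unchanged.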
@@ -132,22 +133,23 @@ http {
server {
listen 81;
listen [::]:81;
+ server_name _;
# static files
location ^~ /loleaflet {
- proxy_pass collabora;
+ proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
- proxy_pass collabora;
+ proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/lool/(.*)/ws$ {
- proxy_pass collabora;
+ proxy_pass http://collabora;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
@@ -156,13 +158,13 @@ http {
# download, presentation and image upload
location ~ ^/lool {
- proxy_pass collabora;
+ proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /lool/adminws {
- proxy_pass collabora;
+ proxy_pass http://collabora;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
From 2c3fa9d96d48fc8cb71f56171e25952c6f55b02a Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 20:54:23 -0500 Subject: [PATCH 36/62] Trying a different entrypoint for Cron
---
templates/Nextcloud/0/docker-compose.yml | 26 ++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml
index d89e067..0177d46 100644
--- a/templates/Nextcloud/0/docker-compose.yml
+++ b/templates/Nextcloud/0/docker-compose.yml
@@ -21,6 +21,20 @@ services:
traefik.enable: false
restart: on-failure
{{- end}}
+ cron:
+ image: nextcloud:fpm-alpine
+ dns: # Using Cloudflare DNS
+ - 1.1.1.1
+ - 1.0.0.1
+ entrypoint: |
+ #!/bin/sh
+ set -eu
+
+ exec busybox crond -f -l 0 -L /dev/stdout
+ restart: on-failure
+ user: www-data
+ volumes_from:
+ - nextcloud
nextcloud:
image: nextcloud:fpm-alpine
dns: # Using Cloudflare DNS
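Review bot: the new `cron` service's `entrypoint: |` block is a plain YAML string, and compose splits a string entrypoint into words the way a shell would instead of running it as a script, so as far as I can tell the container will try to execute a program literally named `#!/bin/sh` and never start. A one-line form such as `entrypoint: ["sh", "-c", "set -eu; exec busybox crond -f -l 0 -L /dev/stdout"]` avoids this; the official Nextcloud image also ships a `/cron.sh` entrypoint for this purpose, worth checking for the `fpm-alpine` tag in use. `user: www-data` is likely a second problem, since busybox crond normally has to run as root to read the crontab spool and switch user for the job — verify before relying on it. Note too that this service declares `volumes_from: - nextcloud` while the second hunk of this commit (next line) adds `links: - cron` to `nextcloud`, which makes the two services depend on each other; docker-compose refuses such a cycle, and rancher-compose's behaviour cannot be confirmed from here.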
@@ -43,11 +57,19 @@ services: {{- end}} traefik.enable: false links: + - cron - mysql {{- if eq .Values.REDIS "true"}} - redis {{- end}} restart: on-failure + volumes: + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files + - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps + - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site + - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file volumes_from: - nginx nginx: @@ -97,11 +119,7 @@ services: volumes: - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files - - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps - - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site - - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: image: mysql:5 dns: # Using Cloudflare DNS From bf126678bedf3333d2e7067504040f0a1d58dc94 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 21:00:02 -0500 Subject: [PATCH 37/62] Fixed issue with sidekick declaration --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 0177d46..6c1d5b0 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
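Review bot: the second hunk leaves the `nginx` service with only `/etc/nginx` mounted, while its configuration serves from `root /var/www/html/` and relies on `try_files $uri /index.php$request_uri` for css/js/fonts; with no application tree inside the nginx container every static asset misses on disk and falls through to the PHP front controller, which the later patches in this series (47 and 48) end up reverting. If the aim is only to keep user data away from the web server, keep the `Nextcloud` and `Apps` mounts on nginx and move just `UserData` (and `config`) to `nextcloud`, rather than dropping all four. `nextcloud` still carries `volumes_from: - nginx` after this hunk, so it also inherits the nginx config mount.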
@@ -55,6 +55,7 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} + io.rancher.sidekicks: cron traefik.enable: false links: - cron @@ -82,7 +83,6 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - io.rancher.sidekicks: nextcloud traefik.enable: true ### Start Nextcloud Segment traefik.nextcloud.frontend.entryPoints: http,https From 95ce3f611c8584816bd565b144d185ef8d141e6b Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 21:02:42 -0500 Subject: [PATCH 38/62] Removed volumes_from for Nextcloud container --- templates/Nextcloud/0/docker-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 6c1d5b0..ac1fac6 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -71,8 +71,6 @@ services: - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file - volumes_from: - - nginx nginx: image: nginx:latest # Can't use ":alpine" until I have a way to get the "www-data" user added automatically. (Project for another time) dns: # Using Cloudflare DNS From 9712507f470c21709e9d586f25a7b0bbe6b6c506 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 21:10:25 -0500 Subject: [PATCH 39/62] Slight modification to Cron entrypoint (testing) --- templates/Nextcloud/0/docker-compose.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index ac1fac6..11e7bb9 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -27,10 +27,8 @@ services: - 1.1.1.1 - 1.0.0.1 entrypoint: | - #!/bin/sh - set -eu - - exec busybox crond -f -l 0 -L /dev/stdout + /bin/sh 'set -eu + exec busybox crond -f -l 0 -L /dev/stdout' restart: on-failure user: www-data volumes_from: From 044edeeb0e4ee94848a1e49ece98e560b2589d1a Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 21:35:22 -0500 Subject: [PATCH 40/62] Moved Resources directory --- templates/Nextcloud/{ => 0}/Resources/fastcgi_params | 0 templates/Nextcloud/{ => 0}/Resources/mime.types | 0 templates/Nextcloud/{ => 0}/Resources/nginx.conf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename templates/Nextcloud/{ => 0}/Resources/fastcgi_params (100%) rename templates/Nextcloud/{ => 0}/Resources/mime.types (100%) rename templates/Nextcloud/{ => 0}/Resources/nginx.conf (100%) diff --git a/templates/Nextcloud/Resources/fastcgi_params b/templates/Nextcloud/0/Resources/fastcgi_params similarity index 100% rename from templates/Nextcloud/Resources/fastcgi_params rename to templates/Nextcloud/0/Resources/fastcgi_params diff --git a/templates/Nextcloud/Resources/mime.types b/templates/Nextcloud/0/Resources/mime.types similarity index 100% rename from templates/Nextcloud/Resources/mime.types rename to templates/Nextcloud/0/Resources/mime.types diff --git a/templates/Nextcloud/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf similarity index 100% rename from templates/Nextcloud/Resources/nginx.conf rename to templates/Nextcloud/0/Resources/nginx.conf From b6ef872ca8cea7ef507fed385cdff2a2439ba4aa Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sat, 5 Jan 2019 21:35:35 -0500 Subject: [PATCH 41/62] Testing --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 11e7bb9..5405693 100644 --- a/templates/Nextcloud/0/docker-compose.yml 
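Review bot: `/bin/sh 'set -eu …'` invokes sh without `-c`, so sh treats the quoted text as the path of a script file to open and exits with a "can't open" error instead of starting crond. Write it on one line, `entrypoint: sh -c 'set -eu; exec busybox crond -f -l 0 -L /dev/stdout'`, or as a list; the `|` block scalar buys nothing here. Patch 41 on the next line (`/bin/sh '/bin/sh set -eu …'`) has the same defect and additionally nests a second `/bin/sh` as the first word of the script text.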
+++ b/templates/Nextcloud/0/docker-compose.yml @@ -27,7 +27,7 @@ services: - 1.1.1.1 - 1.0.0.1 entrypoint: | - /bin/sh 'set -eu + /bin/sh '/bin/sh set -eu exec busybox crond -f -l 0 -L /dev/stdout' restart: on-failure user: www-data From 5a8c25d800a1133de82c4f1e8dab218a647c3b2d Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 6 Jan 2019 17:04:07 -0500 Subject: [PATCH 42/62] Added trusted domains environment variable --- templates/Nextcloud/0/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 5405693..df17ce2 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -45,6 +45,7 @@ services: MYSQL_PASSWORD: ${DB_USER_PASS} NEXTCLOUD_ADMIN_USER: ${NC_ADMIN} NEXTCLOUD_ADMIN_PASSWORD: ${NC_ADMIN_PASS} + NEXTCLOUD_TRUSTED_DOMAINS: ${TRAEFIK_HOST} expose: - "80" - "9000" From cbffbad2df0450854ae42f3d2611ada4aee2c19e Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Sun, 6 Jan 2019 17:05:03 -0500 Subject: [PATCH 43/62] Fixed wording --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index df17ce2..977eb0c 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -162,6 +162,6 @@ services: networks: db-admin: - external: true # Created by Adminer or phpMyAdmin stack + external: true # Created by administrative stack (such as Adminer or phpMyAdmin) public-proxy: external: true # Created by Traefik stack \ No newline at end of file From 669ce48762d2d45ce51b84578bfcb0aa04cf72e5 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Mon, 7 Jan 2019 10:04:53 -0500 Subject: [PATCH 44/62] Testing --- templates/Nextcloud/0/docker-compose.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
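Review bot: `NEXTCLOUD_TRUSTED_DOMAINS: ${TRAEFIK_HOST}` is the Host-header allowlist Nextcloud uses to reject requests for unexpected hostnames, so the line deserves a comment such as `# Host-header allowlist; TRAEFIK_HOST must be set or this becomes an empty string`, because an empty substitution sets the variable rather than leaving it unset. As far as I recall the image's entrypoint applies this variable only during the initial install, so an instance set up before this change needs `occ config:system:set trusted_domains` instead — confirm against the entrypoint script of the tag in use. Whether the catalog marks TRAEFIK_HOST as required lives in rancher-compose.yml, outside this chunk.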
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 977eb0c..08a976a 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -27,8 +27,14 @@ services: - 1.1.1.1 - 1.0.0.1 entrypoint: | - /bin/sh '/bin/sh set -eu - exec busybox crond -f -l 0 -L /dev/stdout' + sh -c 'sh -s < Date: Mon, 7 Jan 2019 10:37:29 -0500 Subject: [PATCH 45/62] Testing without Cron --- templates/Nextcloud/0/docker-compose.yml | 40 ++++++++++++------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 08a976a..1d98cc2 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -21,24 +21,24 @@ services: traefik.enable: false restart: on-failure {{- end}} - cron: - image: nextcloud:fpm-alpine - dns: # Using Cloudflare DNS - - 1.1.1.1 - - 1.0.0.1 - entrypoint: | - sh -c 'sh -s < Date: Mon, 7 Jan 2019 11:29:52 -0500 Subject: [PATCH 46/62] Minor adjustments --- templates/Nextcloud/0/Resources/nginx.conf | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/templates/Nextcloud/0/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf index 22ea724..d8d3aac 100644 --- a/templates/Nextcloud/0/Resources/nginx.conf +++ b/templates/Nextcloud/0/Resources/nginx.conf @@ -21,10 +21,6 @@ http { server nextcloud:9000; } - upstream collabora { - server collabora:9980; - } - server { listen 80; listen [::]:80; @@ -90,7 +86,7 @@ http { fastcgi_split_path_info ^(.+?\.php)(/.*)$; # Mitigate https://httpoxy.org/ vulnerabilities: fastcgi_param HTTP_PROXY ""; - #fastcgi_index index.php; + fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; 
@@ -137,19 +133,19 @@ http {
# static files
location ^~ /loleaflet {
- proxy_pass http://collabora;
+ proxy_pass http://collabora:9980;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
- proxy_pass http://collabora;
+ proxy_pass http://collabora:9980;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/lool/(.*)/ws$ {
- proxy_pass http://collabora;
+ proxy_pass http://collabora:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
@@ -158,13 +154,13 @@ http {
# download, presentation and image upload
location ~ ^/lool {
- proxy_pass http://collabora;
+ proxy_pass http://collabora:9980;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /lool/adminws {
- proxy_pass http://collabora;
+ proxy_pass http://collabora:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
From 34b3bd79c7e030b95fb4afddd507ec23d8acf262 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Mon, 7 Jan 2019 11:38:06 -0500 Subject: [PATCH 47/62] Testing with volumes declared in NGINX
---
templates/Nextcloud/0/docker-compose.yml | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml
index 1d98cc2..7304523 100644
--- a/templates/Nextcloud/0/docker-compose.yml
+++ b/templates/Nextcloud/0/docker-compose.yml
@@ -38,7 +38,7 @@ services:
# restart: on-failure # user: www-data # volumes_from:
-# - nextcloud
+# - nginx
nextcloud:
image: nextcloud:fpm-alpine
dns: # Using Cloudflare DNS
@@ -60,7 +60,6 @@ services:
{{- if .Values.HOST_LABEL}}
io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
{{- end}}
-# io.rancher.sidekicks: cron
traefik.enable: false
links: # - cron
@@ -69,13 +68,8 @@ services: - redis {{- end}} restart: on-failure - volumes: - - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files - - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps - - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site - - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file + volumes_from: + - nginx nginx: image: nginx:latest # Can't use ":alpine" until I have a way to get the "www-data" user added automatically. (Project for another time) dns: # Using Cloudflare DNS @@ -86,6 +80,7 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} + io.rancher.sidekicks: nextcloud traefik.enable: true ### Start Nextcloud Segment traefik.nextcloud.frontend.entryPoints: http,https @@ -122,7 +117,11 @@ services: volumes: - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files + - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps + - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site + - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file mysql: image: mysql:5 dns: # Using Cloudflare DNS From f2016d750e1eb46839da7ae86c0f4958f8e4d7e7 Mon Sep 17 00:00:00 2001 
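Review bot: the third hunk mounts `/RancherCattle/${DATA_DIR}/Configuration/Nextcloud` (config.php, which holds the database credentials and instance secrets) and `/RancherCattle/${DATA_DIR}/UserData` (users' files) into the `nginx` container, and the first hunk's `volumes_from: - nginx` then passes them through to `nextcloud`. nginx needs the application tree to serve static assets, but it has no need to see `config/` or `data/`; inside the web-server container they are shielded only by the `deny all` locations in nginx.conf, so a later edit to that file would expose them directly. If rancher-compose accepts `volumes` alongside `volumes_from` (patch 36 above used that combination), keep those two mounts on `nextcloud` only; at minimum add a comment on these two lines recording why they are shared through nginx.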
From: WilliamMiceli Date: Mon, 7 Jan 2019 11:49:16 -0500 Subject: [PATCH 48/62] Re-enabled Cron --- templates/Nextcloud/0/docker-compose.yml | 37 ++++++++++++------------ 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 7304523..6d39aee 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -21,24 +21,24 @@ services: traefik.enable: false restart: on-failure {{- end}} -# cron: -# image: nextcloud:fpm-alpine -# dns: # Using Cloudflare DNS -# - 1.1.1.1 -# - 1.0.0.1 -# entrypoint: | -# sh -c 'sh -s < Date: Mon, 7 Jan 2019 11:54:56 -0500 Subject: [PATCH 49/62] Added Cron as sidekick --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 6d39aee..dbc7c99 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -79,7 +79,7 @@ services: {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} - io.rancher.sidekicks: nextcloud + io.rancher.sidekicks: cron, nextcloud traefik.enable: true ### Start Nextcloud Segment traefik.nextcloud.frontend.entryPoints: http,https From ab2703d2335cd4282622dfb4bb633844de11000d Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Mon, 7 Jan 2019 14:20:54 -0500 Subject: [PATCH 50/62] Testing Cron issues --- templates/Nextcloud/0/docker-compose.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index dbc7c99..e0de4ec 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -26,17 +26,17 @@ services: dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 - entrypoint: | + entrypoint: | # www-data uid: 82 sh -c 'sh -s < Date: Mon, 7 Jan 2019 16:19:43 -0500 Subject: [PATCH 51/62] Changed user to a string --- templates/Nextcloud/0/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index e0de4ec..c6af9d7 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -36,7 +36,7 @@ services: done EOF' restart: on-failure - user: 82 + user: "82" volumes_from: - nginx nextcloud: From 5ffda99de2702d8750d26e6df9b5b7f1fd98a997 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Mon, 7 Jan 2019 16:59:01 -0500 Subject: [PATCH 52/62] Tried some changes, still no fix --- templates/Nextcloud/0/Resources/nginx.conf | 29 +++++++++++++--------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/templates/Nextcloud/0/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf index d8d3aac..ca6c521 100644 --- a/templates/Nextcloud/0/Resources/nginx.conf +++ b/templates/Nextcloud/0/Resources/nginx.conf @@ -1,21 +1,28 @@ user www-data; -worker_processes 4; ## Default: 1 +worker_processes 1; # worker_rlimit_nofile 8192; #error_log /var/log/nginx/error.log warn; -#pid /var/run/nginx.pid; +pid /var/run/nginx.pid; events { - worker_connections 1024; ## Default: 1024 + worker_connections 1024; } http { - include /etc/nginx/mime.types; + include /etc/nginx/mime.types; default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + #access_log /var/log/nginx/access.log main; + sendfile on; - tcp_nopush on; - #keepalive_timeout 65; + #tcp_nopush on; + + keepalive_timeout 65; upstream php-handler { server nextcloud:9000; 
@@ -24,7 +31,6 @@ http {
 server {
 listen 80;
 listen [::]:80;
- server_name _;
 
 # Add headers to serve security related headers
 add_header X-Content-Type-Options nosniff;
@@ -59,7 +65,7 @@ http {
 }
 
 # set max upload size
- client_max_body_size 1G;
+ client_max_body_size 10G;
 fastcgi_buffers 64 4K;
 
 # Enable gzip but do not remove ETag headers
@@ -83,10 +89,10 @@ http {
 }
 
 location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
 # Mitigate https://httpoxy.org/ vulnerabilities:
 fastcgi_param HTTP_PROXY "";
- fastcgi_index index.php;
+ #fastcgi_index index.php;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
@@ -105,7 +111,7 @@ http {
 # Adding the cache control header for js and css files
 # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ location ~ \.(?:css|js|woff|svg|gif)$ {
 try_files $uri /index.php$request_uri;
 add_header Cache-Control "public, max-age=15778463";
 add_header X-Content-Type-Options nosniff;
@@ -129,7 +135,6 @@ http {
 server {
 listen 81;
 listen [::]:81;
- server_name _;
 
 # static files
 location ^~ /loleaflet {
From db6a573b5b768cf88796dadae33ff9433de7b2bd Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Fri, 11 Jan 2019 16:36:45 -0500
Subject: [PATCH 53/62] Testing
---
 .../0/Resources/conf.d/collabora.conf | 40 ++++
 .../0/Resources/conf.d/nextcloud.conf | 69 +++++++
 .../Nextcloud/0/Resources/fastcgi_params | 44 ++--
 templates/Nextcloud/0/Resources/nginx.conf | 194 +++++-------------
 templates/Nextcloud/0/docker-compose.yml | 92 ++++++---
 5 files changed, 245 insertions(+), 194 deletions(-)
 create mode 100644 templates/Nextcloud/0/Resources/conf.d/collabora.conf
 create mode 100644 templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
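Review bot: The `@@ -83,10 +89,10 @@` hunk replaces the non-greedy `(.+?\.php)` in `fastcgi_split_path_info` with a greedy `(.+\.php)`, so for a front-controller URI whose path info itself contains `.php` (constructed example: `/index.php/apps/x.php/y`) the split now happens at the last `.php` rather than the first, and SCRIPT_FILENAME/PATH_INFO are handed to PHP-FPM for the wrong script. Keep the upstream Nextcloud form, `fastcgi_split_path_info ^(.+?\.php)(/.*)$;`. The same greedy pattern is carried into conf.d/nextcloud.conf by patch 53 (`@@ -0,0 +1,69 @@`) and patch 59 (`@@ -33,37 +70,58 @@`), so the fix applies there too. Each of these hunks sits inside a `server` block that begins and ends outside the hunk.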
diff --git a/templates/Nextcloud/0/Resources/conf.d/collabora.conf b/templates/Nextcloud/0/Resources/conf.d/collabora.conf
new file mode 100644
index 0000000..1f6b893
--- /dev/null
+++ b/templates/Nextcloud/0/Resources/conf.d/collabora.conf
@@ -0,0 +1,40 @@
+server {
+ listen 81;
+ listen [::]:81;
+
+ # static files
+ location ^~ /loleaflet {
+ proxy_pass http://collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ proxy_pass http://collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # main websocket
+ location ~ ^/lool/(.*)/ws$ {
+ proxy_pass http://collabora:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/lool {
+ proxy_pass http://collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # Admin Console websocket
+ location ^~ /lool/adminws {
+ proxy_pass http://collabora:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+}
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
new file mode 100644
index 0000000..50ad8e7
--- /dev/null
+++ b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
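Review bot: The `location ^~ /lool/adminws` block exposes the Collabora admin-console websocket on the same port-81 listener as the document endpoints with no access restriction of its own, so whoever can reach port 81 can reach the console and only Collabora's own admin credentials (configured on the collabora service, not shown in this patch) stand in the way. If the console is not needed from outside the stack, drop the block or put an `allow`/`deny` list on it, and add a comment above it stating where its authentication is expected to happen. The listener also has no `server_name` in this revision, so it answers for any Host header; that is added later in patch 59.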
@@ -0,0 +1,69 @@
+upstream php-handler {
+ server nextcloud:9000;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ root /var/www/html/; # Path to the root of your installation
+
+ client_max_body_size 10G; # Max upload size
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip off;
+
+ index index.php
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ location ~* \.(?:css|js)$ {
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ }
+
+ # Optional: Don't log access to other assets
+ location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
+ access_log off;
+ }
+}
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/fastcgi_params b/templates/Nextcloud/0/Resources/fastcgi_params
index 14e5ac6..c2f509a 100644
--- a/templates/Nextcloud/0/Resources/fastcgi_params
+++ b/templates/Nextcloud/0/Resources/fastcgi_params
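Review bot: `index index.php` has no terminating `;`, so nginx reads it together with the next line as a single `index` directive with four arguments (`index.php error_page 403 /core/templates/403.php`); the configuration loads without complaint, but no 403 error page is set; write `index index.php;`. More importantly, this server block passes every `*.php` URI to PHP-FPM through `location ~ \.php(?:$|/)` while the `deny all` locations for `/config/`, `/data/`, dot-files, `occ` and friends, the `fastcgi_param HTTP_PROXY "";` httpoxy mitigation and the server-wide security headers that the nginx.conf hunk of this same patch (`@@ -1,175 +1,79 @@`) deletes are not carried over here, so the rendered configuration has none of them; restore those locations and the header set in this file rather than leaving the split half-done. Patch 59 later brings most of them back, so this revision should at least be marked as not deployable; a header comment naming the upstream Nextcloud nginx reference this file is derived from would make such drift visible.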
@@ -1,27 +1,21 @@
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
 
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param PATH_INFO $fastcgi_path_info;
-fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_index index.php;
 
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-fastcgi_param HTTPS $https;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
\ No newline at end of file
+fastcgi_param REDIRECT_STATUS 200;
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf
index ca6c521..9493b30 100644
--- a/templates/Nextcloud/0/Resources/nginx.conf
+++ b/templates/Nextcloud/0/Resources/nginx.conf
@@ -1,175 +1,79 @@ user www-data; -worker_processes 1; -# worker_rlimit_nofile 8192; +worker_processes auto; -#error_log /var/log/nginx/error.log warn; +# error_log /var/log/nginx.error_log info; # [ debug | info | notice | warn | error | crit ] pid /var/run/nginx.pid; events { worker_connections 1024; + use epoll; # use [ kqueue | rtsig | epoll | /dev/poll | select | poll ] } http { - include /etc/nginx/mime.types; - default_type application/octet-stream; + #---------------------------------------- + # Logging + #---------------------------------------- + + + # REFERENCE 1 #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - + + # REFERENCE 2 + #log_format main '$remote_addr - $host [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"' + # 'rt=$request_time ut=$upstream_response_time ' + # 'cs=$upstream_cache_status'; + + #log_format cache '$remote_addr - $host [$time_local] "$request" $status ' + # '$body_bytes_sent "$http_referer" ' + # 'rt=$request_time ut=$upstream_response_time ' + # 'cs=$upstream_cache_status'; + + #access_log /var/log/nginx/access.log main; + #error_log /var/log/nginx/error.log warn; + + #---------------------------------------- + # Basic Settings + #---------------------------------------- + + sendfile on; + tcp_nopush on; + tcp_nodelay on; keepalive_timeout 65; - - upstream php-handler { - server nextcloud:9000; - } - server { - listen 80; - listen [::]:80; + include /etc/nginx/mime.types; + default_type application/octet-stream; - # Add headers to serve security related headers - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header 
X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; + #---------------------------------------- + # Common Limits + #---------------------------------------- - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; + client_max_body_size 1G; # Max upload size - # Path to the root of your installation - root /var/www/html/; + #---------------------------------------- + # GZip + #---------------------------------------- - # Will test later - #error_page 403 /core/templates/403.php; - #error_page 404 /core/templates/404.php; - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; - } - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; + #---------------------------------------- + # Cache + #---------------------------------------- - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + proxy_cache_valid 1m; - location / { - rewrite ^ /index.php$request_uri; - } + #---------------------------------------- + # Virtual Hosts + #---------------------------------------- - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { - deny all; - } + include /etc/nginx/conf.d/*.conf; - 
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - - location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { - fastcgi_split_path_info ^(.+\.php)(/.*)$; - # Mitigate https://httpoxy.org/ vulnerabilities: - fastcgi_param HTTP_PROXY ""; - #fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - #Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_pass php-handler; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ ^/(?:updater|ocs-provider)(?:$|/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js and css files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff|svg|gif)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - add_header Referrer-Policy no-referrer; - - # Optional: Don't log access to assets - access_log off; - } - - location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { - try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; - } - } - - server { - listen 81; - listen [::]:81; - - # static files - location ^~ /loleaflet { - proxy_pass http://collabora:9980; - proxy_set_header Host $http_host; - } - - # WOPI discovery URL - location ^~ /hosting/discovery { - proxy_pass http://collabora:9980; - proxy_set_header Host $http_host; - } - - # main websocket - location ~ ^/lool/(.*)/ws$ { - proxy_pass http://collabora:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header 
Connection "Upgrade"; - proxy_set_header Host $http_host; - proxy_read_timeout 36000s; - } - - # download, presentation and image upload - location ~ ^/lool { - proxy_pass http://collabora:9980; - proxy_set_header Host $http_host; - } - - # Admin Console websocket - location ^~ /lool/adminws { - proxy_pass http://collabora:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; - proxy_read_timeout 36000s; - } - } } \ No newline at end of file diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index c6af9d7..4a001fb 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -11,8 +11,6 @@ services: - 1.0.0.1 environment: domain: collabora.${TRAEFIK_HOST} - expose: - - "9980" labels: io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} @@ -20,6 +18,9 @@ services: {{- end}} traefik.enable: false restart: on-failure + volumes: + - Localtime:/etc/localtime:ro # Syncronize time of container with the host system + - Timezone:/etc/timezone:ro # Syncronize timezone of container with the host system {{- end}} cron: image: nextcloud:fpm-alpine @@ -30,13 +31,13 @@ services: sh -c 'sh -s < Date: Fri, 11 Jan 2019 16:38:26 -0500 Subject: [PATCH 54/62] Testing Rancher hostname_override --- templates/Nextcloud/0/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 4a001fb..f805ecf 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -130,6 +130,7 @@ services: MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} labels: + io.rancher.container.hostname_override: "nextcloud" io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} 
From 0cb7258eff5e038dbe00702807059b6bc8d7ec20 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 11 Jan 2019 16:54:09 -0500 Subject: [PATCH 55/62] Removed other networks, fixed Database --- templates/Nextcloud/0/docker-compose.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index f805ecf..d352350 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -104,8 +104,6 @@ services: - collabora {{- end}} - nextcloud - networks: - - public-proxy {{- if .Values.WEB_PORT}} ports: - "${WEB_PORT}:80" @@ -136,15 +134,11 @@ services: io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} {{- end}} traefik.enable: false - networks: - db-admin: - aliases: - - nextcloud restart: on-failure volumes: - Localtime:/etc/localtime:ro # Syncronize time of container with the host system - Timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - mysql:/var/lib/mysql + - Database:/var/lib/mysql {{- if eq .Values.REDIS "true"}} redis: image: redis:alpine From 73dc3bb186854356d8c4125fd74f0e408fbe11a2 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 11 Jan 2019 17:08:44 -0500 Subject: [PATCH 56/62] Named bind mounts don't work... --- templates/Nextcloud/0/docker-compose.yml | 84 +++++------------------- 1 file changed, 17 insertions(+), 67 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index d352350..99d6815 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml 
@@ -19,8 +19,8 @@ services: traefik.enable: false restart: on-failure volumes: - - Localtime:/etc/localtime:ro # Syncronize time of container with the host system - - Timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system {{- end}} cron: image: nextcloud:fpm-alpine @@ -110,13 +110,15 @@ services: {{- end}} restart: on-failure volumes: - - Localtime:/etc/localtime:ro # Syncronize time of container with the host system - - Timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - Apps:/var/www/html/custom_apps # Nextcloud apps - - Configuration-Nextcloud:/var/www/html/config # Nextcloud configuration files - - Configuration-NGINX:/etc/nginx # NGINX configuration files - - Nextcloud:/var/www/html # Nextcloud site - - UserData:/var/www/html/data # Users' data file + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps + - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files + - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files + - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site + - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file + #- /RancherCattle/${DATA_DIR}/Logs/Nextcloud + #- /RancherCattle/${DATA_DIR}/Logs/NGINX mysql: image: mysql:5 dns: # Using Cloudflare DNS 
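Review bot: In the `@@ -110,13 +110,15 @@` hunk the nginx service's configuration directory is mounted read-write, `/RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx`, although nothing in that container needs to write there and the two `/etc/*` mounts in the same hunk already use `:ro`; `- /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx:ro` prevents a compromised worker from rewriting its own server configuration. `${DATA_DIR}` is a free-form string from the catalog question and is interpolated into every host path here, so the rancher-compose question (not in this patch) should constrain it to a relative path without `..` before it is used to pick bind-mount sources under `/RancherCattle`. The two commented `#- /RancherCattle/${DATA_DIR}/Logs/...` entries carry no container path and would be rejected if uncommented as they stand. The service definition these volumes belong to starts above the hunk.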
@@ -136,9 +138,9 @@ services: traefik.enable: false restart: on-failure volumes: - - Localtime:/etc/localtime:ro # Syncronize time of container with the host system - - Timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - - Database:/var/lib/mysql + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + - /RancherCattle/${DATA_DIR}/Database:/var/lib/mysql {{- if eq .Values.REDIS "true"}} redis: image: redis:alpine 
@@ -153,58 +155,6 @@ services: traefik.enable: false restart: on-failure volumes: - - Localtime:/etc/localtime:ro # Syncronize time of container with the host system - - Timezone:/etc/timezone:ro # Syncronize timezone of container with the host system - {{- end}} - -volumes: - Localtime: - driver_opts: - type: none - device: /etc/localtime - o: bind - Timezone: - driver_opts: - type: none - device: /etc/timezone - o: bind - Database: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Database - o: bind - Configuration-Nextcloud: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Configuration/Nextcloud - o: bind - Configuration-NGINX: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Configuration/NGINX - o: bind - Apps: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Apps - o: bind - Nextcloud: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Nextcloud - o: bind - UserData: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/UserData - o: bind - Logs-Nextcloud: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Logs/Nextcloud - o: bind - Logs-NGINX: - driver_opts: - type: none - device: /RancherCattle/${DATA_DIR}/Logs/NGINX - o: bind \ No newline at end of file + - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system + - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system + {{- end}} \ No newline at end of file From e03f8625f25eaf154dfdc005257193ceeccbc7e9 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 11 Jan 2019 17:23:41 -0500 Subject: [PATCH 57/62] Maybe this will work... --- templates/Nextcloud/0/docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 99d6815..2be9b4a 100644 --- a/templates/Nextcloud/0/docker-compose.yml 
+++ b/templates/Nextcloud/0/docker-compose.yml @@ -121,6 +121,7 @@ services: #- /RancherCattle/${DATA_DIR}/Logs/NGINX mysql: image: mysql:5 + container_name: nextcloud dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 @@ -130,7 +131,7 @@ services: MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} labels: - io.rancher.container.hostname_override: "nextcloud" + io.rancher.container.hostname_override: container_name io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} From 16ee5533d835c7a4c80cdaf3c6ef4345fdff7329 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 11 Jan 2019 17:32:22 -0500 Subject: [PATCH 58/62] SO happy Rancher stuff rarely seems to work... --- templates/Nextcloud/0/docker-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml index 2be9b4a..80f1d1e 100644 --- a/templates/Nextcloud/0/docker-compose.yml +++ b/templates/Nextcloud/0/docker-compose.yml @@ -121,7 +121,6 @@ services: #- /RancherCattle/${DATA_DIR}/Logs/NGINX mysql: image: mysql:5 - container_name: nextcloud dns: # Using Cloudflare DNS - 1.1.1.1 - 1.0.0.1 @@ -131,7 +130,6 @@ services: MYSQL_USER: nextcloud_user MYSQL_PASSWORD: ${DB_USER_PASS} labels: - io.rancher.container.hostname_override: container_name io.rancher.container.pull_image: always {{- if .Values.HOST_LABEL}} io.rancher.scheduler.affinity:host_label: ${HOST_LABEL} From 0af049b60c77b0daeb00dadb63b739d161922478 Mon Sep 17 00:00:00 2001 From: WilliamMiceli Date: Fri, 11 Jan 2019 19:17:21 -0500 Subject: [PATCH 59/62] Reverted some things, but still using new file structure --- .../0/Resources/conf.d/collabora.conf | 4 + .../0/Resources/conf.d/nextcloud.conf | 88 +++++++++++++++---- templates/Nextcloud/0/Resources/nginx.conf | 19 ++-- 3 files changed, 88 insertions(+), 23 deletions(-) 
diff --git a/templates/Nextcloud/0/Resources/conf.d/collabora.conf b/templates/Nextcloud/0/Resources/conf.d/collabora.conf
index 1f6b893..0b718bd 100644
--- a/templates/Nextcloud/0/Resources/conf.d/collabora.conf
+++ b/templates/Nextcloud/0/Resources/conf.d/collabora.conf
@@ -1,7 +1,11 @@
 server {
 listen 81;
 listen [::]:81;
+ server_name _;
+ #access_log logs/collabora_access.log;
+ #error_log logs/collabora_error.log error;
+
 
 # static files
 location ^~ /loleaflet {
 proxy_pass http://collabora:9980;
diff --git a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
index 50ad8e7..e2ee329 100644
--- a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
+++ b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
@@ -7,15 +7,52 @@ server { listen [::]:80; server_name _; + #---------------------------------------- + # Logging + #---------------------------------------- + + #access_log logs/nextcloud_access.log; + #error_log logs/nextcloud_error.log error; + + #---------------------------------------- + # Basic Settings + #---------------------------------------- + root /var/www/html/; # Path to the root of your installation client_max_body_size 10G; # Max upload size fastcgi_buffers 64 4K; - # Enable gzip but do not remove ETag headers - gzip off; + #---------------------------------------- + # GZip + #---------------------------------------- + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + #---------------------------------------- + # Security Headers + #---------------------------------------- + + # Add headers to serve security related headers + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + + fastcgi_hide_header X-Powered-By; # Remove X-Powered-By, which is an information leak + + #---------------------------------------- + # Locations + #---------------------------------------- - index index.php error_page 403 /core/templates/403.php; 
error_page 404 /core/templates/404.php; 
@@ -33,37 +70,58 @@ server { return 301 $scheme://$host/remote.php/dav; } - - location / { rewrite ^ /index.php$request_uri; } - location ~ \.php(?:$|/) { - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + # Mitigate https://httpoxy.org/ vulnerabilities: + fastcgi_param HTTP_PROXY ""; + #fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; } # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) { block - location ~* \.(?:css|js)$ { - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + # Optional: Don't log access to assets access_log off; } - # Optional: Don't log access to 
other assets - location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets access_log off; } } \ No newline at end of file diff --git a/templates/Nextcloud/0/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf index 9493b30..682ca28 100644 --- a/templates/Nextcloud/0/Resources/nginx.conf +++ b/templates/Nextcloud/0/Resources/nginx.conf @@ -1,7 +1,7 @@ user www-data; worker_processes auto; -# error_log /var/log/nginx.error_log info; # [ debug | info | notice | warn | error | crit ] +#error_log /var/log/nginx_error.log info; # [ debug | info | notice | warn | error | crit ] pid /var/run/nginx.pid; events { @@ -21,7 +21,7 @@ http { # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; - #access_log /var/log/nginx/access.log main; + #access_log /var/log/nginx/http_access.log main; # REFERENCE 2 #log_format main '$remote_addr - $host [$time_local] "$request" ' @@ -35,8 +35,8 @@ http { # 'rt=$request_time ut=$upstream_response_time ' # 'cs=$upstream_cache_status'; - #access_log /var/log/nginx/access.log main; - #error_log /var/log/nginx/error.log warn; + #access_log /var/log/nginx/http_access.log main; + #error_log /var/log/nginx/http_error.log error; #---------------------------------------- # Basic Settings @@ -45,7 +45,7 @@ http { sendfile on; tcp_nopush on; tcp_nodelay on; - keepalive_timeout 65; + keepalive_timeout 65; include /etc/nginx/mime.types; default_type application/octet-stream; @@ -60,9 +60,12 @@ http { # GZip #---------------------------------------- - - - + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 1000; + gzip_buffers 4 8k; + gzip_types text/plain; #---------------------------------------- # Cache From 3821bbe6946b957feb5fe921d6001df599821db3 Mon Sep 17 00:00:00 2001 
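Review bot: The css/js location in the `@@ -33,37 +70,58 @@` hunk drops the `Strict-Transport-Security` and `X-Frame-Options "SAMEORIGIN"` headers the previous revision sent, and nothing else in this server block adds them; since the PHP location sets `fastcgi_param modHeadersAvailable true;`, Nextcloud is told the web server owns these headers, so as far as this configuration shows a header absent from the list is sent by nobody. TLS appears to terminate at Traefik (`traefik.nextcloud.frontend.entryPoints: http,https` in patch 49), so HSTS belongs on the edge proxy; either set it there or add `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;` to both the server block and this location (a location-level `add_header` replaces the inherited set), and record the decision in a comment next to the `# Security Headers` banner. The security scan linked from the README ("Official Security Check") is the quickest way to confirm which headers actually reach clients.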
From: WilliamMiceli Date: Fri, 11 Jan 2019 21:24:32 -0500 Subject: [PATCH 60/62] Giving up on NGINX/Collabora/Alpine stuff Just not worth the time... --- templates/Nextcloud/0/README.md | 25 ---- .../0/Resources/conf.d/collabora.conf | 44 ------ .../0/Resources/conf.d/nextcloud.conf | 127 ------------------ .../Nextcloud/0/Resources/fastcgi_params | 21 --- templates/Nextcloud/0/Resources/mime.types | 48 ------- templates/Nextcloud/0/Resources/nginx.conf | 82 ----------- templates/Nextcloud/0/docker-compose.yml | 67 +-------- templates/Nextcloud/0/rancher-compose.yml | 8 -- 8 files changed, 7 insertions(+), 415 deletions(-) delete mode 100644 templates/Nextcloud/0/Resources/conf.d/collabora.conf delete mode 100644 templates/Nextcloud/0/Resources/conf.d/nextcloud.conf delete mode 100644 templates/Nextcloud/0/Resources/fastcgi_params delete mode 100644 templates/Nextcloud/0/Resources/mime.types delete mode 100644 templates/Nextcloud/0/Resources/nginx.conf diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md index 180b3a8..bb093a4 100644 --- a/templates/Nextcloud/0/README.md +++ b/templates/Nextcloud/0/README.md 
@@ -4,31 +4,6 @@ * Traefik deployed -## First Run Setup - -### Add Configuration For NGINX - -nginx.conf and mime.types to be put in the Configuration/NGINX directory. - -Included nginx.conf has only a few minor tweaks from the one located here: - -https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx - -### Add Your Domain as a Trusted Domain - -[Official Documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/installation_wizard.html#trusted-domains) - -* Open the "config.php" file, located in `/Application/config`. -* Under the "trusted_domains" array, add `1 => 'cloud.williammiceli.systems',`. - -### Apache Configuration Reference - -https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html? - -### Setup trusted domains on first startup - -https://docs.nextcloud.com/server/14/admin_manual/installation/installation_wizard.html#trusted-domains - ## Useful Tools * [Official Security Check](https://scan.nextcloud.com/) diff --git a/templates/Nextcloud/0/Resources/conf.d/collabora.conf b/templates/Nextcloud/0/Resources/conf.d/collabora.conf deleted file mode 100644 index 0b718bd..0000000 --- a/templates/Nextcloud/0/Resources/conf.d/collabora.conf +++ /dev/null 
@@ -1,44 +0,0 @@
-server {
- listen 81;
- listen [::]:81;
- server_name _;
-
- #access_log logs/collabora_access.log;
- #error_log logs/collabora_error.log error;
-
- # static files
- location ^~ /loleaflet {
- proxy_pass http://collabora:9980;
- proxy_set_header Host $http_host;
- }
-
- # WOPI discovery URL
- location ^~ /hosting/discovery {
- proxy_pass http://collabora:9980;
- proxy_set_header Host $http_host;
- }
-
- # main websocket
- location ~ ^/lool/(.*)/ws$ {
- proxy_pass http://collabora:9980;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
- proxy_read_timeout 36000s;
- }
-
- # download, presentation and image upload
- location ~ ^/lool {
- proxy_pass http://collabora:9980;
- proxy_set_header Host $http_host;
- }
-
- # Admin Console websocket
- location ^~ /lool/adminws {
- proxy_pass http://collabora:9980;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
- proxy_read_timeout 36000s;
- }
-}
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf b/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
deleted file mode 100644
index e2ee329..0000000
--- a/templates/Nextcloud/0/Resources/conf.d/nextcloud.conf
+++ /dev/null
@@ -1,127 +0,0 @@
-upstream php-handler {
- server nextcloud:9000;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name _;
-
- #----------------------------------------
- # Logging
- #----------------------------------------
-
- #access_log logs/nextcloud_access.log;
- #error_log logs/nextcloud_error.log error;
-
- #----------------------------------------
- # Basic Settings
- #----------------------------------------
-
- root /var/www/html/; # Path to the root of your installation
-
- client_max_body_size 10G; # Max upload size
- fastcgi_buffers 64 4K;
-
- #----------------------------------------
- # GZip
- #----------------------------------------
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- #----------------------------------------
- # Security Headers
- #----------------------------------------
-
- # Add headers to serve security related headers
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
- fastcgi_hide_header X-Powered-By; # Remove X-Powered-By, which is an information leak
-
- #----------------------------------------
- # Locations
- #----------------------------------------
-
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
-
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
-
- location / {
- rewrite ^ /index.php$request_uri;
- }
-
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
- deny all;
- }
-
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+\.php)(/.*)$;
- # Mitigate https://httpoxy.org/ vulnerabilities:
- fastcgi_param HTTP_PROXY "";
- #fastcgi_index index.php;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- #Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff|svg|gif)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/fastcgi_params b/templates/Nextcloud/0/Resources/fastcgi_params
deleted file mode 100644
index c2f509a..0000000
--- a/templates/Nextcloud/0/Resources/fastcgi_params
+++ /dev/null
@@ -1,21 +0,0 @@
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-fastcgi_index index.php;
-
-fastcgi_param REDIRECT_STATUS 200;
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/mime.types b/templates/Nextcloud/0/Resources/mime.types
deleted file mode 100644
index 62bd4b6..0000000
--- a/templates/Nextcloud/0/Resources/mime.types
+++ /dev/null
@@ -1,48 +0,0 @@
-types {
- text/html html htm shtml;
- text/css css;
- text/xml xml rss;
- image/gif gif;
- image/jpeg jpeg jpg;
- application/x-javascript js;
- text/plain txt;
- text/x-component htc;
- text/mathml mml;
- image/png png;
- image/x-icon ico;
- image/x-jng jng;
- image/vnd.wap.wbmp wbmp;
- application/java-archive jar war ear;
- application/mac-binhex40 hqx;
- application/pdf pdf;
- application/x-cocoa cco;
- application/x-java-archive-diff jardiff;
- application/x-java-jnlp-file jnlp;
- application/x-makeself run;
- application/x-perl pl pm;
- application/x-pilot prc pdb;
- application/x-rar-compressed rar;
- application/x-redhat-package-manager rpm;
- application/x-sea sea;
- application/x-shockwave-flash swf;
- application/x-stuffit sit;
- application/x-tcl tcl tk;
- application/x-x509-ca-cert der pem crt;
- application/x-xpinstall xpi;
- application/zip zip;
- application/octet-stream deb;
- application/octet-stream bin exe dll;
- application/octet-stream dmg;
- application/octet-stream eot;
- application/octet-stream iso img;
- application/octet-stream msi msp msm;
- audio/mpeg mp3;
- audio/x-realaudio ra;
- video/mpeg mpeg mpg;
- video/quicktime mov;
- video/x-flv flv;
- video/x-msvideo avi;
- video/x-ms-wmv wmv;
- video/x-ms-asf asx asf;
- video/x-mng mng;
-}
\ No newline at end of file
diff --git a/templates/Nextcloud/0/Resources/nginx.conf b/templates/Nextcloud/0/Resources/nginx.conf
deleted file mode 100644
index 682ca28..0000000
--- a/templates/Nextcloud/0/Resources/nginx.conf
+++ /dev/null
@@ -1,82 +0,0 @@
-user www-data;
-worker_processes auto;
-
-#error_log /var/log/nginx_error.log info; # [ debug | info | notice | warn | error | crit ]
-pid /var/run/nginx.pid;
-
-events {
- worker_connections 1024;
- use epoll; # use [ kqueue | rtsig | epoll | /dev/poll | select | poll ]
-}
-
-http {
-
- #----------------------------------------
- # Logging
- #----------------------------------------
-
-
- # REFERENCE 1
- #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- # '$status $body_bytes_sent "$http_referer" '
- # '"$http_user_agent" "$http_x_forwarded_for"';
-
- #access_log /var/log/nginx/http_access.log main;
-
- # REFERENCE 2
- #log_format main '$remote_addr - $host [$time_local] "$request" '
- # '$status $body_bytes_sent "$http_referer" '
- # '"$http_user_agent" "$http_x_forwarded_for"'
- # 'rt=$request_time ut=$upstream_response_time '
- # 'cs=$upstream_cache_status';
-
- #log_format cache '$remote_addr - $host [$time_local] "$request" $status '
- # '$body_bytes_sent "$http_referer" '
- # 'rt=$request_time ut=$upstream_response_time '
- # 'cs=$upstream_cache_status';
-
- #access_log /var/log/nginx/http_access.log main;
- #error_log /var/log/nginx/http_error.log error;
-
- #----------------------------------------
- # Basic Settings
- #----------------------------------------
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- #----------------------------------------
- # Common Limits
- #----------------------------------------
-
- client_max_body_size 1G; # Max upload size
-
- #----------------------------------------
- # GZip
- #----------------------------------------
-
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 1000;
- gzip_buffers 4 8k;
- gzip_types text/plain;
-
- #----------------------------------------
- # Cache
- #----------------------------------------
-
- proxy_cache_valid 1m;
-
- #----------------------------------------
- # Virtual Hosts
- #----------------------------------------
-
- include /etc/nginx/conf.d/*.conf;
-
-}
\ No newline at end of file
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml
index 80f1d1e..184e7db 100644
--- a/templates/Nextcloud/0/docker-compose.yml
+++ b/templates/Nextcloud/0/docker-compose.yml
@@ -1,29 +1,8 @@
 version: '2'
 services:
- {{- if eq .Values.COLLABORA "true"}}
- collabora:
- image: collabora/code:latest
- cap_add:
- - MKNOD # Ability to create special files (https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities)
- dns: # Using Cloudflare DNS
- - 1.1.1.1
- - 1.0.0.1
- environment:
- domain: collabora.${TRAEFIK_HOST}
- labels:
- io.rancher.container.pull_image: always
- {{- if .Values.HOST_LABEL}}
- io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
- {{- end}}
- traefik.enable: false
- restart: on-failure
- volumes:
- - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system
- - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system
- {{- end}}
 cron:
- image: nextcloud:fpm-alpine
+ image: nextcloud:apache
 dns: # Using Cloudflare DNS
 - 1.1.1.1
 - 1.0.0.1
@@ -41,7 +20,7 @@ services:
 volumes_from:
 - nginx
 nextcloud:
- image: nextcloud:fpm-alpine
+ image: nextcloud:apache
 dns: # Using Cloudflare DNS
 - 1.1.1.1
 - 1.0.0.1
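Review bot: The cron service still declares `volumes_from: - nginx` (the context lines of the `@@ -41,7 +20,7 @@` hunk) while the `@@ -58,26 +37,7 @@` hunk deletes the nginx service, so the compose file as committed references a service that no longer exists and the stack cannot be brought up. Since the Nextcloud volumes now belong to the nextcloud service, which also gains `io.rancher.sidekicks: cron`, the reference should follow them: `volumes_from:` / `  - nextcloud`. The cron entrypoint is outside this hunk, but the later patch shows it annotated `# www-data uid: 82`, which is the Alpine uid; the Debian-based `nextcloud:apache` image uses a different www-data uid, so that script presumably also needs revisiting rather than being commented out as patch 61 does. The cron service definition begins before this hunk.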
@@ -58,26 +37,7 @@ services:
 {{- if .Values.HOST_LABEL}}
 io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
 {{- end}}
- traefik.enable: false
- links:
- - mysql
- {{- if eq .Values.REDIS "true"}}
- - redis
- {{- end}}
- restart: on-failure
- volumes_from:
- - nginx
- nginx:
- image: nginx:latest # Can't use ":alpine" until I have a way to get the "www-data" user added automatically. (Project for another time)
- dns: # Using Cloudflare DNS
- - 1.1.1.1
- - 1.0.0.1
- labels:
- io.rancher.container.pull_image: always
- {{- if .Values.HOST_LABEL}}
- io.rancher.scheduler.affinity:host_label: ${HOST_LABEL}
- {{- end}}
- io.rancher.sidekicks: cron, nextcloud
+ io.rancher.sidekicks: cron
 traefik.enable: true
 ### Start Nextcloud Segment
 traefik.nextcloud.frontend.entryPoints: http,https
@@ -89,21 +49,11 @@ services:
 traefik.nextcloud.frontend.rule: Host:${TRAEFIK_HOST}
 traefik.nextcloud.port: "80"
 ### End Nextcloud Segment
- ### Start Collabora Segment
- traefik.collabora.frontend.entryPoints: http,https
- traefik.collabora.frontend.headers.forceSTSHeader: true
- traefik.collabora.frontend.headers.referrerPolicy: no-referrer # Security enhancement (Prevents leaking of referer information)
- traefik.collabora.frontend.headers.SSLRedirect: true
- traefik.collabora.frontend.headers.STSPreload: true
- traefik.collabora.frontend.headers.STSSeconds: 15552000
- traefik.collabora.frontend.rule: Host:collabora.${TRAEFIK_HOST}
- traefik.collabora.port: "81"
- ### End Collabora Segment
 links:
- {{- if eq .Values.COLLABORA "true"}}
- - collabora
+ - mysql
+ {{- if eq .Values.REDIS "true"}}
+ - redis
 {{- end}}
- - nextcloud
 {{- if .Values.WEB_PORT}}
 ports:
 - "${WEB_PORT}:80"
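Review bot: With the nginx service removed in the `@@ -58,26 +37,7 @@` hunk, the nextcloud container becomes the origin Traefik forwards to, and the request-path hardening that lived in the deleted `nextcloud.conf` — the `deny all` locations for `/config`, `/data`, `/lib`, `/3rdparty` and dotfiles, `fastcgi_hide_header X-Powered-By`, the `HTTP_PROXY` unset and the upload limit — is no longer applied by anything in this repository. The `nextcloud:apache` image ships its own Apache rules for most of this, but the stack now silently depends on that; a comment beside `traefik.enable: true` such as `# No reverse-proxy config of our own any more: path denies (/config, /data, .ht*) and header hiding rely on the image's Apache config; re-run the Security Check from the README after image upgrades` would record the assumption. The `Referrer-Policy`, `X-Robots-Tag` and `X-Content-Type-Options` headers the old config emitted should also be confirmed against the surviving `traefik.nextcloud.frontend.headers.*` labels, which presumably mirror the collabora ones being removed in the next hunk but are mostly outside this one. The nextcloud service's labels continue past the hunk.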
@@ -113,12 +63,9 @@ services:
 - /etc/localtime:/etc/localtime:ro # Syncronize time of container with the host system
 - /etc/timezone:/etc/timezone:ro # Syncronize timezone of container with the host system
 - /RancherCattle/${DATA_DIR}/Apps:/var/www/html/custom_apps # Nextcloud apps
- - /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files
- - /RancherCattle/${DATA_DIR}/Configuration/NGINX:/etc/nginx # NGINX configuration files
+ - /RancherCattle/${DATA_DIR}/Configuration:/var/www/html/config # Nextcloud configuration files
 - /RancherCattle/${DATA_DIR}/Nextcloud:/var/www/html # Nextcloud site
 - /RancherCattle/${DATA_DIR}/UserData:/var/www/html/data # Users' data file
- #- /RancherCattle/${DATA_DIR}/Logs/Nextcloud
- #- /RancherCattle/${DATA_DIR}/Logs/NGINX
 mysql:
 image: mysql:5
 dns: # Using Cloudflare DNS
diff --git a/templates/Nextcloud/0/rancher-compose.yml b/templates/Nextcloud/0/rancher-compose.yml
index 7a54f5a..faa54a4 100644
--- a/templates/Nextcloud/0/rancher-compose.yml
+++ b/templates/Nextcloud/0/rancher-compose.yml
@@ -65,14 +65,6 @@ catalog:
 required: true
 type: password
- - variable: "COLLABORA"
- label: "Enable Collabora"
- description: |
- Add a Collabora container for office document editing and live collaboration. Additional setup required, see README.
- default: true
- required: true
- type: boolean
-
 - variable: "REDIS"
 label: "Enable Redis"
 description: |
From a394a878a899161529c08900e42b8b84d9e94036 Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Fri, 11 Jan 2019 21:26:43 -0500
Subject: [PATCH 61/62] Disabled Cron for now
---
templates/Nextcloud/0/README.md | 3 +-
templates/Nextcloud/0/docker-compose.yml | 38 ++++++++++++------------
2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/templates/Nextcloud/0/README.md b/templates/Nextcloud/0/README.md
index bb093a4..6a42d1f 100644
--- a/templates/Nextcloud/0/README.md
+++ b/templates/Nextcloud/0/README.md
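Review bot: The config bind mount in the `@@ -113,12 +63,9 @@` hunk moves from `/RancherCattle/${DATA_DIR}/Configuration/Nextcloud` to `/RancherCattle/${DATA_DIR}/Configuration`, but nothing migrates the files: an existing deployment whose `config.php` (instance secret, database credentials, trusted domains) sits in the old subdirectory will start with an empty `/var/www/html/config`, and Nextcloud presumably then offers its first-run installer on the public Traefik hostname until someone completes it. The old `Configuration/NGINX` directory, if it exists on the host, also ends up inside the mounted Nextcloud config directory. Either keep `- /RancherCattle/${DATA_DIR}/Configuration/Nextcloud:/var/www/html/config # Nextcloud configuration files` or add a README step telling operators to move `Configuration/Nextcloud/*` up one level (and remove `Configuration/NGINX`) before upgrading the stack. The volumes list begins before this hunk.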
@@ -10,4 +10,5 @@
 ## To-Do's
-* Explain how to manually setup Redis
\ No newline at end of file
+* Explain how to manually setup Redis
+* Fix Cron container, does not yet properly execute yet
\ No newline at end of file
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml
index 184e7db..07d1043 100644
--- a/templates/Nextcloud/0/docker-compose.yml
+++ b/templates/Nextcloud/0/docker-compose.yml
@@ -1,24 +1,24 @@
 version: '2'
 services:
- cron:
- image: nextcloud:apache
- dns: # Using Cloudflare DNS
- - 1.1.1.1
- - 1.0.0.1
- entrypoint: | # www-data uid: 82
- sh -c 'sh -s <
Date: Fri, 11 Jan 2019 21:28:04 -0500
Subject: [PATCH 62/62] I don't really trust 15 yet...
---
templates/Nextcloud/0/docker-compose.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/Nextcloud/0/docker-compose.yml b/templates/Nextcloud/0/docker-compose.yml
index 07d1043..2970ab0 100644
--- a/templates/Nextcloud/0/docker-compose.yml
+++ b/templates/Nextcloud/0/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'
 services:
 # cron:
-# image: nextcloud:apache
+# image: nextcloud:stable-apache
 # dns: # Using Cloudflare DNS
 # - 1.1.1.1
 # - 1.0.0.1
@@ -20,7 +20,7 @@ services:
 # volumes_from:
 # - nginx
 nextcloud:
- image: nextcloud:apache
+ image: nextcloud:stable-apache
 dns: # Using Cloudflare DNS
 - 1.1.1.1
 - 1.0.0.1
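Review bot: `stable-apache` in the `@@ -20,7 +20,7 @@` hunk is a moving tag, so it does not give the version hold the commit message asks for: upstream repoints `stable` to the next major once it is promoted, and with `io.rancher.container.pull_image: always` — set on the other services in this file, presumably on nextcloud too — any container recreation pulls whatever `stable` resolves to at that moment. If the intent is to stay off 15 until it has been validated, pin the major explicitly, `image: nextcloud:<validated-major>-apache`, and bump it deliberately; the same applies to the commented-out `# image:` line in the `@@ -2,7 +2,7 @@` hunk so the two do not drift apart when cron is re-enabled. The nextcloud service definition continues past the hunk.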