From 968fa0d0a43043e8377adf3858a6bf72ebe742bf Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Mon, 8 Jan 2024 19:43:08 +0100 Subject: [PATCH 1/7] add bzip2 into container for nc28 --- nextcloud/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nextcloud/Dockerfile b/nextcloud/Dockerfile index 7b9cb73..5a7f1d8 100644 --- a/nextcloud/Dockerfile +++ b/nextcloud/Dockerfile @@ -8,6 +8,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ ffmpeg \ ocrmypdf tesseract-ocr-deu \ procps \ + libbz2-dev bzip2 \ && rm -rf /var/lib/apt/lists/* +RUN docker-php-ext-install bz2 + RUN mkdir -p /var/spool/cron/crontabs; echo '* * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data From d1233ece66f6477821bdbb5a10815d4bc7f5e15a Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Mon, 8 Jan 2024 19:44:00 +0100 Subject: [PATCH 2/7] update nginx.conf from official docu --- nextcloud/nginx.conf | 202 +++++++++++++++++++++++++------------------ 1 file changed, 120 insertions(+), 82 deletions(-) diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf index 59f3d77..dd2e803 100644 --- a/nextcloud/nginx.conf +++ b/nextcloud/nginx.conf @@ -10,7 +10,7 @@ events { http { - include /etc/nginx/mime.types; + include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -27,6 +27,12 @@ http { keepalive_timeout 65; + # Set the `immutable` cache control options only for assets with a cache busting `v` argument + map $arg_v $asset_immutable { + "" ""; + default "immutable"; + } + #gzip on; upstream php-handler { @@ -36,23 +42,43 @@ http { server { listen 80; - # Add headers to serve security related headers - # Before enabling Strict-Transport-Security headers please read into this - # topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # + # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - add_header X-XSS-Protection "1; mode=block" always; + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + + # set max upload size and increase upload timeout: + client_max_body_size 512M; + client_body_timeout 300s; + fastcgi_buffers 64 4K; + + # The settings allows you to optimize the HTTP2 bandwidth. + # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # for tuning hints + client_body_buffer_size 512k; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. + #pagespeed off; + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; @@ -60,6 +86,25 @@ http { # Path to the root of your installation root /var/www/html; + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 https://$host:443/remote.php/webdav/$is_args$args; + } + } + location = /robots.txt { allow all; log_not_found off; @@ -71,97 +116,90 @@ http { # `location ~ /(\.|autotest|...)` which would otherwise handle requests # for `/.well-known`. location ^~ /.well-known { - location = /.well-known/carddav { return 301 https://$host:443/remote.php/dav; } - location = /.well-known/caldav { return 301 https://$host:443/remote.php/dav; } - # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { return 301 https://$host:443/index.php$uri; } + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. - try_files $uri $uri/ =404; - } + location = /.well-known/carddav { return 301 https://$host:443/remote.php/dav; } + location = /.well-known/caldav { return 301 https://$host:443/remote.php/dav; } - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. - #pagespeed off; - - location / { - rewrite ^ /index.php; + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 https://$host:443/index.php$request_uri; } - location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { - deny all; - } - location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { - fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. + location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; + #fastcgi_param HTTPS on; - # Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - - # Enable pretty urls - fastcgi_param front_controller_active true; + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_pass php-handler; + fastcgi_intercept_errors on; fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; } - location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { - try_files $uri/ =404; - index index.php; - } - - # Adding the cache control header for js, css and map files - # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + # Javascript mimetype fixes for nginx + # Note: The block below should be removed, and the js|mjs section should be + # added to the block below this one. This is a temporary fix until Nginx + # upstream fixes the js mime-type + location ~* \.(?:js|mjs)$ { + types { + text/javascript js mjs; + } + default_type "text/javascript"; try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Optional: Don't log access to assets + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; access_log off; } - location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { + # Serve static files + location ~ \.(?:css|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; - # Optional: Don't log access to other assets - access_log off; + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + access_log off; # Optional: Don't log access to assets + + location ~ \.wasm$ { + default_type application/wasm; + } + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 https://$host:443/remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; } } } From a4a675634fabf8aca68c1f6067e7b298f1c427eb Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Mon, 8 Jan 2024 19:45:20 +0100 Subject: [PATCH 3/7] add hostname to diun --- monitoring/docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/monitoring/docker-compose.yaml b/monitoring/docker-compose.yaml index d37e548..f731fd9 100644 --- a/monitoring/docker-compose.yaml +++ b/monitoring/docker-compose.yaml @@ -112,6 +112,7 @@ services: - "${VOLUMES_PATH}/monitoring/diun/data:/data" networks: - dockersocket + hostname: ${HOSTNAME} environment: - "TZ=Europe/Berlin" - "DIUN_WATCH_WORKERS=10" From cbb68cdbd38bf20a029ebd6924ee86ffa20e4652 Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Tue, 5 Mar 2024 07:04:22 +0000 Subject: [PATCH 4/7] use nginx stable --- nextcloud/docker-compose.yaml | 2 +- www/docker-compose.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nextcloud/docker-compose.yaml b/nextcloud/docker-compose.yaml index f93b614..01bb80c 100644 --- a/nextcloud/docker-compose.yaml +++ b/nextcloud/docker-compose.yaml @@ -1,7 +1,7 @@ services: web: - image: nginx + image: nginx:stable depends_on: - app volumes: diff --git a/www/docker-compose.yaml b/www/docker-compose.yaml index c6a475b..b2dd6c4 100644 --- a/www/docker-compose.yaml +++ b/www/docker-compose.yaml @@ -1,7 +1,7 @@ services: app: - image: nginx + image: nginx:stable volumes: - ${HTML}:/usr/share/nginx/html:ro networks: From 884e5cb044602a7d7a0f9b49bca4c4880fc5570b Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Tue, 5 Mar 2024 07:07:05 +0000 Subject: [PATCH 5/7] improve nextcloud update script --- nextcloud/update-nc.sh | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/nextcloud/update-nc.sh b/nextcloud/update-nc.sh index 2886d18..377bbeb 100755 --- a/nextcloud/update-nc.sh +++ b/nextcloud/update-nc.sh @@ -1,11 +1,19 @@ +#/bin/bash/ + +function occ { + docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ "$@" +} + + #docker compose build --pull #docker compose pull --ignore-buildable -#docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ status +#occ status #docker compose up -d #watch docker compose ps -docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ upgrade -docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ maintenance:repair -docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ db:add-missing-indices -docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ db:add-missing-columns -docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ db:add-missing-primary-keys -docker compose --project-directory /home/flz/git/selfhost/nextcloud exec --user www-data app php occ status + +occ upgrade +occ maintenance:repair +occ db:add-missing-indices +occ db:add-missing-columns +occ db:add-missing-primary-keys +occ status From 77312ecd7063d6af011f2cb2fcac098cdbfe059e Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Tue, 5 Mar 2024 09:03:31 +0000 Subject: [PATCH 6/7] Nextcloud image adds bzip --- nextcloud/Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/nextcloud/Dockerfile b/nextcloud/Dockerfile index 5a7f1d8..7b9cb73 100644 --- a/nextcloud/Dockerfile +++ b/nextcloud/Dockerfile @@ -8,9 +8,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ ffmpeg \ ocrmypdf tesseract-ocr-deu \ procps \ - libbz2-dev bzip2 \ && rm -rf /var/lib/apt/lists/* -RUN docker-php-ext-install bz2 - RUN mkdir -p /var/spool/cron/crontabs; echo '* * * * * php -f /var/www/html/cron.php' > /var/spool/cron/crontabs/www-data From c817a4eaf36711c14fb819eab71c48d0409bbc61 Mon Sep 17 00:00:00 2001 From: Florian Zirker Date: Tue, 5 Mar 2024 09:04:20 +0000 Subject: [PATCH 7/7] Disable test service whoami --- proxy/docker-compose.yaml | 22 +++++++++++----------- start-all.sh | 3 ++- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml index f934863..d6033ba 100755 --- a/proxy/docker-compose.yaml +++ b/proxy/docker-compose.yaml @@ -79,17 +79,17 @@ services: privileged: true - whoami: - image: traefik/whoami - networks: - - web - labels: - - "traefik.enable=true" - - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)" - - "traefik.http.routers.whoami.entrypoints=websecure" - - "traefik.http.routers.whoami.tls.certresolver=netcup" - - "docker.group=proxy" - restart: unless-stopped +# whoami: +# image: traefik/whoami +# networks: +# - web +# labels: +# - "traefik.enable=true" +# - "traefik.http.routers.whoami.rule=Host(`whoami.${DOMAIN}`)" +# - "traefik.http.routers.whoami.entrypoints=websecure" +# - "traefik.http.routers.whoami.tls.certresolver=netcup" +# - "docker.group=proxy" +# restart: unless-stopped networks: diff --git a/start-all.sh b/start-all.sh index 3bb9ce4..c9b3e79 100755 --- a/start-all.sh +++ b/start-all.sh @@ -4,7 +4,8 @@ function up { (cd "$1" && echo "[$1]" && docker compose up -d "${@:2}"); } -up proxy --scale whoami=3; +#up proxy --scale whoami=3; +up proxy; up monitoring; up nextcloud; up git;