Closed Adrian-at-CrimsonAzure closed 2 years ago
So, same as #142 and #65 which were closed.
The LSIO Nextcloud container rewrites each request to port 80 to port 443 using a 301 redirect. This is a major PITA and prevents using the LSIO version in combination with Traefik2. A number of people think this behaviour is a bit odd, certainly as other LSIO containers do not exhibit this behaviour.
A way to override the default redirect to HTTPS is very desirable.
Just focusing on your traefik2 comment, I've been told the following settings will make it work fine:
- traefik.enable=true
- traefik.http.routers.nextcloud-all.rule=Host(`nextcloud.domain.com`)
- traefik.http.routers.nextcloud-all.entrypoints=https,http
- traefik.http.routers.nextcloud-all.service=nextcloud-svc
- traefik.http.routers.nextcloud-all.middlewares=middleware-https-redirect
- traefik.http.services.nextcloud-svc.loadbalancer.server.scheme=https
- traefik.http.services.nextcloud-svc.loadbalancer.server.port=443
You will also need either
  serversTransport:
    insecureSkipVerify: true
in your static config (will apply to all containers) or something like
  http:
    serversTransports:
      ignorecert:
        insecureSkipVerify: true
in your dynamic config with a
  - traefik.http.services.foo.loadbalancer.serverstransport=ignorecert@file
label on your container (the `@file` suffix tells Traefik the transport is defined by the file provider, not by the Docker provider).
I've been told the following settings will make it work fine:
- traefik.http.routers.nextcloud-all.middlewares=middleware-https-redirect
- traefik.http.services.nextcloud-svc.loadbalancer.server.scheme=https
- traefik.http.services.nextcloud-svc.loadbalancer.server.port=443
and
insecureSkipVerify: true
I'm fully aware of this solution. Problem is, this disables system-wide checking of (internal) certificates. Traefik2 doesn't offer disabling (yet) on router / per backend-host level.
This issue #206 is a typical ping-pong issue 'who's to blame and who's willing to adapt'. Pity LSIO, I'll just keep using the official NC image which offers plain HTTP backend access. So far so good.
Problem is, this disables system-wide checking of (internal) certificates. Traefik2 doesn't offer disabling (yet) on router / per backend-host level.
It does, and I provided a brief example of how to do it in my post.
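As an added illustration of the two replies above (not a config from the thread or from the LSIO project): a Traefik v2 dynamic config fragment for the file provider that keeps TLS handling scoped to the Nextcloud backend only, with the weak skip-verify transport next to one that pins the container's self-signed certificate and leaves verification on. The transport names, the PEM path and the `nextcloud` upstream host name are assumptions.

```yaml
http:
  serversTransports:
    # Weak: disables certificate verification, but only for services that
    # reference this transport. The static flag
    # --serversTransport.insecureSkipVerify=true would instead apply to every
    # backend Traefik proxies, which is what the thread objects to.
    nextcloud-skipverify:
      insecureSkipVerify: true

    # Better: keep verification on and trust only the container's own
    # self-signed certificate, exported from the container beforehand
    # (the path below is an assumption for this example).
    nextcloud-pinned:
      rootCAs:
        - /etc/traefik/certs/nextcloud-selfsigned.crt
      # Name the certificate was issued for, used both as SNI and for the
      # hostname check, since the upstream is addressed by its compose
      # service name rather than the public host name.
      serverName: nextcloud

  services:
    nextcloud-svc:
      loadBalancer:
        # Reference the pinned transport; switch to nextcloud-skipverify
        # only as a temporary diagnostic.
        serversTransport: nextcloud-pinned
        servers:
          - url: https://nextcloud:443
```

If the service is declared through Docker labels instead, the same transport is referenced with `traefik.http.services.nextcloud-svc.loadbalancer.serverstransport=nextcloud-pinned@file`; only the serversTransports block itself has to live in the file provider.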
Hello there. I had to struggle with this too and here is my solution for this:
services:
  traefik:
    image: traefik:2.5 # brie v2.5.x # livarot v2.4.x # picodon v2.3.x
    command: # CLI arguments
      - --serversTransport.insecureSkipVerify=true # needed for self signed certificates
      ....
    labels:
      #- "autoheal=true"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME0`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      # - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:php8
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.nextcloud-rtr.entrypoints=https"
      - "traefik.http.routers.nextcloud-rtr.rule=HostHeader(`nc.$DOMAINNAME0`)"
      - "traefik.http.routers.nextcloud-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.nextcloud-rtr.middlewares=chain-nextcloud@file"
      ## HTTP Services
      - "traefik.http.routers.nextcloud-rtr.service=nextcloud-svc"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.port=443"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.scheme=https" # needed too otherwise wont work
Content of chain-nextcloud@file (the chain and the middlewares it references, in one file-provider dynamic config):
http:
  middlewares:
    chain-nextcloud:
      chain:
        middlewares:
          - middlewares-rate-limit
          - nextcloud-middlewares-secure-headers
          - nextcloud-redirect
    nextcloud-middlewares-secure-headers:
      headers:
        accessControlMaxAge: 100
        hostsProxyHeaders: ["X-Forwarded-Host"]
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "SAMEORIGIN"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none"
          server: ""
    nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
Thanks. The significant part is the “serversTransport.insecureSkipVerify”. LSIO is just a PITA with Nextcloud, due to stubborn inflexibility, not being able to provide plain internal HTTP traffic, and internal HTTPS is self-signed. I stick to the official NC docker release. No added value here.
Dude, we've given you a solution, it works without any issues. I'm literally using it myself right now. If you don't want to use our container that's fine but you don't need to keep coming back here to complain about it.
No offence, sorry if you feel that way, “dude” ;)
Comment out https://github.com/linuxserver/docker-nextcloud/blob/master/root/defaults/default#L7#L15 or mount your own copy of this file as a volume, e.g.:
volumes:
  - /home/datanextcloud:/data:rw
  - /home/docker/vol/nextcloud:/config:rw
  - /home/docker/config/nextcloud/default:/config/nginx/site-confs/default:ro
Desired Behavior
I should be able to use an environment variable like
USE_SSL=0
or something to disable SSL so I can use my own reverse proxy without the extra encryption step. I know I can just edit nginx/site-confs/default
but a built-in variable would be so much easier. I know this is a duplicate (#65), but I (and others, judging by the votes on that issue) feel that the solution "just edit the file" is not in the spirit of linuxserver.io images, which are nearly plug and play with no config monkeying. At least add a section on the Docker Hub page with a heads up and an example on how to disable it?