linuxserver / docker-nextcloud

GNU General Public License v3.0

Make SSL Optional #206

Closed Adrian-at-CrimsonAzure closed 2 years ago

Adrian-at-CrimsonAzure commented 3 years ago

Desired Behavior

I should be able to use an environment variable like USE_SSL=0 or something to disable SSL so I can use my own reverse proxy without the extra encryption step. I know I can just edit nginx/site-confs/default but a built-in variable would be so much easier. I know this is a duplicate (#65), but I (and others judging by the votes on that issue) feel that the solution "just edit the file" is not in the spirit of linuxserver.io images which are nearly plug and play with no config monkeying.

At least add a section on the Docker Hub page with a heads up and an example on how to disable it?

github-actions[bot] commented 3 years ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

bartclone commented 3 years ago

So, same as #142 and #65 which were closed.

The LSIO Nextcloud container rewrites each request to port 80 to port 443 using a 301 redirect. This is a major PITA and prevents using the LSIO version in combination with Traefik2. A number of people think this behaviour is a bit odd, certainly as other LSIO containers do not exhibit this behaviour.

A way to override the default redirect to HTTPS is very desirable.

j0nnymoe commented 3 years ago

Just focusing on your traefik2 comment, I've been told the following settings will make it work fine:

      - traefik.enable=true
      - traefik.http.routers.nextcloud-all.rule=Host(`nextcloud.domain.com`)
      - traefik.http.routers.nextcloud-all.entrypoints=https,http
      - traefik.http.routers.nextcloud-all.service=nextcloud-svc
      - traefik.http.routers.nextcloud-all.middlewares=middleware-https-redirect
      - traefik.http.services.nextcloud-svc.loadbalancer.server.scheme=https
      - traefik.http.services.nextcloud-svc.loadbalancer.server.port=443

thespad commented 3 years ago

You will also need either

serversTransport:
  insecureSkipVerify: true

In your static config (will apply to all containers) or something like

http:
  serversTransports:
    ignorecert:
      insecureSkipVerify: true

In your dynamic config with a:

- traefik.http.services.foo.loadbalancer.serverstransport=ignorecert

Label on your container.
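
As an added example (not from thespad's post or from the linuxserver project), the dynamic-config variant above written out as a complete Traefik v2 file-provider fragment, extended with a second transport that keeps certificate verification switched on by trusting the container's self-signed certificate explicitly instead of skipping the check. The file name, the transport names, the CA file path, the `serverName` value and the backend URL are assumptions.

```yaml
# dynamic.yml (assumed file name), loaded by Traefik's file provider.
# Only services that reference one of these transports by name are affected;
# every other backend keeps Traefik's default transport with full verification.
http:
  serversTransports:
    # Option A: skip verification for this one backend (what the thread uses).
    nextcloud-skipverify:
      insecureSkipVerify: true

    # Option B: keep verification on. Export the self-signed certificate the
    # container generates and list it as a trusted root; the backend must
    # present a certificate whose SAN matches serverName.
    nextcloud-pinned:
      serverName: nextcloud.domain.com            # assumed hostname in the cert
      rootCAs:
        - /etc/traefik/certs/nextcloud-selfsigned.crt   # assumed export path

  services:
    nextcloud-svc:
      loadBalancer:
        serversTransport: nextcloud-pinned        # or nextcloud-skipverify
        servers:
          - url: "https://nextcloud:443"          # assumed container hostname
```

The same scoping works with labels instead of the file provider, as in thespad's `traefik.http.services.foo.loadbalancer.serverstransport=ignorecert` label: the transport is defined once and each service opts in by name, so `insecureSkipVerify` is never applied globally. Option B has to be refreshed whenever the container regenerates its certificate, which is the trade-off for keeping verification on.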

bartclone commented 3 years ago

I've been told the following settings will make it work fine:

      - traefik.http.routers.nextcloud-all.middlewares=middleware-https-redirect
      - traefik.http.services.nextcloud-svc.loadbalancer.server.scheme=https
      - traefik.http.services.nextcloud-svc.loadbalancer.server.port=443

and

insecureSkipVerify: true

I'm fully aware of this solution. Problem is, this disables system-wide checking of (internal) certificates. Traefik2 doesn't offer disabling (yet) on router / per backend-host level.

This issue #206 is a typical ping-pong issue 'who's to blame and who's willing to adapt'. Pity LSIO, I'll just keep using the official NC image which offers plain HTTP backend access. So far so good.

thespad commented 3 years ago

Problem is, this disables system-wide checking of (internal) certificates. Traefik2 doesn't offer disabling (yet) on router / per backend-host level.

It does, and I provided a brief example of how to do it in my post.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

ErgoProxy1337 commented 2 years ago

Hello there. I had to struggle with this too and here is my solution for this:

services:
  traefik:
    image: traefik:2.5 # brie v2.5.x livarot v2.4.x # picodon v2.3.x
    command: # CLI arguments
      - --serversTransport.insecureSkipVerify=true # needed for self-signed certificates
      ....
    labels:
      #- "autoheal=true"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME0`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      # - "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:php8
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.nextcloud-rtr.entrypoints=https"
      - "traefik.http.routers.nextcloud-rtr.rule=HostHeader(`nc.$DOMAINNAME0`)"
      - "traefik.http.routers.nextcloud-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.nextcloud-rtr.middlewares=chain-nextcloud@file"
      ## HTTP Services
      - "traefik.http.routers.nextcloud-rtr.service=nextcloud-svc"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.port=443"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.scheme=https" # needed too otherwise wont work

Content of chain-nextcloud@file

http:
  middlewares:
    chain-nextcloud:
      chain:
        middlewares:
          - middlewares-rate-limit
          - nextcloud-middlewares-secure-headers
          - nextcloud-redirect

    nextcloud-middlewares-secure-headers:
      headers:
        accessControlMaxAge: 100
        hostsProxyHeaders: ["X-Forwarded-Host"]
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "SAMEORIGIN"
        contentTypeNosniff: true
        browserXssFilter: true
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          X-Robots-Tag: "none"
          server: ""

    nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50

bartclone commented 2 years ago

Thanks. The significant part is the “serversTransport.insecureSkipVerify”. LSIO is just a PITA with Nextcloud, due to stubborn inflexibility not being able to provide plain internal http traffic, and internal https is self-signed. I stick to the official NC docker release. No added value here.

thespad commented 2 years ago

Dude, we've given you a solution, it works without any issues. I'm literally using it myself right now. If you don't want to use our container that's fine but you don't need to keep coming back here to complain about it.

bartclone commented 2 years ago

No offence, sorry if you feel that way, “dude” ;)


diyfr commented 1 year ago

Comment out https://github.com/linuxserver/docker-nextcloud/blob/master/root/defaults/default#L7#L15 or mount this file as a volume, e.g.:

    volumes:
      - /home/datanextcloud:/data:rw
      - /home/docker/vol/nextcloud:/config:rw
      - /home/docker/config/nextcloud/default:/config/nginx/site-confs/default:ro