search

nextcloud / docker

⛴ Docker image of Nextcloud
https://hub.docker.com/_/nextcloud/
GNU Affero General Public License v3.0
6.08k stars 1.83k forks source link

Help to make fpm work properly with nginx #770

Closed ghost closed 5 years ago

ghost commented 5 years ago

Hi ! Sorry beforehand if my english is not perfect, it isn't my mother tongue. I couldn't make php-fpm work properly with nginx, even following the examples here.

Here is my folder structure:

./docker-compose.yml
./files
./files/MariaDB
./files/Nextcloud
./files/NGINX
./files/NGINX/conf.d
./files/NGINX/nginx.conf
./files/NGINX/conf.d/my_domain.conf

docker-compose.yml

version: "3.7"

services:
  service-mariadb:
    image: mariadb
    container_name: container-mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - ./files/MariaDB:/var/lib/mysql:rw
    environment:
      - MYSQL_ROOT_PASSWORD=REPLACE_WITH_PASSWORD_MYSQL_ROOT
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=REPLACE_WITH_PASSWORD_MYSQL_USER
      - MYSQL_DATABASE=nextcloud

  service-nextcloud:
    image: nextcloud:fpm-alpine
    container_name: container-nextcloud
    depends_on:
      - service-mariadb
    volumes:
      - ./files/Nextcloud:/var/www/html:rw
    environment:
      - NEXTCLOUD_TRUSTED_DOMAINS=REPLACE_WITH_PUBLIC_IP
      - NEXTCLOUD_ADMIN_USER=REPLACE_WITH_USERNAME
      - NEXTCLOUD_ADMIN_PASSWORD=REPLACE_WITH_PASSWORD_NEXTCLOUD
      - MYSQL_HOST=service-mariadb
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=REPLACE_WITH_PASSWORD_MYSQL_USER

  service-nginx:
    image: nginx:alpine
    container_name: container-nginx
    depends_on:
      - service-nextcloud
    ports:
      - 80:80
    volumes:
      - ./files/NGINX/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./files/NGINX/conf.d:/etc/nginx/conf.d:ro

./files/NGINX/conf.d

worker_processes    auto;
error_log           /var/log/nginx/error.log warn;
pid                 /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log          /var/log/nginx/access.log  main;
    sendfile            on;
    keepalive_timeout   65;

    server_tokens       off;

    include             /etc/nginx/conf.d/*.conf;
}

./files/NGINX/conf.d/my_domain.conf

upstream php-handler {
    server service-nextcloud:9000;
}

server {
    listen 80;
    listen [::]:80;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;

    root /var/www/html;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php$request_uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Versions

$ docker -v
Docker version 18.09.6, build 481bc77156
$ docker-compose -v
docker-compose version 1.24.0, build 0aa5906

Weird looking page 2019-06-06-21-02-58-Screenshot

Note: I removed the SSL from NGINX on purpose, to keep it simple... I have exactly the same issues with SSL enabled.

Thanks in advance if someone can say me what I'm doing wrong.

charlag commented 5 years ago

I guess you need to mount your nextcloud files (/var/www/html) into nginx container?.

ghost commented 5 years ago

I guess you need to mount your nextcloud files (/var/www/html) into nginx container?.

You are right, I totally forgot that.

Working perfect right now. Working

Fixed docker-compose.yml

version: "3.7"

services:
  service-mariadb:
    image: mariadb
    container_name: container-mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - ./files/MariaDB:/var/lib/mysql:rw
    environment:
      - MYSQL_ROOT_PASSWORD=REPLACE_WITH_PASSWORD_MYSQL_ROOT
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=REPLACE_WITH_PASSWORD_MYSQL_USER
      - MYSQL_DATABASE=nextcloud

  service-nextcloud:
    image: nextcloud:fpm-alpine
    container_name: container-nextcloud
    depends_on:
      - service-mariadb
    volumes:
      - ./files/Nextcloud:/var/www/html:rw
    environment:
      - NEXTCLOUD_TRUSTED_DOMAINS=REPLACE_WITH_DOMAIN
      - NEXTCLOUD_ADMIN_USER=REPLACE_WITH_USERNAME
      - NEXTCLOUD_ADMIN_PASSWORD=REPLACE_WITH_PASSWORD_NEXTCLOUD
      - MYSQL_HOST=service-mariadb
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=REPLACE_WITH_PASSWORD_MYSQL_USER

  service-nginx:
    image: nginx:alpine
    container_name: container-nginx
    depends_on:
      - service-nextcloud
    ports:
      - 80:80
    volumes:
      - ./files/Nextcloud:/var/www/html:rw
      - ./files/NGINX/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./files/NGINX/conf.d:/etc/nginx/conf.d:ro

Many thanks dude, it was driving me crazy.

charlag commented 5 years ago

Wow, it was a wild guess, I'm glad I could help! Was fiddling with similar things myself last week.