vstoppe / mycloud


Your compose with Caddy - working solution with a few quirks #2

Open zilexa opened 3 years ago

zilexa commented 3 years ago

I am using your docker-compose, with docker-caddy-proxy for https/reverse proxy and as webserver. No need for nginx. The public Nextcloud security scan gives me an A+ rating and, as far as I can test, everything works! (After 3 nights of trial & error since I am no expert.) But in Settings > Overview I get a few warnings and hope you can maybe shed some light here, as most solutions online focus on Apache instead of PHP-FPM:

> Your data directory and files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

> Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation. Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

Why I think the webdav/carddav redirects are working:

  1. When I check (outside of my home network) https://next.mydomain.com/remote.php/dav I get the message This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.
  2. When I use the Nextcloud Android app, after logging in, I can see + edit files just fine.

Why I think the data directory is not exposed: in your example here (https://github.com/vstoppe/mycloud/blob/master/nextcloud/dockercompose-files/docker-compose_05-fpm-redis-postgres-CODE.yml), isn't the data dir `nextdata`? In my example I use the same: `$DOCKERDIR/nextcloud/var/nextdata:/var/nextdata`. In my Caddy container I added the `var/www/html` folder from Nextcloud, not the `nextdata` folder.

Would you mind having a look?

```yaml
version: "2.3"
services:
##_____________________ Caddy [CLOUD/web-proxy]
  caddy:
    container_name: caddy-proxy
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    restart: always
    networks:
      - web-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - $DOCKERDIR/caddy/caddy_data:/data
      - $DOCKERDIR/caddy/config:/config
      - $DOCKERDIR/nextcloud/var/www/html:/nextcloud/var/www/html  #Required access for Nextcloud, no NGINX needed!
    ports:
      - 80:80
      - 443:443
##
##____________________ NextCloud [CLOUD/Files/NextCloud]
  nextcloud:
    image: nextcloud:21-fpm
    container_name: nextcloud
    restart: always
    mem_limit: 2048m
    mem_reservation: 512m
    networks:
      - web-proxy
      - nextcloud
    depends_on:
      - nextcloud-db
      - nextcloud-cache
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
      NEXTCLOUD_TRUSTED_DOMAINS: next.$DOMAIN
      NEXTCLOUD_ADMIN_USER: $USER1
      NEXTCLOUD_ADMIN_PASSWORD: $USER1PW
      POSTGRES_HOST: nextcloud-db
      POSTGRES_DB: nextcloud
      POSTGRES_USER: $USER
      POSTGRES_PASSWORD: $PW_INT
      REDIS_HOST: nextcloud-cache
      REDIS_HOST_PASSWORD: $PW_INT
      SMTP_HOST: $SMTPHOST
      SMTP_SECURE: tls
      SMTP_NAME: $SMTPUSER
      SMTP_PASSWORD: $SMTPPASS
      SMTP_FROM_ADDRESS: $EMAIL
      SMTP_PORT: 587
    volumes:
        # the actual data of the Nextcloud:
      - $DOCKERDIR/nextcloud/var/nextdata:/var/nextdata
        # Main folder needed for updating:
      - $DOCKERDIR/nextcloud/var/www/html:/var/www/html
        # local configuration
      - $DOCKERDIR/nextcloud/var/www/html/config:/var/www/html/config
        # userdata folder:
      - $USERDATA:/mnt/users
        # Custom settings for php fpm to make nextcloud work. The default settings resulted in the error:
        # WARNING: [pool www] server reached pm.max_children setting (5), consider raising it
      - $DOCKERDIR/nextcloud/etc/www-custom.ini:/usr/local/etc/php-fpm.d/zz-custom.conf
    labels:
      caddy: next.$DOMAIN
      caddy.tls: $EMAIL
      caddy.file_server: ""
      caddy.root: "* /nextcloud/var/www/html"
      caddy.php_fastcgi: "{{upstreams 9000}}"
      caddy.php_fastcgi.root: "var/www/html"
      caddy.php_fastcgi.env: "front_controller_active true"
      caddy.encode: gzip
      caddy.rewrite_0: "/.well-known/carddav /remote.php/dav"
      caddy.rewrite_1: "/.well-known/caldav /remote.php/dav"
      caddy.header.Strict-Transport-Security: '"max-age=31536000;"'
##____________________ NextCloud [CLOUD/Files/NextCloud/database]
  nextcloud-db:
    container_name: nextcloud-db
    image: postgres:12-alpine
    restart: always
    networks:
      - nextcloud
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
      POSTGRES_USER: $USER
      POSTGRES_PASSWORD: $PW_INT
    volumes:
      - $DOCKERDIR/nextcloud/var/db:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
##____________________ NextCloud [CLOUD/Files/NextCloud/cache]
  nextcloud-cache:
    container_name: nextcloud-cache
    image: redis:alpine
    restart: always
    mem_limit: 2048m
    mem_reservation: 512m
    networks:
      - nextcloud
    command: redis-server --requirepass $PW_INT
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
#
#
networks:
  web-proxy:
    driver: bridge
  nextcloud:
    driver: bridge
```

vstoppe commented 3 years ago

Hi Zilexa!

Maybe I can help a little bit. Your setup differs a little from mine because of your docker-caddy-proxy. I have no experience with it, but it seems to do something similar to nginx-proxy.

> Your data directory and files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.

The data directory is configured by the `NEXTCLOUD_DATA_DIR` variable; it defaults to `/var/www/html/data`, see [the image documentation](https://hub.docker.com//nextcloud). This is usually in the document root of your web server.

You are defining this as a volume: `$DOCKERDIR/nextcloud/var/nextdata:/var/nextdata`

This is not automatically your data dir. You either configure `NEXTCLOUD_DATA_DIR=/var/nextdata` in the environment file or in the environment section of the docker-compose file.

I don't know what you are doing with the volumes in the caddy container.

> Your web server is not properly set up to resolve “/.well-known/caldav”. Further information can be found in the documentation. Your web server is not properly set up to resolve “/.well-known/carddav”. Further information can be found in the documentation.

> Why I think the webdav/carddav redirects are working:
>
>   1. When I check (outside of my home network) https://next.mydomain.com/remote.php/dav I get the message This is the WebDAV interface. It can only be accessed by WebDAV clients such as the Nextcloud desktop sync client.

I guess this is not the well-known address. You just made a successful test of the Nextcloud caldav/carddav interface. I guess the well-known address is the redirect from “/.well-known/caldav” => "/remote.php/dav". When I configure caldav / carddav from my Mac I just have to set the server to "../remote.php/dav". I can only assume that the redirect is not working as expected. In my nginx.conf I also set a redirect. It looks similar. You could check with curl if you get a redirect:

```
curl https://next.mydoamin.de/.well-known/carddav

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.19.7</center>
</body>
</html>
```

I hope I could help out. :-)

PS: I didn't test with Nextcloud 21 so far, because I see the Nextcloud code quality as a little "limited". I usually wait for version .04 or so to be sure that the most obvious bugs are closed.
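A way to run both of the checks vstoppe describes from outside (the curl probe for the `.well-known` redirect and the data-directory warning) in one go, as an added example that is not part of this thread or of the mycloud repo. It assumes the data directory was left at the image default `/var/www/html/data`, that `data/.ocdata` is the marker file Nextcloud's own "data directory protected" check requests, and that any 3xx to `/remote.php/dav` counts as a working redirect (the nginx example above answers 301). The base URL is passed on the command line; `https://next.example.com` is only a placeholder.

```python
"""Probe a Nextcloud front end for the two Overview warnings discussed in this thread."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Expected behaviour (assumed from the thread): both .well-known paths redirect to
# /remote.php/dav, and the data directory is not served by the web server at all.
WELL_KNOWN_PATHS = ("/.well-known/caldav", "/.well-known/carddav")
DAV_TARGET = "/remote.php/dav"
# Marker file that Nextcloud's own data-directory check requests (assumption:
# data dir still at the image default /var/www/html/data).
DATA_PROBE_PATH = "/data/.ocdata"
# Text that remote.php/dav returns to a plain browser, quoted in the thread.
DAV_BANNER = b"This is the WebDAV interface"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(base_url, path, timeout=10):
    """GET base_url + path; return (status, lower-cased headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(urljoin(base_url, path), method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx answers arrive here as well as 4xx/5xx.
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def check_well_known(fetch):
    """Return one (path, ok, detail) tuple per .well-known path.

    `fetch(path)` must return (status, headers, body), like http_fetch bound to a base URL.
    """
    findings = []
    for path in WELL_KNOWN_PATHS:
        status, headers, body = fetch(path)
        location = headers.get("location", "")
        if status in (301, 302, 307, 308) and location.rstrip("/").endswith(DAV_TARGET):
            findings.append((path, True, f"{status} -> {location}"))
        elif status == 200 and DAV_BANNER in body:
            # A `rewrite` (as in the compose posted above) serves the DAV endpoint in
            # place; the client never sees a redirect, which is what the check wants.
            findings.append((path, False, "200 served in place (internal rewrite), no redirect to " + DAV_TARGET))
        else:
            findings.append((path, False, f"{status} -> {location or '(no Location header)'}"))
    return findings


def check_data_dir(fetch):
    """Return (path, ok, detail); ok unless the marker file is served with HTTP 200."""
    status, _, _ = fetch(DATA_PROBE_PATH)
    ok = status != 200
    detail = f"HTTP {status}" + ("" if ok else " - data directory is served by the web server")
    return (DATA_PROBE_PATH, ok, detail)


def run_checks(fetch):
    """All findings as a list of (path, ok, detail)."""
    return check_well_known(fetch) + [check_data_dir(fetch)]


def all_ok(findings):
    return all(ok for _, ok, _ in findings)


def main(argv):
    base_url = argv[1] if len(argv) > 1 else "https://next.example.com"  # placeholder
    findings = run_checks(lambda path: http_fetch(base_url, path))
    for path, ok, detail in findings:
        print(f"{'OK  ' if ok else 'FAIL'} {path}: {detail}")
    return 0 if all_ok(findings) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 nc_check.py https://next.yourdomain.tld` from outside your network. Against the labels posted above it reports the two `.well-known` paths as served in place rather than redirected, and it reports the data directory as served whenever the Caddy `root` still covers `data/`; once `NEXTCLOUD_DATA_DIR` points outside the served tree (or the path is denied in Caddy) and the rewrites become redirects, all three lines show OK.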

zilexa commented 3 years ago

Thanks so much for the feedback! I will look into it this weekend and report back! Caddy is great, it allows me to expose most webUIs with just 2-4 readable Compose labels. Only things like Nextcloud are a bit more complicated. I only discovered it a few weeks ago.

Perhaps also of interest for you: FileRun. Now that I have played a few days with NextCloud, it definitely is king of apps and all sorts of collaboration features. But purely as a Drive/Dropbox etc. alternative, FileRun is definitely a better choice. But I like to have Nextcloud ready to spin up if I want to switch for Contacts & Calendar (& unlimited users; FR only allows 10 free users).