diff --git a/config-static/nginx/params/headers_params b/config-static/nginx/params/headers_params
index e05f961163c9d8b5b881cc52cd8ceedb2508265b..e8feaa906ccf13b26c65fe4bcb3127f25c401f0f 100644
--- a/config-static/nginx/params/headers_params
+++ b/config-static/nginx/params/headers_params
@@ -3,5 +3,8 @@ add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header Strict-Transport-Security "max-age=15768000";
 add_header Referrer-Policy "same-origin";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
 fastcgi_hide_header X-Powered-By;
 server_tokens off;
diff --git a/scripts/show-info.sh b/scripts/show-info.sh
index fbbe6849a627516ca879f2c5a949c38811862618..e25eb5f0a9ee8a444440de3b933065acb6297bd0 100755
--- a/scripts/show-info.sh
+++ b/scripts/show-info.sh
@@ -6,7 +6,7 @@ source /mnt/repo-base/scripts/base.sh
 SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
 RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
+NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:9000 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
 NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }')
 NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/docker-compose-base.yml
index e5571d315be0805ae6090c7166f1152b8963de5c..23121a1467ad299d7155539c1cb6800c247c94bf 100644
--- a/templates/docker-compose/docker-compose-base.yml
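Review bot: `add_header X-Robots-Tag none;` in the shared `headers_params` include instructs crawlers not to index or follow links on every vhost that includes this file, not only the Nextcloud site; if any site that includes it is meant to be discoverable, the directive belongs in that site's own server block. Which sites include this file is not visible in the diff, so that part is inferred. The three new `add_header` lines, like the existing ones, lack the `always` flag, so none of these headers are sent on 4xx/5xx responses, including nginx's own error pages — consider `add_header X-Permitted-Cross-Domain-Policies none always;` and the same for the other two.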
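Review bot: The new `grep -l nextcloud:9000` pattern ties this script to the literal upstream address written in `nextcloud.conf`, and the failure mode is silent: if the inner `grep -l` matches nothing, the outer `grep server_name` gets no file argument and reads stdin instead (hanging when attached to a terminal), and the unquoted `$(...)` result is word-split, so a path containing whitespace would break it. A comment above the assignment such as `# NEXTCLOUD_UI: vhost whose upstream is the nextcloud php-fpm service (nextcloud:9000 in nextcloud.conf)` would make that coupling explicit, and narrowing the pattern to `grep -l 'server nextcloud:9000;'` ties it to the upstream line rather than any occurrence of the string. The unchanged `SPAM_UI` line two lines above has the same shape and the same stdin fallback. The script continues outside the hunk.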
+++ b/templates/docker-compose/docker-compose-base.yml
@@ -102,7 +102,7 @@ services: - mariadb nextcloud: - image: nextcloud:15.0.12 + image: nextcloud:16.0.5-fpm container_name: nextcloud restart: always networks:
diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/docker-compose-networks.yml
index a903b4f1dee4ff71c601a9ad7bbd0e192f6adc9e..84840ecf676efd1ddb7a7563d85e84a8c2392e26 100644
--- a/templates/docker-compose/docker-compose-networks.yml
+++ b/templates/docker-compose/docker-compose-networks.yml
@@ -14,6 +14,8 @@ - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge + - /mnt/repo-base/volumes/nextcloud/html:/var/www/html + - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/ depends_on: - nextcloud - create-account
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index 6383641e9dd8cc4ca8665b269cb6c1a3e99f29f9..f8aebf5c55f6c2204460141d2eb52ad52f261217 100644
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
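Review bot: The new bind mount of `/mnt/repo-base/volumes/nextcloud/html` into this service — which, judging by the cert and passwd mounts and `depends_on: nextcloud`, appears to be the nginx front end — is read-write, although nginx only needs to stat and read files under the webroot for `try_files` and static delivery; `- /mnt/repo-base/volumes/nextcloud/html:/var/www/html:ro` keeps a misconfigured or compromised proxy container from altering PHP sources or `config/` (and the same `:ro` suffix fits the `custom_apps` line). The nested `custom_apps` mount is redundant for this container if that host directory already lives under the `html` tree, which the diff does not show; a comment saying why both are mounted would save the next reader the question. The service definition starts before the hunk.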
@@ -1,47 +1,95 @@ +upstream php-handler { + server nextcloud:9000; +} + server { - listen 8000; - server_name @@@DOMAIN@@@; - location /.well-known/acme-challenge/ { - alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; - } - location / { - return 301 https://$host$request_uri; - } + listen 8000; + server_name @@@DOMAIN@@@; + location /.well-known/acme-challenge/ { + alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/; + } + location / { + return 301 https://$host$request_uri; + } } server { - listen 4430 ssl http2; - server_name @@@DOMAIN@@@; - - ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem; - ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; - - include /etc/nginx/params/ssl_params; - # Nextcloud already sets these headers, the include would just duplicate them - #include /etc/nginx/params/headers_params; - add_header Strict-Transport-Security "max-age=15552000;includeSubDomains;preload"; - server_tokens off; - client_max_body_size 4096M; - - #auth_basic "Who's this?"; - #auth_basic_user_file /passwds/.htpasswd; - location = /.well-known/carddav { - return 301 $scheme://$host/remote.php/dav; - } - location = /.well-known/caldav { - return 301 $scheme://$host/remote.php/dav; - } - location / { - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://nextcloud:80; - # https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/big_file_upload_configuration.html#nginx - proxy_buffering off; - include /etc/nginx/params/proxy_params; - } - location ~ (\.(?:css|js|woff2?|svg|gif)$|^/core/img/background.png$) { - proxy_pass http://nextcloud:80; - include /etc/nginx/params/proxy_params; - add_header Cache-Control "public, max-age=15778463"; - } + listen 4430 ssl http2; + server_name @@@DOMAIN@@@; + + ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem; + ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem; + + include 
/etc/nginx/params/ssl_params; + # We include these headers directly because some are already set by Nextcloud. + #include /etc/nginx/params/headers_params; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=15768000"; + add_header Referrer-Policy "same-origin"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + fastcgi_hide_header X-Powered-By; + server_tokens off; + + client_max_body_size 4096M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + # Enable compression for JS/CSS/HTML bundle, for improved client load times. + # It might be nice to compress JSON, but leaving that out to protect against potential + # compression+encryption information leak attacks like BREACH. 
+ gzip_types application/atom+xml application/javascript application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + root /var/www/html; + + location / { + rewrite ^ /index.php; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + # fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + location ~ (\.(?:css|js|woff2?|svg|gif|png|jpg|ico)$|^/core/img/background.png$) { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + access_log off; + } }
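Review bot: `# fastcgi_param HTTPS on;` is left commented out inside the `listen 4430 ssl http2` server block, so PHP-FPM is never told the request arrived over TLS; Nextcloud takes its request scheme (used for generated URLs and cookie flags) from that server variable unless `overwriteprotocol` is set in config.php, so the line should be active: `fastcgi_param HTTPS on;`. The rewrite also narrows HSTS: the removed line sent `max-age=15552000;includeSubDomains;preload`, the new one sends only `max-age=15768000`, and none of the `add_header` lines carry `always`, so no security header accompanies error responses — if the earlier includeSubDomains/preload commitment was intentional, `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;` restores it. Because an `add_header` inside a location replaces every header inherited from the server level, the static-asset location (`css|js|woff2?...`) sends only its own list and therefore drops Strict-Transport-Security entirely, and it uses `Referrer-Policy no-referrer` where the server level uses `same-origin`; keeping the shared headers in one include used at both levels would remove the drift.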