From 9f8d6e0c3b76c3b0b941eb430d6645a2be35af5c Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Fri, 18 Oct 2019 16:26:19 +0200
Subject: [PATCH 1/5] Use fpm image for Nextcloud
---
 config-static/nginx/params/headers_params | 3 +
 scripts/show-info.sh | 2 +-
 .../docker-compose/docker-compose-base.yml | 2 +-
 .../docker-compose-networks.yml | 1 +
 templates/nginx/sites-enabled/nextcloud.conf | 121 ++++++++++++------
 5 files changed, 85 insertions(+), 44 deletions(-)
diff --git a/config-static/nginx/params/headers_params b/config-static/nginx/params/headers_params
index e05f961..e8feaa9 100644
--- a/config-static/nginx/params/headers_params
+++ b/config-static/nginx/params/headers_params
@@ -3,5 +3,8 @@ add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header Strict-Transport-Security "max-age=15768000";
 add_header Referrer-Policy "same-origin";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
 fastcgi_hide_header X-Powered-By;
 server_tokens off;
diff --git a/scripts/show-info.sh b/scripts/show-info.sh
index fbbe684..e25eb5f 100755
--- a/scripts/show-info.sh
+++ b/scripts/show-info.sh
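Review bot: The three added `add_header` lines, like the existing ones above them, carry no `always` flag, so nginx attaches them only to 2xx/3xx responses and error pages (4xx/5xx) go out without X-Robots-Tag, X-Download-Options or X-Permitted-Cross-Domain-Policies. Consider `add_header X-Robots-Tag none always;` (and the same for the other two) so the headers are present on every response. Since this snippet is included at server level, keep in mind that any `location` that declares its own `add_header` silently drops everything set here — nginx does not merge `add_header` across configuration levels.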
@@ -6,7 +6,7 @@ source /mnt/repo-base/scripts/base.sh
 SPAM_UI=$(grep server_name $(grep -l mailserver:11334 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
 RSPAMD_PASSWORD=$(grep ^RSPAMD_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
-NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:80 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
+NEXTCLOUD_UI=$(grep server_name $(grep -l nextcloud:9000 /mnt/repo-base/config-dynamic/nginx/sites-enabled/*.conf) | sort -u | head -n1 | awk '{ print $2 }' | sed 's/;$//g')
 NEXTCLOUD_ADMIN_USER=$(grep ^NEXTCLOUD_ADMIN_USER= "$ENVFILE" | awk -F= '{ print $NF }')
 NEXTCLOUD_ADMIN_PASSWORD=$(grep ^NEXTCLOUD_ADMIN_PASSWORD= "$ENVFILE" | awk -F= '{ print $NF }')
diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/docker-compose-base.yml
index e5571d3..2de2c6f 100644
--- a/templates/docker-compose/docker-compose-base.yml
+++ b/templates/docker-compose/docker-compose-base.yml
@@ -102,7 +102,7 @@ services:
 - mariadb
 nextcloud:
- image: nextcloud:15.0.12
+ image: nextcloud:15.0.12-fpm
 container_name: nextcloud
 restart: always
 networks:
diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/docker-compose-networks.yml
index a903b4f..412d776 100644
--- a/templates/docker-compose/docker-compose-networks.yml
+++ b/templates/docker-compose/docker-compose-networks.yml
@@ -14,6 +14,7 @@
 - /mnt/repo-base/config-dynamic/letsencrypt/certstore:/certs
 - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds
 - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge
+ - /mnt/repo-base/volumes/nextcloud/html:/var/www/html
 depends_on:
 - nextcloud
 - create-account
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index 6383641..84e05ee 100644
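Review bot: The new search string `nextcloud:9000` only finds the vhost because the upstream block added to templates/nginx/sites-enabled/nextcloud.conf in the same patch contains `server nextcloud:9000;`; nothing records that coupling, so a comment on the line would help: `# locate the Nextcloud vhost by its upstream target; keep in sync with the upstream block in nextcloud.conf`. The inner `$(grep -l ...)` is unquoted and, when no file matches, leaves the outer grep with no file operand so it reads stdin instead of failing; that is pre-existing, but the rewritten line keeps it.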
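Review bot: The new bind mount hands this container — presumably the nginx front end, judging by the certs and passwds mounts above it — read-write access to the whole Nextcloud webroot, although serving static files and evaluating `try_files` only needs read access; `- /mnt/repo-base/volumes/nextcloud/html:/var/www/html:ro` keeps a compromised front end from altering PHP sources. The same mount also exposes Nextcloud's `config/` and `data/` directories to the front end, so the `deny all` locations in nextcloud.conf become the only thing stopping them from being served; a comment noting that dependency belongs here. The `custom_apps` mount added in the second patch of this series has the same read-write issue.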
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
@@ -1,47 +1,84 @@
+upstream php-handler {
+ server nextcloud:9000;
+}
+
 server {
- listen 8000;
- server_name @@@DOMAIN@@@;
- location /.well-known/acme-challenge/ {
- alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
- }
- location / {
- return 301 https://$host$request_uri;
- }
+ listen 8000;
+ server_name @@@DOMAIN@@@;
+ location /.well-known/acme-challenge/ {
+ alias /etc/letsencrypt/acme-challenge/.well-known/acme-challenge/;
+ }
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 server {
- listen 4430 ssl http2;
- server_name @@@DOMAIN@@@;
-
- ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem;
- ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem;
-
- include /etc/nginx/params/ssl_params;
- # Nextcloud already sets these headers, the include would just duplicate them
- #include /etc/nginx/params/headers_params;
- add_header Strict-Transport-Security "max-age=15552000;includeSubDomains;preload";
- server_tokens off;
- client_max_body_size 4096M;
-
- #auth_basic "Who's this?";
- #auth_basic_user_file /passwds/.htpasswd;
- location = /.well-known/carddav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location = /.well-known/caldav {
- return 301 $scheme://$host/remote.php/dav;
- }
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://nextcloud:80;
- # https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/big_file_upload_configuration.html#nginx
- proxy_buffering off;
- include /etc/nginx/params/proxy_params;
- }
- location ~ (\.(?:css|js|woff2?|svg|gif)$|^/core/img/background.png$) {
- proxy_pass http://nextcloud:80;
- include /etc/nginx/params/proxy_params;
- add_header Cache-Control "public, max-age=15778463";
- }
+ listen 4430 ssl http2;
+ server_name @@@DOMAIN@@@;
+
+ ssl_certificate /certs/live/@@@DOMAIN@@@/fullchain.pem;
+ ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem;
+
+ include /etc/nginx/params/ssl_params;
+ include /etc/nginx/params/headers_params;
+
+ client_max_body_size 4096M;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ # Enable compression for JS/CSS/HTML bundle, for improved client load times.
+ # It might be nice to compress JSON, but leaving that out to protect against potential
+ # compression+encryption information leak attacks like BREACH.
+ gzip_types application/atom+xml application/javascript application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ root /var/www/html;
+
+ location / {
+ rewrite ^ /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ # fastcgi_param HTTPS on;
+ #Avoid sending the security headers twice
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location = /.well-known/carddav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location = /.well-known/caldav {
+ return 301 $scheme://$host/remote.php/dav;
+ }
+ location ~ (\.(?:css|js|woff2?|svg|gif)$|^/core/img/background.png$) {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy no-referrer;
+ access_log off;
+ }
 }
-- GitLab
From e7f9248378fcac5fe0360b82614144a27454a5e8 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Mon, 21 Oct 2019 13:09:18 +0200
Subject: [PATCH 2/5] add security headers, fix custom_apps
---
 templates/docker-compose/docker-compose-networks.yml | 1 +
 templates/nginx/sites-enabled/nextcloud.conf | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/templates/docker-compose/docker-compose-networks.yml b/templates/docker-compose/docker-compose-networks.yml
index 412d776..84840ec 100644
--- a/templates/docker-compose/docker-compose-networks.yml
+++ b/templates/docker-compose/docker-compose-networks.yml
@@ -15,6 +15,7 @@
 - /mnt/repo-base/config-dynamic/nginx/passwds:/passwds
 - /mnt/repo-base/config-dynamic/letsencrypt/acme-challenge:/etc/letsencrypt/acme-challenge
 - /mnt/repo-base/volumes/nextcloud/html:/var/www/html
+ - /mnt/repo-base/volumes/nextcloud/custom_apps:/var/www/html/custom_apps/
 depends_on:
 - nextcloud
 - create-account
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index 84e05ee..9a5e214 100644
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
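Review bot: The rewritten TLS server block weakens HSTS: the removed line sent `Strict-Transport-Security "max-age=15552000;includeSubDomains;preload"`, while the replacement `include /etc/nginx/params/headers_params;` yields only `max-age=15768000` with neither `includeSubDomains` nor `preload`, and the second patch of this series, which inlines the headers, keeps the weaker value. On top of that, the static-asset `location ~ (\.(?:css|js|woff2?|svg|gif)$|...)` declares its own `add_header` list without Strict-Transport-Security, and nginx does not merge `add_header` across levels, so CSS/JS/font responses leave without HSTS and without the other server-level headers the list omits. Restore the previous value at server level and repeat it in that location, `add_header Strict-Transport-Security "max-age=15552000;includeSubDomains;preload";`, or move the header into a snippet included in both places. `# fastcgi_param HTTPS on;` is also left commented out although this block terminates TLS; unless config.php sets `overwriteprotocol` or a trusted-proxy header, Nextcloud will see plain-HTTP requests and generate http:// URLs, so confirm how the protocol is detected in this deployment.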
@@ -21,7 +21,17 @@ server {
 ssl_certificate_key /certs/live/@@@DOMAIN@@@/privkey.pem;
 include /etc/nginx/params/ssl_params;
- include /etc/nginx/params/headers_params;
+ # We include these headers directly because some are already set by Nextcloud.
+ #include /etc/nginx/params/headers_params;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=15768000";
+ add_header Referrer-Policy "same-origin";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ fastcgi_hide_header X-Powered-By;
+ server_tokens off;
 client_max_body_size 4096M;
 fastcgi_buffers 64 4K;
-- GitLab
From 565509fce20e6a7e978ded759cd59819e1068eee Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Tue, 5 Nov 2019 14:49:54 +0100
Subject: [PATCH 3/5] apply security patch for php-fpm vuln
---
 templates/nginx/sites-enabled/nextcloud.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index 9a5e214..dd5d1ab 100644
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
@@ -50,7 +50,7 @@ server {
 root /var/www/html;
 location / {
- rewrite ^ /index.php$request_uri;
+ rewrite ^ /index.php;
 }
 location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
@@ -62,6 +62,7 @@ server {
 location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
 fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ try_files $fastcgi_script_name =404;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
-- GitLab
From ff556209eb10eceb513769f8d636a31625026982 Mon Sep 17 00:00:00 2001
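Review bot: The comment `# We include these headers directly because some are already set by Nextcloud.` does not describe what the lines below do: they reproduce the headers_params file verbatim, including the headers Nextcloud itself sets, so the duplication the comment worries about is unchanged by inlining — what actually prevents double headers is `fastcgi_param modHeadersAvailable true;` in the PHP location, outside this hunk. State the real reason for inlining (presumably to let this vhost diverge from the shared set), e.g. `# Inlined rather than included so this vhost can carry its own header set.`, or go back to the include. The inlined `Referrer-Policy "same-origin"` also disagrees with the `Referrer-Policy no-referrer` that the static-asset location later in this file sets; pick one. HSTS here is still `max-age=15768000` with no `includeSubDomains`, weaker than the `max-age=15552000;includeSubDomains;preload` this file carried before the first patch of the series.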
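Review bot: `try_files $fastcgi_script_name =404;` is inserted between `fastcgi_split_path_info` and the `fastcgi_param PATH_INFO $fastcgi_path_info;` context line, and try_files can clear `$fastcgi_path_info` (nginx derives it lazily from the split regex, whose capture the try_files lookup may discard), which would leave PATH_INFO empty for requests such as /index.php/apps/files. Capture it first with `set $path_info $fastcgi_path_info;` placed before the try_files line, and pass `fastcgi_param PATH_INFO $path_info;` instead. The intent stated only in the commit message should also live in the file, e.g. `# Refuse to hand requests for non-existent scripts to php-fpm`, so the guard is not removed as redundant later. The enclosing location block ends outside the hunk.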
From: Felix Ableitner
Date: Fri, 8 Nov 2019 12:59:43 +0100
Subject: [PATCH 4/5] fix image loading problem in rainloop
---
 templates/nginx/sites-enabled/nextcloud.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/nginx/sites-enabled/nextcloud.conf b/templates/nginx/sites-enabled/nextcloud.conf
index dd5d1ab..f8aebf5 100644
--- a/templates/nginx/sites-enabled/nextcloud.conf
+++ b/templates/nginx/sites-enabled/nextcloud.conf
@@ -81,7 +81,7 @@ server {
 location = /.well-known/caldav {
 return 301 $scheme://$host/remote.php/dav;
 }
- location ~ (\.(?:css|js|woff2?|svg|gif)$|^/core/img/background.png$) {
+ location ~ (\.(?:css|js|woff2?|svg|gif|png|jpg|ico)$|^/core/img/background.png$) {
 try_files $uri /index.php$request_uri;
 add_header Cache-Control "public, max-age=15778463";
 add_header X-Content-Type-Options nosniff;
-- GitLab
From 93f9034e4b87aca0844d0fc344e31f7680f04d21 Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Mon, 11 Nov 2019 12:52:30 +0100
Subject: [PATCH 5/5] use nextcloud 16
---
 templates/docker-compose/docker-compose-base.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/docker-compose/docker-compose-base.yml b/templates/docker-compose/docker-compose-base.yml
index 2de2c6f..23121a1 100644
--- a/templates/docker-compose/docker-compose-base.yml
+++ b/templates/docker-compose/docker-compose-base.yml
@@ -102,7 +102,7 @@ services:
 - mariadb
 nextcloud:
- image: nextcloud:15.0.12-fpm
+ image: nextcloud:16.0.5-fpm
 container_name: nextcloud
 restart: always
 networks:
-- GitLab
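Review bot: With `png` added to the extension class, the `^/core/img/background.png$` alternative in the same regex is redundant and the location can be simplified to `location ~ \.(?:css|js|woff2?|svg|gif|png|jpg|ico)$ {`. Every extension added here also moves those responses onto this location's own `add_header` list, which does not include Strict-Transport-Security, so image responses now go out without HSTS just as CSS/JS already do; add the HSTS header to this location as well. The location body continues outside the hunk.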