From be55bbe7c1e9bc89827cfada472b1ada2eae239d Mon Sep 17 00:00:00 2001
From: Simon L <szaimen@e.mail.de>
Date: Thu, 7 Sep 2023 16:55:29 +0200
Subject: [PATCH 1/2] nextcloud - limit access to php-fpm

Signed-off-by: Simon L <szaimen@e.mail.de>
---
 Containers/nextcloud/Dockerfile    |  1 +
 Containers/nextcloud/entrypoint.sh |  7 ++-----
 Containers/nextcloud/start.sh      | 17 +++++++++++++++++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/Containers/nextcloud/Dockerfile b/Containers/nextcloud/Dockerfile
index 0f04ef08..b9e3e78a 100644
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -189,6 +189,7 @@ RUN set -ex; \
         sudo \
         grep \
         nodejs \
+        bind-tools \
         coreutils; \
     \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
diff --git a/Containers/nextcloud/entrypoint.sh b/Containers/nextcloud/entrypoint.sh
index f58f94ca..06d5d166 100644
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@@ -524,11 +524,8 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
     # Fix https://github.com/nextcloud/all-in-one/issues/188:
     php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
     # Make collabora more save
-    COLLABORA_IPv4_ADDRESS="$(echo "<?php echo gethostbyname('$NC_DOMAIN');" | php | head -1)"
-    COLLABORA_IPv6_ADDRESS="<?php \$record = dns_get_record('$NC_DOMAIN', DNS_AAAA);"
-    # shellcheck disable=SC2016
-    COLLABORA_IPv6_ADDRESS+='if (!empty($record)) {echo $record[0]["ipv6"];}'
-    COLLABORA_IPv6_ADDRESS="$(echo "$COLLABORA_IPv6_ADDRESS" | php | head -1)"
+    COLLABORA_IPv4_ADDRESS="$(dig "$NC_DOMAIN" A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+    COLLABORA_IPv6_ADDRESS="$(dig "$NC_DOMAIN" AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
     COLLABORA_ALLOW_LIST="$(php /var/www/html/occ config:app:get richdocuments wopi_allowlist)"
     if [ -n "$COLLABORA_IPv4_ADDRESS" ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv4_ADDRESS"; then
diff --git a/Containers/nextcloud/start.sh b/Containers/nextcloud/start.sh
index 58330db3..5ca9da6c 100644
--- a/Containers/nextcloud/start.sh
+++ b/Containers/nextcloud/start.sh
@@ -25,6 +25,23 @@ if [ -f "/var/www/html/config/config.php" ]; then
     fi
 fi
 
+set -x
+IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+IPv6_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+IPv4_ADDRESS_NOTIFY_PUSH="$(dig nextcloud-aio-notify-push A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+IPv6_ADDRESS_NOTIFY_PUSH="$(dig nextcloud-aio-notify-push AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+IPv4_ADDRESS_DSP="$(dig nextcloud-aio-docker-socket-proxy A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+IPv6_ADDRESS_DSP="$(dig nextcloud-aio-docker-socket-proxy AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+set +x
+
+sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
+sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER,$IPv4_ADDRESS_NOTIFY_PUSH,$IPv6_ADDRESS_NOTIFY_PUSH,$IPv4_ADDRESS_DSP,$IPv6_ADDRESS_DSP|" /usr/local/etc/php-fpm.d/www.conf
+sed -i "listen.allowed_clients/s/,,//" /usr/local/etc/php-fpm.d/www.conf
+sed -i "listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
+grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
+
 # Trust additional Cacerts, if the user provided $TRUSTED_CACERTS_DIR
 if [ -n "$TRUSTED_CACERTS_DIR" ]; then
     echo "User required to trust additional CA certificates, running 'update-ca-certificates.'"

From dbb08337171b29f9069ca8b7b3a9c6e0460ac7ee Mon Sep 17 00:00:00 2001
From: Simon L <szaimen@e.mail.de>
Date: Wed, 27 Sep 2023 17:03:04 +0200
Subject: [PATCH 2/2] address review

Signed-off-by: Simon L <szaimen@e.mail.de>

Co-authored-by: Zoey <zoey@z0ey.de>
Signed-off-by: Simon L. <szaimen@e.mail.de>
---
 Containers/nextcloud/start.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Containers/nextcloud/start.sh b/Containers/nextcloud/start.sh
index 5ca9da6c..01ed09e4 100644
--- a/Containers/nextcloud/start.sh
+++ b/Containers/nextcloud/start.sh
@@ -38,7 +38,7 @@ set +x
 
 sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
 sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER,$IPv4_ADDRESS_NOTIFY_PUSH,$IPv6_ADDRESS_NOTIFY_PUSH,$IPv4_ADDRESS_DSP,$IPv6_ADDRESS_DSP|" /usr/local/etc/php-fpm.d/www.conf
-sed -i "listen.allowed_clients/s/,,//" /usr/local/etc/php-fpm.d/www.conf
+sed -i "listen.allowed_clients/s/,,/,/" /usr/local/etc/php-fpm.d/www.conf
 sed -i "listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
 grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf