eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-02-04 04:56:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

replace apache with a second caddy

Browse source 
Signed-off-by: Zoey <zoey@z0ey.de>
This commit is contained in:
Zoey 2025-10-17 21:01:58 +02:00
parent 9c0334d3f0
commit c6c9d8ab9c
9 changed files with 92 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

37
Containers/mastercontainer/Caddyfile
View file

@ -1,37 +0,0 @@
{
# auto_https will create redirects for https://{host}:8443 instead of https://{host}
# https redirects are added manually in the http://:80 block
auto_https disable_redirects
storage file_system {
root /mnt/docker-aio-config/caddy/
}
log {
level ERROR
}
servers {
protocols h1 h2 h2c
}
on_demand_tls {
ask http://127.0.0.1:9876/
}
}
http://:80 {
redir https://{host}{uri} permanent
}
https://:8443 {
reverse_proxy 127.0.0.1:8000
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}

52
Containers/mastercontainer/Dockerfile
View file

@ -21,9 +21,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
COPY community-containers /var/www/docker-aio/community-containers COPY community-containers /var/www/docker-aio/community-containers
COPY php /var/www/docker-aio/php COPY php /var/www/docker-aio/php
COPY --chmod=775 Containers/mastercontainer/*.sh / COPY --chmod=775 Containers/mastercontainer/*.sh /
COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
WORKDIR /var/www/docker-aio WORKDIR /var/www/docker-aio
@ -37,13 +36,8 @@ RUN set -ex; \
apk add --no-cache \ apk add --no-cache \
util-linux-misc \ util-linux-misc \
ca-certificates \ ca-certificates \
wget \
bash \ bash \
apache2 \
apache2-proxy \
apache2-ssl \
supervisor \ supervisor \
openssl \
sudo \ sudo \
netcat-openbsd \ netcat-openbsd \
curl \ curl \
@ -67,11 +61,13 @@ RUN set -ex; \
sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \ sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's|listen =.*|;listen = /run/php.sock # handled in zz-docker.conf|' /usr/local/etc/php-fpm.d/www.conf; \
grep -q 'listen =' /usr/local/etc/php-fpm.d/zz-docker.conf; \
sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/zz-docker.conf; \
\ \
apk add --no-cache git; \ apk add --no-cache git; \
wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \ curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
chmod +x /usr/local/bin/composer; \ chmod +x /usr/local/bin/composer; \
cd /var/www/docker-aio; \ cd /var/www/docker-aio; \
rm -r ./php/tests; \ rm -r ./php/tests; \
@ -86,42 +82,6 @@ RUN set -ex; \
rm -r php/data; \ rm -r php/data; \
rm -r php/session; \ rm -r php/session; \
\ \
mkdir -p /etc/apache2/certs; \
cd /etc/apache2/certs; \
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
\
sed -i \
-e '/^Listen /d' \
-e 's/^LogLevel .*/LogLevel error/' \
-e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
-e 's/User apache/User www-data/g' \
-e 's/Group apache/Group www-data/g' \
-e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-e 's/\(ScriptAlias \)/#\1/' \
/etc/apache2/httpd.conf; \
mkdir -p /etc/apache2/logs; \
rm /etc/apache2/conf.d/ssl.conf; \
echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
\
rm -f /etc/apache2/conf.d/default.conf \
/etc/apache2/conf.d/userdir.conf \
/etc/apache2/conf.d/info.conf; \
\
rm -rf /var/www/localhost/cgi-bin/; \
mkdir /var/log/supervisord; \ mkdir /var/log/supervisord; \
mkdir /var/run/supervisord; mkdir /var/run/supervisord;

39
Containers/mastercontainer/acme.Caddyfile Normal file
View file

@ -0,0 +1,39 @@
{
# auto_https will create redirects for https://{host}:8443 instead of https://{host}
# https redirects are added manually in the http://:80 block
auto_https disable_redirects
storage file_system {
root /mnt/docker-aio-config/caddy/
}
log {
level ERROR
}
servers {
protocols h1 h2 h2c
}
on_demand_tls {
ask http://127.0.0.1:9876/
}
}
http://:80 {
redir https://{host}{uri} permanent
}
https://:8443 {
root * /var/www/docker-aio/php/public
encode
php_fastcgi unix//run/php.sock
file_server
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}

3
Containers/mastercontainer/healthcheck.sh
View file

@ -2,9 +2,8 @@
if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
nc -z 127.0.0.1 80 || exit 1 nc -z 127.0.0.1 80 || exit 1
nc -z 127.0.0.1 8000 || exit 1
nc -z 127.0.0.1 8080 || exit 1 nc -z 127.0.0.1 8080 || exit 1
nc -z 127.0.0.1 8443 || exit 1 nc -z 127.0.0.1 8443 || exit 1
nc -z 127.0.0.1 9000 || exit 1 [ -f /run/php.sock ] || exit 1
nc -z 127.0.0.1 9876 || exit 1 nc -z 127.0.0.1 9876 || exit 1
fi fi

29
Containers/mastercontainer/internal.Caddyfile Normal file
View file

@ -0,0 +1,29 @@
{
auto_https off
storage file_system {
root /mnt/docker-aio-config/caddy/
}
log {
level ERROR
}
servers {
protocols h1 h2
}
skip_install_trust
}
https://:8080 {
root * /var/www/docker-aio/php/public
encode
php_fastcgi unix//run/php.sock
file_server
tls {
on_demand
issuer internal
}
}

62
Containers/mastercontainer/mastercontainer.conf
View file

@ -1,62 +0,0 @@
Listen 127.0.0.1:8000
Listen 8080 https
# Deny access to .ht files
<Files ".ht*">
Require all denied
</Files>
# Http host
<VirtualHost 127.0.0.1:8000>
ServerName 127.0.0.1
# Add error log
CustomLog /proc/self/fd/1 proxy
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
ErrorLog /proc/self/fd/2
ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
LogLevel warn
# PHP match
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
# Master dir
DocumentRoot /var/www/docker-aio/php/public/
<Directory /var/www/docker-aio/php/public/>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
Options Indexes FollowSymLinks
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
Satisfy Any
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>
# Https host
<VirtualHost *:8080>
# Proxy to https
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
ProxyPreserveHost On
# SSL
SSLCertificateKeyFile /etc/apache2/certs/ssl.key
SSLCertificateFile /etc/apache2/certs/ssl.crt
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off
</VirtualHost>
# Increase timeout in case e.g. the initial download takes a long time
Timeout 7200
ProxyTimeout 7200
# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
TraceEnable Off

36
Containers/mastercontainer/start.sh
View file

@ -371,36 +371,6 @@ chown www-data:www-data -R /mnt/docker-aio-config/session/
chown www-data:www-data -R /mnt/docker-aio-config/caddy/ chown www-data:www-data -R /mnt/docker-aio-config/caddy/
chown root:root -R /mnt/docker-aio-config/certs/ chown root:root -R /mnt/docker-aio-config/certs/
# Don't allow access to the AIO interface from the Nextcloud container
# Probably more cosmetic than anything but at least an attempt
if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
cat << APACHE_CONF >> /etc/apache2/httpd.conf
# nextcloud-aio-block-start
<Location />
order allow,deny
deny from nextcloud-aio-nextcloud.nextcloud-aio
allow from all
</Location>
# nextcloud-aio-block-end
APACHE_CONF
fi
# Adjust certs
GENERATED_CERTS="/mnt/docker-aio-config/certs"
TMP_CERTS="/etc/apache2/certs"
mkdir -p "$GENERATED_CERTS"
cd "$GENERATED_CERTS" || exit 1
if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
fi
if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
cd "$TMP_CERTS" || exit 1
rm ./ssl.crt
rm ./ssl.key
cp "$GENERATED_CERTS/ssl.crt" ./
cp "$GENERATED_CERTS/ssl.key" ./
fi
print_green "Initial startup of Nextcloud All-in-One complete! print_green "Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server! You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080 E.g. https://internal.ip.of.this.server:8080
@ -412,16 +382,14 @@ https://your-domain-that-points-to-this-server.tld:8443"
# Set the timezone to Etc/UTC # Set the timezone to Etc/UTC
export TZ=Etc/UTC export TZ=Etc/UTC
# Fix apache startup
rm -f /var/run/apache2/httpd.pid
# Fix caddy startup # Fix caddy startup
if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
rm -rf /mnt/docker-aio-config/caddy/locks/* rm -rf /mnt/docker-aio-config/caddy/locks/*
fi fi
# Fix the Caddyfile format # Fix the Caddyfile format
caddy fmt --overwrite /Caddyfile caddy fmt --overwrite /acme.Caddyfile
caddy fmt --overwrite /internal.Caddyfile
# Fix caddy log # Fix caddy log
chmod 777 /root chmod 777 /root

20
Containers/mastercontainer/supervisord.conf
View file

@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0
command=php-fpm command=php-fpm
user=root user=root
[program:apache] [program:caddy-internal]
# Stdout logging is disabled as otherwise the logs are spammed
stdout_logfile=NONE
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=httpd -DFOREGROUND
user=root
[program:caddy]
stdout_logfile=/dev/stdout stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0 stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0 stderr_logfile_maxbytes=0
command=/usr/bin/caddy run --config /Caddyfile command=/usr/bin/caddy run --config /internal.Caddyfile
user=www-data
[program:caddy-acme]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/usr/bin/caddy run --config /acme.Caddyfile
user=www-data user=www-data
[program:cron] [program:cron]

10
php/domain-validator.php
View file

@ -3,15 +3,15 @@
$domain = $_GET['domain'] ?? ''; $domain = $_GET['domain'] ?? '';
if (!str_contains($domain, '.')) { if (!str_contains($domain, '.')) {
http_response_code(400); http_response_code(400);
} elseif (str_contains($domain, '/')) { } elseif (str_contains($domain, '/')) {
http_response_code(400); http_response_code(400);
} elseif (str_contains($domain, ':')) { } elseif (str_contains($domain, ':')) {
http_response_code(400); http_response_code(400);
} elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
http_response_code(400); http_response_code(400);
} elseif (filter_var($domain, FILTER_VALIDATE_IP)) { } elseif (filter_var($domain, FILTER_VALIDATE_IP)) {
http_response_code(400); http_response_code(400);
} else { } else {
// Commented because logging is disabled as otherwise all attempts will be logged which spams the logs // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs
// error_log($domain . ' was accepted as valid domain.'); // error_log($domain . ' was accepted as valid domain.');