eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-02-04 04:56:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Merge 7c093f39e7 into 9c0334d3f0

Browse source
This commit is contained in:
Zoey 2026-02-03 14:46:37 +01:00 committed by GitHub
commit d133e5c859
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 98 additions and 197 deletions
Download patch file Download diff file Expand all files Collapse all files

37
Containers/mastercontainer/Caddyfile
View file

@ -1,37 +0,0 @@
{
# auto_https will create redirects for https://{host}:8443 instead of https://{host}
# https redirects are added manually in the http://:80 block
auto_https disable_redirects
storage file_system {
root /mnt/docker-aio-config/caddy/
}
log {
level ERROR
}
servers {
protocols h1 h2 h2c
}
on_demand_tls {
ask http://127.0.0.1:9876/
}
}
http://:80 {
redir https://{host}{uri} permanent
}
https://:8443 {
reverse_proxy 127.0.0.1:8000
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}

52
Containers/mastercontainer/Dockerfile
View file

@ -21,9 +21,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
COPY community-containers /var/www/docker-aio/community-containers COPY community-containers /var/www/docker-aio/community-containers
COPY php /var/www/docker-aio/php COPY php /var/www/docker-aio/php
COPY --chmod=775 Containers/mastercontainer/*.sh / COPY --chmod=775 Containers/mastercontainer/*.sh /
COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
WORKDIR /var/www/docker-aio WORKDIR /var/www/docker-aio
@ -37,13 +36,8 @@ RUN set -ex; \
apk add --no-cache \ apk add --no-cache \
util-linux-misc \ util-linux-misc \
ca-certificates \ ca-certificates \
wget \
bash \ bash \
apache2 \
apache2-proxy \
apache2-ssl \
supervisor \ supervisor \
openssl \
sudo \ sudo \
netcat-openbsd \ netcat-openbsd \
curl \ curl \
@ -67,11 +61,13 @@ RUN set -ex; \
sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \ sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ sed -i 's|listen =.*|;listen = /run/php.sock # handled in zz-docker.conf|' /usr/local/etc/php-fpm.d/www.conf; \
grep -q 'listen =' /usr/local/etc/php-fpm.d/zz-docker.conf; \
sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/zz-docker.conf; \
\ \
apk add --no-cache git; \ apk add --no-cache git; \
wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \ curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
chmod +x /usr/local/bin/composer; \ chmod +x /usr/local/bin/composer; \
cd /var/www/docker-aio; \ cd /var/www/docker-aio; \
rm -r ./php/tests; \ rm -r ./php/tests; \
@ -86,42 +82,6 @@ RUN set -ex; \
rm -r php/data; \ rm -r php/data; \
rm -r php/session; \ rm -r php/session; \
\ \
mkdir -p /etc/apache2/certs; \
cd /etc/apache2/certs; \
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
\
sed -i \
-e '/^Listen /d' \
-e 's/^LogLevel .*/LogLevel error/' \
-e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
-e 's/User apache/User www-data/g' \
-e 's/Group apache/Group www-data/g' \
-e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-e 's/\(ScriptAlias \)/#\1/' \
/etc/apache2/httpd.conf; \
mkdir -p /etc/apache2/logs; \
rm /etc/apache2/conf.d/ssl.conf; \
echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
\
rm -f /etc/apache2/conf.d/default.conf \
/etc/apache2/conf.d/userdir.conf \
/etc/apache2/conf.d/info.conf; \
\
rm -rf /var/www/localhost/cgi-bin/; \
mkdir /var/log/supervisord; \ mkdir /var/log/supervisord; \
mkdir /var/run/supervisord; mkdir /var/run/supervisord;

4
Containers/mastercontainer/README.md
View file

@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment
of all other containers in the Nextcloud All-in-One stack. It hosts: of all other containers in the Nextcloud All-in-One stack. It hosts:
- A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server) - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp - A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp. - A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
- Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443 - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will

41
Containers/mastercontainer/acme.Caddyfile Normal file
View file

@ -0,0 +1,41 @@
{
# auto_https will create redirects for https://{host}:8443 instead of https://{host}
# https redirects are added manually in the http://:80 block
auto_https disable_redirects
storage file_system {
root /mnt/docker-aio-config/caddy/
}
log {
level ERROR
}
servers {
protocols h1 h2 h2c
}
on_demand_tls {
ask http://127.0.0.1:9876/
}
skip_install_trust
}
http://:80 {
redir https://{host}{uri} permanent
}
https://:8443 {
root * /var/www/docker-aio/php/public
encode
php_fastcgi unix//run/php.sock
file_server
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}

3
Containers/mastercontainer/healthcheck.sh
View file

@ -2,9 +2,8 @@
if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
nc -z 127.0.0.1 80 || exit 1 nc -z 127.0.0.1 80 || exit 1
nc -z 127.0.0.1 8000 || exit 1
nc -z 127.0.0.1 8080 || exit 1 nc -z 127.0.0.1 8080 || exit 1
nc -z 127.0.0.1 8443 || exit 1 nc -z 127.0.0.1 8443 || exit 1
nc -z 127.0.0.1 9000 || exit 1 [ -f /run/php.sock ] || exit 1
nc -z 127.0.0.1 9876 || exit 1 nc -z 127.0.0.1 9876 || exit 1
fi fi

29
Containers/mastercontainer/internal.Caddyfile Normal file
View file

@ -0,0 +1,29 @@
{
auto_https off
storage file_system {
root /mnt/docker-aio-config/caddy/
}
log {
level ERROR
}
servers {
protocols h1 h2
}
skip_install_trust
}
https://:8080 {
root * /var/www/docker-aio/php/public
encode
php_fastcgi unix//run/php.sock
file_server
tls {
on_demand
issuer internal
}
}

62
Containers/mastercontainer/mastercontainer.conf
View file

@ -1,62 +0,0 @@
Listen 127.0.0.1:8000
Listen 8080 https
# Deny access to .ht files
<Files ".ht*">
Require all denied
</Files>
# Http host
<VirtualHost 127.0.0.1:8000>
ServerName 127.0.0.1
# Add error log
CustomLog /proc/self/fd/1 proxy
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
ErrorLog /proc/self/fd/2
ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
LogLevel warn
# PHP match
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
# Master dir
DocumentRoot /var/www/docker-aio/php/public/
<Directory /var/www/docker-aio/php/public/>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
Options Indexes FollowSymLinks
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
Satisfy Any
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
</VirtualHost>
# Https host
<VirtualHost *:8080>
# Proxy to https
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
ProxyPreserveHost On
# SSL
SSLCertificateKeyFile /etc/apache2/certs/ssl.key
SSLCertificateFile /etc/apache2/certs/ssl.crt
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLSessionTickets off
</VirtualHost>
# Increase timeout in case e.g. the initial download takes a long time
Timeout 7200
ProxyTimeout 7200
# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
TraceEnable Off

37
Containers/mastercontainer/start.sh
View file

@ -371,36 +371,6 @@ chown www-data:www-data -R /mnt/docker-aio-config/session/
chown www-data:www-data -R /mnt/docker-aio-config/caddy/ chown www-data:www-data -R /mnt/docker-aio-config/caddy/
chown root:root -R /mnt/docker-aio-config/certs/ chown root:root -R /mnt/docker-aio-config/certs/
# Don't allow access to the AIO interface from the Nextcloud container
# Probably more cosmetic than anything but at least an attempt
if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
cat << APACHE_CONF >> /etc/apache2/httpd.conf
# nextcloud-aio-block-start
<Location />
order allow,deny
deny from nextcloud-aio-nextcloud.nextcloud-aio
allow from all
</Location>
# nextcloud-aio-block-end
APACHE_CONF
fi
# Adjust certs
GENERATED_CERTS="/mnt/docker-aio-config/certs"
TMP_CERTS="/etc/apache2/certs"
mkdir -p "$GENERATED_CERTS"
cd "$GENERATED_CERTS" || exit 1
if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
fi
if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
cd "$TMP_CERTS" || exit 1
rm ./ssl.crt
rm ./ssl.key
cp "$GENERATED_CERTS/ssl.crt" ./
cp "$GENERATED_CERTS/ssl.key" ./
fi
print_green "Initial startup of Nextcloud All-in-One complete! print_green "Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server! You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080 E.g. https://internal.ip.of.this.server:8080
@ -412,8 +382,8 @@ https://your-domain-that-points-to-this-server.tld:8443"
# Set the timezone to Etc/UTC # Set the timezone to Etc/UTC
export TZ=Etc/UTC export TZ=Etc/UTC
# Fix apache startup # Remove unused certs
rm -f /var/run/apache2/httpd.pid rm -vrf /mnt/docker-aio-config/certs
# Fix caddy startup # Fix caddy startup
if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
@ -421,7 +391,8 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
fi fi
# Fix the Caddyfile format # Fix the Caddyfile format
caddy fmt --overwrite /Caddyfile caddy fmt --overwrite /acme.Caddyfile
caddy fmt --overwrite /internal.Caddyfile
# Fix caddy log # Fix caddy log
chmod 777 /root chmod 777 /root

20
Containers/mastercontainer/supervisord.conf
View file

@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0
command=php-fpm command=php-fpm
user=root user=root
[program:apache] [program:caddy-internal]
# Stdout logging is disabled as otherwise the logs are spammed
stdout_logfile=NONE
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=httpd -DFOREGROUND
user=root
[program:caddy]
stdout_logfile=/dev/stdout stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0 stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0 stderr_logfile_maxbytes=0
command=/usr/bin/caddy run --config /Caddyfile command=/usr/bin/caddy run --config /internal.Caddyfile
user=www-data
[program:caddy-acme]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/usr/bin/caddy run --config /acme.Caddyfile
user=www-data user=www-data
[program:cron] [program:cron]

10
php/domain-validator.php
View file

@ -3,15 +3,15 @@
$domain = $_GET['domain'] ?? ''; $domain = $_GET['domain'] ?? '';
if (!str_contains($domain, '.')) { if (!str_contains($domain, '.')) {
http_response_code(400); http_response_code(400);
} elseif (str_contains($domain, '/')) { } elseif (str_contains($domain, '/')) {
http_response_code(400); http_response_code(400);
} elseif (str_contains($domain, ':')) { } elseif (str_contains($domain, ':')) {
http_response_code(400); http_response_code(400);
} elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
http_response_code(400); http_response_code(400);
} elseif (filter_var($domain, FILTER_VALIDATE_IP)) { } elseif (filter_var($domain, FILTER_VALIDATE_IP)) {
http_response_code(400); http_response_code(400);
} else { } else {
// Commented because logging is disabled as otherwise all attempts will be logged which spams the logs // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs
// error_log($domain . ' was accepted as valid domain.'); // error_log($domain . ' was accepted as valid domain.');