From 571edd4bb4c72ca2fcd8b45a2b2ad11a53f63b70 Mon Sep 17 00:00:00 2001
From: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
Date: Sat, 29 Jun 2024 19:23:26 +0200
Subject: [PATCH 1/5] Implement internal mode

Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
---
 php/src/Docker/DockerActionManager.php | 10 +++++++---
 reverse-proxy.md | 2 ++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index d36ad4af..57bcadc5 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -137,7 +137,7 @@ class DockerActionManager
 } elseif($internalPort === '%TALK_PORT%') {
 $internalPort = $this->configurationManager->GetTalkPort();
 }
-
+
 if ($internalPort !== "" && $internalPort !== 'host') {
 $connection = @fsockopen($containerName, (int)$internalPort, $errno, $errstr, 0.2);
 if ($connection) {
@@ -438,7 +438,7 @@ class DockerActionManager
 $requestBody['HostConfig']['RestartPolicy']['Name'] = $container->GetRestartPolicy();
 $requestBody['HostConfig']['ReadonlyRootfs'] = $container->GetReadOnlySetting();
-
+
 $exposedPorts = [];
 if ($container->GetInternalPort() !== 'host') {
 foreach($container->GetPorts()->GetPorts() as $value) {
@@ -478,6 +478,10 @@ class DockerActionManager
 $ipBinding = $value->ipBinding;
 if ($ipBinding === '%APACHE_IP_BINDING%') {
 $ipBinding = $this->configurationManager->GetApacheIPBinding();
+ // Do not expose if AIO is in internal network mode
+ if ($ipBinding === '@INTERNAL') {
+ continue;
+ }
 }
 $portWithProtocol = $port . '/' . $protocol;
 $requestBody['HostConfig']['PortBindings'][$portWithProtocol] = [
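Review bot: The `continue` added under the `@INTERNAL` check skips the rest of the loop body, not only the `PortBindings` assignment below it; the loop's closing brace is outside this hunk, so confirm nothing after that assignment is still required for an internal-only port (the `@@ -438` hunk shows `$exposedPorts` being built separately, so that list is presumably unaffected, which is what in-network reachability needs). The sentinel `'@INTERNAL'` is now compared as a bare literal here, in the `start.sh` regex and in `caddy.json`; a class constant such as `private const INTERNAL_IP_BINDING = '@INTERNAL';` used as `=== self::INTERNAL_IP_BINDING` would keep the PHP side tied to a single value. The comment would serve the next maintainer better if it stated the effect rather than the mode, e.g. `// '@INTERNAL': create no host PortBinding at all; the port is then reachable only from containers on the same docker network`. The comparison is exact-case, which matches the `^@INTERNAL$` alternative added to `start.sh` in the next patch.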
@@ -708,7 +712,7 @@ class DockerActionManager
 if (!isset($imageOutput['RepoDigests'])) {
 error_log('RepoDigests is not set of container ' . $containerName);
 return null;
- }
+ }
 if (!is_array($imageOutput['RepoDigests'])) {
 error_log('RepoDigests of ' . $containerName . ' is not an array which is not allowed!');
diff --git a/reverse-proxy.md b/reverse-proxy.md
index d76e0c6c..aa15ed43 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -8,6 +8,8 @@ A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a we
 In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example `APACHE_PORT` which will be exposed on the host to receive unencrypted HTTP traffic from the reverse proxy.
 **Advice:** If you need https between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of https proxying (most likely via self-signed cert). Another option is to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection.
+If you are using a reverse proxy attached to the `nextcloud-aio` virtual network (like the [caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy)), you can set the `APACHE_IP_BINDING` to `@INTERNAL` to disable the exposure of the Apache container to the host network.
+
 **Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4:
 1. **Configure the reverse proxy! See [point 1](#1-configure-the-reverse-proxy)**
 1. **Use this startup command! See [point 2](#2-use-this-startup-command)**

From b3977ed1c8bb52ca4993b639a239d6a8ed859ab6 Mon Sep 17 00:00:00 2001
From: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
Date: Mon, 1 Jul 2024 20:28:35 +0200
Subject: [PATCH 2/5] Update start.sh

Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
---
 Containers/mastercontainer/start.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh
index f215f6c6..f4121c92 100644
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -180,7 +180,7 @@ It is set to '$APACHE_PORT'."
 fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
- if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$'; then
+ if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$\|^@INTERNAL$'; then
 print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
 exit 1

From c8d461a0613f4de5b5b0c610ae5796d08ab2a228 Mon Sep 17 00:00:00 2001
From: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:06:58 +0200
Subject: [PATCH 3/5] Update reverse-proxy.md add sample for @INTERNAL

Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
---
 reverse-proxy.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/reverse-proxy.md b/reverse-proxy.md
index aa15ed43..4c62e3c1 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
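Review bot: The `print_red` message two lines below the changed regex still says the value "was not a valid ip-address", but the check now also accepts the literal `@INTERNAL`, so a user who mistypes the sentinel gets a misleading error; the message should name both accepted forms, e.g. `print_red "You provided a value for the apache container's ip-binding but it was neither a valid ip-address nor '@INTERNAL'.`. A short comment above the `if` would also document the contract that the PHP side relies on: `# APACHE_IP_BINDING is either an IPv4/IPv6 address or the literal @INTERNAL (no host port publishing)`. The new alternative is exact-case, which is consistent with the strict `=== '@INTERNAL'` comparison in DockerActionManager.php, so that is fine as long as the message makes the spelling explicit.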
@@ -8,8 +8,6 @@ A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a we
 In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example `APACHE_PORT` which will be exposed on the host to receive unencrypted HTTP traffic from the reverse proxy.
 **Advice:** If you need https between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of https proxying (most likely via self-signed cert). Another option is to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection.
-If you are using a reverse proxy attached to the `nextcloud-aio` virtual network (like the [caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy)), you can set the `APACHE_IP_BINDING` to `@INTERNAL` to disable the exposure of the Apache container to the host network.
-
 **Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4:
 1. **Configure the reverse proxy! See [point 1](#1-configure-the-reverse-proxy)**
 1. **Use this startup command! See [point 2](#2-use-this-startup-command)**
@@ -41,7 +39,9 @@ If you are using a reverse proxy attached to the `nextcloud-aio` virtual network
 For this setup, you can use as target `host.docker.internal:$APACHE_PORT` instead of `localhost:$APACHE_PORT`. **⚠️ Important:** In order to make this work on Docker for Linux, you need to add `--add-host=host.docker.internal:host-gateway` to the docker run command of your reverse proxy container or `extra_hosts: ["host.docker.internal:host-gateway"]` in docker compose (it works on Docker Desktop by default).
- Another option and actually the recommended way in this case is to use `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. By doing so, the default sample configurations that point at `localhost:$APACHE_PORT` should work without having to modify them.
+ Another option and **actually the recommended way** in this case is to use `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. By doing so, the default sample configurations that point at `localhost:$APACHE_PORT` should work without having to modify them.
+
+ You can also not expose the container by setting the `APACHE_IP_BINDING` environment variable to `@INTERNAL` and use as target `nextcloud-aio-apache:$APACHE_PORT`. This option could break the domain verification, to keep the proxy must point to `nextcloud-aio-domaincheck:$APACHE_PORT` in case the Apache server is closed. A sample configuration is provide for caddy.
@@ -151,6 +151,19 @@ The Caddyfile is a text file called `Caddyfile` (no extension) which – if you
 **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/575#discussion-4055615) for a more complete example.
+If you want to use docker virtual networking you can use this instead:
+```
+https://:443 {
+ reverse_proxy {
+ to http://nextcloud-aio-apache:80 http://nextcloud-aio-domaincheck:80
+ lb_policy first
+ health_uri /
+ health_port 80
+ health_interval 60s
+ }
+}
+```
+
 ### Caddy with ACME DNS-challenge

From 3cdb855df33260670eb1a267e571b2ea8486175b Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 11 Jul 2024 14:26:08 +0200
Subject: [PATCH 4/5] set apache_ip_binding to internal for caddy community container and remove legacy code

Signed-off-by: Simon L.
---
 community-containers/caddy/caddy.json | 2 +-
 php/containers.json | 1 -
 php/src/Docker/DockerActionManager.php | 2 --
 3 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/community-containers/caddy/caddy.json b/community-containers/caddy/caddy.json
index 561c5219..2bd68e3a 100644
--- a/community-containers/caddy/caddy.json
+++ b/community-containers/caddy/caddy.json
@@ -38,7 +38,7 @@
 }
 ],
 "aio_variables": [
- "apache_ip_binding=127.0.0.1",
+ "apache_ip_binding=@INTERNAL",
 "apache_port=11000"
 ],
 "nextcloud_exec_commands": [
diff --git a/php/containers.json b/php/containers.json
index ffead0d8..1bf3bfd9 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -221,7 +221,6 @@
 "DOCKER_SOCKET_PROXY_ENABLED=%DOCKER_SOCKET_PROXY_ENABLED%",
 "REMOVE_DISABLED_APPS=%REMOVE_DISABLED_APPS%",
 "APACHE_PORT=%APACHE_PORT%",
- "APACHE_IP_BINDING=%APACHE_IP_BINDING%",
 "ADDITIONAL_TRUSTED_PROXY=%CADDY_IP_ADDRESS%",
 "THIS_IS_AIO=true",
 "IMAGINARY_SECRET=%IMAGINARY_SECRET%"
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 57bcadc5..8b2e8a3e 100644
--- a/php/src/Docker/DockerActionManager.php
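Review bot: Switching the community caddy container's `apache_ip_binding` from `127.0.0.1` to `@INTERNAL` stops the Apache container from being published on the host at all, which is the tighter default, but it is a behaviour change for anyone who relied on `127.0.0.1:11000` being reachable from the host while this container is enabled, and neither the hunk nor the commit message records that. It can only work if the caddy container's own configuration reaches Apache by container name over the `nextcloud-aio` network rather than through the host address; that configuration is outside this diff, so please confirm it before merging. With patch 5 reverting the `reverse-proxy.md` text, this line becomes the only place in the series where `@INTERNAL` is visible to users; a sentence in the community container's README (not in this diff) saying that the host port is no longer bound and why would prevent support requests.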
+++ b/php/src/Docker/DockerActionManager.php
@@ -295,8 +295,6 @@ class DockerActionManager
 $replacements[1] = $this->configurationManager->GetSelectedRestoreTime();
 } elseif ($out[1] === 'APACHE_PORT') {
 $replacements[1] = $this->configurationManager->GetApachePort();
- } elseif ($out[1] === 'APACHE_IP_BINDING') {
- $replacements[1] = $this->configurationManager->GetApacheIPBinding();
 } elseif ($out[1] === 'TALK_PORT') {
 $replacements[1] = $this->configurationManager->GetTalkPort();
 } elseif ($out[1] === 'NEXTCLOUD_MOUNT') {

From c69aa5634988d1e1fa95bb71dc6871d224676d7c Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 11 Jul 2024 14:27:27 +0200
Subject: [PATCH 5/5] revert changes to reverse-proxy.md

Signed-off-by: Simon L.
---
 reverse-proxy.md | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/reverse-proxy.md b/reverse-proxy.md
index 4c62e3c1..d76e0c6c 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -39,9 +39,7 @@ In order to run Nextcloud behind a web server or reverse proxy (like Apache, Ngi
 For this setup, you can use as target `host.docker.internal:$APACHE_PORT` instead of `localhost:$APACHE_PORT`. **⚠️ Important:** In order to make this work on Docker for Linux, you need to add `--add-host=host.docker.internal:host-gateway` to the docker run command of your reverse proxy container or `extra_hosts: ["host.docker.internal:host-gateway"]` in docker compose (it works on Docker Desktop by default).
- Another option and **actually the recommended way** in this case is to use `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. By doing so, the default sample configurations that point at `localhost:$APACHE_PORT` should work without having to modify them.
-
- You can also not expose the container by setting the `APACHE_IP_BINDING` environment variable to `@INTERNAL` and use as target `nextcloud-aio-apache:$APACHE_PORT`. This option could break the domain verification, to keep the proxy must point to `nextcloud-aio-domaincheck:$APACHE_PORT` in case the Apache server is closed. A sample configuration is provide for caddy.
+ Another option and actually the recommended way in this case is to use `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. By doing so, the default sample configurations that point at `localhost:$APACHE_PORT` should work without having to modify them.
@@ -151,19 +149,6 @@ The Caddyfile is a text file called `Caddyfile` (no extension) which – if you
 **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/575#discussion-4055615) for a more complete example.
-If you want to use docker virtual networking you can use this instead:
-```
-https://:443 {
- reverse_proxy {
- to http://nextcloud-aio-apache:80 http://nextcloud-aio-domaincheck:80
- lb_policy first
- health_uri /
- health_port 80
- health_interval 60s
- }
-}
-```
-
 ### Caddy with ACME DNS-challenge