From bf0267892003f2288f27a6e79b1e4c419c23e12b Mon Sep 17 00:00:00 2001
From: Zoey
Date: Fri, 17 Oct 2025 21:01:58 +0200
Subject: [PATCH 1/4] replace apache with a second caddy
Signed-off-by: Zoey
---
Containers/mastercontainer/Caddyfile | 37 ----------
Containers/mastercontainer/Dockerfile | 52 ++--------------
Containers/mastercontainer/acme.Caddyfile | 39 ++++++++++++
Containers/mastercontainer/healthcheck.sh | 3 +-
Containers/mastercontainer/internal.Caddyfile | 29 +++++++++
.../mastercontainer/mastercontainer.conf | 62 -------------------
Containers/mastercontainer/start.sh | 36 +----------
Containers/mastercontainer/supervisord.conf | 20 +++---
php/domain-validator.php | 10 +-
9 files changed, 92 insertions(+), 196 deletions(-)
delete mode 100644 Containers/mastercontainer/Caddyfile
create mode 100644 Containers/mastercontainer/acme.Caddyfile
create mode 100644 Containers/mastercontainer/internal.Caddyfile
delete mode 100644 Containers/mastercontainer/mastercontainer.conf
diff --git a/Containers/mastercontainer/Caddyfile b/Containers/mastercontainer/Caddyfile
deleted file mode 100644
index da0e222d..00000000
--- a/Containers/mastercontainer/Caddyfile
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- # auto_https will create redirects for https://{host}:8443 instead of https://{host}
- # https redirects are added manually in the http://:80 block
- auto_https disable_redirects
-
- storage file_system {
- root /mnt/docker-aio-config/caddy/
- }
-
- log {
- level ERROR
- }
-
- servers {
- protocols h1 h2 h2c
- }
-
- on_demand_tls {
- ask http://127.0.0.1:9876/
- }
-}
-
-http://:80 {
- redir https://{host}{uri} permanent
-}
-
-https://:8443 {
-
- reverse_proxy 127.0.0.1:8000
-
- tls {
- on_demand
- issuer acme {
- disable_tlsalpn_challenge
- }
- }
-}
diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile
index c1cbaa59..7e64da04 100644
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -18,9 +18,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 COPY community-containers /var/www/docker-aio/community-containers
 COPY php /var/www/docker-aio/php
 COPY --chmod=775 Containers/mastercontainer/*.sh /
-COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile
+COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
 COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
-COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf

 WORKDIR /var/www/docker-aio

@@ -34,13 +33,8 @@ RUN set -ex; \
 apk add --no-cache \
 util-linux-misc \
 ca-certificates \
- wget \
 bash \
- apache2 \
- apache2-proxy \
- apache2-ssl \
 supervisor \
- openssl \
 sudo \
 netcat-openbsd \
 curl \
@@ -64,11 +58,13 @@ RUN set -ex; \
 sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
 sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
 sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
- grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
- sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
+ grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \
+ sed -i 's|listen =.*|;listen = /run/php.sock # handled in zz-docker.conf|' /usr/local/etc/php-fpm.d/www.conf; \
+ grep -q 'listen =' /usr/local/etc/php-fpm.d/zz-docker.conf; \
+ sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/zz-docker.conf; \
 \
 apk add --no-cache git; \
- wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
+ curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
 chmod +x /usr/local/bin/composer; \
 cd /var/www/docker-aio; \
 rm -r ./php/tests; \
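Review bot: The new `listen = /run/php.sock` in zz-docker.conf sets no socket ownership, and supervisord.conf in this patch starts php-fpm as root while both Caddy programs run as www-data, so unless php-fpm's defaults happen to hand the socket to the pool user, Caddy's FastCGI connect to a root-owned socket will be refused; add `printf 'listen.owner = www-data\nlisten.group = www-data\n' >> /usr/local/etc/php-fpm.d/zz-docker.conf; \` next to the listen sed (or uncomment the `;listen.owner`/`;listen.group` lines in www.conf). The composer bootstrap `curl https://getcomposer.org/installer | php ...` has no `-f`/`-sS`, so an HTTP error body would be piped into php instead of failing the build (the RUN uses `set -ex` without pipefail); use `curl -fsSL`, and consider downloading to a file and comparing it with the installer checksum Composer publishes before executing it. The RUN block continues outside this hunk.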
@@ -83,42 +79,6 @@ RUN set -ex; \
 rm -r php/data; \
 rm -r php/session; \
 \
- mkdir -p /etc/apache2/certs; \
- cd /etc/apache2/certs; \
- openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
- \
- sed -i \
- -e '/^Listen /d' \
- -e 's/^LogLevel .*/LogLevel error/' \
- -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
- -e 's/User apache/User www-data/g' \
- -e 's/Group apache/Group www-data/g' \
- -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
- -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
- -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
- -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
- -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
- -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
- -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
- -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
- -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
- -e 's/\(ScriptAlias \)/#\1/' \
- /etc/apache2/httpd.conf; \
- mkdir -p /etc/apache2/logs; \
- rm /etc/apache2/conf.d/ssl.conf; \
- echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
- grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
- sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
- echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
- echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
- echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
- echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
- \
- rm -f /etc/apache2/conf.d/default.conf \
- /etc/apache2/conf.d/userdir.conf \
- /etc/apache2/conf.d/info.conf; \
- \
- rm -rf /var/www/localhost/cgi-bin/; \
 mkdir /var/log/supervisord; \
 mkdir /var/run/supervisord;

diff --git a/Containers/mastercontainer/acme.Caddyfile b/Containers/mastercontainer/acme.Caddyfile
new file mode 100644
index 00000000..61eae552
--- /dev/null
+++ b/Containers/mastercontainer/acme.Caddyfile
@@ -0,0 +1,39 @@
+{
+ # auto_https will create redirects for https://{host}:8443 instead of https://{host}
+ # https redirects are added manually in the http://:80 block
+ auto_https disable_redirects
+
+ storage file_system {
+ root /mnt/docker-aio-config/caddy/
+ }
+
+ log {
+ level ERROR
+ }
+
+ servers {
+ protocols h1 h2 h2c
+ }
+
+ on_demand_tls {
+ ask http://127.0.0.1:9876/
+ }
+}
+
+http://:80 {
+ redir https://{host}{uri} permanent
+}
+
+https://:8443 {
+ root * /var/www/docker-aio/php/public
+ encode
+ php_fastcgi unix//run/php.sock
+ file_server
+
+ tls {
+ on_demand
+ issuer acme {
+ disable_tlsalpn_challenge
+ }
+ }
+}
diff --git a/Containers/mastercontainer/healthcheck.sh b/Containers/mastercontainer/healthcheck.sh
index 72187591..29ad40a6 100644
--- a/Containers/mastercontainer/healthcheck.sh
+++ b/Containers/mastercontainer/healthcheck.sh
@@ -2,9 +2,8 @@

 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
 nc -z 127.0.0.1 80 || exit 1
-nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 8080 || exit 1
 nc -z 127.0.0.1 8443 || exit 1
-nc -z 127.0.0.1 9000 || exit 1
+[ -f /run/php.sock ] || exit 1
 nc -z 127.0.0.1 9876 || exit 1
 fi
diff --git a/Containers/mastercontainer/internal.Caddyfile b/Containers/mastercontainer/internal.Caddyfile
new file mode 100644
index 00000000..8e8ea311
--- /dev/null
+++ b/Containers/mastercontainer/internal.Caddyfile
@@ -0,0 +1,29 @@
+{
+ auto_https off
+
+ storage file_system {
+ root /mnt/docker-aio-config/caddy/
+ }
+
+ log {
+ level ERROR
+ }
+
+ servers {
+ protocols h1 h2
+ }
+
+ skip_install_trust
+}
+
+https://:8080 {
+ root * /var/www/docker-aio/php/public
+ encode
+ php_fastcgi unix//run/php.sock
+ file_server
+
+ tls {
+ on_demand
+ issuer internal
+ }
+}
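Review bot: The `https://:8443` site now answers PHP requests itself via `php_fastcgi unix//run/php.sock` and `file_server`, so the Apache-side restriction that this patch's start.sh hunk deletes (the `deny from nextcloud-aio-nextcloud.nextcloud-aio` block in front of the AIO interface) has no counterpart in this file or in internal.Caddyfile. If that restriction is still wanted, it needs a `remote_ip` matcher with a `respond 403` in both site blocks; `remote_ip` works on addresses/CIDRs rather than hostnames, so the container network's range would have to be supplied. The two Caddyfiles also repeat the same site body (`root`, `encode`, `php_fastcgi`, `file_server`); a shared snippet pulled in with `import` would keep them from drifting apart.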
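Review bot: `[ -f /run/php.sock ] || exit 1` tests for a regular file, which a Unix domain socket is not, so this check fails while php-fpm is running and the container can never report healthy; use `[ -S /run/php.sock ] || exit 1`. Even then, socket existence says less than the old `nc -z 127.0.0.1 9000` did, since a socket file left behind by a php-fpm that died without cleaning up would still pass; curl is installed by the Dockerfile in this patch, so a request through Caddy on 8080 (e.g. `curl -fsk --max-time 5 -o /dev/null https://127.0.0.1:8080/`) would exercise both Caddy and php-fpm if a stronger probe is wanted.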
diff --git a/Containers/mastercontainer/mastercontainer.conf b/Containers/mastercontainer/mastercontainer.conf
deleted file mode 100644
index 7d294694..00000000
--- a/Containers/mastercontainer/mastercontainer.conf
+++ /dev/null
@@ -1,62 +0,0 @@
-Listen 127.0.0.1:8000
-Listen 8080 https
-
-# Deny access to .ht files
-
- Require all denied
-
-
-# Http host
- ServerName 127.0.0.1
-
- # Add error log
- CustomLog /proc/self/fd/1 proxy
- LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
- ErrorLog /proc/self/fd/2
- ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
- LogLevel warn
-
- # PHP match
-
- SetHandler "proxy:fcgi://127.0.0.1:9000"
-
- # Master dir
- DocumentRoot /var/www/docker-aio/php/public/
-
- RewriteEngine On
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteRule ^ index.php [QSA,L]
- Options Indexes FollowSymLinks
- Require all granted
- AllowOverride All
- Options FollowSymLinks MultiViews
- Satisfy Any
-
- Dav off
-
-
-
-
-# Https host
- # Proxy to https
- ProxyPass / http://127.0.0.1:8000/
- ProxyPassReverse / http://127.0.0.1:8000/
- ProxyPreserveHost On
- # SSL
- SSLCertificateKeyFile /etc/apache2/certs/ssl.key
- SSLCertificateFile /etc/apache2/certs/ssl.crt
- SSLEngine on
- SSLProtocol -all +TLSv1.2 +TLSv1.3
- SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
- SSLHonorCipherOrder off
- SSLSessionTickets off
-
-
-# Increase timeout in case e.g. the initial download takes a long time
-Timeout 7200
-ProxyTimeout 7200
-
-# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
-TraceEnable Off
diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh
index 616068f3..faa725df 100644
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -331,36 +331,6 @@ chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
 chown root:root -R /mnt/docker-aio-config/certs/

-# Don't allow access to the AIO interface from the Nextcloud container
-# Probably more cosmetic than anything but at least an attempt
-if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
- cat << APACHE_CONF >> /etc/apache2/httpd.conf
-# nextcloud-aio-block-start
-
-order allow,deny
-deny from nextcloud-aio-nextcloud.nextcloud-aio
-allow from all
-
-# nextcloud-aio-block-end
-APACHE_CONF
-fi
-
-# Adjust certs
-GENERATED_CERTS="/mnt/docker-aio-config/certs"
-TMP_CERTS="/etc/apache2/certs"
-mkdir -p "$GENERATED_CERTS"
-cd "$GENERATED_CERTS" || exit 1
-if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
- openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
-fi
-if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
- cd "$TMP_CERTS" || exit 1
- rm ./ssl.crt
- rm ./ssl.key
- cp "$GENERATED_CERTS/ssl.crt" ./
- cp "$GENERATED_CERTS/ssl.key" ./
-fi
-
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
@@ -372,16 +342,14 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC

-# Fix apache startup
-rm -f /var/run/apache2/httpd.pid
-
 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
 rm -rf /mnt/docker-aio-config/caddy/locks/*
 fi

 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /acme.Caddyfile
+caddy fmt --overwrite /internal.Caddyfile

 # Fix caddy log
 chmod 777 /root
diff --git a/Containers/mastercontainer/supervisord.conf b/Containers/mastercontainer/supervisord.conf
index fa5d0845..9fbb9516 100644
--- a/Containers/mastercontainer/supervisord.conf
+++ b/Containers/mastercontainer/supervisord.conf
@@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0
 command=php-fpm
 user=root

-[program:apache]
-# Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
-user=root
-
-[program:caddy]
+[program:caddy-internal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /internal.Caddyfile
+user=www-data
+
+[program:caddy-acme]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/usr/bin/caddy run --config /acme.Caddyfile
 user=www-data

 [program:cron]
diff --git a/php/domain-validator.php b/php/domain-validator.php
index 57506b8a..4ac92690 100644
--- a/php/domain-validator.php
+++ b/php/domain-validator.php
@@ -3,15 +3,15 @@
 $domain = $_GET['domain'] ?? '';

 if (!str_contains($domain, '.')) {
- http_response_code(400);
+ http_response_code(400);
 } elseif (str_contains($domain, '/')) {
- http_response_code(400);
+ http_response_code(400);
 } elseif (str_contains($domain, ':')) {
- http_response_code(400);
+ http_response_code(400);
 } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
- http_response_code(400);
+ http_response_code(400);
 } elseif (filter_var($domain, FILTER_VALIDATE_IP)) {
- http_response_code(400);
+ http_response_code(400);
 } else {
 // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs
 // error_log($domain . ' was accepted as valid domain.');
From 89e6ca5efa79a5636cdc6835b2eb27e317a3d958 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Mon, 20 Oct 2025 18:39:06 +0200
Subject: [PATCH 2/4] mastercontainer/README.md: apache=>caddy
Signed-off-by: Zoey
---
Containers/mastercontainer/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Containers/mastercontainer/README.md b/Containers/mastercontainer/README.md
index de6b535d..7206a5f3 100644
--- a/Containers/mastercontainer/README.md
+++ b/Containers/mastercontainer/README.md
@@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment
 of all other containers in the Nextcloud All-in-One stack. It hosts:

 - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
-- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp
-- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp.
+- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
+- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
 - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443 is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will
From 41b4a6b36bcd89834afed04f11c623559457b7c8 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Mon, 20 Oct 2025 18:41:27 +0200
Subject: [PATCH 3/4] Remove unused certs from docker-aio-config
Signed-off-by: Zoey
---
Containers/mastercontainer/start.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh
index faa725df..5d7ae954 100644
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -342,6 +342,9 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC

+# Remove unused certs
+rm -vrf /mnt/docker-aio-config/certs
+
 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
 rm -rf /mnt/docker-aio-config/caddy/locks/*
From 396acf315879d4442671601bda578f7898cae412 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Thu, 23 Oct 2025 14:45:58 +0200
Subject: [PATCH 4/4] set skip_install_trust in all Caddyfiles
Signed-off-by: Zoey
---
Containers/mastercontainer/acme.Caddyfile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Containers/mastercontainer/acme.Caddyfile b/Containers/mastercontainer/acme.Caddyfile
index 61eae552..25fa6ab9 100644
--- a/Containers/mastercontainer/acme.Caddyfile
+++ b/Containers/mastercontainer/acme.Caddyfile
@@ -18,6 +18,8 @@
 on_demand_tls {
 ask http://127.0.0.1:9876/
 }
+
+ skip_install_trust
 }

 http://:80 {
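Review bot: `rm -vrf /mnt/docker-aio-config/certs` runs on every start, but the earlier `chown root:root -R /mnt/docker-aio-config/certs/` still present a few lines above (visible as context in the first patch's start.sh hunk) is left in place, so from the second start onward that chown targets a directory this line has already removed and exits non-zero. Remove the chown together with the directory, or guard it with `[ -d /mnt/docker-aio-config/certs ] && chown root:root -R /mnt/docker-aio-config/certs/`. If start.sh runs under `set -e` (not visible here), the failing chown would abort startup before this cleanup is even reached.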