eightball/all-in-one
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2025-12-19 14:06:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
all-in-one/community-containers/caddy
History
Exact
Simon L. edba082dce
improve detail 
Signed-off-by: Simon L. <szaimen@e.mail.de>
2025-12-03 09:26:18 +01:00
..
caddy.json update aio-caddy to v4 and add option for proxy protocol 2025-11-26 13:03:42 +01:00
readme.md improve detail 2025-12-03 09:26:18 +01:00

readme.md

Caddy with geoblocking

This container bundles caddy and auto-configures it for you. It also covers vaultwarden by listening on bw.$NC_DOMAIN, if installed. It also covers stalwart by listening on mail.$NC_DOMAIN, if installed. It also covers jellyfin by listening on media.$NC_DOMAIN, if installed. It also covers lldap by listening on ldap.$NC_DOMAIN, if installed. It also covers nocodb by listening on tables.$NC_DOMAIN, if installed. It also covers jellyseerr by listening on requests.$NC_DOMAIN, if installed. It also covers nextcloud-exporter by listening on metrics.$NC_DOMAIN, if installed.

Notes

  • This container is incompatible with the npmplus community container. So make sure that you do not enable both at the same time!
  • Make sure that no other service is using port 443/tcp on your host as otherwise the containers will fail to start. You can check this with sudo netstat -tulpn | grep 443 before installing AIO.
  • Starting with AIO v12, the Talk port that was usually exposed on port 3478 is now set to port 443 udp and tcp and reachable via your-nc-domain.com. For the changes to become activated, you need to go to https://your-nc-domain.com/settings/admin/talk and delete all turn and stun servers. Then restart the containers and the new config should become active.
  • Starting with AIO v12, you can also limit vaultwarden, stalwart and lldap to certain ip-addresses. You can do so by creating a allowed-IPs-vaultwarden.txt, allowed-IPs-stalwart.txt, or allowed-IPs-lldap.txt file in the nextcloud-aio-caddy directory of your admin user and adding the ip-addresses in these files.
  • The container also supports the proxy protocol inside caddy. That means that you can run a supported web server in front of port 443/tcp and use the proxy protocol. You can enable this by configuring the APACHE_IP_BINDING environmental variable for the mastercontainer and set it to an ip-address from which the protocol shall be accepted. ⚠️ Note that the initial domain validation will not work correctly if you want to use the proxy protocol. So make sure to skip the domain validation in that case. See the documentation.
  • If you want to use this with vaultwarden, make sure that you point bw.your-nc-domain.com to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
  • If you want to use this with stalwart, make sure that you point mail.your-nc-domain.com to your server using an A, AAAA or CNAME record so that caddy can get a certificate automatically for stalwart.
  • If you want to use this with jellyfin, make sure that you point media.your-nc-domain.com to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
  • If you want to use this with lldap, make sure that you point ldap.your-nc-domain.com to your server using a cname record so that caddy can get a certificate automatically for lldap.
  • If you want to use this with nocodb, make sure that you point tables.your-nc-domain.com to your server using a cname record so that caddy can get a certificate automatically for nocodb.
  • If you want to use this with jellyseerr, make sure that you point requests.your-nc-domain.com to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
  • If you want to use this with nextcloud-exporter, make sure that you point metrics.your-nc-domain.com to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
  • After the container was started the first time, you should see a new nextcloud-aio-caddy folder and inside there an allowed-countries.txt file when you open the files app with the default admin user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. IT FR would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the GeoLite2-Country.mmdb and upload it with this exact name into the nextcloud-aio-caddy folder. Afterwards restart all containers from the AIO interface and your new config should be active!
  • You can add your own Caddy configurations in /data/caddy-imports/ inside the Caddy container (sudo docker exec -it nextcloud-aio-caddy bash). These will be imported on container startup. Please note: If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
  • See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

Repository

https://github.com/szaimen/aio-caddy

Maintainer

https://github.com/szaimen