From f5f8c836d21a0503d223971c7717880b62145357 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Tue, 26 Sep 2023 15:50:16 +0200
Subject: [PATCH 1/2] mastercontainer - use Caddy for generating self-singed cert
Signed-off-by: Simon L
---
Containers/mastercontainer/Caddyfile | 9 ++++++++-
Containers/mastercontainer/Dockerfile | 15 +++------------
.../mastercontainer/mastercontainer.conf | 13 -------------
Containers/mastercontainer/start.sh | 18 ------------------
4 files changed, 11 insertions(+), 44 deletions(-)
diff --git a/Containers/mastercontainer/Caddyfile b/Containers/mastercontainer/Caddyfile
index ba6a281d..404a1507 100644
--- a/Containers/mastercontainer/Caddyfile
+++ b/Containers/mastercontainer/Caddyfile
@@ -21,7 +21,14 @@
 }
 
 http://:80 {
- redir https://{host}{uri}
+ redir https://{host}{uri}
+}
+
+https://:8080 {
+ reverse_proxy localhost:8000
+ tls internal {
+ on_demand
+ }
 }
 
 https://:8443 {
diff --git a/Containers/mastercontainer/Dockerfile b/Containers/mastercontainer/Dockerfile
index 4e35534b..75a0757f 100644
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -23,6 +23,7 @@ RUN set -ex; \
 usermod -u 333 -g 333 xfs; \
 groupmod -g 33 www-data; \
 usermod -u 33 -g 33 www-data; \
+ apk del --no-cache shadow; \
 \
 apk add --no-cache \
 util-linux-misc \
@@ -31,10 +32,9 @@ RUN set -ex; \
 bash \
 apache2 \
 apache2-proxy \
- apache2-ssl \
 supervisor \
- openssl \
 sudo \
+ nss \
 netcat-openbsd \
 curl \
 grep; \
@@ -65,6 +65,7 @@ RUN set -ex; \
 chmod +x /usr/local/bin/composer; \
 cd /var/www/docker-aio; \
 git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
+ apk del --no-cache git; \
 find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
 chown www-data:www-data -R /var/www/docker-aio; \
 cd php; \
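Review bot: The `on_demand` added under `tls internal` in the new `https://:8080` block is not gated by an `on_demand_tls { ask … }` global option, so every distinct SNI name a client sends to this port makes Caddy generate a key and store a new internally-signed certificate, and nothing in the hunk bounds that; on the admin port, reachable from the whole LAN, that is an open-ended storage and key-generation sink. Gate it with an `ask` endpoint that only admits the names this instance expects, or drop `on_demand` and issue for an explicit site address instead. The start.sh message in this same patch still sends users to `https://internal.ip.of.this.server:8080`; a browser opening a bare IP sends no SNI, so please confirm that this configuration presents a certificate on such connections at all before the Apache certificate path is removed. A short comment on the block stating why on-demand issuance is needed here would also help the next reader.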
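Review bot: `nss` is added to the package list without a note on what needs it; presumably it is for `certutil`, which Caddy's `tls internal` uses to install its root CA into an NSS trust store when one is present, but that is only a guess from the context of this patch. A comment line above `apk add --no-cache \`, such as `# nss: certutil, so Caddy can install its internal root CA into the NSS trust store`, would make the dependency self-explaining (a trailing comment after the `\` is not possible inside a RUN continuation). If nothing inside this container has to trust the Caddy-issued certificate, the global `skip_install_trust` option avoids the install attempt altogether and the package may not be needed at all.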
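Review bot: `apk del --no-cache git` now runs immediately after the clone, and the `cd php; \` that ends the hunk suggests a composer step follows outside the hunk; if any dependency there has to be fetched from source rather than as a dist archive, composer will need git and the build fails at that point. Confirm the lockfile resolves to dist packages only, or move the removal after the composer step. The line would also read better with its purpose stated, e.g. `# git is only needed for the clone above; drop it so it does not ship in the final image`.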
@@ -77,10 +78,6 @@ RUN set -ex; \
 rm -r php/data; \
 rm -r php/session; \
 \
- mkdir -p /etc/apache2/certs; \
- cd /etc/apache2/certs; \
- openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
- \
 sed -i \
 -e '/^Listen /d' \
 -e 's/^LogLevel .*/LogLevel error/' \
@@ -99,13 +96,7 @@ RUN set -ex; \
 -e 's/\(ScriptAlias \)/#\1/' \
 /etc/apache2/httpd.conf; \
 mkdir -p /etc/apache2/logs; \
- rm /etc/apache2/conf.d/ssl.conf; \
 echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
- grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
- sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
- echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
- echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
- echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
 echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
 \
 rm -f /etc/apache2/conf.d/default.conf \
diff --git a/Containers/mastercontainer/mastercontainer.conf b/Containers/mastercontainer/mastercontainer.conf
index 701cb420..0d12e406 100644
--- a/Containers/mastercontainer/mastercontainer.conf
+++ b/Containers/mastercontainer/mastercontainer.conf
@@ -38,19 +38,6 @@ Listen 8080 -# Https host - - # Proxy to https - ProxyPass / http://localhost:8000/ - ProxyPassReverse / http://localhost:8000/ - ProxyPreserveHost On - # SSL - SSLCertificateKeyFile /etc/apache2/certs/ssl.key - SSLCertificateFile /etc/apache2/certs/ssl.crt - SSLEngine on - SSLProtocol -all +TLSv1.2 +TLSv1.3 - - # Increase timeout in case e.g. the initial download takes a long time Timeout 7200 ProxyTimeout 7200 
diff --git a/Containers/mastercontainer/start.sh b/Containers/mastercontainer/start.sh
index 1c26b099..336ccb19 100644
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -300,7 +300,6 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/certs/
 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -308,7 +307,6 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown root:root -R /mnt/docker-aio-config/certs/
 
 # Don't allow access to the AIO interface from the Nextcloud container
 # Probably more cosmetic than anything but at least an attempt
@@ -324,22 +322,6 @@ allow from all
 APACHE_CONF
 fi
 
-# Adjust certs
-GENERATED_CERTS="/mnt/docker-aio-config/certs"
-TMP_CERTS="/etc/apache2/certs"
-mkdir -p "$GENERATED_CERTS"
-cd "$GENERATED_CERTS" || exit 1
-if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
- openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
-fi
-if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
- cd "$TMP_CERTS" || exit 1
- rm ./ssl.crt
- rm ./ssl.key
- cp "$GENERATED_CERTS/ssl.crt" ./
- cp "$GENERATED_CERTS/ssl.key" ./
-fi
-
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
From 131dc62508063297c80c7d456b7aefa3f84f63a6 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 27 Sep 2023 21:42:31 +0200
Subject: [PATCH 2/2] trust private ranges for port 8080
Signed-off-by: Simon L
---
Containers/mastercontainer/Caddyfile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Containers/mastercontainer/Caddyfile b/Containers/mastercontainer/Caddyfile
index 404a1507..e78fe8f3 100644
--- a/Containers/mastercontainer/Caddyfile
+++ b/Containers/mastercontainer/Caddyfile
@@ -25,7 +25,9 @@ http://:80 {
 }
 
 https://:8080 {
- reverse_proxy localhost:8000
+ reverse_proxy localhost:8000 {
+ trusted_proxies private_ranges
+ }
 tls internal {
 on_demand
 }
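Review bot: `trusted_proxies private_ranges` on the `https://:8080` reverse proxy makes Caddy pass through the `X-Forwarded-*` headers sent by any client whose source address is in a private range, and on this port the direct clients are LAN browsers rather than upstream proxies, so in effect every direct client may set those headers freely. That is only harmless as long as nothing behind `localhost:8000` (Apache and the AIO PHP app) derives client identity, access decisions or the request scheme from forwarded headers; the Apache access rules that start.sh writes for this interface are one place to check. Neither the commit message nor the Caddyfile records why private ranges should be trusted here; please add the reason next to the directive, e.g. `# 8080 is reached directly from the LAN; forwarded headers from private ranges are deliberately passed through`, or narrow the list to the address of the proxy that actually sits in front of it.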