From c5135e3a4e02e86f748327c2ad1d6383070c0a5d Mon Sep 17 00:00:00 2001
From: Simon L
Date: Fri, 20 Oct 2023 17:02:20 +0200
Subject: [PATCH] nextcloud container - allowed clients - only limit access in known use cases

Signed-off-by: Simon L
---
 Containers/nextcloud/start.sh | 23 ++++++++++++++---------
 php/containers.json | 4 +++-
 php/src/Docker/DockerActionManager.php | 2 ++
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/Containers/nextcloud/start.sh b/Containers/nextcloud/start.sh
index bb2a3519..47426a89 100644
--- a/Containers/nextcloud/start.sh
+++ b/Containers/nextcloud/start.sh
@@ -135,15 +135,20 @@
 while [ -z "$(dig nextcloud-aio-apache A +short)" ]; do
 echo "Waiting for nextcloud-aio-apache to start..."
 sleep 5
 done
-IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short | grep '^[0-9.]\+$' | sort | head -n1)"
-IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short | grep '^[0-9.]\+$' | sort | head -n1)"
-IPv6_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
-sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER|" /usr/local/etc/php-fpm.d/www.conf
-sed -i "/^listen.allowed_clients/s/,,/,/g" /usr/local/etc/php-fpm.d/www.conf
-sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
-grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
+set -x
+if [ "$APACHE_PORT" = 443 ] || [ "$APACHE_IP_BINDING" = "127.0.0.1" ] || [ "$APACHE_IP_BINDING" = "::1" ]; then
+ IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+ IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+ IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+ IPv6_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+
+ sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
+ sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER|" /usr/local/etc/php-fpm.d/www.conf
+ sed -i "/^listen.allowed_clients/s/,,/,/g" /usr/local/etc/php-fpm.d/www.conf
+ sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
+ grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
+fi
+set +x
 
 exec "$@"
diff --git a/php/containers.json b/php/containers.json
index 50cd91eb..c75ffab1 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -210,7 +210,9 @@
 "TALK_RECORDING_HOST=nextcloud-aio-talk-recording",
 "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%",
 "DOCKER_SOCKET_PROXY_ENABLED=%DOCKER_SOCKET_PROXY_ENABLED%",
- "REMOVE_DISABLED_APPS=%REMOVE_DISABLED_APPS%"
+ "REMOVE_DISABLED_APPS=%REMOVE_DISABLED_APPS%",
+ "APACHE_PORT=%APACHE_PORT%",
+ "APACHE_IP_BINDING=%APACHE_IP_BINDING%"
 ],
 "restart": "unless-stopped",
 "devices": [
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 03c8c8c8..d9942fbe 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -289,6 +289,8 @@ class DockerActionManager
 $replacements[1] = $this->configurationManager->GetSelectedRestoreTime();
 } elseif ($out[1] === 'APACHE_PORT') {
 $replacements[1] = $this->configurationManager->GetApachePort();
+ } elseif ($out[1] === 'APACHE_IP_BINDING') {
+ $replacements[1] = $this->configurationManager->GetApacheIPBinding();
 } elseif ($out[1] === 'TALK_PORT') {
 $replacements[1] = $this->configurationManager->GetTalkPort();
 } elseif ($out[1] === 'NEXTCLOUD_MOUNT') {