Skip to content

Commit

Permalink
Merge pull request #3416 from nextcloud/enh/noid/use-caddy-for-self-s…
Browse files Browse the repository at this point in the history
…igned-cert

mastercontainer - use Caddy for generating self-singed cert
  • Loading branch information
szaimen authored Sep 29, 2023
2 parents 211ef36 + 131dc62 commit b0c859a
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 44 deletions.
11 changes: 10 additions & 1 deletion Containers/mastercontainer/Caddyfile
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,16 @@
}

http://:80 {
redir https://{host}{uri}
redir https://{host}{uri}
}

https://:8080 {
reverse_proxy localhost:8000 {
trusted_proxies private_ranges
}
tls internal {
on_demand
}
}

https://:8443 {
Expand Down
15 changes: 3 additions & 12 deletions Containers/mastercontainer/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ RUN set -ex; \
usermod -u 333 -g 333 xfs; \
groupmod -g 33 www-data; \
usermod -u 33 -g 33 www-data; \
apk del --no-cache shadow; \
\
apk add --no-cache \
util-linux-misc \
Expand All @@ -31,10 +32,9 @@ RUN set -ex; \
bash \
apache2 \
apache2-proxy \
apache2-ssl \
supervisor \
openssl \
sudo \
nss \
netcat-openbsd \
curl \
grep; \
Expand Down Expand Up @@ -65,6 +65,7 @@ RUN set -ex; \
chmod +x /usr/local/bin/composer; \
cd /var/www/docker-aio; \
git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
apk del --no-cache git; \
find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
chown www-data:www-data -R /var/www/docker-aio; \
cd php; \
Expand All @@ -77,10 +78,6 @@ RUN set -ex; \
rm -r php/data; \
rm -r php/session; \
\
mkdir -p /etc/apache2/certs; \
cd /etc/apache2/certs; \
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
\
sed -i \
-e '/^Listen /d' \
-e 's/^LogLevel .*/LogLevel error/' \
Expand All @@ -99,13 +96,7 @@ RUN set -ex; \
-e 's/\(ScriptAlias \)/#\1/' \
/etc/apache2/httpd.conf; \
mkdir -p /etc/apache2/logs; \
rm /etc/apache2/conf.d/ssl.conf; \
echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
\
rm -f /etc/apache2/conf.d/default.conf \
Expand Down
13 changes: 0 additions & 13 deletions Containers/mastercontainer/mastercontainer.conf
Original file line number Diff line number Diff line change
Expand Up @@ -38,19 +38,6 @@ Listen 8080
</Directory>
</VirtualHost>

# Https host
<VirtualHost *:8080>
# Proxy to https
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
ProxyPreserveHost On
# SSL
SSLCertificateKeyFile /etc/apache2/certs/ssl.key
SSLCertificateFile /etc/apache2/certs/ssl.crt
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>

# Increase timeout in case e.g. the initial download takes a long time
Timeout 7200
ProxyTimeout 7200
18 changes: 0 additions & 18 deletions Containers/mastercontainer/start.sh
Original file line number Diff line number Diff line change
Expand Up @@ -300,15 +300,13 @@ fi
mkdir -p /mnt/docker-aio-config/data/
mkdir -p /mnt/docker-aio-config/session/
mkdir -p /mnt/docker-aio-config/caddy/
mkdir -p /mnt/docker-aio-config/certs/

# Adjust permissions for all instances
chmod 770 -R /mnt/docker-aio-config
chmod 777 /mnt/docker-aio-config
chown www-data:www-data -R /mnt/docker-aio-config/data/
chown www-data:www-data -R /mnt/docker-aio-config/session/
chown www-data:www-data -R /mnt/docker-aio-config/caddy/
chown root:root -R /mnt/docker-aio-config/certs/

# Don't allow access to the AIO interface from the Nextcloud container
# Probably more cosmetic than anything but at least an attempt
Expand All @@ -324,22 +322,6 @@ allow from all
APACHE_CONF
fi

# Adjust certs
GENERATED_CERTS="/mnt/docker-aio-config/certs"
TMP_CERTS="/etc/apache2/certs"
mkdir -p "$GENERATED_CERTS"
cd "$GENERATED_CERTS" || exit 1
if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
fi
if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
cd "$TMP_CERTS" || exit 1
rm ./ssl.crt
rm ./ssl.key
cp "$GENERATED_CERTS/ssl.crt" ./
cp "$GENERATED_CERTS/ssl.key" ./
fi

print_green "Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
Expand Down

0 comments on commit b0c859a

Please sign in to comment.