Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mastercontainer - use Caddy for generating self-singed cert #3416

Merged
merged 2 commits into from
Sep 29, 2023
Merged

mastercontainer - use Caddy for generating self-singed cert #3416

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f5f8c83
mastercontainer - use Caddy for generating self-singed cert
szaimen Sep 26, 2023
131dc62
trust private ranges for port 8080
szaimen Sep 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion Containers/mastercontainer/Caddyfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,16 @@
}

http://:80 {
redir https://{host}{uri}
redir https://{host}{uri}
}

https://:8080 {
reverse_proxy localhost:8000 {
trusted_proxies private_ranges
}
tls internal {
on_demand
szaimen marked this conversation as resolved.
Show resolved Hide resolved
}
}

https://:8443 {
Expand Down
15 changes: 3 additions & 12 deletions Containers/mastercontainer/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ RUN set -ex; \
usermod -u 333 -g 333 xfs; \
groupmod -g 33 www-data; \
usermod -u 33 -g 33 www-data; \
apk del --no-cache shadow; \
\
apk add --no-cache \
util-linux-misc \
Expand All @@ -31,10 +32,9 @@ RUN set -ex; \
bash \
apache2 \
apache2-proxy \
apache2-ssl \
supervisor \
openssl \
sudo \
nss \
netcat-openbsd \
curl \
grep; \
Expand Down Expand Up @@ -65,6 +65,7 @@ RUN set -ex; \
chmod +x /usr/local/bin/composer; \
cd /var/www/docker-aio; \
git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
apk del --no-cache git; \
find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
chown www-data:www-data -R /var/www/docker-aio; \
cd php; \
Expand All @@ -77,10 +78,6 @@ RUN set -ex; \
rm -r php/data; \
rm -r php/session; \
\
mkdir -p /etc/apache2/certs; \
cd /etc/apache2/certs; \
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
\
sed -i \
-e '/^Listen /d' \
-e 's/^LogLevel .*/LogLevel error/' \
Expand All @@ -99,13 +96,7 @@ RUN set -ex; \
-e 's/\(ScriptAlias \)/#\1/' \
/etc/apache2/httpd.conf; \
mkdir -p /etc/apache2/logs; \
rm /etc/apache2/conf.d/ssl.conf; \
echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
\
rm -f /etc/apache2/conf.d/default.conf \
Expand Down
13 changes: 0 additions & 13 deletions Containers/mastercontainer/mastercontainer.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,19 +38,6 @@ Listen 8080
</Directory>
</VirtualHost>

# Https host
<VirtualHost *:8080>
# Proxy to https
ProxyPass / http://localhost:8000/
ProxyPassReverse / http://localhost:8000/
ProxyPreserveHost On
# SSL
SSLCertificateKeyFile /etc/apache2/certs/ssl.key
SSLCertificateFile /etc/apache2/certs/ssl.crt
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>

# Increase timeout in case e.g. the initial download takes a long time
Timeout 7200
ProxyTimeout 7200
18 changes: 0 additions & 18 deletions Containers/mastercontainer/start.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -300,15 +300,13 @@ fi
mkdir -p /mnt/docker-aio-config/data/
mkdir -p /mnt/docker-aio-config/session/
mkdir -p /mnt/docker-aio-config/caddy/
mkdir -p /mnt/docker-aio-config/certs/

# Adjust permissions for all instances
chmod 770 -R /mnt/docker-aio-config
chmod 777 /mnt/docker-aio-config
chown www-data:www-data -R /mnt/docker-aio-config/data/
chown www-data:www-data -R /mnt/docker-aio-config/session/
chown www-data:www-data -R /mnt/docker-aio-config/caddy/
chown root:root -R /mnt/docker-aio-config/certs/

# Don't allow access to the AIO interface from the Nextcloud container
# Probably more cosmetic than anything but at least an attempt
Expand All @@ -324,22 +322,6 @@ allow from all
APACHE_CONF
fi

# Adjust certs
GENERATED_CERTS="/mnt/docker-aio-config/certs"
TMP_CERTS="/etc/apache2/certs"
mkdir -p "$GENERATED_CERTS"
cd "$GENERATED_CERTS" || exit 1
if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
fi
if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
cd "$TMP_CERTS" || exit 1
rm ./ssl.crt
rm ./ssl.key
cp "$GENERATED_CERTS/ssl.crt" ./
cp "$GENERATED_CERTS/ssl.key" ./
fi

print_green "Initial startup of Nextcloud All-in-One complete!
You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
E.g. https://internal.ip.of.this.server:8080
Expand Down