How to make nginx and certbot friends in docker-compose for Nextcloud?

Y

Yermek2021-02-27 23:53:03

Nginx

Yermek, 2021-02-27 23:53:03

Friends, hello!

Preamble: Ubuntu Server 20.04.2

Достался в стародавние времена в подарок HP Proliant MicroServer G7, на который была навешена Ubuntu Server со следующими сервисами: Plex Media Server, Transmission, OwnCloud, Samba. Все это добро крутилось на дисках, общей ёмкостью 2Tb.

Однако сначала диск, на котором крутилось облако, а в скоре и диск, на котором крутился медиа сервер, приказали долго жить.

Прикупил я себе 4x2TB диска. LVM'ом соединил 2 последовательно (Plex, Transmission, Samba) и 2 паралельно (Nextcloud). Воткнул любимую Ubuntu Server, и начал настраивать

Installed from the software on the host:

mc file manager
git to get rep
vim as a text editor
wakeonlan to wake up the main machine when not at home
Docker for other services

I decided to put the rest of the services in docker-compose files - I was tempted by the isolation of containers and the ability to quickly and transparently migrate.

There are no problems with transmission. Everything works according to the instructions

version: "2.1"
services:
    transmission:
        image: ghcr.io/linuxserver/transmission
        container_name: transmission
        environment:
            - PUID=1000
            - PGID=1000
            - TZ=Asia/Almaty
            - TRANSMISSION_WEB_HOME=/combustion-release/ 
            - USER=trs
            - PASS=*******
        volumes:
            - /media/torrents/data:/config
            - /media/torrents/downloads:/downloads
            - /media/torrents/watch:/watch
        ports:
            - 9091:9091
            - 51413:51413
            - 51413:51413/udp
        restart: always

Pulled cloud service docker-onlyoffice-nextcloud from GitHub . docker-compose up -d, and everything worked.

Really very slow.

Fastened postgres, redis. It got much better

Именованые тома заменил на относительные пути - надо что бы данные лежали на конкретном диске.

version: '3'
services:
  db:
    container_name: pg-server
    image: "postgres:12.5"
    restart: always
    environment:
        POSTGRES_PASSWORD: *******
        POSTGRES_USER: app_user
        POSTGRES_DB: cloud_db
    volumes:
        - ./data/pgdb:/var/lib/postgresql/data
  redis:
    container_name: redis-server
    image: redis:6.2.0-alpine
    restart: always
  app:
    container_name: app-server
    image: nextcloud:fpm
    restart: always
    expose:
      - '80'
      - '9000'
    volumes:
      - ./data/app:/var/www/html
    environment:
      REDIS_HOST: redis-server
  onlyoffice-document-server:
    container_name: onlyoffice-document-server
    image: onlyoffice/documentserver:latest
    restart: always
    expose:
      - '80'
      - '443'
    volumes:
      - ./data/document_data:/var/www/onlyoffice/Data
      - ./data/document_log:/var/log/onlyoffice
  nginx:
    container_name: nginx-server
    image: nginx:1.15-alpine
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data/certbot/conf:/etc/nginx/certs
      - ./data/certbot/www:/var/www/certbot
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./data/app:/var/www/html
  certbot:
    container_name: certbot-server
    image: certbot/certbot
    volumes:
        - ./data/certbot/conf:/etc/letsencrypt
        - ./data/certbot/www:/var/www/certbot
        - ./data/certbot/logs:/var/log/letsencrypt

Про certbot - чуть позже

Well, for complete happiness, I wanted encryption.
On the old conf, everything went up without problems. Since Apache was installed for hosts, during installation, certbot saw the configuration, configured it itself, received certificates, set up a task to update them.

Here it turned out to be a little more complicated.
I found an article on how to make nginx friends with Let's Encrypt . I tried - it worked.

However, during the transfer, it turned out that when contacting the /.well-known/acme-challenge/server, it spits out a 403 error

. I looked at the nginx-server logs - there is a request, the response
is 403

. nginx redirects the request to this path to Nextcloud, although I would like it to just send the static from the container folder/var/www/certbot

Now the configuration is:

# user  www-data;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {

    upstream backend {
      server app-server:9000;
    }


    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  3600;

    map $http_host $this_host {
        "" $host;
        default $http_host;
    }

    map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        "" $scheme;
    }

    map $http_x_forwarded_host $the_host {
       default $http_x_forwarded_host;
       "" $this_host;
    }

    server {
        listen 88;
        location / {
            root /var/www/certbot;
        }
    }
    server {
   	listen 80;

        # Add headers to serve security related headers
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;

        root /var/www/html;
        client_max_body_size 10G; # 0=unlimited - set max upload size
        fastcgi_buffers 128 8K;

        gzip off;

        index index.php;
        error_page 403 /core/templates/403.php;
        error_page 404 /core/templates/404.php;

        location /.well-known/acme-challenge/ {
            proxy_pass http://localhost:88;
            allow all;
        }

        # rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
        # rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
            deny all;
        }

        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location / {
            rewrite ^/remote/(.*) /remote.php last;
            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
            try_files $uri $uri/ =404;
        }

  location ~* ^/ds-vpath/ {
    rewrite /ds-vpath/(.*) /$1  break;
                proxy_pass http://onlyoffice-document-server;
                proxy_redirect     off;

                client_max_body_size 100m;

                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
                proxy_set_header X-Forwarded-Proto $the_scheme;
        }

        location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS off;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_pass backend;
            fastcgi_intercept_errors on;
            fastcgi_read_timeout 3600;
        }

        # Adding the cache control header for js and css files
        # Make sure it is BELOW the location ~ \.php(?:$|/) { block
        location ~* \.(?:css|js)$ {
            add_header Cache-Control "public, max-age=7200";
            # Add headers to serve security related headers
            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            # Optional: Don't log access to assets
            access_log off;
        }
        # Optional: Don't log access to other assets
        location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
            access_log off;
        }
    }
}

server {
        listen 88;
        location / {
            root /var/www/certbot;
        }
    }

- just added. The acme-challenge location used to be:

location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot;
        }

Here is what I commented - still does not help:

rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
        rewrite ^/.well-known/caldav /remote.php/dav/ permanent;

Actually the question is:
Why are the files not processed, but sent to the app-server?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

M

Mikhail Vasilyev, 2021-02-28
@vasilyevmn

Here there are options.
https://github.com/ONLYOFFICE/docker-onlyoffice-ne...