From 043884f7fbf9063e9474b8b5429dd016316a942d Mon Sep 17 00:00:00 2001
From: Quentin Duchemin <quentinduchemin@tuta.io>
Date: Thu, 20 Aug 2020 19:09:22 +0200
Subject: [PATCH] [NC] Update CeT (missing doc)

---
 pica-nextcloud/docker-compose-cet.yml |  48 +++++---
 pica-nextcloud/nginx_cet.conf         | 161 ++++++++++++++++++++++++++
 2 files changed, 195 insertions(+), 14 deletions(-)
 create mode 100644 pica-nextcloud/nginx_cet.conf

diff --git a/pica-nextcloud/docker-compose-cet.yml b/pica-nextcloud/docker-compose-cet.yml
index a778a777..c0886b04 100644
--- a/pica-nextcloud/docker-compose-cet.yml
+++ b/pica-nextcloud/docker-compose-cet.yml
@@ -1,18 +1,41 @@
 version: '3.7'
-# TODO switch to volumes
 networks:
   docker_default:
-    name: docker_default:
+    name: docker_default
   cloud_cet:
     name: cloud_cet
 
+volumes:
+  nextcloud_cet:
+    name: nextcloud_cet
+  nextcloud_cet_db:
+    name: nextcloud_cet_db
+
 services:
   cloudcet:
-    build:
-      context: ./15.0
-      dockerfile: ./15.0/Dockerfile
     container_name: cloudcet
-    image: registry.picasoft.net/nextcloud:15.0
+    image: nextcloud:19.0-fpm
+    networks:
+      - cloud_cet
+    volumes:
+      - nextcloud_cet:/var/www/html
+    env_file: ./secrets/cloudcet.secrets
+    environment:
+      - POSTGRES_HOST=cloudcet_db
+    depends_on:
+      - cloudcet_db
+      - cloudcet_web
+    restart: unless-stopped
+
+  cloudcet_web:
+    image: nginx:alpine
+    container_name: cloudcet_web
+    volumes:
+      - nextcloud_cet:/var/www/html:ro
+      - ./nginx_cet.conf:/etc/nginx/nginx.conf:ro
+    env_file: ./secrets/cloudcet.secrets
+    ports:
+      - 2002:80
     labels:
       - "traefik.frontend.rule=Host:cloudcet.picasoft.net"
       - "traefik.port=80"
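Review bot: The `ports: - 2002:80` entry on `cloudcet_web` publishes the nginx listener on every host interface, so the instance is reachable over plain HTTP on port 2002 in addition to the Traefik route declared by the labels just below it. If the mapping is only needed locally, bind it to loopback with `- "127.0.0.1:2002:80"`, or drop it and let Traefik reach the container over `docker_default`. Separately, `env_file: ./secrets/cloudcet.secrets` on `cloudcet_web` loads the secrets into the nginx container's environment, although the nginx configuration added in this patch reads no environment variables; removing that line keeps the credentials in the containers that use them. The `cloudcet_web` definition continues in the next hunk.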
@@ -20,17 +43,14 @@ services:
     networks:
       - docker_default
       - cloud_cet
-    volumes:
-      - /DATA/docker/cet/nc:/var/www/html
-    depends_on:
-      - cloudcet_db
-    restart: unless-stopped
+    restart: unless-stopped 
 
   cloudcet_db:
     container_name: cloudcet_db
     image: postgres:9.6
     volumes:
-      - /DATA/docker/cet/nc_db:/var/lib/postgresql/data
-    env_file:
-      - ./secrets/cloudcet.secrets
+      - nextcloud_cet_db:/var/lib/postgresql/data
+    env_file: ./secrets/cloudcet.secrets
+    networks:
+      - cloud_cet
     restart: unless-stopped
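Review bot: Replacing the bind mount `/DATA/docker/cet/nc_db` with the named volume `nextcloud_cet_db` leaves the existing database behind, and nothing in the file says how the data gets into the new volume. A new named volume starts empty, so on first start the postgres image would initialise a fresh cluster from whatever credentials the env file holds. The same applies to `/DATA/docker/cet/nc`, which is replaced by `nextcloud_cet` in the first hunk. A comment above the volume line would record the step, for example `# data formerly in /DATA/docker/cet/nc_db; copy it into this volume before first start`. If existing data is carried over, the jump from the 15.0 image to `nextcloud:19.0-fpm` also needs staging, since Nextcloud only supports upgrading one major version at a time. As a style point, the added `restart: unless-stopped ` line on `cloudcet_web` ends with a trailing space.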
diff --git a/pica-nextcloud/nginx_cet.conf b/pica-nextcloud/nginx_cet.conf
new file mode 100644
index 00000000..a102830e
--- /dev/null
+++ b/pica-nextcloud/nginx_cet.conf
@@ -0,0 +1,161 @@
+worker_processes auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    set_real_ip_from  10.0.0.0/8;
+    set_real_ip_from  172.16.0.0/12;
+    set_real_ip_from  192.168.0.0/16;
+    real_ip_header    X-Real-IP;
+
+    #gzip  on;
+
+    upstream php-handler {
+        server cloudcet:9000;
+    }
+
+    server {
+        listen 80;
+
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        add_header Referrer-Policy "no-referrer" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header X-Robots-Tag "none" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        fastcgi_hide_header X-Powered-By;
+        root /var/www/html;
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # The following 2 rules are only needed for the user_webfinger app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
+        # last;
+
+        location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+        }
+        location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+        }
+
+        # set max upload size
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Uncomment if your server is build with the ngx_pagespeed module
+        # This module is currently not supported.
+        #pagespeed off;
+
+        location / {
+            rewrite ^ /index.php;
+        }
+
+        location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+            deny all;
+        }
+        location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+            deny all;
+        }
+
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            set $path_info $fastcgi_path_info;
+            try_files $fastcgi_script_name =404;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            # fastcgi_param HTTPS on;
+
+            # Avoid sending the security headers twice
+            fastcgi_param modHeadersAvailable true;
+
+            # Enable pretty urls
+            fastcgi_param front_controller_active true;
+            fastcgi_pass php-handler;
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+        }
+
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+            try_files $uri/ =404;
+            index index.php;
+        }
+
+        # Adding the cache control header for js, css and map files
+        # Make sure it is BELOW the PHP block
+        location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463";
+            # Add headers to serve security related headers (It is intended to
+            # have those duplicated to the ones above)
+            # Before enabling Strict-Transport-Security headers please read into
+            # this topic first.
+            #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+            #
+            # WARNING: Only add the preload option once you read about
+            # the consequences in https://hstspreload.org/. This option
+            # will add the domain to a hardcoded list that is shipped
+            # in all major browsers and getting removed from this list
+            # could take several months.
+            add_header Referrer-Policy "no-referrer" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header X-Download-Options "noopen" always;
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-Permitted-Cross-Domain-Policies "none" always;
+            add_header X-Robots-Tag "none" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+
+            # Optional: Don't log access to assets
+            access_log off;
+        }
+
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+            try_files $uri /index.php$request_uri;
+            # Optional: Don't log access to other assets
+            access_log off;
+        }
+    }
+
+}
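Review bot: The three `set_real_ip_from` lines trust `X-Real-IP` from every RFC 1918 range, so any peer that connects from a private address decides what `$remote_addr` becomes. That value is logged and passed to PHP as the client address, and traffic arriving through the published port 2002 may also appear to come from a Docker bridge address inside those ranges. Narrowing the trust to the proxy alone, e.g. `set_real_ip_from <traefik-address-or-subnet>;` (placeholder, the real value is not on this page), keeps rate limiting and access logs tied to the real client. The two `.well-known` redirects also build their target from `$scheme`, which is `http` on this listener; if Traefik terminates TLS in front of it, CalDAV/CardDAV clients would be redirected to a cleartext URL. A fixed scheme such as `return 301 https://$host/remote.php/dav;` avoids that.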
-- 
GitLab