Merge 0f899fe772 into 6c1075b88d

Runs update.sh
Add FORWARDED_FOR_HEADERS to the reverse-proxy config (#2272 )
2025-07-28 01:18:06 +02:00 · 2024-10-09 09:02:03 -04:00 · 2024-10-08 14:20:13 +00:00 · 2024-10-08 16:19:59 +02:00 · 2024-10-08 15:53:11 +02:00 · 2024-09-24 11:14:06 +02:00
16 changed files with 79 additions and 10 deletions
--- a/.config/reverse-proxy.config.php
+++ b/.config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/.config/s3.config.php
+++ b/.config/s3.config.php
@ -19,7 +19,14 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
        // required for some non Amazon S3 implementations
        'use_path_style' => $use_path == true && strtolower($use_path) !== 'false',
        // required for older protocol versions
-        'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false'
+        'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false',
+        'concurrency' => getenv('OBJECTSTORE_S3_CONCURRENCY') ?: '',
+        'proxy' => getenv('OBJECTSTORE_S3_PROXY') ?: '',
+        'timeout' => getenv('OBJECTSTORE_S3_TIMEOUT') ?: '',
+        'uploadPartSize' => getenv('OBJECTSTORE_S3_UPLOADPARTSIZE') ?:'',
+        'putSizeLimit' => getenv('OBJECTSTORE_S3_PUTSIZELIMIT') ?: '',
+        'version' => getenv('OBJECTSTORE_S3_VERSION') ?: '',
+        'verify_bucket_exists' => getenv('OBJECTSTORE_S3_VERIFY_BUCKET_EXISTS') ?: ''
      )
    )
  );
--- a/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
+++ b/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
@ -14,6 +14,7 @@ http {
    default_type  application/octet-stream;
    types {
        text/javascript mjs;
+        application/wasm wasm;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@ -143,7 +144,7 @@ http {
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
@ -166,7 +167,7 @@ http {
        }

        # Serve static files
-        location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
--- a/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf
+++ b/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf
@ -14,6 +14,7 @@ http {
    default_type  application/octet-stream;
    types {
        text/javascript mjs;
+        application/wasm wasm;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@ -143,7 +144,7 @@ http {
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
@ -166,7 +167,7 @@ http {
        }

        # Serve static files
-        location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
--- a/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
+++ b/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf
@ -14,6 +14,7 @@ http {
    default_type  application/octet-stream;
    types {
        text/javascript mjs;
+        application/wasm wasm;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@ -143,7 +144,7 @@ http {
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
@ -166,7 +167,7 @@ http {
        }

        # Serve static files
-        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
--- a/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
+++ b/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
@ -14,6 +14,7 @@ http {
    default_type  application/octet-stream;
    types {
        text/javascript mjs;
+        application/wasm wasm;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@ -143,7 +144,7 @@ http {
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
@ -166,7 +167,7 @@ http {
        }

        # Serve static files
-        location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
--- a/28/apache/config/reverse-proxy.config.php
+++ b/28/apache/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/28/fpm-alpine/config/reverse-proxy.config.php
+++ b/28/fpm-alpine/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/28/fpm/config/reverse-proxy.config.php
+++ b/28/fpm/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/29/apache/config/reverse-proxy.config.php
+++ b/29/apache/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/29/fpm-alpine/config/reverse-proxy.config.php
+++ b/29/fpm-alpine/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/29/fpm/config/reverse-proxy.config.php
+++ b/29/fpm/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/30/apache/config/reverse-proxy.config.php
+++ b/30/apache/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/30/fpm-alpine/config/reverse-proxy.config.php
+++ b/30/fpm-alpine/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/30/fpm/config/reverse-proxy.config.php
+++ b/30/fpm/config/reverse-proxy.config.php
@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
  $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}
--- a/README.md
+++ b/README.md
@ -191,6 +191,13 @@ To use an external S3 compatible object store as primary storage, set the follow
 - `OBJECTSTORE_S3_OBJECT_PREFIX` (default: `urn:oid:`): Prefix to prepend to the fileid
 - `OBJECTSTORE_S3_AUTOCREATE` (default: `true`): Create the container if it does not exist
 - `OBJECTSTORE_S3_SSE_C_KEY` (not set by default): Base64 encoded key with a maximum length of 32 bytes for server side encryption (SSE-C)
+- `OBJECTSTORE_S3_CONCURRENCY` (default: `5`) defines the maximum number of concurrent multipart uploads
+- `OBJECTSTORE_S3_PROXY` (default: `false`)
+- `OBJECTSTORE_S3_TIMEOUT` (default: `15`)
+- `OBJECTSTORE_S3_UPLOADPARTSIZE` (default: `524288000`)
+- `OBJECTSTORE_S3_PUTSIZELIMIT` (default: `104857600`)
+- `OBJECTSTORE_S3_VERSION` (default: `latest`)
+- `OBJECTSTORE_S3_VERIFY_BUCKET_EXISTS` (default: `true`)

 Check the [Nextcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3) for more information.

@ -261,7 +268,7 @@ To use the hooks triggered by the `entrypoint` script, either
 ```


-## Using the apache image behind a reverse proxy and auto configure server host and protocol
+## Using the image behind a reverse proxy and auto configure server host and protocol

 The apache image will replace the remote addr (IP address visible to Nextcloud) with the IP address from `X-Real-IP` if the request is coming from a proxy in `10.0.0.0/8`, `172.16.0.0/12` or `192.168.0.0/16` by default. If you want Nextcloud to pick up the server host (`HTTP_X_FORWARDED_HOST`), protocol (`HTTP_X_FORWARDED_PROTO`) and client IP (`HTTP_X_FORWARDED_FOR`) from a trusted proxy, then disable rewrite IP and add the reverse proxy's IP address to `TRUSTED_PROXIES`.

@ -276,6 +283,7 @@ If the `TRUSTED_PROXIES` approach does not work for you, try using fixed values
 - `OVERWRITECLIURL` (empty by default): Set the cli url of the proxy (e.g. https://mydnsname.example.com)
 - `OVERWRITEWEBROOT` (empty by default): Set the absolute path of the proxy.
 - `OVERWRITECONDADDR` (empty by default): Regex to overwrite the values dependent on the remote address.
+- `FORWARDED_FOR_HEADERS` (empty by default): HTTP headers with the original client IP address

 Check the [Nexcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html) for more details.
Author	SHA1	Message	Date
Jesse Hitch	262a256614	Merge `0f899fe772` into `6c1075b88d`	2024-10-09 09:02:03 -04:00
GitHub Workflow	6c1075b88d	Runs update.sh	2024-10-08 14:20:13 +00:00
Dominic Giebert	a9f9885e65	Add FORWARDED_FOR_HEADERS to the reverse-proxy config (#2272 ) * Add FORWARDED_FOR_HEADERS to the reverse-proxy config Signed-off-by: Dominic Giebert <dominic.giebert@suse.com> * Add FORWARDED_FOR_HEADERS to documentation Signed-off-by: Dominic Giebert <dominic.giebert@suse.com> --------- Signed-off-by: Dominic Giebert <dominic.giebert@suse.com>	2024-10-08 16:19:59 +02:00
Kaloyan Nikolov	8c777a4144	Update examples nginx configuration (#2307 ) * Update config based on the official docs Signed-off-by: Kaloyan Nikolov <tzerber@gmail.com> * Update all example nginx configs according to the documentation Signed-off-by: Kaloyan Nikolov <tzerber@gmail.com> --------- Signed-off-by: Kaloyan Nikolov <tzerber@gmail.com>	2024-10-08 15:53:11 +02:00
Jesse Hitch	0f899fe772	Update .config/s3.config.php - don't set defaults for new s3 values Signed-off-by: Jesse Hitch <jessebot@linux.com>	2024-09-24 11:14:06 +02:00
jessebot	040b7411a4	allow setting s3 concurrency, proxy, timeout, uploadPartSize, putSizeLimit, version, and verify_bucket_exists Signed-off-by: jessebot <jessebot@linux.com>	2024-07-29 12:48:13 +02:00