From 040b7411a4c442b0117b5a1fa7e3b783e280a17d Mon Sep 17 00:00:00 2001 From: jessebot Date: Fri, 26 Jul 2024 14:38:29 +0200 Subject: [PATCH 1/5] allow setting s3 concurrency, proxy, timeout, uploadPartSize, putSizeLimit, version, and verify_bucket_exists Signed-off-by: jessebot --- .config/s3.config.php | 9 ++++++++- README.md | 7 +++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.config/s3.config.php b/.config/s3.config.php index 9941c562..20f4d8dd 100644 --- a/.config/s3.config.php +++ b/.config/s3.config.php @@ -19,7 +19,14 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) { // required for some non Amazon S3 implementations 'use_path_style' => $use_path == true && strtolower($use_path) !== 'false', // required for older protocol versions - 'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false' + 'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false', + 'concurrency' => getenv('OBJECTSTORE_S3_CONCURRENCY') ?: 5, + 'proxy' => getenv('OBJECTSTORE_S3_PROXY') ?: false, + 'timeout' => getenv('OBJECTSTORE_S3_TIMEOUT') ?: 15, + 'uploadPartSize' => getenv('OBJECTSTORE_S3_UPLOADPARTSIZE') ?: 524288000, + 'putSizeLimit' => getenv('OBJECTSTORE_S3_PUTSIZELIMIT') ?: 104857600, + 'version' => getenv('OBJECTSTORE_S3_VERSION') ?: "latest", + 'verify_bucket_exists' => getenv('OBJECTSTORE_S3_VERIFY_BUCKET_EXISTS') ?: true ) ) ); diff --git a/README.md b/README.md index b9f7a66d..cc98d340 100644 --- a/README.md +++ b/README.md @@ -192,6 +192,13 @@ To use an external S3 compatible object store as primary storage, set the follow - `OBJECTSTORE_S3_OBJECT_PREFIX` (default: `urn:oid:`): Prefix to prepend to the fileid - `OBJECTSTORE_S3_AUTOCREATE` (default: `true`): Create the container if it does not exist - `OBJECTSTORE_S3_SSE_C_KEY` (not set by default): Base64 encoded key with a maximum length of 32 bytes for server side encryption (SSE-C) +- `OBJECTSTORE_S3_CONCURRENCY` (default: `5`) defines the maximum number of concurrent multipart uploads +- `OBJECTSTORE_S3_PROXY` (default: `false`) +- `OBJECTSTORE_S3_TIMEOUT` (default: `15`) +- `OBJECTSTORE_S3_UPLOADPARTSIZE` (default: `524288000`) +- `OBJECTSTORE_S3_PUTSIZELIMIT` (default: `104857600`) +- `OBJECTSTORE_S3_VERSION` (default: `latest`) +- `OBJECTSTORE_S3_VERIFY_BUCKET_EXISTS` (default: `true`) Check the [Nextcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3) for more information. From 0f899fe772b179e65fdb0bc77933d2c53b2724f7 Mon Sep 17 00:00:00 2001 From: Jesse Hitch Date: Tue, 24 Sep 2024 11:14:06 +0200 Subject: [PATCH 2/5] Update .config/s3.config.php - don't set defaults for new s3 values Signed-off-by: Jesse Hitch --- .config/s3.config.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.config/s3.config.php b/.config/s3.config.php index 20f4d8dd..2cbb4893 100644 --- a/.config/s3.config.php +++ b/.config/s3.config.php @@ -20,13 +20,13 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) { 'use_path_style' => $use_path == true && strtolower($use_path) !== 'false', // required for older protocol versions 'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false', - 'concurrency' => getenv('OBJECTSTORE_S3_CONCURRENCY') ?: 5, - 'proxy' => getenv('OBJECTSTORE_S3_PROXY') ?: false, - 'timeout' => getenv('OBJECTSTORE_S3_TIMEOUT') ?: 15, - 'uploadPartSize' => getenv('OBJECTSTORE_S3_UPLOADPARTSIZE') ?: 524288000, - 'putSizeLimit' => getenv('OBJECTSTORE_S3_PUTSIZELIMIT') ?: 104857600, - 'version' => getenv('OBJECTSTORE_S3_VERSION') ?: "latest", - 'verify_bucket_exists' => getenv('OBJECTSTORE_S3_VERIFY_BUCKET_EXISTS') ?: true + 'concurrency' => getenv('OBJECTSTORE_S3_CONCURRENCY') ?: '', + 'proxy' => getenv('OBJECTSTORE_S3_PROXY') ?: '', + 'timeout' => getenv('OBJECTSTORE_S3_TIMEOUT') ?: '', + 'uploadPartSize' => getenv('OBJECTSTORE_S3_UPLOADPARTSIZE') ?:'', + 'putSizeLimit' => getenv('OBJECTSTORE_S3_PUTSIZELIMIT') ?: '', + 'version' => getenv('OBJECTSTORE_S3_VERSION') ?: '', + 'verify_bucket_exists' => getenv('OBJECTSTORE_S3_VERIFY_BUCKET_EXISTS') ?: '' ) ) ); From 8c777a4144ff406db6adfe9d674e7411b2f8871e Mon Sep 17 00:00:00 2001 From: Kaloyan Nikolov Date: Tue, 8 Oct 2024 16:53:11 +0300 Subject: [PATCH 3/5] Update examples nginx configuration (#2307) * Update config based on the official docs Signed-off-by: Kaloyan Nikolov * Update all example nginx configs according to the documentation Signed-off-by: Kaloyan Nikolov --------- Signed-off-by: Kaloyan Nikolov --- .examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf | 5 +++-- .../docker-compose/insecure/postgres/fpm/web/nginx.conf | 5 +++-- .../with-nginx-proxy/mariadb/fpm/web/nginx.conf | 5 +++-- .../with-nginx-proxy/postgres/fpm/web/nginx.conf | 5 +++-- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf b/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf index 5dff3389..1dd6e11d 100644 --- a/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf +++ b/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf @@ -14,6 +14,7 @@ http { default_type application/octet-stream; types { text/javascript mjs; + application/wasm wasm; } log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -143,7 +144,7 @@ http { # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -166,7 +167,7 @@ http { } # Serve static files - location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463$asset_immutable"; add_header Referrer-Policy "no-referrer" always; diff --git a/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf b/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf index 5dff3389..1dd6e11d 100644 --- a/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf +++ b/.examples/docker-compose/insecure/postgres/fpm/web/nginx.conf @@ -14,6 +14,7 @@ http { default_type application/octet-stream; types { text/javascript mjs; + application/wasm wasm; } log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -143,7 +144,7 @@ http { # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -166,7 +167,7 @@ http { } # Serve static files - location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463$asset_immutable"; add_header Referrer-Policy "no-referrer" always; diff --git a/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf b/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf index 02215270..a3c9f28b 100644 --- a/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf +++ b/.examples/docker-compose/with-nginx-proxy/mariadb/fpm/web/nginx.conf @@ -14,6 +14,7 @@ http { default_type application/octet-stream; types { text/javascript mjs; + application/wasm wasm; } log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -143,7 +144,7 @@ http { # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -166,7 +167,7 @@ http { } # Serve static files - location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463$asset_immutable"; add_header Referrer-Policy "no-referrer" always; diff --git a/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf b/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf index d7d29c68..a3c9f28b 100644 --- a/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf +++ b/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf @@ -14,6 +14,7 @@ http { default_type application/octet-stream; types { text/javascript mjs; + application/wasm wasm; } log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -143,7 +144,7 @@ http { # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -166,7 +167,7 @@ http { } # Serve static files - location ~ \.(?:css|svg|js|mjs|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463$asset_immutable"; add_header Referrer-Policy "no-referrer" always; From a9f9885e655bf1b16b7c8d3a5131ef161065492e Mon Sep 17 00:00:00 2001 From: Dominic Giebert Date: Tue, 8 Oct 2024 16:19:59 +0200 Subject: [PATCH 4/5] Add FORWARDED_FOR_HEADERS to the reverse-proxy config (#2272) * Add FORWARDED_FOR_HEADERS to the reverse-proxy config Signed-off-by: Dominic Giebert * Add FORWARDED_FOR_HEADERS to documentation Signed-off-by: Dominic Giebert --------- Signed-off-by: Dominic Giebert --- .config/reverse-proxy.config.php | 5 +++++ README.md | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.config/reverse-proxy.config.php b/.config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/.config/reverse-proxy.config.php +++ b/.config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/README.md b/README.md index abe5b25b..d8f41dcb 100644 --- a/README.md +++ b/README.md @@ -261,7 +261,7 @@ To use the hooks triggered by the `entrypoint` script, either ``` -## Using the apache image behind a reverse proxy and auto configure server host and protocol +## Using the image behind a reverse proxy and auto configure server host and protocol The apache image will replace the remote addr (IP address visible to Nextcloud) with the IP address from `X-Real-IP` if the request is coming from a proxy in `10.0.0.0/8`, `172.16.0.0/12` or `192.168.0.0/16` by default. If you want Nextcloud to pick up the server host (`HTTP_X_FORWARDED_HOST`), protocol (`HTTP_X_FORWARDED_PROTO`) and client IP (`HTTP_X_FORWARDED_FOR`) from a trusted proxy, then disable rewrite IP and add the reverse proxy's IP address to `TRUSTED_PROXIES`. @@ -276,6 +276,7 @@ If the `TRUSTED_PROXIES` approach does not work for you, try using fixed values - `OVERWRITECLIURL` (empty by default): Set the cli url of the proxy (e.g. https://mydnsname.example.com) - `OVERWRITEWEBROOT` (empty by default): Set the absolute path of the proxy. - `OVERWRITECONDADDR` (empty by default): Regex to overwrite the values dependent on the remote address. +- `FORWARDED_FOR_HEADERS` (empty by default): HTTP headers with the original client IP address Check the [Nexcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html) for more details. From 6c1075b88d7184b067ce7c685ed55d136f7f0635 Mon Sep 17 00:00:00 2001 From: GitHub Workflow Date: Tue, 8 Oct 2024 14:20:13 +0000 Subject: [PATCH 5/5] Runs update.sh --- 28/apache/config/reverse-proxy.config.php | 5 +++++ 28/fpm-alpine/config/reverse-proxy.config.php | 5 +++++ 28/fpm/config/reverse-proxy.config.php | 5 +++++ 29/apache/config/reverse-proxy.config.php | 5 +++++ 29/fpm-alpine/config/reverse-proxy.config.php | 5 +++++ 29/fpm/config/reverse-proxy.config.php | 5 +++++ 30/apache/config/reverse-proxy.config.php | 5 +++++ 30/fpm-alpine/config/reverse-proxy.config.php | 5 +++++ 30/fpm/config/reverse-proxy.config.php | 5 +++++ 9 files changed, 45 insertions(+) diff --git a/28/apache/config/reverse-proxy.config.php b/28/apache/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/28/apache/config/reverse-proxy.config.php +++ b/28/apache/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/28/fpm-alpine/config/reverse-proxy.config.php b/28/fpm-alpine/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/28/fpm-alpine/config/reverse-proxy.config.php +++ b/28/fpm-alpine/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/28/fpm/config/reverse-proxy.config.php b/28/fpm/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/28/fpm/config/reverse-proxy.config.php +++ b/28/fpm/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/29/apache/config/reverse-proxy.config.php b/29/apache/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/29/apache/config/reverse-proxy.config.php +++ b/29/apache/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/29/fpm-alpine/config/reverse-proxy.config.php b/29/fpm-alpine/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/29/fpm-alpine/config/reverse-proxy.config.php +++ b/29/fpm-alpine/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/29/fpm/config/reverse-proxy.config.php b/29/fpm/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/29/fpm/config/reverse-proxy.config.php +++ b/29/fpm/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/30/apache/config/reverse-proxy.config.php b/30/apache/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/30/apache/config/reverse-proxy.config.php +++ b/30/apache/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/30/fpm-alpine/config/reverse-proxy.config.php b/30/fpm-alpine/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/30/fpm-alpine/config/reverse-proxy.config.php +++ b/30/fpm-alpine/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +} diff --git a/30/fpm/config/reverse-proxy.config.php b/30/fpm/config/reverse-proxy.config.php index 7df0415e..30c660ff 100644 --- a/30/fpm/config/reverse-proxy.config.php +++ b/30/fpm/config/reverse-proxy.config.php @@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES'); if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies))); } + +$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS'); +if ($forwardedForHeaders) { + $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders))); +}