Merge aaeecafbe7 into 6c1075b88d

* Add FORWARDED_FOR_HEADERS to the reverse-proxy config

Signed-off-by: Dominic Giebert <dominic.giebert@suse.com>

* Add FORWARDED_FOR_HEADERS to documentation

Signed-off-by: Dominic Giebert <dominic.giebert@suse.com>

---------

Signed-off-by: Dominic Giebert <dominic.giebert@suse.com>

.config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

28/apache/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

28/fpm-alpine/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

28/fpm/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

29/apache/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

29/fpm-alpine/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

29/fpm/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

30/apache/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

30/fpm-alpine/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

30/fpm/config/reverse-proxy.config.php

@@ -28,3 +28,8 @@ $trustedProxies = getenv('TRUSTED_PROXIES');
 if ($trustedProxies) {
   $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
 }
+
+$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
+if ($forwardedForHeaders) {
+  $CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
+}

README.md

@@ -46,6 +46,12 @@ $ docker run -d nextcloud:fpm
 
 As the fastCGI-Process is not capable of serving static files (style sheets, images, ...), the webserver needs access to these files. This can be achieved with the `volumes-from` option. You can find more information in the [docker compose section](#running-this-image-with-docker-compose).
 
+### Alpine image variant
+
+Alpine variants of the fpm image are available by appending `-alpine` to the tag - e.g. `nextcloud:stable-fpm-alpine`.
+
+**Beware that Alpine variants can have incompatibilities with some applications**. For example, Alpine images do not meet the [system requirements for OnlyOffice](https://github.com/nextcloud/documentserver_community#requirements) nor [Nextcloud Office (CODE/Collabora)](https://github.com/CollaboraOnline/richdocumentscode#system-requirements) due to Alpine's use of *musl libc*.
+
 ## Using an external database
 By default, this container uses SQLite for data storage but the Nextcloud setup wizard (appears on first run) allows connecting to an existing MySQL/MariaDB or PostgreSQL database. You can also link a database container, e. g. `--link my-mysql:mysql`, and then use `mysql` as the database host on setup. More info is in the docker compose section.
 
@@ -261,7 +267,7 @@ To use the hooks triggered by the `entrypoint` script, either
 ```
 
 
-## Using the apache image behind a reverse proxy and auto configure server host and protocol
+## Using the image behind a reverse proxy and auto configure server host and protocol
 
 The apache image will replace the remote addr (IP address visible to Nextcloud) with the IP address from `X-Real-IP` if the request is coming from a proxy in `10.0.0.0/8`, `172.16.0.0/12` or `192.168.0.0/16` by default. If you want Nextcloud to pick up the server host (`HTTP_X_FORWARDED_HOST`), protocol (`HTTP_X_FORWARDED_PROTO`) and client IP (`HTTP_X_FORWARDED_FOR`) from a trusted proxy, then disable rewrite IP and add the reverse proxy's IP address to `TRUSTED_PROXIES`.
 
@@ -276,6 +282,7 @@ If the `TRUSTED_PROXIES` approach does not work for you, try using fixed values
 - `OVERWRITECLIURL` (empty by default): Set the cli url of the proxy (e.g. https://mydnsname.example.com)
 - `OVERWRITEWEBROOT` (empty by default): Set the absolute path of the proxy.
 - `OVERWRITECONDADDR` (empty by default): Regex to overwrite the values dependent on the remote address.
+- `FORWARDED_FOR_HEADERS` (empty by default): HTTP headers with the original client IP address
 
 Check the [Nexcloud documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html) for more details.