Caddy + Nextlcoud fpm, both in docker containers

KopfKrieg · January 9, 2019, 3:37pm

Hey everyone,

I’d like to setup Caddy with Nextcloud, but everything I try only results in errors.

I’m using abiosoft’s docker image for Caddy and the official Nextcloud fpm docker image for, well, Nextcloud. Unfortunately I can’t seem to get Caddy and Nextcloud working together.

My docker-compose looks like this (I’ve stripped down the whole thing):

version: "2"

services:
  caddy:
    image: abiosoft/caddy:php
    container_name: caddy
    restart: always
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      CADDYPATH: "/etc/caddycerts"
      ACME_AGREE: "true"
    volumes:
      - /root/compose/caddy/Caddyfile:/etc/Caddyfile
      - /root/compose/caddy/certs:/etc/caddycerts
      - /root/compose/caddy/www:/srv
      - /var/www/nextcloud:/var/www/html

  nextcloud:
    image: nextcloud:15-fpm
    container_name: nextcloud
    restart: always
    networks:
      - proxy
    volumes:
      - /var/www/nextcloud:/var/www/html

networks:
  proxy:
    external: true

And my Caddyfile looks like this (again, a stripped down version only showing the necessary, configuration is take from the official caddy examplefiles):

example.org {
    tls mail@example.org

    on startup php-fpm7

    root    /var/www/html
    errors  /var/www/html/errors.log
    log     /var/www/html/access.log
    browse

    fastcgi / nextcloud:9000 {
        env PATH /bin
    }

    header / {
         Strict-Transport-Security "max-age=15768000;"
    }

    # checks for images
        rewrite {
            ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
        r ^/index.php/(.+)$
        to /{1} /index.php?{1}
    }

    rewrite {
                r ^/\.well-known/host-meta$
                to /public.php?service=host-meta&{query}
        }
    rewrite {
                r ^/\.well-known/host-meta\.json$
                to /public.php?service=host-meta-json&{query}
        }
    rewrite {
                r ^/\.well-known/webfinger$
                to /public.php?service=webfinger&{query}
        }

    rewrite {
        r ^/index.php/.*$
        to /index.php?{query}
    }

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/carddav 301
    redir /.well-known/caldav /remote.php/caldav 301

    # remove trailing / as it causes errors with php-fpm
    rewrite {
        r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)(\/?)$
        to /remote.php/{1}
    }

    rewrite {
        r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)(\/?)$
        to /remote.php/{1}/{2}
    }

    rewrite {
        r ^/public.php/(dav|webdav|caldav|carddav)(\/?)(\/?)$
        to /public.php/{1}
    }

    rewrite {
        r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)(\/?)$
        to /public.php/{1}/{2}
    }

    # .htaccess / data / config / ... shouldn't be accessible from outside
    status 403 {
        /.htaccess
        /data
        /config
        /db_structure
        /.xml
        /README
    }
}

But unfortunately, if I execute the whole thing, my browser shows only a “Access denied.”. Caddy redirects the traffic without any issues, but the nextcloud container shows the following (from docker-compose logs):

nextcloud    | [09-Jan-2019 15:23:23] NOTICE: fpm is running, pid 1
nextcloud    | [09-Jan-2019 15:23:23] NOTICE: ready to handle connections
nextcloud    | [09-Jan-2019 15:23:29] WARNING: [pool www] child 17 said into stderr: "NOTICE: Access to the script '/var/www/html' has been denied (see security.limit_extensions)"
nextcloud    | 172.21.0.5 -  09/Jan/2019:15:23:29 +0000 "GET /" 403
nextcloud    | 172.21.0.5 -  09/Jan/2019:15:23:29 +0000 "GET /" 403
nextcloud    | [09-Jan-2019 15:23:29] WARNING: [pool www] child 18 said into stderr: "NOTICE: Access to the script '/var/www/html' has been denied (see security.limit_extensions)"

Anyone got an idea on how to solve this? Or does anyone know how to use Caddy’s fpm module with an external container running php?! I’m trying since days to get any results but no matter what I try, it always fails the same way.

And I’d really like to use Nextcloud fpm.

Whitestrake · January 10, 2019, 12:16am

Hi @KopfKrieg, welcome to the Caddy community! Lets take a look…

nextcloud | [09-Jan-2019 15:23:29] WARNING: [pool www] child 18 said into stderr: "NOTICE: Access to the script '/var/www/html' has been denied (see security.limit_extensions)"

Seems like the FPM container is trying to execute a directory as a PHP script, but by default, FPM doesn’t allow you to execute PHP scripts that don’t actually end in .php. On top of that, the directory is clearly not a PHP script to begin with, so this request would fail even if the extensions limit weren’t enforced.

Your fastcgi directive:

is missing the php preset present in the examples repository:

	fastcgi / 127.0.0.1:9000 php {
		env PATH /bin
	}

This preset configures a few things - including ensuring only PHP files should be proxied through FastCGI, and that index.php should be used for index requests. Try adding this preset back in.

https://caddyserver.com/docs/fastcgi#presets

One other question,

If you’re using Nextcloud’s FPM container, why are you starting an FPM process inside the Caddy container as well?

KopfKrieg · January 10, 2019, 3:37am

Thank you very much for your input, it’s working now. Since days I’m trying to figure out why it wouldn’t work, and in the end it was the php preset you mentioned what I forgot.

The irony is, I read the docs to fastcgi (not only once, but a few times), I know about the preset, but somehow managed to not include it into my Caddyfile.

One other question,

on startup php-fpm7

If you’re using Nextcloud’s FPM container, why are you starting an FPM process inside the Caddy container as well?

Because I was desperate and did not know anymore what’s necessary to make php work

Again, thank you very much. I literally stared at the config file for days and couldn’t figure out what’s wrong.

EDIT: Is there a way to mark this topic as solved?

Whitestrake · January 10, 2019, 4:18am

You’re welcome!

Sure is. Click the overflow menu (three dots) beneath the solution and click the checkbox

KopfKrieg · January 10, 2019, 2:25pm

Ah, great, thank you.

Before I close the thread, just one more question: Usually, I’d like to have URLs in the style of example.com/apps/files instead of example.com/index.php/apps/files (this is what’s currently shown in the URL bar). Is there an easy way to achieve this?

Whitestrake · January 10, 2019, 11:44pm

In my Nextcloud installation’s .htaccess file, near the end, is this line:

RewriteRule . index.php [PT,E=PATH_INFO:$1]

Which looks like it does two things:

Rewrites to index.php
Sets the PHP PATH_INFO variable manually for this request

You can try the Caddy equivalent of this fallback rewrite:

rewrite {
  to {path} {path}/ index.php
}

I am not sure if a setup with Caddy will require the PATH_INFO variable manipulation like Apache does.

KopfKrieg · January 11, 2019, 10:10am

Thanks, I haven’t figured out (yet) how exactly this works, but I’ll take a look at the docs later.

system · April 11, 2019, 10:10am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.