Dockerised Caddy V2 + Nextcloud-FPM to create an unsecured Nextcloud instance

1. Caddy version (caddy version):

2.1.1

2. How I run Caddy:

a. System environment:

Docker on Ubuntu Desktop 18.4.04

b. Command:

sudo docker-compose up -d

c. Service/unit/compose file:

version: '2'

volumes:
  nextcloud:
  db:
  caddy_data:

services:
  db:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=ABC
      - MYSQL_PASSWORD=123
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud:fpm
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
    restart: always

  web:
    image: caddy
    ports:
      - 4444:80
    links:
      - app
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data   # Is this mandatory?
    volumes_from:
      - app
    restart: always

d. My complete Caddyfile or JSON config:

:80 {

        root    * /usr/local/www/nextcloud
        file_server
        log {
                output file     /var/log/mydomain.com.log
                format single_field common_log
        }

        php_fastcgi 127.0.0.1:9000

        header {
                # enable HSTS
                # Strict-Transport-Security max-age=31536000;
        }

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path    /.htaccess
                path    /data/*
                path    /config/*
                path    /db_structure
                path    /.xml
                path    /README
                path    /3rdparty/*
                path    /lib/*
                path    /templates/*
                path    /occ
                path    /console.php
        }

        respond @forbidden 404

}

3. The problem I’m having:

This thread follows on from the thread Dockerised Nextcloud+Apache web server behind a Caddy reverse proxy - #3 by basil. In that thread, I used a Nextcloud Base version - apache image sourced from Docker Hub to build a Nextcloud instance.

The Quick Reference Guide for Nextcloud on Docker Hub also refers to a Nextcloud image Base version - FPM, which requires another container to act as a webserver. The compose file example (reproduced below) used nginx for the webserver.

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud:fpm
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
    restart: always

  web:
    image: nginx
    ports:
      - 8080:80
    links:
      - app
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    volumes_from:
      - app
    restart: always

The example uses a configuration file nginx.conf, which I’ve included a reference to in Section 6: Links to relevant resources. Anyway, I tried the example and managed to get an insecure Nextcloud instance up very quickly.

I then thought to myself that it would be a useful exercise to see if I could replace nginx with Caddy as the webserver. This would require updating the web service section of the compose file. This is what led me to the compose file in Section 2c above.

I did search the forum to see if anyone has already gone down this path. I found this thread Caddy + Nextlcoud fpm, both in docker containers. However, that thread seemed to be for a secured Nextcloud instance and used Caddy V1.

I still needed a Caddyfile for the webserver (the equivalent of nginx.conf). I was already aware of this forum thread Help to migrate Caddyfile V1 to V2 for Nextcloud and based the Caddyfile at step 2d above on the solution for that thread.

4. Error messages and/or full log output:

Trying to access the unsecured Nextcloud instance throws up the error shown below.

Log output from the webserver below.

administrator@ubuntu-test-bhyve:~/ncfpm$ sudo docker logs -f ncfpm_web_1
{"level":"info","ts":1597079779.6737692,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1597079779.6994681,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
{"level":"info","ts":1597079779.7013721,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1597079779.7069006,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1597079779.707641,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1597079779.7077985,"msg":"serving initial configuration"}
2020/08/10 17:16:19 [INFO][cache:0xc00023fd40] Started certificate maintenance routine

5. What I already tried:

I tried with and without the volume - caddy_data:/data # Is this mandatory? in the compose file. It made no difference.

I wasn’t sure whether the address used in the Caddyfile was correct. I tried both :80 and :4444, but neither made any difference.

6. Links to relevant resources:

  1. Dockerised Nextcloud+Apache web server behind a Caddy reverse proxy - #3 by basil

  2. Quick Reference Guide for Nextcloud on Docker Hub

  3. nginx.conf

  4. Caddy + Nextlcoud fpm, both in docker containers

  5. Help to migrate Caddyfile V1 to V2 for Nextcloud

Yes, if you don’t want to lose your certificates and keys for your domains and potentially hit rate limits if the container restarts in a tight loop due to some error.

This assumes php-fpm is running in the same container as Caddy. 127.0.0.1 will only connect to things in the same container. In Docker, typically I name the container that runs php-fpm "php-fpm". So you would use php_fastcgi php-fpm:9000.

In your case, since nextcloud comes with fpm with that image flavor, you should be able to use app:9000 instead? Make sure that Caddy has access to the same /var/www/html volume, because it needs to be aware of which files exist on disk to properly handle the rewrites and fastcgi communication.


Is this still true if the Nextcloud instance is unsecured (no SSL)?

Yes! Yes! Yes! I’ve learnt something new. The working V2 Caddyfile:

:80 {

        root    * /var/www/html
        file_server

        php_fastcgi app:9000
        header {
                # enable HSTS
                # Strict-Transport-Security max-age=31536000;
        }

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        # .htaccess / data / config / ... shouldn't be accessible from outside
        @forbidden {
                path    /.htaccess
                path    /data/*
                path    /config/*
                path    /db_structure
                path    /.xml
                path    /README
                path    /3rdparty/*
                path    /lib/*
                path    /templates/*
                path    /occ
                path    /console.php
        }

        respond @forbidden 404

}
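The @forbidden block in the working Caddyfile above mixes exact patterns (/.htaccess, /occ) with trailing-wildcard patterns (/data/*, /config/*), and the difference decides what is actually hidden. The script below is an added example, not code from this thread or from Caddy: it models just the two Caddy v2 path-matcher rules the block relies on (a pattern ending in * is a prefix match on the part before the *, anything else must equal the request path exactly) and runs constructed sample requests through it. Case handling of the matcher has differed between Caddy releases, so the model compares case-sensitively and that is an assumption rather than a statement about a specific version. The FORBIDDEN_WITH_DOTFILES list, which appends a /.* pattern, is a hypothetical extension to show how a trailing wildcard turns "/." into a prefix and catches every dotfile in the web root.

```python
# Added example (not from the thread, nor Caddy's own code): a small model of
# the two `path` matcher rules the @forbidden block relies on, used to audit
# which request paths the block really answers with 404.
#
# Modelled Caddy v2 path-matcher semantics (assumption: only these two rules):
#   - a pattern ending in "*" is a prefix match on the text before the "*"
#   - any other pattern must equal the request path exactly
# The comparison is case-sensitive here; Caddy's own behaviour on case has
# changed across releases, so no claim is made about a particular version.

# Patterns copied verbatim from the working Caddyfile above.
FORBIDDEN = [
    "/.htaccess", "/data/*", "/config/*", "/db_structure", "/.xml",
    "/README", "/3rdparty/*", "/lib/*", "/templates/*", "/occ", "/console.php",
]

# Hypothetical extension (assumption, not from the thread): a trailing "*"
# makes "/." a prefix match, so every dotfile in the web root is caught.
FORBIDDEN_WITH_DOTFILES = FORBIDDEN + ["/.*"]


def caddy_path_matches(pattern: str, request_path: str) -> bool:
    """Apply one Caddy `path` pattern to a request path (modelled semantics)."""
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return request_path == pattern


def is_forbidden(request_path: str, patterns=FORBIDDEN) -> bool:
    """True if `respond @forbidden 404` would answer this request."""
    return any(caddy_path_matches(p, request_path) for p in patterns)


def audit(paths, patterns=FORBIDDEN):
    """Map each sample path to whether the matcher blocks it."""
    return {p: is_forbidden(p, patterns) for p in paths}


# Constructed sample requests against a Nextcloud web root. The first group
# are files Nextcloud ships or writes there; the second are front-controller
# routes that must stay reachable.
SAMPLE_PATHS = [
    "/config/config.php",           # database credentials, instance secret
    "/data/admin/files/notes.txt",  # user files on disk
    "/occ",
    "/.htaccess",
    "/.user.ini",                   # ships next to .htaccess; exact pattern misses it
    "/data",                        # no trailing slash: prefix "/data/" does not apply
    "/index.php",
    "/remote.php/dav",
    "/status.php",
]

if __name__ == "__main__":
    for path, blocked in audit(SAMPLE_PATHS).items():
        print(f"{'404 ' if blocked else 'pass'}  {path}")
    print("/.user.ini with /.* added:",
          is_forbidden("/.user.ini", FORBIDDEN_WITH_DOTFILES))
```

Run it once against your own list before exposing the stack; it is the matcher logic, not a network test, so it tells you what the Caddyfile intends rather than what the container answers. Note that /.* also prefix-matches /.well-known/carddav and /.well-known/caldav; the two redir lines in the Caddyfile sort before respond in Caddy's default directive order, so those two keep redirecting, but confirm that with a real request against the version you run.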

There’s no harm in keeping the volume persisted anyways. Caddy may store other things than just TLS information.

