From fc824f30fb1c03eb635d61015ac51fcb521af2b9 Mon Sep 17 00:00:00 2001
From: Timothee Gosselin <timothee@indie.host>
Date: Wed, 6 Nov 2019 13:23:53 +0100
Subject: [PATCH] update web container

---
 web/Dockerfile                 | 10 +++----
 web/docker-entrypoint.sh       |  6 ++++
 web/{nginx.conf => nginx.tmpl} | 51 +++++++++++++++++++---------------
 3 files changed, 38 insertions(+), 29 deletions(-)
 create mode 100755 web/docker-entrypoint.sh
 rename web/{nginx.conf => nginx.tmpl} (64%)

diff --git a/web/Dockerfile b/web/Dockerfile
index 9cf7abe..467a655 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -1,6 +1,4 @@
-ARG VERSION=latest
-FROM unteem/nextcloud:$VERSION as builder
-FROM nginx:latest
-COPY --from=builder /usr/src/nextcloud /usr/src/nextcloud
-RUN chown -R 33:33 /usr/src/nextcloud
-COPY nginx.conf /etc/nginx.conf
+FROM indiehosters/nextcloud:16.0.5 as builder
+FROM nginx 
+COPY --from=builder /var/www/html /var/www/html 
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/web/docker-entrypoint.sh b/web/docker-entrypoint.sh
new file mode 100755
index 0000000..8ed3130
--- /dev/null
+++ b/web/docker-entrypoint.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+set -eu
+
+envsubst '${SERVER_HOST} ${SERVER_PORT}' < /etc/nginx/nginx.tmpl > /etc/nginx/nginx.conf
+
+exec "$@"
diff --git a/web/nginx.conf b/web/nginx.tmpl
similarity index 64%
rename from web/nginx.conf
rename to web/nginx.tmpl
index 560a14f..b75fd13 100644
--- a/web/nginx.conf
+++ b/web/nginx.tmpl
@@ -6,22 +6,27 @@ events {
 
 http {
   upstream backend {
-      server app:9000;
+    server ${SERVER_HOST}:${SERVER_PORT};
   }
   include /etc/nginx/mime.types;
   default_type application/octet-stream;
 
-  server {
+    server {
+    set_real_ip_from  10.0.0.0/8;
+    set_real_ip_from  172.16.0.0/12;
+    set_real_ip_from  192.168.0.0/16;
+    real_ip_header  X-Forwarded-For;
     listen 80;
-    
+
     # Add headers to serve security related headers
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Robots-Tag none;
     add_header X-Download-Options noopen;
     add_header X-Permitted-Cross-Domain-Policies none;
+    add_header Referrer-Policy no-referrer;
 
-    root /usr/src/nextcloud;
+    root /var/www/html;
 
     location = /robots.txt {
       allow all;
@@ -30,37 +35,36 @@ http {
     }
 
     location = /.well-known/carddav {
-      return 301 $scheme://$host/remote.php/dav;
+      return 301 https://$host/remote.php/dav;
     }
     location = /.well-known/caldav {
-      return 301 $scheme://$host/remote.php/dav;
+      return 301 https://$host/remote.php/dav;
     }
 
     client_max_body_size 1G;
     fastcgi_buffers 64 4K;
 
-    gzip off;
+    gzip off; # handled at haproxy level
 
-    index index.php;
-    error_page 403 /core/templates/403.php;
-    error_page 404 /core/templates/404.php;
- 
     location / {
-        rewrite ^ /index.php$uri;
+        rewrite ^ /index.php;
     }
 
-    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
         deny all;
     }
-    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+
+    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
         deny all;
     }
 
-    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
-        include fastcgi_params;
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
         fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        try_files $fastcgi_script_name =404;
+        set $path_info $fastcgi_path_info;
+        include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param PATH_INFO $path_info;
         fastcgi_param HTTPS on;
         #Avoid sending the security headers twice
         fastcgi_param modHeadersAvailable true;
@@ -70,16 +74,16 @@ http {
         fastcgi_request_buffering off;
     }
 
-    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
         try_files $uri/ =404;
         index index.php;
     }
 
     # Adding the cache control header for js and css files
     # Make sure it is BELOW the PHP block
-    location ~* \.(?:css|js)$ {
-        try_files $uri /index.php$uri$is_args$args;
-        add_header Cache-Control "public, max-age=7200";
+    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        try_files $uri /index.php$request_uri;
+        add_header Cache-Control "public, max-age=15778463";
         # Add headers to serve security related headers (It is intended to
         # have those duplicated to the ones above)
         # Before enabling Strict-Transport-Security headers please read into
@@ -92,12 +96,13 @@ http {
         add_header X-Robots-Tag none;
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy no-referrer;
         # Optional: Don't log access to assets
         access_log off;
     }
 
-    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
-        try_files $uri /index.php$uri$is_args$args;
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        try_files $uri /index.php$request_uri;
         # Optional: Don't log access to other assets
         access_log off;
     }
-- 
GitLab