Launching the Stack
Nextcloud - a personal cloud with a gallery, e-mail checking, online document editing, audio and radio playback, and so on. A demo can be seen here. It is a fork of OwnCloud, which I tried first and had no issues with; Nextcloud simply ships slightly more applications than I saw there.
```yaml
version: '3.7'
services:
  nextcloud:
    image: nextcloud:18.0.3-apache
    container_name: nextcloud
    restart: unless-stopped
    depends_on:
      - postgres
    networks:
      - nextcloud   # added: without this the app and the database sit on different networks
    ports:
      - '8080:80'
    volumes:
      - ./nextcloud:/var/www/html:rw
    logging:
      driver: json-file
      options:
        max-size: 100m
  postgres:
    image: postgres:11.7-alpine
    container_name: postgres
    restart: unless-stopped
    networks:
      - nextcloud
    volumes:
      - ./postgres:/var/lib/postgresql/data:rw
    environment:
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      # the password lives in the compose file itself; POSTGRES_PASSWORD_FILE plus a docker secret keeps it out of git
      - POSTGRES_PASSWORD=94dbd6b2-bd9f-4867-99af-37f8e4444640 # gitleaks:allow
    logging:
      driver: json-file
      options:
        max-size: 100m
networks:
  nextcloud: {}   # added: the network was referenced by postgres but never declared
```
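A small pre-commit check for the compose file, as an added example (not part of the original post): it reads the subset of compose syntax used above without a YAML library and flags an inline database password, a port published on every interface, and a network that is referenced but not declared. The two embedded compose texts are constructed for the example, with a placeholder in place of the real password; the hardened variant relies on the official postgres and nextcloud images honouring `POSTGRES_PASSWORD_FILE`.

```python
"""Check a docker-compose file for settings worth a second look before it is
committed: inline secrets in environment lists, ports published on every
interface, and networks that are referenced but never declared."""
import re

# Constructed sample, modelled on the compose file above; the password is a placeholder.
COMPOSE_AS_POSTED = """\
version: '3.7'
services:
  nextcloud:
    image: nextcloud:18.0.3-apache
    depends_on:
      - postgres
    ports:
      - '8080:80'
    volumes:
      - ./nextcloud:/var/www/html:rw
  postgres:
    image: postgres:11.7-alpine
    networks:
      - nextcloud
    environment:
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_PASSWORD=placeholder-not-a-real-secret # gitleaks:allow
"""

# Same stack with the three findings addressed (constructed).
COMPOSE_HARDENED = """\
version: '3.7'
services:
  nextcloud:
    image: nextcloud:18.0.3-apache
    networks:
      - nextcloud
    ports:
      - '127.0.0.1:8080:80'
  postgres:
    image: postgres:11.7-alpine
    networks:
      - nextcloud
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
    secrets:
      - db_password
networks:
  nextcloud: {}
secrets:
  db_password:
    file: ./secrets/db_password
"""

SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def parse_compose(text):
    """Read the subset of compose syntax used here (2-space indentation,
    '- item' lists, 'key: value' pairs). Deliberately not a YAML parser,
    so the check needs no third-party module."""
    services, top_networks = {}, set()
    section = service = subkey = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = stripped.split(" #")[0].strip()  # drop trailing comments
        if indent == 0:
            section, service, subkey = line.split(":")[0], None, None
        elif section == "networks" and indent == 2:
            top_networks.add(line.split(":")[0])
        elif section == "services":
            if indent == 2:
                service, subkey = line.split(":")[0], None
                services[service] = {}
            elif indent == 4:
                key, _, value = line.partition(":")
                subkey = key
                services[service].setdefault(subkey, [])
                if value.strip():
                    services[service][subkey].append(value.strip())
            elif indent >= 6 and subkey:
                item = line[2:] if line.startswith("- ") else line
                if subkey == "environment" and not line.startswith("- "):
                    k, _, v = item.partition(":")  # mapping form KEY: value
                    item = f"{k.strip()}={v.strip()}"
                services[service][subkey].append(item.strip("'\""))
    return services, top_networks


def audit_compose(text):
    """Return (service, finding, detail) tuples; an empty list means clean."""
    services, top_networks = parse_compose(text)
    findings = []
    for name, svc in services.items():
        for env in svc.get("environment", []):
            key, _, value = env.partition("=")
            # A *_FILE variable points at a mounted secret instead of carrying the value.
            if SECRET_KEY.search(key) and value and not key.endswith("_FILE"):
                findings.append((name, "inline-secret", key))
        for port in svc.get("ports", []):
            # 'HOST:CONTAINER' or a bare port binds every interface; 'IP:HOST:CONTAINER' does not.
            if port.count(":") < 2:
                findings.append((name, "port-all-interfaces", port))
        for net in svc.get("networks", []):
            if net not in top_networks:
                findings.append((name, "undefined-network", net))
    return findings


if __name__ == "__main__":
    for finding in audit_compose(COMPOSE_AS_POSTED):
        print("%-10s %-22s %s" % finding)
    print("hardened findings:", audit_compose(COMPOSE_HARDENED))
```

Binding the published port to 127.0.0.1 is the right choice for this stack because haproxy is the only thing that should talk to port 8080; the all-interfaces form bypasses the proxy and its TLS and header handling entirely.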
Notes
- Tried updating from 16.0.4.1 to 18.0.3 via 17.0.5; every attempt failed. I reinstalled instead, having first saved the files myself by downloading them from `./nextcloud/data/username/files`, and put them back through the client application's file synchronization.
- The admin account cannot be deleted through the UI. I created my own account and then tried to delete the default one, since I believe every account should be unique, no exceptions. It can be deleted like this:
```sh
sudo docker-compose exec -u www-data nextcloud php occ user:delete admin
```
- For WebDAV and CalDAV to work properly, add the following configuration to your haproxy configuration file:
```haproxy
global
    log 127.0.0.1 local0
    stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # runs as root; a dedicated haproxy user is the usual choice once the listeners are bound
    user root
    group root
    daemon
    maxconn 4096
    nbproc 1
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # general SSL config (only TLS 1.3 stays enabled; clients without it fail the handshake)
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
    tune.ssl.default-dh-param 4096
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
defaults
    log global
    mode http
    option http-buffer-request
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5s
    timeout client 25s
    timeout server 25s
    timeout tunnel 3600s
    timeout http-keep-alive 1s
    timeout http-request 15s
    timeout queue 30s
    timeout tarpit 60s
    compression algo gzip
    compression type text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/xml application/json
    errorfile 400 /usr/local/etc/haproxy/errors/400.http
    errorfile 403 /usr/local/etc/haproxy/errors/403.http
    errorfile 408 /usr/local/etc/haproxy/errors/408.http
    errorfile 500 /usr/local/etc/haproxy/errors/500.http
    errorfile 502 /usr/local/etc/haproxy/errors/502.http
    errorfile 503 /usr/local/etc/haproxy/errors/503.http
    errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend http_https
    bind :80
    bind :443 ssl crt /certificates/cloudflare.haproxy alpn h2,http/1.1
    # acls
    # the three ACLs below are referenced by the header rules but were missing from the
    # snippet; these definitions are assumed (request arrived over TLS / header not yet set)
    acl https ssl_fc
    acl forwarded_port req.hdr_cnt(X-Forwarded-Port) eq 0
    acl forwarded_proto req.hdr_cnt(X-Forwarded-Proto) eq 0
    acl dav path_reg -i ^/.well-known/(carddav|caldav).*$
    # fixed: the original repeated the dav regex here, so webfinger was never rewritten
    acl webfinger path_reg -i ^/.well-known/webfinger.*$
    # proxy headers
    http-request set-header X-Forwarded-Port %[dst_port] if forwarded_port
    # http-response set-header Access-Control-Allow-Credentials "true"
    http-request add-header X-Forwarded-Proto https if https forwarded_proto
    http-request replace-path (.*) /remote.php/dav if dav
    http-request replace-path (.*) /public.php?service=webfinger if webfinger
    # fixed: the backend is named nextcloud, not cloud
    default_backend nextcloud
backend nextcloud
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
    server default nextcloud:80 check
```
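To see what the `.well-known` rules above actually do before reloading the proxy, here is an added example (not from the original post) that models the frontend's ACL and `replace-path` sequence in Python: rules fire in order, a match replaces the whole path, and later ACLs see the rewritten path. It carries both the rule set as originally posted, where the `webfinger` ACL repeats the `dav` regex, and the corrected one; the expected targets are the ones this configuration intends, not a claim about any particular Nextcloud version.

```python
"""Model the frontend ACL and replace-path rules from the haproxy snippet above,
so the .well-known handling can be checked without a running proxy."""
import re

# HAProxy evaluates http-request rules in order; 'path_reg -i' is a case-insensitive
# regex over the path, and a matching 'replace-path (.*) X' replaces the whole path,
# which later ACLs then see. Each rule: (acl name, path regex, replacement).
RULES_AS_POSTED = [
    ("dav", r"^/.well-known/(carddav|caldav).*$", "/remote.php/dav"),
    # copy-paste slip in the original: same regex as the dav ACL
    ("webfinger", r"^/.well-known/(carddav|caldav).*$", "/public.php?service=webfinger"),
]
RULES_FIXED = [
    ("dav", r"^/.well-known/(carddav|caldav).*$", "/remote.php/dav"),
    ("webfinger", r"^/.well-known/webfinger.*$", "/public.php?service=webfinger"),
]

# Where each discovery endpoint is meant to land according to the configuration above.
EXPECTED = {
    "/.well-known/caldav": "/remote.php/dav",
    "/.well-known/carddav": "/remote.php/dav",
    "/.well-known/webfinger": "/public.php?service=webfinger",
}


def rewrite_path(path, rules):
    """Apply the rules sequentially; return (final path, names of ACLs that fired)."""
    fired = []
    for name, regex, replacement in rules:
        if re.search(regex, path, re.IGNORECASE):
            path = replacement
            fired.append(name)
    return path, fired


def discovery_report(rules):
    """Map each .well-known endpoint to True/False depending on whether the
    rule set sends it to the expected internal path."""
    return {src: rewrite_path(src, rules)[0] == dst for src, dst in EXPECTED.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        print(label, discovery_report(rules))
```

Running it shows the as-posted rules handling CalDAV and CardDAV discovery but leaving `/.well-known/webfinger` untouched, which is exactly the symptom a duplicated ACL regex produces; the same table is a convenient place to add any further rewrites before they go into the live configuration.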
- The login kept looping endlessly and only a page refresh (F5) let me in. On the PC the problem went away, but what about the Android client? It turned out you just need to add a magic word to your config and you can log in permanently.