Nextcloud under docker with caddy webserver mariadb and mtls auth
Install nextcloud-fpm with caddy2 docker container and caddy2 as reverse proxy on host
For starters i would like to thank Dimitris Vagiakakos @sv1sjp for his additions and corrections to the original post. Together with his additions for drive mountings,https redirect,file sharing and rescanning i also added the database selection section. So, read and enjoy
The official docker images of nextcloud comes in 2 versions.
One with a built-in apache web server and an fpm one for use with any web server we want and which is based on the php-fpm docker image and runs fastCGI-Process which serve the pages of Nextcloud.
In their examples they provide an example using nginx docker image.
Here we will see how to use it with a caddy2 webserver docker container which will return the http requests to the FastCGI-port of the container.
Creating docker-compose.yml
1
2
3
mkdir ncfpm
cd ncfpm
nano docker-compose.yml
paste
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
version: '2'
volumes:
nextcloud:
db:
caddy_data:
services:
db:
image: mariadb
command: --transaction-isolation = READ-COMMITTED --binlog-format = ROW
restart: unless-stopped
volumes:
- db: /var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD = root-pw
- MYSQL_PASSWORD = pw
- MYSQL_DATABASE = db
- MYSQL_USER = user
app:
image: nextcloud: fpm
links:
- db
volumes:
- nextcloud: /var/www/html
restart: unless-stopped
web:
image: caddy
ports:
- 8080: 80
links:
- app
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- caddy_data:/data
volumes_from:
- app
restart: unless-stopped
save
1
2
3
ctrl + x
y
enter
Create a Caddyfile under current dir (ncfpm in our example)
nano Caddyfile
paste
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
: 80 {
root * / var / www / html
file_server
php_fastcgi app: 9000
header {
# enable HSTS
# Strict-Transport-Security max-age = 31536000;
}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# .htaccess / data / config / ... should not be accessible from outside
@forbidden {
path /.htaccess
path / data / *
path / config / *
path / db_structure
path /.xml
path / README
path / 3rdparty / *
path / lib / *
path / templates / *
path / occ
path /console.php
}
respond @forbidden 404
}
save
1
2
3
ctrl + x
y
enter
create the containers
docker-compose up -d
go to localhost:8080 create an admin account note down user name / password you’ll have to I had to rebuild you you forget this
allowed domains
The container supports all php occ commands but we must first declare user and container name.
docker ps
copy nextcloud:fpm container id
docker exec --user www-data container_id php occ config: system: set trusted_domains 2 --value = your_domain_name_here
docker stop container_id
docker start container_id
reverse proxy
if you have caddy2 on host
nano /etc/caddy/Caddyfile
add
1
2
3
your_domain_name: an_open_port {
reverse_proxy localhost: 8080
}
rebuild
In case you need to rebuild the containers, you must delete what they have created
docker ps -a
copy cotnainer id
docker kill container_id
docker rm container_id
docker volume ls
copy volume id
docker volume inspect volume_id
copy mount point
ls mount_point
check what is inside if it is what you want to delete
docker volume rm volume_id
repeat for ncfpm_web_1, ncfpm_app_1, ncfpm_db_1
alternatevly
docker system prune
docker volume prune
docker image prune -a
rebuild with
docker-compose up -d
mount external storage on nextcloud: fpm docker container
You can mount your external drives, mapping their mount path to /var/www/html/data in the container.
1
2
3
volumes:
- nextcloud:/var/www/html
- /media/TuxDriveA/nextcloud:/var/www/html/data
Redirect to https and trusted domains
Edit tye config/config.php file in the mapped nextcloud volume
1
2
3
4
5
6
7
8
9
'trusted_domains' =>
array (
0 => '192.168.1.210:8080',
2 => 'cloud.v.flix',
),
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
overwrite.cli.url' => 'https://cloud.v.flix',
'trusted_proxies' => ['192.168.1.210'], #your ip
Select datatbase
The nextcloud default is sqlite.
For better performance we can choose mysql or postgres during the initial setup.
We have added the directive of mariadb which is a mysql database in docker-compose.
We need to tell nextcloud how to use it.
From storage & database in initial setup, select mysql and fill in the:
MYSQL_PASSWORD MYSQL_DATABASE MYSQL_USER
As you filled them in in compose file.
In the database url we need to fill the container name of the database and the port that runs internally in the container, we don’t need to expose the mariadb port to the host.
We can see this specific information with:
docker ps
In my case it is:
440d29c62efc mariadb "docker-entrypoint.s..." About an hour ago Up About an hour 3306/tcp nextcloud-nc-db-1
So in the database url field of the initial setup of nextcloud I will enter:
nextcloud-nc-db-1:3306
If you have chosen admin user and complete the setup without having selectimg another database you can delete the data folder and the config/config.php file and add the config/CAN_INSTALL file instead and run compose again to restart the initial setup from scratch.
You can also convert the db from the nextcloud cli
docs.nextcloud.com/server/latest/admin_manual/configuration_database/db_conversion.html
Android app
There was an open pull request for mutual TLS support Jere. Nextcloud team rejected it. There is a fork that merges that pull request in to a GH repo and creates apk releases here
Serverside, you can follow my Tut here to set up caddy reverse proxy to use mtls auth.