sv1sjp

Nextcloud under docker with caddy webserver mariadb and mtls auth

Nextcloud under docker with caddy webserver mariadb and mtls auth

Install nextcloud-fpm with caddy2 docker container and caddy2 as reverse proxy on host

For starters i would like to thank Dimitris Vagiakakos @sv1sjp for his additions and corrections to the original post. Together with his additions for drive mountings,https redirect,file sharing and rescanning i also added the database selection section. So, read and enjoy

The official docker images of nextcloud comes in 2 versions.

One with a built-in apache web server and an fpm one for use with any web server we want and which is based on the php-fpm docker image and runs fastCGI-Process which serve the pages of Nextcloud.

In their examples they provide an example using nginx docker image.

Here we will see how to use it with a caddy2 webserver docker container which will return the http requests to the FastCGI-port of the container.


Creating docker-compose.yml

1
2
3
mkdir ncfpm
cd ncfpm
nano docker-compose.yml

paste

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
 version: '2'
  
 volumes:
   nextcloud:
   db:
   caddy_data:
 
 services:
   db:
     image: mariadb
     command: --transaction-isolation = READ-COMMITTED --binlog-format = ROW
     restart: unless-stopped
     volumes:
       - db: /var/lib/mysql
     environment:
       - MYSQL_ROOT_PASSWORD = root-pw
       - MYSQL_PASSWORD = pw
       - MYSQL_DATABASE = db
       - MYSQL_USER = user
 
   app:
      image: nextcloud: fpm
      links:
       - db
     volumes:
       - nextcloud: /var/www/html
     restart: unless-stopped
 
   web:
     image: caddy
     ports:
       - 8080: 80
     links:
       - app
      volumes:
        - ./Caddyfile:/etc/caddy/Caddyfile
        - caddy_data:/data
      volumes_from:
        - app
      restart: unless-stopped

save

1
2
3
ctrl + x
y
enter

Create a Caddyfile under current dir (ncfpm in our example)

nano Caddyfile

paste

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
: 80 {
 
         root * / var / www / html
         file_server
 
         php_fastcgi app: 9000
         header {
                 # enable HSTS
                 # Strict-Transport-Security max-age = 31536000;
         }
 
         redir /.well-known/carddav /remote.php/dav 301
         redir /.well-known/caldav /remote.php/dav 301
 
         # .htaccess / data / config / ... should not be accessible from outside
         @forbidden {
                 path /.htaccess
                 path / data / *
                 path / config / *
                 path / db_structure
                 path /.xml
                 path / README
                 path / 3rdparty / *
                 path / lib / *
                 path / templates / *
                 path / occ
                 path /console.php
         }
 
         respond @forbidden 404
 
 }

save

1
2
3
ctrl + x
y
enter

create the containers

docker-compose up -d

go to localhost:8080 create an admin account note down user name / password you’ll have to I had to rebuild you you forget this

allowed domains

The container supports all php occ commands but we must first declare user and container name.

docker ps

copy nextcloud:fpm container id

docker exec --user www-data container_id php occ config: system: set trusted_domains 2 --value = your_domain_name_here

docker stop container_id

docker start container_id

reverse proxy

if you have caddy2 on host

nano /etc/caddy/Caddyfile

add

1
2
3
your_domain_name: an_open_port {
    reverse_proxy localhost: 8080
}

rebuild

In case you need to rebuild the containers, you must delete what they have created

docker ps -a

copy cotnainer id

docker kill container_id

docker rm container_id

docker volume ls

copy volume id

docker volume inspect volume_id

copy mount point

ls mount_point

check what is inside if it is what you want to delete

docker volume rm volume_id

repeat for ncfpm_web_1, ncfpm_app_1, ncfpm_db_1

alternatevly

docker system prune

docker volume prune

docker image prune -a

rebuild with

docker-compose up -d

mount external storage on nextcloud: fpm docker container

You can mount your external drives, mapping their mount path to /var/www/html/data in the container.

1
2
3
volumes:
      - nextcloud:/var/www/html 
      - /media/TuxDriveA/nextcloud:/var/www/html/data

Redirect to https and trusted domains

Edit tye config/config.php file in the mapped nextcloud volume

1
2
3
4
5
6
7
8
9
'trusted_domains' => 
  array (
    0 => '192.168.1.210:8080',
    2 => 'cloud.v.flix',
  ),
'overwriteprotocol' => 'https',
'overwritewebroot' => '/',
overwrite.cli.url' => 'https://cloud.v.flix',
'trusted_proxies' => ['192.168.1.210'], #your ip

Select datatbase

The nextcloud default is sqlite.

For better performance we can choose mysql or postgres during the initial setup.

We have added the directive of mariadb which is a mysql database in docker-compose.

We need to tell nextcloud how to use it.

From storage & database in initial setup, select mysql and fill in the:

MYSQL_PASSWORD MYSQL_DATABASE MYSQL_USER

As you filled them in in compose file.

In the database url we need to fill the container name of the database and the port that runs internally in the container, we don’t need to expose the mariadb port to the host.

We can see this specific information with:

docker ps

In my case it is:

440d29c62efc mariadb "docker-entrypoint.s..." About an hour ago Up About an hour 3306/tcp nextcloud-nc-db-1

So in the database url field of the initial setup of nextcloud I will enter:

nextcloud-nc-db-1:3306

If you have chosen admin user and complete the setup without having selectimg another database you can delete the data folder and the config/config.php file and add the config/CAN_INSTALL file instead and run compose again to restart the initial setup from scratch.

You can also convert the db from the nextcloud cli

docs.nextcloud.com/server/latest/admin_manual/configuration_database/db_conversion.html

source

Android app

There was an open pull request for mutual TLS support Jere. Nextcloud team rejected it. There is a fork that merges that pull request in to a GH repo and creates apk releases here

Serverside, you can follow my Tut here to set up caddy reverse proxy to use mtls auth.

comments powered by Disqus