Implement internal mode #4912
Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
Hi, thanks for the PR!
I fear this is only going to work if you skip the domain validation. Also I think this is currently going to break here: all-in-one/Containers/mastercontainer/start.sh, lines 182 to 186 in 3c8cb2b
Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
Fix
According to:
If reverse proxy points correctly to
But the Caddy Community Container is set up after validation, so it will not work. The reverse proxy must be configured before validation.
No, it will not because it would need to point at
Yes, the Caddy community container works differently...
What is the purpose of the domain validations?
Hi all,

On my Arch Linux server, I am running several docker compose stacks and one of them is NC AiO and another one is for HAProxy to serve as reverse proxy in front of all web services, including TLS termination. My HAProxy config has the following lines in the HTTPS frontend

and the following backend

With this setup, I got AiO installed, including the domain verification, using HAProxy as a reverse proxy running on the same host in a different container. I would say that things work; the only issue that I still encounter is the login rate limit, which I do not know if it is legitimate (I am under brute force attack) or if it is due to my setup.

Can my setup inspire a solution for this topic? Thanks,
I don't know how to resolve this issue. Disabling https://apps.nextcloud.com/apps/bruteforcesettings fixes the warning message. I don't know if you've read it yet, but it might help: Static IP for docker containers: https://www.baeldung.com/ops/docker-assign-static-ip-container

Sample (not tested):

```yaml
services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      # Internal mode: Apache binds only on the docker network, not on the host
      - APACHE_IP_BINDING=@INTERNAL
      - APACHE_PORT=80
    networks:
      - nextcloud-aio

  caddy:
    image: caddy:alpine
    restart: always
    container_name: my-caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
    ports:
      - "80:80"
      - "443:443"
    networks:
      nextcloud-aio:
        # fixed address so it can be listed in trusted_proxies
        ipv4_address: 10.9.8.7

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

networks:
  nextcloud-aio:
    name: nextcloud-aio
    driver: bridge
    ipam:
      config:
        - subnet: 10.9.8.0/24
          gateway: 10.9.8.1
```

Caddyfile:

```
https://mycloud.com:443 {
    reverse_proxy {
        # first healthy upstream wins: Apache once installed, domaincheck before
        to http://nextcloud-aio-apache:80 http://nextcloud-aio-domaincheck:80
        lb_policy first
        health_uri /
        health_port 80
        health_interval 60s
    }
}
```

config.php:

```php
$CONFIG = array (
  'trusted_proxies' => ['10.9.8.7'],
  'overwritehost' => 'my-caddy',
  'overwriteprotocol' => 'http'
);
```
@matteoipri I have a similar setup (swag instead of HAProxy) including an additional network just for frontends.

client -1-> swag -2-> caddy -3-> nextcloud
1 LAN/WAN

While caddy is automatically marked as a trusted proxy, this ain't the case for your HAProxy.
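The trusted-proxy point above decides which address a login throttle actually sees. The following is an added example, not code from the all-in-one project or from any commenter: a simplified model (an assumption about the general mechanism, not the project's implementation) of how an application behind a reverse proxy resolves the client address, honouring X-Forwarded-For only when the TCP peer is listed in `trusted_proxies`. The Caddy address 10.9.8.7 comes from the compose sample above; the HAProxy address 10.9.8.50 and the 203.0.113.x / 198.51.100.x client addresses are constructed.

```python
import ipaddress

# Simplified model (assumption, not the project's own code) of how an app
# behind a reverse proxy resolves the client address: the X-Forwarded-For
# header is honoured only when the TCP peer is listed in trusted_proxies.


def parse_trusted(entries):
    """Accept single addresses or CIDR ranges, as a trusted_proxies list does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(ip_text, trusted_nets):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in trusted_nets)


def effective_client_ip(peer_ip, xff_header, trusted_entries):
    """Return the address a login throttle should key on.

    peer_ip: address of the TCP connection (the proxy, or a direct client).
    xff_header: raw X-Forwarded-For value, or None when absent.
    """
    trusted = parse_trusted(trusted_entries)
    if not xff_header or not is_trusted(peer_ip, trusted):
        # Untrusted peer: the header is client-controlled, so ignore it.
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left past trusted hops; the first untrusted one is the client.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer_ip  # malformed hop: fall back to the peer address
    # Every hop was a trusted proxy: the leftmost is the originating one.
    return hops[0] if hops else peer_ip


def throttle_keys(requests, trusted_entries):
    """Count attempts per effective client address, as a brute-force limiter would."""
    counts = {}
    for peer, xff in requests:
        key = effective_client_ip(peer, xff, trusted_entries)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: three different clients log in through an HAProxy
# container at 10.9.8.50 (constructed address) on the nextcloud-aio network.
HAPROXY_IP = "10.9.8.50"
CADDY_IP = "10.9.8.7"  # static address from the compose sample above
LOGIN_ATTEMPTS = [
    (HAPROXY_IP, "203.0.113.10"),
    (HAPROXY_IP, "203.0.113.11"),
    (HAPROXY_IP, "203.0.113.12"),
]

if __name__ == "__main__":
    # Only Caddy trusted: all three clients collapse onto HAProxy's address,
    # so one shared counter trips the limiter for everyone.
    print(throttle_keys(LOGIN_ATTEMPTS, [CADDY_IP]))
    # HAProxy added to trusted_proxies: each client is counted separately.
    print(throttle_keys(LOGIN_ATTEMPTS, [CADDY_IP, HAPROXY_IP]))
    # A direct connection with a forged header is never trusted.
    print(effective_client_ip("198.51.100.7", "10.9.8.7", [CADDY_IP]))
```

With only Caddy trusted, every login through HAProxy is attributed to 10.9.8.50, which is the pattern behind a rate limit that hits all users at once; listing the HAProxy address (or its subnet) in `trusted_proxies` restores per-client counting, while a direct connection presenting a forged header keeps its real peer address.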
add sample for @internal Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
So my problem with this in general is that the reverse proxy documentation is already very complicated because it offers many options. Adding yet another method will not make it easier to understand... We can add this, but let's not document this for now.
…emove legacy code Signed-off-by: Simon L. <szaimen@e.mail.de>
Signed-off-by: Simon L. <szaimen@e.mail.de>
LGTM. Thanks a lot @docjyJ!
This is now released with v9.2.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
Work without domain validation
It allows you not to expose the AIO servers when you use a reverse proxy attached to the docker aio network.
It is useful for filtering access to all AIO services (with Forward Auth and a Community Container).
And it prevents the proxy from being bypassed.
Sample compose.yaml:
I do not think that services exposed on the host are a real issue, but in terms of security and isolation it is an appropriate improvement.