[Support] Linuxserver.io - Nextcloud


On 1/26/2024 at 8:41 AM, juleztb said:

Hi!
Anyone else experiencing the problem that nextcloud stays in maintenance mode after an automatic update?

I use mine mainly as a central hub for backups from phone and PC. But sometimes I recognize after several days that my backups didn't run and that my secondary backups to a cloud drive haven't seen any changes in days.

It's only then I see, that nextcloud stayed in maintenance mode again.

As this destroys my backup strategy it's quite annoying.

Someone got an idea how to stop that from happening? Afaik since a few versions ago, updates are automatically run when unraid recognizes a new version and the container gets restarted. Before that it was a manual process and therefore no problem. But now...

Thanks in advance!


Yes, I have the same issue.  It is particularly annoying as the ls.io team doesn't seem to be demonstrating ANY consistency in how they push the updates.  Sometimes they build the container after maintenance mode has been disabled, sometimes before.  Manually updating may not have been as smooth, but it was far more predictable and I wish we could go back.

As it stands now, it is a complete shit-show, for lack of a better term.  It is completely unpredictable and the only way around it is to verify you are out of maintenance mode after every update and run the following if not.

docker exec -it nextcloud occ maintenance:mode --off


I would also suggest disabling the automatic container updates, you'll break something at some point at an inconvenient time by allowing updates to just blow through at random times.


Hi guys,

I'm trying to move 

/mnt/user/somewhere_on_your_array/nextcloud_data/files_external/rootcerts.crt

to

/mnt/user/appdata/nextcloud/data/files_external/rootcerts.crt

but I'm kind of a noob about unraid and docker containers.

This is what I came across while searching for this topic:

  • stop the nextcloud container
  • copy /mnt/user/somewhere_on_your_array/nextcloud_data/files_external/rootcerts.crt to /mnt/user/appdata/nextcloud/data/files_external/rootcerts.crt (you would need to create the folders first)
  • Add a volume to your nextcloud container to map /data/files_external/rootcerts.crt to /mnt/user/appdata/nextcloud/data/files_external/rootcerts.crt
  • start the container and see if it works as desired

but honestly I don't know how the third step works.

Can you please tell me how to do that?

Thank you :D

I have the same error with the missing SVG support.
@blaine07 do I understand the github page correctly, that it will be added later? I'm a bit confused how to fix it or whether I need to fix the issue.
Edit:
I've found the answer in the IO Discord by Driz - you could install the needed package via Docker Mods:

Quote

with that said, we do not include imagemagick-svg (and never have) you can install it using https://github.com/linuxserver/docker-mods/tree/universal-package-install

package name looks like imagemagick-svg

Edited by gilladur
On 3/13/2024 at 12:13 PM, gilladur said:

I have the same error with the missing SVG support.
@blaine07 do I understand the github page correctly, that it will be added later? I'm a bit confused how to fix it or whether I need to fix the issue.
Edit:
I've found the answer in the IO Discord by Driz - you could install the needed package via Docker Mods:

So is Linuxserver.io NEVER going to include it either? I hate to do a bunch myself only for them to do it later?

Edit: so, are you going to do this? Can you show screen shot of how you add it to your nextcloud container? Kind of confused with instructions...

Edited by blaine07

I've actually done it already and the warning is gone 🙂 but I agree the documentation is quite hard to overlook.


Basically, you just need to set up these two variables in the container in two steps...

1. add the universal-package-install Mod by adding a new variable to the container (2. screenshot)

linuxserver/mods:universal-package-install

2. save -> apply which restarts the Docker

3. Add a new variable "Install Packages" which lists the stuff for the mod to be installed on the next restart, in our case: imagemagick-svg

After save and apply, the package should be installed during restart of the container and the warning should be gone.
This should also be shown in the container logs.

There is a good video on how to use these Mods, particularly useful for the SWAG container - but the approach is the same:


hope that helps 🙂

Edited by gilladur
Edit due to the fact that the "universal-docker" mod is not necessary (checked by blaine07), as included in the first version. In general, you can add several mods to the "Value" string of any linuxserver.IO container - for a deeper example, check the vid.
14 hours ago, gilladur said:

I've actually done it already and the warning is gone 🙂 but I agree the documentation is quite hard to overlook.

In general, you just need to set up these two variables in the container in three steps...

1. add the general Mod by adding a new variable to the container (2. screenshot)

linuxserver/mods:universal-docker

(maybe this is not necessary but, as far as I understood, you need to add this universal mod first, to get the other running)

2. save -> apply which restarts the Docker

3. edit the container and variable again, and add to the variable the linuxserver/mods:universal-package-install Mod.
Important is the "|" separator between the two mods - simply change it to this line and restart the docker container by doing the usual save -> apply:

linuxserver/mods:universal-docker|linuxserver/mods:universal-package-install

4. Add a new variable "Install Packages" which lists the stuff for the mod to be installed on the next restart, in our case: imagemagick-svg

After save and apply, the package should be installed during restart of the container and the warning should be gone.
This should also be shown in the container logs.

There is a good video on how to use these Mods, particularly useful for the SWAG container - but the approach is the same:


hope that helps 🙂

Thank you, SO MUCH! It definitely does work. I wonder if it has to install these other "extra" 13 packages though?

I wonder what happens if you just did "linuxserver/mods:universal-package-install" and NOT "linuxserver/mods:universal-docker|linuxserver/mods:universal-package-install"?

2 hours ago, blaine07 said:

Thank you, SO MUCH! It definitely does work. I wonder if it has to install these other "extra" 13 packages though?

I wonder what happens if you just did "linuxserver/mods:universal-package-install" and NOT "linuxserver/mods:universal-docker|linuxserver/mods:universal-package-install"?


Did it like this: linuxserver/mods:universal-package-install

Seemed to work WITHOUT doing: linuxserver/mods:universal-docker

I think?

Any tips to make Nextcloud faster?
It's really hard to use the web UI in my case: when I enter a folder with images the page freezes, sometimes the server dies and I need to restart the container.
My setup is:

* mariadb in separate container (appdata on cache drive)

* linuxserver container connected to MariaDB (appdata on cache drive)

I think the problem with my setup is that user data (Nextcloud files) is stored on the array. I am thinking of moving it to the cache to speed things up, but in that scenario I will lose parity protection.
On 3/16/2024 at 2:31 PM, maTTi said:

Any tips to make Nextcloud faster?
It's really hard to use the web UI in my case: when I enter a folder with images the page freezes, sometimes the server dies and I need to restart the container.
My setup is:

* mariadb in separate container (appdata on cache drive)

* linuxserver container connected to MariaDB (appdata on cache drive)

I think the problem with my setup is that user data (Nextcloud files) is stored on the array. I am thinking of moving it to the cache to speed things up, but in that scenario I will lose parity protection.

Try to use redis. It is not that much work and helped at least with my setup a lot.

1. Install a redis docker and follow the configuration instructions for it (or watch a youtube video).

2. Amend your nextcloud config.php as shown here: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html

Try other things; here is a random reddit thread:

I'm using the nextcloud and swag containers from linuxserver.io for years now. But with the update to nextcloud 28.0.3 I get two annoying security warnings I just can't get rid of:

The "X-Robots-Tag" HTTP header is not set to "noindex, nofollow". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

Looking at the different *.conf files, I can't see that the headers for that are missing or misconfigured.

Do I check the right *.conf files? I deleted the default ones and got new ones with the restart of the container...

Here are the *.conf files I checked:

appdata -> nextcloud -> nginx -> site-confs -> default.conf

## Version 2024/01/03 - Changelog: https://github.com/linuxserver/docker-nextcloud/commits/master/root/defaults/nginx/site-confs/default.conf.sample

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name _;

    include /config/nginx/ssl.conf;

    root /app/www/public;

    # display real ip in nginx logs when connected through reverse proxy via docker network
    set_real_ip_from 172.16.0.0/12;
    real_ip_header X-Forwarded-For;

    # https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx

    # set max upload size and increase upload timeout:
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml text/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;

        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
        fastcgi_param front_controller_active true;     # Enable pretty urls
        fastcgi_pass 127.0.0.1:9000;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    # Serve static files
    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off;     # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }

    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
        access_log off;     # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        # enable for basic auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        try_files $uri $uri/ /index.php$request_uri;
    }

    # deny access to .htaccess/.htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

appdata -> nextcloud -> nginx -> ssl.conf

## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample

### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7

ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
#add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
#ssl_stapling on;
#ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /config/keys/cert.crt;

# Optional additional headers
add_header Cache-Control "no-transform" always;
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-UA-Compatible "IE=Edge" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;

appdata -> nextcloud -> nginx -> nginx.conf

## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample

### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable

user abc;

# Set number of worker processes automatically based on number of CPU cores.
include /config/nginx/worker_processes.conf;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /config/log/nginx/error.log;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;

events {
    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
}

http {
    # Includes mapping of file name extensions to MIME types of responses
    # and defines the default type.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Name servers used to resolve names of upstream servers into addresses.
    # It's also needed when using tcpsocket and udpsocket in Lua modules.
    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
    include /config/nginx/resolver.conf;

    # Don't tell nginx version to the clients. Default is 'on'.
    server_tokens off;

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    client_max_body_size 0;

    # Sendfile copies data between one FD and other from within the kernel,
    # which is more efficient than read() + write(). Default is off.
    sendfile on;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames. Default is 'off'.
    tcp_nopush on;

    # all ssl related config moved to ssl.conf
    # included in server blocks where listen 443 is defined

    # Enable gzipping of responses.
    #gzip on;

    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
    gzip_vary on;

    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Sets the path, format, and configuration for a buffered log write.
    access_log /config/log/nginx/access.log;

    # Includes virtual hosts configs.
    include /etc/nginx/http.d/*.conf;
    include /config/nginx/site-confs/*.conf;
}

daemon off;
pid /run/nginx.pid;

And in the swag container: appdata -> swag -> nginx -> proxy-confs -> nextcloud.subdomain.conf

## Version 2023/06/24
# make sure that your nextcloud container is named nextcloud
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['swag'],
#  'overwrite.cli.url' => 'https://nextcloud.example.com/',
#  'overwritehost' => 'nextcloud.example.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.example.com',
#  ),

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name xxxxxxxx.*;

    include /config/nginx/ssl.conf;
    add_header Cache-Control "no-transform" always;
    add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
    add_header Permissions-Policy "interest-cohort=()" always;
    add_header Referrer-Policy "same-origin" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-UA-Compatible "IE=Edge" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "noindex, nofollow" always;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

        # Disable proxy buffering
        proxy_buffering off;
    }
}

appdata -> swag -> nginx -> site-confs -> default.conf

## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name _;

    include /config/nginx/ssl.conf;

    root /config/www;
    index index.html index.htm index.php;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable for basic auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
    }

    location ~ ^(.+\.php)(.*)$ {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        fastcgi_split_path_info ^(.+\.php)(.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # deny access to .htaccess/.htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

appdata -> swag -> nginx -> ssl.conf

## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample

### Mozilla Recommendations
# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7

ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/cert.crt;

# Optional additional headers
#add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
#add_header Permissions-Policy "interest-cohort=()" always;
#add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Permitted-Cross-Domain-Policies "none" always;
#add_header X-Robots-Tag "noindex, nofollow" always;

appdata -> swag -> nginx -> nginx.conf

## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample

### Based on alpine defaults
# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable

user abc;

# Set number of worker processes automatically based on number of CPU cores.
include /config/nginx/worker_processes.conf;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /config/log/nginx/error.log;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*.conf;

events {
    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
}

http {
    # Includes mapping of file name extensions to MIME types of responses
    # and defines the default type.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Name servers used to resolve names of upstream servers into addresses.
    # It's also needed when using tcpsocket and udpsocket in Lua modules.
    #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
    include /config/nginx/resolver.conf;

    # Don't tell nginx version to the clients. Default is 'on'.
    server_tokens off;

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    client_max_body_size 0;

    # Sendfile copies data between one FD and other from within the kernel,
    # which is more efficient than read() + write(). Default is off.
    sendfile on;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames. Default is 'off'.
    tcp_nopush on;

    # all ssl related config moved to ssl.conf
    # included in server blocks where listen 443 is defined

    # Enable gzipping of responses.
    #gzip on;

    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
    gzip_vary on;

    # Helper variable for proxying websockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Sets the path, format, and configuration for a buffered log write.
    access_log /config/log/nginx/access.log;

    # Includes virtual hosts configs.
    include /etc/nginx/http.d/*.conf;
    include /config/nginx/site-confs/*.conf;
}

daemon off;
pid /run/nginx.pid;

appdata -> swag -> nginx -> proxy.conf

## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
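Added example, not from the thread or from linuxserver.io: a small Python health check covering both problems raised here, an instance left in maintenance mode after an automatic update (read from Nextcloud's /status.php, which reports a maintenance flag) and the two header warnings. In the posted configs the two headers are added in the container's default.conf, again in its ssl.conf, and a third time in SWAG's nextcloud.subdomain.conf, whose proxy_hide_header list does not cover them, so a client can receive several copies; the check reports missing, wrong and duplicated headers. The hostname, the User-Agent string and the sample data are constructed assumptions.

```python
"""Health check for a Nextcloud behind SWAG: (1) maintenance mode still on
after an automatic update, read from /status.php, and (2) the X-Robots-Tag and
X-Permitted-Cross-Domain-Policies headers missing, wrong, or sent more than
once. Every nginx layer with its own add_header for them (the container's
default.conf, its ssl.conf, SWAG's nextcloud.subdomain.conf) emits a copy, and
the proxy_hide_header list in the subdomain conf does not hide these two."""
import json
import sys
import urllib.error
import urllib.request
from collections import defaultdict

# Values the Nextcloud setup-check warnings quoted in the thread expect.
EXPECTED_HEADERS = {
    "x-robots-tag": "noindex, nofollow",
    "x-permitted-cross-domain-policies": "none",
}


def check_headers(raw_headers):
    """raw_headers: list of (name, value) pairs, one entry per header line as
    received, so duplicates stay visible. Returns a list of finding strings;
    an empty list means both headers are present exactly once with the
    expected value (case-insensitive, whitespace normalised)."""
    seen = defaultdict(list)
    for name, value in raw_headers:
        seen[name.strip().lower()].append(" ".join(value.split()))
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times {values}; "
                            "more than one layer is adding it")
        elif values[0].lower() != expected:
            findings.append(f"{name}: got {values[0]!r}, expected {expected!r}")
    return findings


def check_status(body):
    """body: text of /status.php. Returns a dict with the maintenance flag
    (None if the body was not JSON), the version string, and findings."""
    try:
        status = json.loads(body)
    except json.JSONDecodeError:
        return {"maintenance": None, "version": None,
                "findings": ["status.php did not return JSON; is the instance up?"]}
    findings = []
    if status.get("maintenance"):
        findings.append("maintenance mode is ON; if no update is running, clear it "
                        "with: docker exec -it nextcloud occ maintenance:mode --off")
    if status.get("needsDbUpgrade"):
        findings.append("needsDbUpgrade is set; the last update did not finish")
    return {"maintenance": bool(status.get("maintenance")),
            "version": status.get("versionstring"), "findings": findings}


def fetch(url, timeout=10):
    """GET url; returns (http_status, raw_headers, body). A non-2xx reply (a
    normal page gets HTTP 503 while maintenance mode is on) is returned the
    same way instead of raising, so its headers can still be inspected."""
    req = urllib.request.Request(url, headers={"User-Agent": "nc-health-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, list(resp.getheaders()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items()), err.read().decode("utf-8", "replace")


def run(url):
    """Fetch url, print and return all findings for it."""
    code, headers, body = fetch(url)
    findings = check_headers(headers) + check_status(body)["findings"]
    print(f"{url} -> HTTP {code}, {len(findings)} finding(s)")
    for finding in findings:
        print("  -", finding)
    return findings


# Constructed sample, not captured from a real server: what a client would see
# with the posted configs (three layers adding X-Robots-Tag, two adding
# X-Permitted-Cross-Domain-Policies) while the instance is stuck in maintenance.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json; charset=utf-8"),
    ("X-Robots-Tag", "noindex, nofollow"),
    ("X-Permitted-Cross-Domain-Policies", "none"),
    ("X-Robots-Tag", "noindex, nofollow"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Permitted-Cross-Domain-Policies", "none"),
    ("X-Robots-Tag", "noindex, nofollow"),
]
SAMPLE_STATUS = ('{"installed":true,"maintenance":true,"needsDbUpgrade":false,'
                 '"version":"28.0.3.2","versionstring":"28.0.3"}')

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. https://nextcloud.example.com/status.php (assumed host)
        run(sys.argv[1])
    else:
        for finding in check_headers(SAMPLE_HEADERS) + check_status(SAMPLE_STATUS)["findings"]:
            print("-", finding)
```

Run it from cron against status.php and alert on a non-empty result; a duplicate finding points at the layer whose add_header or proxy_hide_header needs adjusting, a maintenance finding at an update that did not finish.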
