diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 30f6e35..6cc296f 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -9,14 +9,10 @@ } nextcloud.t-gstone.de { - encode zstd gzip - reverse_proxy nextcloud:80 + reverse_proxy nextcloud-nginx:80 header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - request_body { max_size 10G } diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml index 530e814..e501a71 100644 --- a/nextcloud/docker-compose.yml +++ b/nextcloud/docker-compose.yml @@ -1,6 +1,6 @@ services: nextcloud: - image: nextcloud:33-apache + image: nextcloud:33-fpm container_name: nextcloud restart: unless-stopped depends_on: @@ -19,6 +19,29 @@ services: - ${DATA_ROOT}/nextcloud/data:/var/www/html/data - ./hooks/post-installation.sh:/docker-entrypoint-hooks.d/post-installation/post-installation.sh:ro - ./hooks/post-upgrade.sh:/docker-entrypoint-hooks.d/post-upgrade/post-upgrade.sh:ro + networks: + - nextcloud-internal + logging: + driver: json-file + options: + max-size: "10m" + max-file: "3" + + nginx: + image: nginx:alpine + container_name: nextcloud-nginx + restart: unless-stopped + depends_on: + - nextcloud + volumes: + - ${DATA_ROOT}/nextcloud/html:/var/www/html:ro + - ${DATA_ROOT}/nextcloud/data:/var/www/html/data:ro + - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro + healthcheck: + test: ["CMD-SHELL", "wget -q --spider http://localhost/status.php || exit 1"] + interval: 30s + timeout: 10s + retries: 3 networks: - proxy - nextcloud-internal @@ -27,11 +50,6 @@ services: options: max-size: "10m" max-file: "3" - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost/status.php"] - interval: 30s - timeout: 10s - retries: 3 postgres: image: postgres:17-alpine @@ -68,7 +86,7 @@ services: max-file: "3" cron: - image: nextcloud:33-apache + image: nextcloud:33-fpm container_name: nextcloud-cron restart: unless-stopped depends_on: diff --git a/nextcloud/nginx.conf b/nextcloud/nginx.conf new file mode 100644 index 0000000..2f91907 --- /dev/null +++ b/nextcloud/nginx.conf @@ -0,0 +1,68 @@ +upstream php-handler { + server nextcloud:9000; +} + +server { + listen 80; + server_name _; + + client_max_body_size 10G; + client_body_timeout 300s; + fastcgi_buffers 64 4K; + + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_types application/javascript application/json text/css text/plain text/xml application/xml image/svg+xml; + + root /var/www/html; + index index.php index.html /index.php$request_uri; + + # Redirect well-known URLs + location ^~ /.well-known { + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + location ^~ /.well-known { return 301 /index.php$uri; } + } + + # Deny access to internal paths + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Serve static files directly + location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { + try_files $uri /index.php$request_uri; + expires 6M; + access_log off; + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; + access_log off; + } + + # PHP handling + location ~ \.php(?:$|/) { + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + fastcgi_max_temp_file_size 0; + } + + # Default handler + location / { + try_files $uri $uri/ /index.php$request_uri; + } +}