Nextcloud docker nginx lots of incoming IP

Hi.
I’ve set up a Nextcloud instance with Docker, official image + jwilder/nginx-proxy + jrcs/docker-letsencrypt-nginx-proxy-companion.

I have an issue I can't resolve for the moment.
The access_log is increasing a lot due to multiple incoming TCP connections.
It can get to 1G per hour! And I've got a full disk in a few days.
At the beginning, it was the Docker volume that was impacted. I've managed to resolve it with my docker-compose, in the proxy service:
    logging:
      options:
        max-size: 100m

Indeed, I've tried everything to limit the size of access_log, without success.
I have set a my_proxy.conf in /etc/nginx/conf.d (mounted on the host, Ubuntu Server 18.04).
Inside it, I've set:
client_max_body_size 10G;
client_body_buffer_size 16k;
client_header_buffer_size 1k;
access_log off;
worker_processes 4;
worker_connections 50;
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
keepalive_requests 10;
keepalive_timeout 15s;

Results:
access_log is still here even with access_log off;

And I didn't find a solution to block incoming IPs with the other parameters.
The problem is that it's completely eating my upload bandwidth and Nextcloud is slow, very slow. I can see the TCP traffic with tcptrack on the host.

Before Docker, I just had an Apache reverse proxy on one VM and Nextcloud behind it on another VM, and I didn't have that issue. My instance was on the same domain.

I want to keep Docker and docker-compose solution.

Two questions:

  • How can I limit the access_log file? It will resolve the disk space issue.
  • How can I regulate traffic to block multiple incoming IPs per second? It will resolve the performance and bandwidth issues.
    The best would be to add the conf in my_proxy.conf, so as not to have to modify files within the container (or at least not modify the image itself, or manage it automatically with docker-compose).

Here is my docker-compose file:
version: '3'

services:

  proxy:
    image: jwilder/nginx-proxy:alpine
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: nextcloud-proxy
    networks:
      - nextcloud_network
    ports:
      - 80:80
      - 443:443
    volumes:
      - /mnt/nginx/conf.d:/etc/nginx/conf.d:rw
      - /mnt/nginx/log:/var/log/nginx:rw
      - /mnt/nginx/vhost.d:/etc/nginx/vhost.d:rw
      - /mnt/nginx/html:/usr/share/nginx/html:rw
      - /mnt/nginx/certs:/etc/nginx/certs:ro
      - /etc/localtime:/etc/localtime:ro
      - /docker/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    logging:
      options:
        max-size: 100m
    restart: unless-stopped

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nextcloud-letsencrypt
    depends_on:
      - proxy
    networks:
      - nextcloud_network
    volumes:
      - /mnt/nginx/certs:/etc/nginx/certs:rw
      - /mnt/nginx/vhost.d:/etc/nginx/vhost.d:rw
      - /mnt/nginx/html:/usr/share/nginx/html:rw
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  db:
    image: mariadb
    container_name: nextcloud-mariadb
    networks:
      - nextcloud_network
    volumes:
      - /mnt/nextcloud_db:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=XXXXXXXXX
      - MYSQL_PASSWORD=XXXXXXXX
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    restart: unless-stopped

  redis:
    image: redis:alpine
    container_name: redis
    networks:
      - nextcloud_network

  app:
    image: nextcloud
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    links:
      - db
    expose:
      - "80"
    depends_on:
      - letsencrypt
      - proxy
      - db
      - redis
    volumes:
      - /mnt/nextcloud_app/app:/var/www/html
      - /mnt/nextcloud_app/config:/var/www/html/config
      - /mnt/nextcloud_app/custom_apps:/var/www/html/custom_apps
      - /mnt/nextcloud_data_users:/var/www/html/data
      - /mnt/nextcloud_app/themes:/var/www/html/themes
      - /mnt/Fichiers:/mnt/Fichiers
      - /mnt/Musique:/mnt/Musique
      - /mnt/Films:/mnt/Films
      - /mnt/Freebox:/mnt/Freebox
      - /etc/localtime:/etc/localtime:ro
    environment:
      - NEXTCLOUD_DATA_DIR=/var/www/html/data
      - NEXTCLOUD_ADMIN_USER=XXXXXXX
      - NEXTCLOUD_ADMIN_PASSWORD=XXXXXXXX
      - MYSQL_ROOT_PASSWORD=XXXXXXXXX
      - MYSQL_PASSWORD=XXXXXXXX
      - MYSQL_DATABASE=nextcloud
      - MYSQL_HOST=db
      - MYSQL_USER=XXXXXXXXX
      - NEXTCLOUD_TABLE_PREFIX=oc_
      - NEXTCLOUD_TRUSTED_DOMAINS=XXXXXX.XXXXXX.XX
      - REDIS_HOST=redis
      - VIRTUAL_HOST=XXXXXX.XXXXXXX.XX
      - LETSENCRYPT_HOST=XXXXXXX.XXXXXXX.XX
      - LETSENCRYPT_EMAIL=
      - SMTP_HOST=smtp.gmail.com
      - SMTP_SECURE=tls
      - SMTP_PORT=587
      - SMTP_AUTHTYPE=LOGIN
      - SMTP_NAME=
      - SMTP_PASSWORD=
      - MAIL_FROM_ADDRESS=
      - MAIL_DOMAIN=gmail.com
    restart: unless-stopped

  cron:
    image: nextcloud
    restart: unless-stopped
    volumes:
      # note: "nextcloud" is the named volume declared below, not the
      # /mnt/nextcloud_app/app bind mount the app service uses
      - nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

  collabora:
    image: collabora/code
    expose:
      - 9980
    environment:
      - domain=XXXXXX\.XXXXXX\.XX
      - VIRTUAL_HOST=XXXX.XXXXX.XX
      - VIRTUAL_NETWORK=nginx-proxy
      - VIRTUAL_PORT=9980
      - VIRTUAL_PROTO=https
      - LETSENCRYPT_HOST=XXXXX.XXXXXX.XX
      - LETSENCRYPT_EMAIL=
    cap_add:
      - MKNOD
    networks:
      - nextcloud_network

volumes:
  nginx-proxy:
  letsencrypt:
  db:
  nextcloud:

networks:
  nextcloud_network:
    external:
      name: nginx-proxy

Thanks for your help, I'm a little desperate because everything works fine (Collabora, external storage, etc.) and very fast... at the beginning. After 2 or 5 minutes following docker-compose up -d, all those incoming IPs eat my bandwidth and make the access_log file very big.
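As an added example, not from this post or from the nginx-proxy project, here is how both questions above can be handled in nginx configuration alone, assuming the standard nginx-proxy layout: files in /etc/nginx/conf.d are included in the http context, and /etc/nginx/vhost.d/<VIRTUAL_HOST> is included inside that host's generated server block, which sets its own access_log and so overrides an http-level access_log off. The host name cloud.example.com, the zone names and the numeric limits are placeholders to tune.

```nginx
# /mnt/nginx/conf.d/my_proxy.conf  (http context: zones and maps only;
# worker_processes / worker_connections do not belong in this file)

# One 10 MB zone per limiter, keyed on the client address (about 160k
# addresses per zone). Rates are per IP, not global.
limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# Answer 429 instead of the default 503 when a limit triggers, and log
# rejections at warn level so abusive addresses stay visible in
# error.log even when the access log is quieted below.
limit_req_status     429;
limit_conn_status    429;
limit_req_log_level  warn;
limit_conn_log_level warn;

# Keep only access-log lines worth reading: $loggable is 0 for
# 2xx/3xx responses and 1 for everything else (4xx, 5xx, throttled).
map $status $loggable {
    ~^[23]  0;
    default 1;
}

# /mnt/nginx/vhost.d/cloud.example.com  (included in that vhost's server block)

# Per-IP throttle: sustained 10 r/s, bursts of up to 40 accepted at once
# ("nodelay" serves the burst immediately instead of queueing it).
limit_req  zone=req_per_ip burst=40 nodelay;
# At most 30 simultaneous connections per client address.
limit_conn conn_per_ip 30;

# "off" at server level cancels the access_log the generated config sets
# for this host, so no rotation is needed at all. Use the second form
# instead to keep only the filtered lines defined by $loggable above
# ("vhost" is the log_format nginx-proxy defines).
access_log off;
# access_log /var/log/nginx/access.log vhost if=$loggable;
```

These limits act on HTTP requests after the TLS handshake, so they cut the work Nextcloud sees but do not stop the inbound packets themselves. Nextcloud desktop sync sends bursts of PROPFIND and PUT requests, so check error.log for "limiting requests" entries from your own clients before tightening rate or burst.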

If you only have regional clients and your unwanted IP packets are from abroad.

[URL REMOVED - Spam-protection [JK]]

Did you grep for access_log through your nginx configs? There might be more than it appears. Remember to grep through /etc/nginx in the proxy container, and not /mnt/nginx/conf.d on your host.

And if you set access_log to /tmp/access.log and the other log is still there, you know it's not the correct line in your config.

Thanks for your answer.

I'm going to grep inside my containers and study geoip. I will post feedback here as soon as possible.

Hi.
I've found a solution to control the nginx access_log file size.
First, - /mnt/nginx/log:/var/log/nginx:rw is correct.

On the host (Ubuntu Server), edit /etc/logrotate.conf and add:
/mnt/nginx/log/*log {
    daily
    size 800k
    rotate 3
    missingok
    notifempty
    sharedscripts
    compress
    create 0664 root utmp
    postrotate
        /usr/bin/docker restart nextcloud-proxy # nginx container name
    endscript
}

Then, edit /etc/crontab and add:
0 */6 * * * root logrotate -f /etc/logrotate.conf

Every 6 hours, the nginx access.log and error.log are compressed, and as the container is restarted, it creates a new access.log and error.log.

Advantages: it does not modify the container. No impact if the container or image is removed. Disk space is safe.
Inconvenient: nginx is restarted. I didn't notice any impact while using Nextcloud, the container restarts fast (thanks Docker). But if a file is uploading or downloading at that moment, the connection is lost and it fails. Not too bad, only every 6 hours, a few seconds, and at worst the user can upload or download the lost file again. Moreover, that problem will be gone when the first issue I'm facing is resolved; I could then change the task to only once per week, for example.

So, regarding the main problem, I took a look at geoip.
Indeed, I'm very interested in it.

But the link is to install geoip in a "classic" setup, on a host with nginx.
In my case, everything is dockerized with containers.
I've just followed the procedure here: https://github.com/nextcloud/docker with
the nginx-proxy and docker-letsencrypt-nginx-proxy-companion containers.

How could I manage geoip with my docker-compose?

I've found this: https://hub.docker.com/r/extremeshok/geoip with a docker-compose example.

xshokgeoip:
  image: extremeshok/geoip
  environment:
    - TZ=${TZ}
  volumes:
    - vol-geoip-maxmind:/geoip/maxmind
    - vol-geoip-country-cidr:/geoip/country-cidr
  restart: always
  sysctls:
    - net.ipv6.conf.all.disable_ipv6=${SYSCTL_IPV6_DISABLED:-0}
  networks:
    network:
      ipv4_address: ${IPV4_NETWORK:-172.22.1}.207
      aliases:
        - xshokgeoip

How to make it work with my docker-compose file? Which parameters?

Or maybe is there another way to control traffic with that config?
I'm sure I'm not the only one in that case (how to control incoming IPs on a Nextcloud instance).

Thanks for the time you're giving me.
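An added example, not from this thread or from the extremeshok/geoip image: the stock nginx-proxy image already ships nginx's built-in geo module, which matches the client address against a CIDR list with no GeoIP library or database, so a country or abuse list can simply be bind-mounted as a file. The list path, its sample networks and the host name are placeholders, and the file must use nginx geo syntax (one "<CIDR> <value>;" per line), so a bare CIDR list from a generator has to be converted first.

```nginx
# /mnt/nginx/conf.d/my_proxy.conf  (http context)

# $deny_client becomes 1 when the client address falls in a listed
# network; the longest matching prefix wins. $remote_addr is the real
# client here because nginx-proxy is the edge of the deployment.
geo $deny_client {
    default 0;
    # Never lock out the LAN or the Docker networks, whatever the list says.
    192.168.0.0/16 0;
    172.16.0.0/12  0;
    10.0.0.0/8     0;
    # Placeholder list, mounted read-only into the proxy container, e.g.
    #   - /mnt/nginx/geo/deny.conf:/etc/nginx/geo/deny.conf:ro
    # with lines of the form "<CIDR> 1;", for example:
    #   203.0.113.0/24 1;
    #   198.51.100.0/24 1;
    include /etc/nginx/geo/deny.conf;
}

# /mnt/nginx/vhost.d/cloud.example.com  (included in that vhost's server block)

# Reject listed clients before the request reaches Nextcloud. Status 444
# closes the connection without sending a response, the cheapest answer
# for bandwidth-driven noise; use "return 403;" to send a visible error.
if ($deny_client) {
    return 444;
}
```

Run docker exec nextcloud-proxy nginx -t after editing and reload with docker exec nextcloud-proxy nginx -s reload rather than restarting the container. Keep your own networks mapped to 0, as above, so a bad list cannot lock you out of your instance.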