Hello,
I am currently running Nextcloud, Home Assistant and nginx in Docker containers under rootless Docker.
The nextcloud is located at /nextcloud and home assistant at /
My problem is that I can't get it to forward the real remote IP address from outside. The brute-force protection slows down or fully blocks the login because all logins appear to come from the 172.16.0.1 gateway IP.
The network adapter is configured in "bridge" mode.
I attached my "docker-compose.yml" and my sites-available file.
I believe I need like a specific network adapter or something like that?
Also I had the idea to install nginx on the host and forward the traffic to the container.
Thank you for your help. I am also open for security improvements.
Docker-Compose
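# docker-compose.yml — Nextcloud (served under /nextcloud), Home Assistant
# (served under /) and an nginx TLS edge, all on a rootless Docker host.
#
# NOTE(review): rootless Docker publishes ports through RootlessKit, whose
# default "builtin" port driver rewrites the client's source address to the
# rootless network gateway before the packet reaches the container. Every
# service behind nginx then sees that one gateway address, so any per-IP
# control (brute-force protection, limit_req) applies to all clients at once.
# The slirp4netns port driver preserves the original source address
# (DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns in the rootless
# daemon's environment). This is configured on the host, not in this file;
# confirm the exact setting against the rootless documentation of the
# installed Docker version.
#
# All secret values below were removed before posting. Keep them as quoted
# strings (so "1.20"-style values are not retyped) or move them to an
# env_file / compose secrets rather than committing them.
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    # NET_ADMIN / NET_RAW are only needed by integrations that scan the LAN;
    # drop them if no such integration is in use.
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - /home/max/docker/homeassistant/config:/config:rw
      - /etc/localtime:/etc/localtime:ro
      - /run/dbus:/run/dbus:ro
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - internal_network

  nginx:
    # NOTE(review): ":latest" (here and on mariadb / nextcloud) turns every
    # "docker compose pull" into an unreviewed upgrade; pin a major-version tag.
    image: nginx:latest
    container_name: nginx
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    # Left disabled: the stock nginx image starts as root and needs a few
    # capabilities (e.g. to switch to the worker user); dropping ALL would
    # presumably need the unprivileged image variant — verify before enabling.
    # cap_drop:
    #   - ALL
    ports:
      - "8443:8443"
    volumes:
      - /home/max/docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /home/max/docker/nginx/html:/usr/share/nginx/html:ro
      - /home/max/docker/nginx/conf.d:/etc/nginx/conf.d:ro
      - /home/max/docker/nginx/certs:/etc/nginx/certs:ro
      # The same host directory is mounted as both sites-available and
      # sites-enabled, so every file placed in it is active.
      - /home/max/docker/nginx/sites-available:/etc/nginx/sites-available:ro
      - /home/max/docker/nginx/sites-available:/etc/nginx/sites-enabled:ro
      - /home/max/docker/nginx/logs:/tmp/logs:rw
    networks:
      - internal_network

  nextclouddb:
    image: mariadb:latest
    container_name: nextclouddb
    restart: always
    volumes:
      - /home/max/docker/mariadb/nextcloud:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_DATABASE=
      - MYSQL_USER=
      - MYSQL_PASSWORD=
      # presumably copied from the nextcloud service; not a variable the
      # mariadb image documents, so it is ignored here — verify and drop.
      - MYSQL_HOST=
    networks:
      - internal_network

  nextcloud:
    image: nextcloud:latest
    container_name: nextcloud
    restart: always
    depends_on:
      - nextclouddb
    volumes:
      - /home/max/docker/nextcloud:/var/www/html:rw
    environment:
      - TRUSTED_DOMAINS=
      - OVERWRITEWEBROOT=/nextcloud
      # The only listener in front of Nextcloud is TLS (nginx :8443), so
      # generated URLs must always be https regardless of what the proxy
      # forwards.
      - OVERWRITEPROTOCOL=https
      - DB_HOST=
      - MYSQL_HOST=
      - MYSQL_DATABASE=
      - MYSQL_USER=
      - MYSQL_PASSWORD=
      - ADMIN_USER=Admin
      - ADMIN_PASSWORD=
      # Must cover the nginx container's address; the subnet is pinned in the
      # network definition below so this stays valid. Nextcloud only trusts
      # X-Forwarded-For from addresses in this range.
      - TRUSTED_PROXIES=172.18.0.0/16
    networks:
      - internal_network

networks:
  internal_network:
    driver: bridge
    # Pin the subnet so TRUSTED_PROXIES above and set_real_ip_from in the nginx
    # config keep matching across network re-creation (Docker otherwise picks
    # the next free 172.x.0.0/16). Adjust if this range is already in use on
    # the host.
    ipam:
      config:
        - subnet: 172.18.0.0/16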
Sites-available file
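server {
    listen 8443 ssl;
    http2 on;
    server_name example;

    # --- Client address handling (Docker rootless) --------------------------
    # This listener is the TLS edge: nothing in front of it speaks the PROXY
    # protocol, and "real_ip_header proxy_protocol" only takes effect when the
    # listen directive also carries "proxy_protocol". Both directives are
    # therefore inert today and only kept for a possible host-level front
    # proxy. NOTE(review): under rootless Docker, $remote_addr may already be
    # the rootless network gateway when it arrives here; nginx cannot recover
    # the real client address in that case — it has to be fixed at the Docker
    # port-forwarding level.
    set_real_ip_from 172.18.0.0/16;
    real_ip_header proxy_protocol;

    # Client-identifying headers for the upstreams. nginx does NOT inherit
    # proxy_set_header into a location that defines its own proxy_set_header,
    # so these two are restated in every proxied location below (previously
    # they were silently dropped there). $remote_addr is used instead of
    # $proxy_add_x_forwarded_for on purpose: at the edge a client must not be
    # able to inject its own X-Forwarded-For value.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;

    # --- TLS ------------------------------------------------------------------
    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ssl_dhparam /etc/nginx/certs/dhparams.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # The TLS_* names only apply to TLS 1.3 and are ignored by the TLS 1.2
    # cipher list; harmless, but they do not restrict the TLS 1.3 suites.
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # OCSP stapling needs a resolver to look up the responder host; without
    # one nginx skips stapling. 127.0.0.11 is Docker's embedded DNS on
    # user-defined networks — TODO confirm it is reachable from this container.
    resolver 127.0.0.11 valid=300s;

    # --- Proxy buffering ------------------------------------------------------
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_max_temp_file_size 0;

    # --- Rate-limit error page ------------------------------------------------
    # limit_req answers with 503 by default; serve a static page for it.
    error_page 503 /rate_limit_error.html;
    location /rate_limit_error.html {
        root /usr/share/nginx/html;
        internal;
    }

    # --- Security headers (server level) --------------------------------------
    # add_header is inherited only by locations that define no add_header of
    # their own, i.e. these reach the redirects and the error page only. The
    # proxied locations below restate the headers they need.
    #
    # NOTE(review): this CSP presumably targets Home Assistant (the LAN host
    # 192.168.178.57 and 'unsafe-eval'); it deliberately is not restated in
    # /nextcloud/, where Nextcloud sends its own policy and a second CSP header
    # would only tighten it unpredictably. To enforce it on Home Assistant,
    # repeat it inside the / and /api/ locations after checking the app
    # against it. Fixes vs. the previous version: the two img-src directives
    # were merged (browsers ignore a repeated directive, so "data:" was never
    # allowed) and "wss" became the scheme-source "wss:" (bare "wss" is read
    # as a host named wss).
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: http://192.168.178.57 192.168.178.57; font-src 'self'; connect-src 'self' wss: ws: https: 192.168.178.57; frame-ancestors 'self' https://example.net; form-action 'self'; manifest-src 'self';" always;
    # Long-lived caching only reaches the 301s and the error page (see above).
    add_header Cache-Control "public, max-age=31536000, immutable" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Legacy header; current guidance is to disable the XSS auditor ("0") or
    # drop the header — left unchanged here.
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # --- Home Assistant -------------------------------------------------------
    # NOTE(review): Home Assistant only honours X-Forwarded-For when its http:
    # section (configuration.yaml, not shown) enables use_x_forwarded_for and
    # lists this proxy's subnet in trusted_proxies; otherwise its IP ban keeps
    # seeing the nginx container address.
    # The zone "req_limit_per_ip" is declared in the main nginx.conf (not shown).

    # Frontend, including the WebSocket the UI opens.
    location / {
        limit_req zone=req_limit_per_ip burst=40 nodelay;
        add_header Cache-Control "no-store, no-cache, must-revalidate" always;
        # Restated because a location-level add_header disables inheritance.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        proxy_pass http://homeassistant:8123;
        # Upgrade/Connection: upgrade only works over HTTP/1.1 towards the
        # upstream; /api/ already had this, the frontend location did not.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Never cache the live UI
        proxy_cache off;
        proxy_no_cache 1;
        proxy_cache_bypass 1;
    }

    # API (higher burst allowance than the frontend)
    location /api/ {
        limit_req zone=req_limit_per_ip burst=80 nodelay;
        add_header Cache-Control "no-store, no-cache, must-revalidate" always;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        proxy_pass http://homeassistant:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Never cache API responses
        proxy_cache off;
        proxy_no_cache 1;
        proxy_cache_bypass 1;
    }

    # --- Nextcloud ------------------------------------------------------------
    # /nextcloud -> /nextcloud/
    location = /nextcloud {
        return 301 $scheme://$host/nextcloud/;
    }

    # Frontend; the trailing "/" on proxy_pass strips the /nextcloud/ prefix,
    # which OVERWRITEWEBROOT=/nextcloud in the container adds back to URLs.
    location /nextcloud/ {
        limit_req zone=req_limit_per_ip burst=200;
        proxy_pass http://nextcloud:80/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # Nextcloud trusts these only from TRUSTED_PROXIES (compose file).
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        # Never cache Nextcloud responses
        proxy_cache off;
        proxy_no_cache 1;
        proxy_cache_bypass 1;
        # Upload limit for this location only
        client_max_body_size 100M;
        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate" always;
        # Restated: Nextcloud's admin check expects HSTS from the proxy.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin";
    }

    # CalDAV / CardDAV discovery
    location /.well-known/carddav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }
    location /.well-known/caldav {
        return 301 $scheme://$host/nextcloud/remote.php/dav;
    }
}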