Trusted proxy in docker-compose?

Let’s say I have an SSL termination proxy (pingora) in front of a “standard” Nextcloud installation (docker-compose).

Do I need to add trusted-proxy in config/config.php?

If yes, how can I do it “properly”?

The way I managed to do this is:

  • replace nextcloud_aio_nextcloud:/var/www/html:rw with - ${NEXTCLOUD_VOLUME}:/var/www/html:rw
  • then define NEXTCLOUD_VOLUME in .env to be a regular path on FS
  • then start docker-compose and stop it; it populates the directory with files
  • finally, edit config/config.php

It works, but it does not feel like a “good/proper” way.

UPDATE

Forgot to mention that I removed Caddy (it changes the setup a little bit, as without Caddy, apache tells nextcloud that the request came from an IP that is different from localhost/127.0.0.1)

Why I removed Caddy:

  • It is just “another” proxy (which wastes RAM/CPU). I hope that 2 proxies (my own and apache) should be enough for Nextcloud. I would like to avoid having 3 proxies.
  • It sets up TLS in the non-desirable way:
    • it only gets certificates for server, but not for clients (mTLS is not supported)
    • overall, I am not sure how much I can trust Let’s Encrypt
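
A simplified model of what a trusted-proxy list decides, added here as an illustration; it is not Nextcloud's code and not part of any post in this thread. The addresses are constructed samples and `resolve_client_ip` is a hypothetical name.

```python
import ipaddress

def resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Pick the address an application should treat as the client.

    remote_addr      -- TCP peer the web server actually saw
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    trusted_proxies  -- IPs / CIDR ranges allowed to speak for the client
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    # The header counts only when the direct peer is a listed proxy.
    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr

    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of ours; anything further left is client-supplied.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer
        if not is_trusted(hop):
            return hop
    return remote_addr

# Constructed sample addresses
PROXY = "172.18.0.2"      # the TLS-terminating proxy as seen by the web server
CLIENT = "203.0.113.7"    # a real client
FORGED = "198.51.100.99"  # value a client put into its own header

if __name__ == "__main__":
    print(resolve_client_ip(PROXY, CLIENT, []))
    print(resolve_client_ip(PROXY, CLIENT, [PROXY]))
    print(resolve_client_ip(PROXY, f"{FORGED}, {CLIENT}", [PROXY]))
    print(resolve_client_ip(CLIENT, FORGED, [PROXY]))
```

With an empty list every request appears to come from the proxy; once the proxy is listed, the real client address is recovered and a forged leftmost entry is ignored.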

Please follow the AiO reverse proxy docs.

Sorry, forgot to mention: I do not need Caddy (this seems to be useless/harmful: wastes CPU, RAM and generates some ACME requests that I do not need anyway, and more importantly, the SSL certificates it acquires do not assume/support mTLS)

I think the official way works only because apache tells nextcloud that request came from 127.0.0.1 (caddy inside apache container), which nextcloud trusts.

Many people are happy with Caddy, but this is not the point. Did you read and understand the resource I shared?

Yeah, I have read it.

I think the main issue comes from the fact that I do not need Caddy (but the guide assumes that I have it).

I understand that most (all?) people are happy with Caddy. But I have an impression that it is until one starts to think about resources and utility/usefulness of Caddy (especially in the context of another proxy).

What is the purpose/usefulness of Caddy in the following scenario:

  • SSL termination proxy (like nginx)
  • Caddy
  • Apache
    ?

^^^ these are 3 (!) proxies. In an ideal world there should be just one.

I’m not really into AiO, but from my understanding Apache is a webserver and not a reverse proxy. I’m not sure how Caddy is involved (it looks like it is used for the mastercontainer providing the AiO management interface), but the idea of AiO is to have a one-stop shop for NC installation (helping rookie users to set up the system). If you are not happy with this approach, use the AiO manual install or the Community Docker image… Look at this guide I published shortly

Community docker image looks much better (feels much more flexible and less indoctrinating). Thank you!

(I am wondering why the Community docker image is NOT the official way of doing it)
