Nextcloud with Letsencrypt using OMV and docker-compose - Q&A

Zitat von Zoki

Starbuck1973

As far as I understand, you are half way through:

1. When opening the https://nexclould.xxx.yyy.zzz url from the outside, you get an encrypted page, only with a self signed cert. (click on the lock in the browser to verify)

What do you get when you open the url http://nextcloud.xxx.yyy.zzz from outside your network in a browser? Are you redirected to an https url?

Try executing curl -v -H "nextcloud.xxx.yyy.yyy" http://<the_ip_of_my_omv>:81 from inside your network and past the results.

Alles anzeigen

I don't think that's the case... (post 921).. he can't get secured access from on or off network. I've never heard of this loopback issue he's referring to (It's no issue for me on any container I have routed through swag)

Zitat

Tested again. In the step 11 I open the url https://www.YOUR-SUBDOMAIN.duckdns.org using my phone (I cannot do it from my local network due to my ISP has issues with NAT Loopback). The swag screen (Welcome to your SWAG instance) shows without SSL ("The connection with the website is not safe"). I followed the steps, and I stucked again in the same step as before

Zitat von Agricola

On networks, you can just create the network in the command line. For instance: docker network create swag-net and then in every container yml you want on that one network include network_mode: swag-net

https://docs.docker.com/network/bridge/

Correct.. but that didn't really strike me as newb friendly. Easier to just deploy swag on it's own and let swag create it. Then it's just as easy to attach a container to that network (I was also trying to keep it fairly in line w/ maccom's guide as well).

Zitat von Zoki

Portainer has anice menu to easily create networks.

Networks created this way or by docker network create ... way are considered external to all stacks. I do not know how docker treats the docker_swag network creatd as a local network in a stack if the stack is taken down and rebuilt. May work today, but might change as the behaviour is not specified.

Pretty sure they are treated the same... as I've deleted containers lots of times, and their networks were still listed in my docker networks.

I'm a huge fan of stacks.. but the original written by maccom used docker-compose, and I tried to stay in line with that. I tried to avoid suggesting anything that would only work with portainer or that would complicate the matter any further.

LOL.. You guys are gonna love Starbucks problem... we are finishing it up now... I don't think we'd have ever figured htis out (or I wouldn't have.. he wasn't getting a key)

Starbucks is fixed.

He ran into a problem I'd never seen before. He was using github to sign in to duckdns. The duckdns validation on swag, apparently only works with a gmail login (or it doesn't work with github, as best I can tell). Once we switched to using a gmail account, he got a cert no problem, then it was just a matter of getting everything else set up.

Zitat von Nefertiti

Well now I got this working and for the fun of it I want to do the same with the other one the Base version - apache https://hub.docker.com/_/nextcloud

but the original stack mount the volumes in var lib and honestly I prefer have them outside of the system in case they become to big and for backup purpose

Not completely sure how to do that to have them in

/srv/dev-disk-by-uuid-37d059e6-8189-404a-967b-53afec96bf4f/AppData/nextcloud2

here my stack for nextcloud2?

Code

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=xxxxxxxxxxxxxxxxxxx
      - MYSQL_PASSWORD=xxxxxxxxxxxxxxxxxxxxx
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    restart: always
    ports:
      - 8088:80
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

Alles anzeigen

I've messed w/ that one a bit.. but I' ve only tried briefly to forward it through swag... the issue I ran into, I think is because the default image is based on apache, vs nginx, which is what swag is based on.

No time like the present though, hang on

Nefertiti I'm not really sure what the difference is... but here's your answer.

First, we set up swag.

version: "2.2"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - URL=kens-test.duckdns.org
      - DUCKDNSTOKEN=your-token
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - EMAIL=youremail@gmail.com
      #- CERTPROVIDER=zerossl ##use if needed
    volumes:
      - /NAS/AppData/s1:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 444:443
      - 81:80
    restart: unless-stopped

Obviously make sure you've forwarded ports Internal Ports 444 and 81 to External Ports 443 and 80, respectively.

Once you get your key... verify the swag park page is secured with SSL by navigating to https://www.your-subdomain.duckdns.org . If it's not secured, something went wrong and proceeding is kinda pointless if remote access your goal.

Now we need to build nextcloud...

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    volumes:
      - /NAS/AppData/ndb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=testing1234
      - MYSQL_PASSWORD=testing
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    restart: always
    ports:
      - 8088:80
    links:
      - db
    volumes:
      - /NAS/AppData/nc:/var/www/html
    environment:
      - MYSQL_PASSWORD=testing
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

go to 192.168.1.166:8088 and create an admin/password, then log in. Note.. this container seems to take about 5 or so minutes to setup.. so give it a minute. In case your curious, my passwords really aren't testing and testing1234.. so no need for alarm..

Once you can log in w/ your nextcloud admin account..

cd /to your swag config folder, then go nginx/proxy-confs . Here, I'm going to borrow the template Soma gave to forward the OMV webUI through swag. Once in proxy-confs, create a nextcloud.subdomain.conf file.

touch nextcloud.subdomain.conf

Then open it in nano

nano nextcloud.subdomain.conf

copy/paste the below... Pay attention only to the lines 2 ## signs. You need to edit those and then remove the 2 ## signs. Nothing else needs edited

The first one.. that will be the service name for nextcloud answers to (nctest in my case)

The second... is your OMV server IP

The third.. is the port you have Nextcloud running on.

# Conf Sample to be used by SWAG Reverse Proxy for access via HTTPS to OpenMediaVault.yourdomain.url
# Example: 'h**ps://omv.yoursubdomain.duckdns.org/'
# If 2 or more instances of OMV are running on the same network, it is necessary to create a .conf
# to each one, with different names and pointing to the proper IPs.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ##server_name nctest.*; 

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

#
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        ##set $upstream_app 192.168.1.166;
        ##set $upstream_port 8088;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        access_log off;
    }

}

Control X, then Y, then Enter to save

Restart swag (assuming swag is your swag container name)

docker restart swag

Watch the swag log and when it finishes, go to

https://servicename.yoursubdomain.duckdns.org . You're going to get an error about needing to be a trusted proxy and to contact the adminstrator.

Navigate to the folder you mapped under the nextcloud app in the nextcloud stack (In my example, /NAS/AppData/nc).. then you'll need to cd to config.

Open config.php

nano config.php

Your file should look similar to below... Note the line I added under Trusted domains ( 1 => ). Do this for your subdomain

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'oc4n7expof6t',
  'passwordsalt' => '/PCzDzzR3OtUh/PWkMIXfMcKE1C680',
  'secret' => 'TppjyQG+56BMrAPGqQu9uiZ5pGNH+Ve23B3Qh7y4YCWrqwZe',
  'trusted_domains' => 
  array (
    0 => '192.168.1.166:8088',
    1 => 'nctest.kens-test.duckdns.org',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '23.0.0.10',
  'overwrite.cli.url' => 'http://192.168.1.166:8088',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'testing',
  'installed' => true,
);

Once done, Cntrl X, then Y, then Enter to save

Restart the nextcloud container

Give it a couple minutes, then navigate to

https://servicename.subdomain.duckdns.org

And you should be presented with the nextcloud log in screen secured by SSL.

Log in as Admin, Click Settings.

You'll see a couple of "warnings" there.. none are really serious.. but I'll post hoow to fix those next.

A few solutions to some common "issues"..

Log in as Admin, Go to Settings/Overview. You'll likely notice that there are some "warnings" regarding your setup...

There are some warnings regarding your setup.

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective ISO 3166-1 code ↗ of the region to your config file.

These two are very simple fixes...

1.) Navigate to /config/swag/nginx/

2.) nano ssl.conf

3.) Remove hashtag from from the front following line.

#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

4.) Cntrl + x to save

5.) Restart swag container

Country codes are defined in following norm:

ISO 3166-1 alpha-2 - Wikipedia

1.) Navigate to /nextcloud/www/nextcloud/config

2.) nano config.php

3.) Add the following to the end, before the );

'default_phone_region' => 'COUNTRY_CODE',  

##(note: do not miss the comma on the end of this line)

4.) Restart nextcloud container

Refresh your nextcloud admin page, and those two errors should be gone.

Some users may also get this error.

There are some warnings regarding your setup.

The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation.

If you read it, this isn't an error at all and simply confirms you're accessing nextcloud from a trusted proxy. However, to clear this, is very simple.

1. navigate to /config/nextcloud/www/nextcloud/config

2. nano config.php

3. Add the following at the end, before the );

  'trusted_proxies' =>  array (    
0 => 'your.ip:8088',    
1 => 'servicename.your-subdomain.duckdns.org',  ),

4. docker restart nextcloud

5. When done, refresh your nextcloud settings page and all errors should be clear.

One final thing for you guys running duckdns. IF YOU DO NOT HAVE A STATIC PUBLIC IP ADDRESS... (or even if you do, this won't hurt)... use this compose file in a stack and adjust as needed. This will basically allow your duckdns profile to be automatically updated if your public IP ever changes... thus keeping your services online. Just adjust the lines with the # and then remove that #

version: "2.1"
services:
  duckdns:
    image: ghcr.io/linuxserver/duckdns
    container_name: duckdns
    environment:
      #- PUID=1000
      #- PGID=1000
      #- SUBDOMAINS=your_subdomain
      #- TOKEN=your_token
      - LOG_FILE=false
    volumes:
       - /etc/localtime:/etc/localtime:ro
      #- /NAS/AppData/duckdns:/config
    restart: unless-stopped

Zitat von Nefertiti

Thank you very much for those long explanation at this point what I need

since this PHP version produce

nextcloud2_app_1 instead of nexcloud

nextcloud2_db_1 instead of nextcloudb

how to modify nextcloud.conf ( changing names according nextcloud2_app_1) since I want also to keep the other nextcloud.conf and avoid conflict

also how to have the volumes at

/srv/dev-disk-by-uuid-37d059e6-8189-404a-967b-53afec96bf4f/AppData/nextcloud2?

Alles anzeigen

Gimme a second.

Nefertiti

The container names are easy. In each app, note the "container_name:" variable i put. That should change the container name (but I think you'll have to delete the old containers to make this work properly, if you've already deployed it)

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    container_name: nextcloudb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed
    volumes:
      - /NAS/AppData/ndb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=testing1234
      - MYSQL_PASSWORD=testing
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    restart: always
    container_name: nextcloud
    ports:
      - 8088:80
    links:
      - db
    volumes:
      - /NAS/AppData/nc:/var/www/html
    environment:
      - MYSQL_PASSWORD=testing
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

The Volumes.. I'm confused by your question... where are your containers mapping to other than where you've mapped them?

Zitat von Nefertiti

#1 cool

#2 yes i try to have the volumes not in var/lib

- /srv/dev-disk-by-uuid-37d059e6-8189-404a-967b-53afec96bf4f/AppData/nextcloud2/nextcloud:/var/www/html

but this is not working since the mount point is still

/var/lib/docker/volumes/nextcloud2_nextcloud/_data

Alles anzeigen

What is the output of

docker info | grep Root