diff --git a/test/nextcloud/1.3.6/templates/_nginx.tpl b/test/nextcloud/1.3.6/templates/_nginx.tpl
index 3df19913a7..8adb9d9429 100644
--- a/test/nextcloud/1.3.6/templates/_nginx.tpl
+++ b/test/nextcloud/1.3.6/templates/_nginx.tpl
@@ -58,7 +58,7 @@ Formats volumeMount for tls keys and trusted certs
 {{- define "nginx.tlsKeysVolumeMount" -}}
 {{- if eq (include "nginx.certAvailable" .) "true" -}}
 - name: cert-secret-volume
-  mountPath: "/etc/nginx"
+  mountPath: "/etc/nginx-certs"
 {{- end -}}
 {{- end -}}
diff --git a/test/nextcloud/1.3.6/templates/deployment.yaml b/test/nextcloud/1.3.6/templates/deployment.yaml
index 42004b62c0..deacee17c7 100644
--- a/test/nextcloud/1.3.6/templates/deployment.yaml
+++ b/test/nextcloud/1.3.6/templates/deployment.yaml
@@ -16,14 +16,14 @@ spec: {{ include "common.deployment.common_spec" . | nindent 2 }}
         volumeMounts:
           - name: nginx-configuration
             mountPath: /etc/nginx/nginx.conf
-            subPath: config
+            subPath: nginx.conf
 {{ include "nginx.tlsKeysVolumeMount" . | nindent 10 }}
         ports:
           - name: nginx-http
             containerPort: 8000
             protocol: TCP
           - name: nginx-https
-            containerPort: 8443
+            containerPort: 443
             protocol: TCP
 {{ end }}
       - name: {{ .Chart.Name }}
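Review bot: The cert-secret-volume mount emitted by `nginx.tlsKeysVolumeMount` is writable by default, and a Secret that carries the TLS private key should be mounted read-only so a compromised nginx process cannot overwrite or swap the key material inside the pod. Adding `readOnly: true` directly under the new `mountPath: "/etc/nginx-certs"` line is enough. Moving the mount off `/etc/nginx` is presumably what keeps it from colliding with the `nginx.conf` subPath mount in the same container, so the rename itself looks right.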
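Review bot: Changing `containerPort: 8443` to `containerPort: 443` makes the nginx sidecar bind a privileged port, which only works if that container runs as root or is granted CAP_NET_BIND_SERVICE, and it is inconsistent with the http listener being moved to the unprivileged port 8000 in the same change. I would keep the container on an unprivileged port (`containerPort: 8443` here, with the matching `listen 8443 ssl http2;` in the configmap) and let the Service map external port 443 onto it via targetPort, so the sidecar can run under a non-root securityContext. The container's securityContext is not visible in this hunk, so whether it currently runs as root is inferred from the port choice alone.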
@@ -34,6 +34,9 @@ spec: {{ include "common.deployment.common_spec" . | nindent 2 }}
   {{ $envList = mustAppend $envList (dict "name" "POSTGRES_HOST" "value" (printf "%s:5432" (include "common.names.fullname" $postgres_values))) }}
   {{ $envList = mustAppend $envList (dict "name" "POSTGRES_DB" "value" (include "postgres.DatabaseName" .)) }}
   {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_DATA_DIR" "value" .Values.nextcloud.datadir) }}
+  {{ $envList = mustAppend $envList (dict "name" "APACHE_DISABLE_REWRITE_IP" "value" "1") }}
+  {{ $envList = mustAppend $envList (dict "name" "OVERWRITEHOST" "value" "ssh.sonicaj.com:39001") }}
+  {{ $envList = mustAppend $envList (dict "name" "OVERWRITEPROTOCOL" "value" "https") }}
   {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_TRUSTED_DOMAINS" "value" .Values.nextcloud.host) }}
   {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_ADMIN_USER" "valueFromSecret" true "secretName" $secretName "secretKey" "nextcloud-username") }}
   {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_ADMIN_PASSWORD" "valueFromSecret" true "secretName" $secretName "secretKey" "nextcloud-password") }}
@@ -74,6 +77,7 @@ spec: {{ include "common.deployment.common_spec" . | nindent 2 }}
         configMap:
           defaultMode: 0700
           name: "nginx-configuration"
+{{ include "nginx.tlsKeysVolume" . | nindent 8 }}
 {{ if .Values.appVolumeMounts }}
 {{ include "common.storage.configureAppVolumes" .Values | nindent 8 }}
 {{ end }}
diff --git a/test/nextcloud/1.3.6/templates/nginx-configmap.yaml b/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
index adb71910c3..721c89c058 100644
--- a/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
+++ b/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
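Review bot: `OVERWRITEHOST` is set to the literal `ssh.sonicaj.com:39001`, which looks like a developer's own endpoint; every release rendered from this chart will have Nextcloud build absolute URLs and login redirects pointing at that host. It should be driven from values the way `NEXTCLOUD_TRUSTED_DOMAINS` is two lines below, e.g. `{{ $envList = mustAppend $envList (dict "name" "OVERWRITEHOST" "value" .Values.nextcloud.host) }}`. `OVERWRITEPROTOCOL` is likewise unconditionally `https`, which will break logins whenever `nginx.certAvailable` is false and the app is served over plain http, so it should be gated on the same condition (the `nginx.scheme` helper the configmap already calls may yield the right value). Separately, `APACHE_DISABLE_REWRITE_IP=1` switches off the image's remoteip handling, so, if I read the official nextcloud image entrypoint correctly, Apache will record the sidecar's loopback address as the client for every request and Nextcloud's brute-force throttling and audit logs lose the real client IP; setting `TRUSTED_PROXIES` to `127.0.0.1` instead of disabling the rewrite keeps the `X-Forwarded-For` that nginx sends honoured.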
@@ -4,12 +4,13 @@ metadata:
   name: "nginx-configuration"
 data:
   protocol: {{ include "nginx.scheme" . }}
-  config: |-
+  nginx.conf: |-
+    events {}
     http {
       # redirects all http requests to https requests
       server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
+        listen 8000 default_server;
+        listen [::]:8000 default_server;
         return 301 https://$host$request_uri;
       }
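Review bot: The http listener's `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header, because this `server` block is `default_server` with no `server_name`, so a request carrying a forged Host gets a 301 to an attacker-chosen domain (host-header injection turned into an open redirect). `$host` also never includes a port, so if the https side is published on a non-443 port the redirect silently drops it. Redirecting to the configured host instead, `return 301 https://{{ .Values.nextcloud.host }}$request_uri;`, addresses both, assuming `.Values.nextcloud.host` (already used for `NEXTCLOUD_TRUSTED_DOMAINS` in the deployment) holds the public host and port. The https `server` block of this `http {}` section continues outside the hunk.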
@@ -19,35 +20,85 @@ data: listen 443 ssl http2; listen [::]:433 ssl http2; - ssl_certificate /etc/nginx/public.crt - ssl_certificate_key /etc/nginx/private.key + ssl_certificate '/etc/nginx-certs/public.crt'; + ssl_certificate_key '/etc/nginx-certs/private.key'; - ssl_session_timeout 120m; - ssl_session_cache shared:ssl:16m; + # ssl_session_timeout 120m; + # ssl_session_cache shared:ssl:16m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; + # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + # ssl_prefer_server_ciphers on; + # ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; - add_header Strict-Transport-Security max-age=31536000; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1"; + # add_header Strict-Transport-Security max-age=31536000; + # add_header X-Content-Type-Options nosniff; + # add_header X-XSS-Protection "1"; # maximum 3GB Upload File; change to fit your needs client_max_body_size 3G; + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + location / { + proxy_pass http://localhost; + proxy_http_version 1.1; + proxy_cache_bypass $http_upgrade; + proxy_request_buffering off; + + # Proxy headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + # proxy_redirect http://localhost 
https://ssh.sonicaj.com:39001; + + # Proxy timeouts + proxy_connect_timeout 60s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header Connection keep-alive; + # proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header Host $http_host; + + # we don't want nginx trying to do something clever with + + # redirects, we set the Host: header above already. + # proxy_redirect off; + # proxy_pass http://localhost:80; + # We clear this as we will be adding it in our reverse proxy - more_clear_headers 'Strict-Transport-Security'; - proxy_pass http://localhost:80; + # more_clear_headers 'Strict-Transport-Security'; + # proxy_pass http://localhost:80; # set proper x-forwarded-headers # proxy_set_header 'X-Forwarded-Host' nextcloud.domain.tld; # proxy_set_header 'X-Forwarded-Proto' https; # -For and -IP: # see https://stackoverflow.com/questions/19366090/what-is-the-difference-between-x-forwarded-for-and-x-forwarded-ip - proxy_set_header 'X-Forwarded-For' $remote_addr; - proxy_set_header 'X-Forwarded-IP' $remote_addr; + # proxy_set_header 'X-Forwarded-For' $remote_addr; + # proxy_set_header 'X-Forwarded-IP' $remote_addr; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } } diff --git a/test/nextcloud/1.3.6/templates/service.yaml b/test/nextcloud/1.3.6/templates/service.yaml index 6b1e42f273..14c751eada 100644 --- a/test/nextcloud/1.3.6/templates/service.yaml +++ b/test/nextcloud/1.3.6/templates/service.yaml 
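Review bot: The TLS and response-header hardening is commented out rather than fixed: with `ssl_protocols`, `ssl_session_cache` and the `add_header` lines disabled, the accepted protocol set now depends on whatever the nginx image's build defaults to (older builds still enable TLSv1 and TLSv1.1), and HSTS and `X-Content-Type-Options` are no longer sent by the proxy. The original `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` was itself too permissive, so the block should be restored as TLS 1.2/1.3 only, with the headers marked `always` so they are also emitted on error responses. The unchanged context line `listen [::]:433 ssl http2;` has a typo (433 instead of 443), so the IPv6 listener is not on the https port at all. Dropping `X-XSS-Protection` is fine since browsers have retired it. The enclosing `server {` opens before this hunk.
```yaml
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate '/etc/nginx-certs/public.crt';
        ssl_certificate_key '/etc/nginx-certs/private.key';

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_timeout 120m;
        ssl_session_cache shared:ssl:16m;
        ssl_session_tickets off;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;

        # … unchanged: client_max_body_size, well-known redirects, location / proxy block …
```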
@@ -1,7 +1,7 @@
 {{ $svc := .Values.service }}
 {{ $ports := list }}
 {{ if eq (include "nginx.certAvailable" .) "true" }}
-{{ $ports = mustAppend $ports (dict "name" "nginx-https" "port" 8443 "nodePort" $svc.nodePort) }}
+{{ $ports = mustAppend $ports (dict "name" "nginx-https" "targetPort" 443 "port" 443 "nodePort" $svc.nodePort) }}
 {{ else }}
 {{ $ports = mustAppend $ports (dict "name" "http" "port" 80 "nodePort" $svc.nodePort) }}
 {{ end }}
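Review bot: `"targetPort" 443` repeats the nginx container's port as a bare number, so deployment.yaml and service.yaml can drift silently the next time the sidecar port moves (this change already moved it once, from 8443). Referencing the named container port instead, `"targetPort" "nginx-https"`, ties the Service to whatever `containerPort` the deployment declares under that name; this assumes the common ports helper passes targetPort through unchanged, which is not visible here. The `else` branch still publishes port 80 with no targetPort, which is only correct if that path reaches the Nextcloud container directly rather than the nginx http listener that now sits on 8000.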