Update nginx configuration for https nextcloud access

a19715fb · sonicaj · bcab69f0 · a19715fb · a19715fb · a19715fb
Commit a19715fb authored Oct 12, 2021 by sonicaj
4 changed files
--- a/test/nextcloud/1.3.6/templates/_nginx.tpl
+++ b/test/nextcloud/1.3.6/templates/_nginx.tpl
@@ -58,7 +58,7 @@ Formats volumeMount for tls keys and trusted certs
 {{- define "nginx.tlsKeysVolumeMount" -}}
 {{- if eq (include "nginx.certAvailable" .) "true" -}}
 - name: cert-secret-volume
-  mountPath: "/etc/nginx"
+  mountPath: "/etc/nginx-certs"
 {{- end -}}
 {{- end -}}


--- a/test/nextcloud/1.3.6/templates/deployment.yaml
+++ b/test/nextcloud/1.3.6/templates/deployment.yaml
@@ -16,14 +16,14 @@ spec: {{ include "common.deployment.common_spec" . | nindent 2 }}
        volumeMounts:
          - name: nginx-configuration
            mountPath: /etc/nginx/nginx.conf
-            subPath: config
+            subPath: nginx.conf
          {{ include "nginx.tlsKeysVolumeMount" . | nindent 10 }}
        ports:
          - name: nginx-http
            containerPort: 8000
            protocol: TCP
          - name: nginx-https
-            containerPort: 8443
+            containerPort: 443
            protocol: TCP
      {{ end }}
      - name: {{ .Chart.Name }}
@@ -34,6 +34,9 @@ spec: {{ include "common.deployment.common_spec" . | nindent 2 }}
        {{ $envList = mustAppend $envList (dict "name" "POSTGRES_HOST" "value" (printf "%s:5432" (include "common.names.fullname" $postgres_values))) }}
        {{ $envList = mustAppend $envList (dict "name" "POSTGRES_DB" "value" (include "postgres.DatabaseName" .)) }}
        {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_DATA_DIR" "value" .Values.nextcloud.datadir) }}
+        {{ $envList = mustAppend $envList (dict "name" "APACHE_DISABLE_REWRITE_IP" "value" "1") }}
+        {{ $envList = mustAppend $envList (dict "name" "OVERWRITEHOST" "value" "ssh.sonicaj.com:39001") }}
+        {{ $envList = mustAppend $envList (dict "name" "OVERWRITEPROTOCOL" "value" "https") }}
        {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_TRUSTED_DOMAINS" "value" .Values.nextcloud.host) }}
        {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_ADMIN_USER" "valueFromSecret" true "secretName" $secretName "secretKey" "nextcloud-username") }}
        {{ $envList = mustAppend $envList (dict "name" "NEXTCLOUD_ADMIN_PASSWORD" "valueFromSecret" true "secretName" $secretName "secretKey" "nextcloud-password") }}
@@ -74,6 +77,7 @@ spec: {{ include "common.deployment.common_spec" . | nindent 2 }}
          configMap:
            defaultMode: 0700
            name: "nginx-configuration"
+{{ include "nginx.tlsKeysVolume" . | nindent 8 }}
 {{ if .Values.appVolumeMounts }}
 {{ include "common.storage.configureAppVolumes" .Values | nindent 8 }}
 {{ end }}

--- a/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
+++ b/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
@@ -4,12 +4,13 @@ metadata:
  name: "nginx-configuration"
 data:
  protocol: {{ include "nginx.scheme" . }}
-  config: |-
+  nginx.conf: |-
+    events {}
    http {
      # redirects all http requests to https requests
      server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
+        listen 8000 default_server;
+        listen [::]:8000 default_server;
        return 301 https://$host$request_uri;
      }

@@ -19,35 +20,85 @@ data:
        listen 443 ssl http2;
        listen [::]:433 ssl http2;

-        ssl_certificate /etc/nginx/public.crt
-        ssl_certificate_key /etc/nginx/private.key
+        ssl_certificate '/etc/nginx-certs/public.crt';
+        ssl_certificate_key '/etc/nginx-certs/private.key';

-        ssl_session_timeout 120m;
-        ssl_session_cache   shared:ssl:16m;
+        # ssl_session_timeout 120m;
+        # ssl_session_cache   shared:ssl:16m;

-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
+        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        # ssl_prefer_server_ciphers on;
+        # ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

-        add_header Strict-Transport-Security max-age=31536000;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1";
+        # add_header Strict-Transport-Security max-age=31536000;
+        # add_header X-Content-Type-Options nosniff;
+        # add_header X-XSS-Protection "1";


        # maximum 3GB Upload File; change to fit your needs
        client_max_body_size 3G;

+        location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+        }
+
+        location = /.well-known/carddav {
+          return 301 $scheme://$host/remote.php/dav;
+        }
+
+        location = /.well-known/caldav {
+          return 301 $scheme://$host/remote.php/dav;
+        }
+
        location / {
+          proxy_pass http://localhost;
+          proxy_http_version                 1.1;
+          proxy_cache_bypass                 $http_upgrade;
+          proxy_request_buffering            off;
+
+          # Proxy headers
+          proxy_set_header Upgrade           $http_upgrade;
+          proxy_set_header Connection        "upgrade";
+          proxy_set_header Host              $http_host;
+          proxy_set_header X-Real-IP         $remote_addr;
+          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto https;
+          proxy_set_header X-Forwarded-Host  $host;
+          proxy_set_header X-Forwarded-Port  $server_port;
+          # proxy_redirect http://localhost https://ssh.sonicaj.com:39001;
+
+          # Proxy timeouts
+          proxy_connect_timeout              60s;
+          proxy_send_timeout                 60s;
+          proxy_read_timeout                 60s;
+
+
+          # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          # proxy_set_header Connection keep-alive;
+          # proxy_set_header X-Forwarded-Proto $scheme;
+          # proxy_set_header Host $http_host;
+
+          # we don't want nginx trying to do something clever with
+
+          # redirects, we set the Host: header above already.
+          # proxy_redirect off;
+          # proxy_pass http://localhost:80;
+
          # We clear this as we will be adding it in our reverse proxy
-          more_clear_headers 'Strict-Transport-Security';
-          proxy_pass http://localhost:80;
+          # more_clear_headers 'Strict-Transport-Security';
+          # proxy_pass http://localhost:80;
          # set proper x-forwarded-headers
          # proxy_set_header 'X-Forwarded-Host' nextcloud.domain.tld;
          # proxy_set_header 'X-Forwarded-Proto' https;
          # -For and -IP:
          # see https://stackoverflow.com/questions/19366090/what-is-the-difference-between-x-forwarded-for-and-x-forwarded-ip
-          proxy_set_header 'X-Forwarded-For' $remote_addr;
-          proxy_set_header 'X-Forwarded-IP' $remote_addr;
+          # proxy_set_header 'X-Forwarded-For' $remote_addr;
+          # proxy_set_header 'X-Forwarded-IP' $remote_addr;
+          # proxy_set_header Host $host;
+          # proxy_set_header X-Real-IP $remote_addr;
+          # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
    }
--- a/test/nextcloud/1.3.6/templates/service.yaml
+++ b/test/nextcloud/1.3.6/templates/service.yaml
 {{ $svc := .Values.service }}
 {{ $ports := list }}
 {{ if eq (include "nginx.certAvailable" .) "true" }}
-{{ $ports = mustAppend $ports (dict "name" "nginx-https" "port" 8443 "nodePort" $svc.nodePort) }}
+{{ $ports = mustAppend $ports (dict "name" "nginx-https" "targetPort" 443 "port" 443 "nodePort" $svc.nodePort) }}
 {{ else }}
 {{ $ports = mustAppend $ports (dict "name" "http" "port" 80 "nodePort" $svc.nodePort) }}
 {{ end }}