From 7611471834f85524171c98920963bf75db006d9f Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Fri, 4 Feb 2022 20:56:04 +0100
Subject: [PATCH 01/19] disable legacy X-XSS-Protection

Obsolete, unsafe, and superseded by CSP
---
 rootfs/etc/nginx/conf.d/default.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rootfs/etc/nginx/conf.d/default.conf b/rootfs/etc/nginx/conf.d/default.conf
index 0ce67f8..f5c6608 100644
--- a/rootfs/etc/nginx/conf.d/default.conf
+++ b/rootfs/etc/nginx/conf.d/default.conf
@@ -22,7 +22,7 @@ server {
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Permitted-Cross-Domain-Policies "none" always;
     add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-XSS-Protection "0" always;
 
     location = /robots.txt {
         allow all;

From df476c0dc42b807848ddbb3348ff45bd016afd3b Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Fri, 4 Mar 2022 01:10:43 +0100
Subject: [PATCH 02/19] remove unused build-time variables

we always use the latest anyway
---
 Dockerfile | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 88bbf9b..c0e29b9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,9 +13,6 @@ ARG GID=1000
 ### Build PHP base
 FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
 
-ARG APCU_VERSION
-ARG REDIS_VERSION
-
 RUN apk -U upgrade \
   && apk add -t build-deps \
     $PHPIZE_DEPS \

From 2ac3ec67f2a20e98807e7b22a195fdefeddfc194 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Fri, 4 Mar 2022 17:09:03 +0100
Subject: [PATCH 03/19] proper integrity check

---
 Dockerfile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c0e29b9..e30472f 100644
--- a/Dockerfile
+++ b/Dockerfile
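Review bot: `X-XSS-Protection "0"` is the right value — explicitly switching the legacy auditor off is what current guidance recommends — but nothing in this hunk shows the Content-Security-Policy the subject line says supersedes it, so whether every response served from this `server` block actually carries a CSP cannot be confirmed from the change (Nextcloud is generally expected to emit its own CSP from PHP, but static files served directly by nginx would get only the headers listed here — worth confirming). A short comment above the directive would keep a later reader from "fixing" it back to `1; mode=block`: `# X-XSS-Protection deliberately 0: the legacy auditor is gone from current browsers and was itself abusable; CSP is the replacement`. The `server` block starts before this hunk.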
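Review bot: Removing `APCU_VERSION`/`REDIS_VERSION` because "we always use the latest" presumably leaves the `pecl install` lines further down this RUN (outside the hunk) unpinned, which makes the image non-reproducible and extends the build's trust boundary to whatever PECL serves on a given Friday — the opposite of the SHA-256/GPG pinning this series applies to the Nextcloud tarball in the very next patch. If tracking latest is the intent, keep the ARGs with pinned defaults that the weekly build bumps, or at least record the versions actually installed (`pecl list` in the build log or an image label) so two builds can be compared. The RUN instruction continues past the end of this hunk.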
@@ -8,6 +8,10 @@ ARG HARDENED_MALLOC_VERSION=11
 ARG UID=1000
 ARG GID=1000
 
+
+# nextcloud-23.0.2.tar.bz2
+ARG SHA256_SUM="9e02462d38eaab6457fca8077bd46fe78c3aaad442e91a6e12e32fa7d51bc4ee"
+ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
 # ---------------------------------------------------
 
 ### Build PHP base
@@ -95,7 +99,8 @@ COPY --from=nginx /etc/nginx /etc/nginx
 COPY --from=build-malloc /tmp/hardened_malloc/out-light/libhardened_malloc-light.so /usr/local/lib/
 
 ARG NEXTCLOUD_VERSION
-ARG GPG_nextcloud="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
+ARG SHA256_SUM
+ARG GPG_FINGERPRINT
 ARG UID
 ARG GID
 
@@ -117,17 +122,16 @@ RUN apk --no-cache add \
     s6 \
   && NEXTCLOUD_TARBALL="nextcloud-${NEXTCLOUD_VERSION}.tar.bz2" && cd /tmp \
   && wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL} \
-  && wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.sha512 \
   && wget -q https://download.nextcloud.com/server/releases/${NEXTCLOUD_TARBALL}.asc \
   && wget -q https://nextcloud.com/nextcloud.asc \
   && echo "Verifying both integrity and authenticity of ${NEXTCLOUD_TARBALL}..." \
-  && CHECKSUM_STATE=$(echo -n $(sha512sum -c ${NEXTCLOUD_TARBALL}.sha512) | tail -c 2) \
+  && CHECKSUM_STATE=$(echo -n $(echo "${SHA256_SUM} ${NEXTCLOUD_TARBALL}" | sha256sum -c) | tail -c 2) \
   && if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Error: checksum does not match" && exit 1; fi \
   && gpg --import nextcloud.asc \
   && FINGERPRINT="$(LANG=C gpg --verify ${NEXTCLOUD_TARBALL}.asc ${NEXTCLOUD_TARBALL} 2>&1 \
     | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
   && if [ -z "${FINGERPRINT}" ]; then echo "Error: invalid GPG signature!" && exit 1; fi \
-  && if [ "${FINGERPRINT}" != "${GPG_nextcloud}" ]; then echo "Error: wrong GPG fingerprint" && exit 1; fi \
+  && if [ "${FINGERPRINT}" != "${GPG_FINGERPRINT}" ]; then echo "Error: wrong GPG fingerprint" && exit 1; fi \
   && echo "All seems good, now unpacking ${NEXTCLOUD_TARBALL}..." \
   && mkdir /nextcloud && tar xjf ${NEXTCLOUD_TARBALL} --strip 1 -C /nextcloud \
   && apk del gnupg && rm -rf /tmp/* /root/.gnupg \

From d451bcf1ef2865c1f75bff3d40806ea362fc5b45 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Fri, 4 Mar 2022 18:49:36 +0100
Subject: [PATCH 04/19] mention gpg key user id

---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index e30472f..2436cfd 100644
--- a/Dockerfile
+++ b/Dockerfile
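Review bot: The fingerprint comparison on the new `GPG_FINGERPRINT` line depends on scraping gpg's human-readable `Primary key fingerprint:` line, which gpg only prints as part of the "key is not certified with a trusted signature" warning — it is not a stable interface, and if the key ever ends up trusted in the build keyring (or the wording changes) `FINGERPRINT` comes back empty and the build fails for the wrong reason; the `echo -n $(...) | tail -c 2` parse of `sha256sum -c` output has the same smell when the exit status already says OK/FAIL. The machine-readable status interface avoids both: feed `--status-fd 1` and match a `VALIDSIG` line whose last field is the pinned primary-key fingerprint (without spaces), and let `sha256sum -c -` fail the `&&` chain directly. Two details to check when applying this: `sha256sum -c` input conventionally has two spaces between digest and filename (this page shows one, which may be collapsed whitespace), and very old gpg builds omit the trailing primary-key fingerprint on `VALIDSIG`, so the `$` anchor needs gpg 2.x — fine on Alpine 3.15. The RUN instruction starts before this hunk and continues after it.

```dockerfile
  && echo "${SHA256_SUM}  ${NEXTCLOUD_TARBALL}" | sha256sum -c - \
  && gpg --import nextcloud.asc \
  && LANG=C gpg --status-fd 1 --verify ${NEXTCLOUD_TARBALL}.asc ${NEXTCLOUD_TARBALL} \
     | grep -E "^\[GNUPG:\] VALIDSIG .* $(echo "${GPG_FINGERPRINT}" | tr -d ' ')$" >/dev/null \
     || { echo "Error: invalid GPG signature or unexpected signing key"; exit 1; } \
  # … unchanged: "All seems good" echo, mkdir/tar, apk del gnupg, cleanup …
```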
@@ -11,6 +11,8 @@ ARG GID=1000
 
 # nextcloud-23.0.2.tar.bz2
 ARG SHA256_SUM="9e02462d38eaab6457fca8077bd46fe78c3aaad442e91a6e12e32fa7d51bc4ee"
+
+# Nextcloud Security (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
 # ---------------------------------------------------
 

From bce0750e6e6a74b04d924cc199de2d626f9db281 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Sat, 5 Mar 2022 18:01:06 +0100
Subject: [PATCH 05/19] refactor build workflow, support signing

---
 .github/workflows/build.yml | 78 ++++++++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0afb3f9..76b3d15 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,44 +8,66 @@ on:
     # Build the image regularly (each Friday)
     - cron: '23 04 * * 5'
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository_owner }}/nextcloud
+
 jobs:
   build:
-    name: Build, scan & push
-    runs-on: "ubuntu-20.04"
+    name: Build, push & sign
+    runs-on: "ubuntu-latest"
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
 
-      - name: Build an image from Dockerfile
+      - name: Extract version for tags
         run: |
-          docker build \
-            -t ghcr.io/${{ github.actor }}/nextcloud \
-            -t ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6) \
-            -t ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2) \
-            .
+          echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
+          echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@main
         with:
-          image-ref: 'ghcr.io/${{ github.actor }}/nextcloud'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
-          vuln-type: "os"
+          cosign-release: 'v1.6.0'
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
         with:
-          sarif_file: 'trivy-results.sarif'
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GHCR_TOKEN }}
 
-      - name: Login to the registry
-        run: >-
-          echo "${{ secrets.GITHUB_TOKEN }}"
-          | docker login -u "${{ github.actor }}" --password-stdin ghcr.io
+      - name: Set Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            latest
+            ${{ env.FULL_VERSION }}
+            ${{ env.MAJOR_VERSION }}
 
-      - name: Push image to GitHub
-        run: |
-          docker push ghcr.io/${{ github.actor }}/nextcloud
-          docker push ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)
-          docker push ghcr.io/${{ github.actor }}/nextcloud:$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

From eceef9c4ac5677495f238d0eaf9d26b3e60e8bf6 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Sun, 6 Mar 2022 16:38:27 +0100
Subject: [PATCH 06/19] fix setup: do not wait for db if using sqlite3

---
 rootfs/usr/local/bin/setup.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rootfs/usr/local/bin/setup.sh b/rootfs/usr/local/bin/setup.sh
index fef6342..2d962a4 100755
--- a/rootfs/usr/local/bin/setup.sh
+++ b/rootfs/usr/local/bin/setup.sh
@@ -55,11 +55,13 @@ cat >> /nextcloud/config/autoconfig.php < EOF
 EOF
 
-until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
-do
+if [ ${DB_TYPE} != "sqlite3" ]; then
+  until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
+  do
     echo "waiting for the database container..."
     sleep 1
-done
+  done
+fi
 
 echo "Starting automatic configuration..."
 # Execute setup

From 6e8e9619ed8b0ab76438906a87fb8dd2d8e3882c Mon Sep 17 00:00:00 2001
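Review bot: `head -c6` on the new `FULL_VERSION` line truncates by byte count, so a release with a two-digit patch number (`23.0.10`) would be tagged `23.0.1` — an existing, different version — and the same will bite `head -c2` for the major tag if the major ever grows a digit; take the whole value with `| head -n1` for `FULL_VERSION` and `| cut -d. -f1` for `MAJOR_VERSION` instead. Two supply-chain points in the same hunk: the login step moves from the job-scoped `GITHUB_TOKEN` (which the removed lines show was used for this registry) to a long-lived `secrets.GHCR_TOKEN` while the job still declares `packages: write` — unless the package can no longer be pushed with `GITHUB_TOKEN`, prefer the short-lived token and drop the PAT; and `sigstore/cosign-installer@main` is a mutable ref for the very tool that produces the image signature (the `@v1`/`@v2`/`@v3` action tags are mutable too), so pin it to a commit SHA with the tag in a trailing comment. The `on:` block this hunk opens in star`ts before the hunk.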
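Review bot: `${DB_TYPE}` is unquoted in the new `if [ ${DB_TYPE} != "sqlite3" ]` test, so an empty or unset `DB_TYPE` turns it into `[ != sqlite3 ]`, which is a test syntax error rather than a "not sqlite" decision; quote it: `if [ "${DB_TYPE}" != "sqlite3" ]; then`. The Dockerfile gives `DB_TYPE` a default of `sqlite3`, but a user-supplied empty value (`-e DB_TYPE=`) still reaches this line. Unrelated to the fix but visible here: the `until nc -z …` loop has no timeout, so a wrong `DB_HOST` hangs setup forever; a bounded retry count with a clear error would fail faster.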
From: Wonderfall
Date: Sat, 5 Mar 2022 19:24:30 +0100
Subject: [PATCH 07/19] add note about signed images

---
 README.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index dc65903..99b8ae7 100644
--- a/README.md
+++ b/README.md
@@ -9,9 +9,16 @@ This non-official image is intended as an **all-in-one** (as in monolithic) Next
 ## Security
 Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself.
 
-Images are scanned every day by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Latest tag/version is automatically built weekly, so you should often update your images regardless if you're already using the latest Nextcloud version.
+- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability.
+- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.
+- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.
+- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:
 
-If you're building manually, you should always build production images without cache (use `docker build --no-cache` for instance). Latest dependencies will hence be used instead of outdated ones due to a cached layer.
+```
+COSIGN_EXPERIMENTAL=true cosign verify ghcr.io/wonderfall/nextcloud
+```
+
+Verifying the signature isn't a requirement, and might not be as seamless as using *Docker Content Trust* (which is not supported by GitHub's OCI registry). However, it's strongly recommended to do so in a sensitive environment to ensure the authenticity of the images and further limit the risk of supply chain attacks.
 
 ## Features
 - Fetching PHP/nginx from their official images.

From 7974e544911545a2b08b63f27acc141cf94a1490 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Sun, 6 Mar 2022 20:52:13 +0100
Subject: [PATCH 08/19] support and enable snuffleupagus

---
 Dockerfile                                    |   9 +-
 README.md                                     |   4 +-
 rootfs/usr/local/bin/run.sh                   |   6 +
 .../php/snuffleupagus/nextcloud-php8.rules    | 126 ++++++++++++++++++
 .../etc/php/snuffleupagus/snuffleupagus.ini   |   2 +
 5 files changed, 145 insertions(+), 2 deletions(-)
 create mode 100644 rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
 create mode 100644 rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini

diff --git a/Dockerfile b/Dockerfile
index 2436cfd..e215e88 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ ARG NGINX_VERSION=1.20
 ARG ALPINE_VERSION=3.15
 ARG HARDENED_MALLOC_VERSION=11
+ARG SNUFFLEUPAGUS_VERSION=0.7.1
 ARG UID=1000
 ARG GID=1000
 
 
@@ -19,10 +20,13 @@ ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
 ### Build PHP base
 FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
 
+ARG SNUFFLEUPAGUS_VERSION
+
 RUN apk -U upgrade \
   && apk add -t build-deps \
     $PHPIZE_DEPS \
     freetype-dev \
+    git \
     gmp-dev \
     icu-dev \
     libjpeg-turbo-dev \
@@ -70,8 +74,10 @@ RUN apk -U upgrade \
     smbclient \
     redis \
     imagick \
+  && cd /tmp && git clone --depth 1 --branch v${SNUFFLEUPAGUS_VERSION} https://github.com/jvoisin/snuffleupagus \
+  && cd snuffleupagus/src && phpize && ./configure --enable-snuffleupagus && make && make install \
   && apk del build-deps \
-  && rm -rf /var/cache/apk/*
+  && rm -rf /var/cache/apk/* /tmp/*
 
 ### Build Hardened Malloc
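Review bot: The Snuffleupagus source is fetched with `git clone --depth 1 --branch v${SNUFFLEUPAGUS_VERSION}` and compiled straight into the PHP process with no integrity check, while the Nextcloud tarball in this same series gets a pinned SHA-256 plus a GPG fingerprint check — a git tag is a mutable reference, so a force-pushed or compromised tag on GitHub silently changes the code that runs inside every PHP request. Pin the commit the tag resolves to and fail closed if it differs, e.g. add `ARG SNUFFLEUPAGUS_COMMIT=<sha of the v0.7.1 tag>` beside the version and, right after the clone, `&& [ "$(git rev-parse HEAD)" = "${SNUFFLEUPAGUS_COMMIT}" ] || exit 1`, or fetch the release tarball and check it against a pinned `sha256sum` exactly like the Nextcloud download. The RUN instruction starts before this hunk.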
@@ -115,6 +121,7 @@ ENV UPLOAD_MAX_SIZE=10G \
     CRON_MEMORY_LIMIT=1g \
     DB_TYPE=sqlite3 \
     DOMAIN=localhost \
+    PHP_HARDENING=true \
     LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so /usr/lib/preloadable_libiconv.so"
 
 RUN apk --no-cache add \
diff --git a/README.md b/README.md
index 99b8ae7..5676231 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to
 - **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability.
 - **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.
 - **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.
+- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: it that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and open an issue. You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
 - **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:
 
 ```
@@ -54,7 +55,7 @@ Only the **latest stable version** will be maintained by myself.
 For convenience they were put at [the very top of the Dockerfile](https://github.com/hoellen/docker-nextcloud/blob/master/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself.
 
-## Environment variables (Dockerfile)
+## Environment variables (Dockerfile defaults, used at runtime)
 
 | Variable | Description | Default |
 | ------------------------- | --------------------------- | ------------------ |
@@ -65,6 +66,7 @@ For convenience they were put at [the very top of the Dockerfile](https://github
 | **CRON_MEMORY_LIMIT** | cron max memory usage | 1G |
 | **DB_TYPE** | sqlite3, mysql, pgsql | sqlite3 |
 | **DOMAIN** | host domain | localhost |
+| **PHP_HARDENING** | enables snuffleupagus | true |
 
 Leave them at default if you're not sure what you're doing.
 
diff --git a/rootfs/usr/local/bin/run.sh b/rootfs/usr/local/bin/run.sh
index a5869a9..45a15ed 100644
--- a/rootfs/usr/local/bin/run.sh
+++ b/rootfs/usr/local/bin/run.sh
@@ -9,6 +9,12 @@ sed -i -e "s//$APC_SHM_SIZE/g" /usr/local/etc/php/conf.d/apcu.ini
         -e "s//$UPLOAD_MAX_SIZE/g" /etc/nginx/nginx.conf /usr/local/etc/php-fpm.conf \
         -e "s//$MEMORY_LIMIT/g" /usr/local/etc/php-fpm.conf
 
+# Enable Snuffleupagus
+if [ "$PHP_HARDENING" == "true" ] && [ ! -f /usr/local/etc/php/conf.d/snuffleupagus.ini ]; then
+  echo "Enabling Snuffleupagus..."
+  cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d
+fi
+
 # If new install, run setup
 if [ ! -f /nextcloud/config/config.php ]; then
   touch /nextcloud/config/CAN_INSTALL
diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
new file mode 100644
index 0000000..6f3c2ca
--- /dev/null
+++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
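Review bot: The new block only ever adds the Snuffleupagus ini files — the `! -f .../snuffleupagus.ini` guard makes it idempotent across restarts, but no branch removes them, so a container that once started with `PHP_HARDENING=true` keeps the module loaded after the variable is flipped to `false`; the README's "before recreating the container" wording papers over this, but the script itself could make the variable authoritative on every start. Also, `==` inside `[ ]` is a bash extension; the shebang is outside this hunk, so if `run.sh` runs under `/bin/sh` use the POSIX `=` (the rewrite below does). Overwriting with `cp` on each start is harmless, so the existence guard can go.

```sh
# Enable or disable Snuffleupagus according to PHP_HARDENING on every start
if [ "$PHP_HARDENING" = "true" ]; then
  echo "Enabling Snuffleupagus..."
  cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d
else
  rm -f /usr/local/etc/php/conf.d/snuffleupagus.ini /usr/local/etc/php/conf.d/nextcloud-php8.rules
fi
# … unchanged: new-install setup …
```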
@@ -0,0 +1,126 @@
+# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io),
+# for php8.
+# It contains "reasonable" defaults that won't break your websites,
+# and a lot of commented directives that you can enable if you want to
+# have a better protection.
+
+# Harden the PRNG
+sp.harden_random.enable();
+
+# Disabled XXE
+sp.disable_xxe.enable();
+
+# Global configuration variables
+# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
+
+# Globally activate strict mode
+# https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
+# sp.global_strict.enable();
+
+# Prevent unserialize-related exploits
+# sp.unserialize_hmac.enable();
+
+# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
+# sp.readonly_exec.enable();
+
+# PHP has a lot of wrappers, most of them aren't usually useful, you should
+# only enable the ones you're using.
+# sp.wrappers_whitelist.list("file,php,phar");
+
+# Prevent sloppy comparisons.
+# sp.sloppy_comparison.enable();
+
+# Use SameSite on session cookie
+# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
+sp.cookie.name("PHPSESSID").samesite("lax");
+
+# Nextcloud whitelist (tested with Nextcloud 23.0.2)
+sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
+sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename("/nextcloud/lib/base.php").allow();
+sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
+
+# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
+sp.disable_function.function("chmod").param("permissions").value("438").drop();
+sp.disable_function.function("chmod").param("permissions").value("511").drop();
+
+# Prevent various `mail`-related vulnerabilities
+sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
+
+# Since it's now burned, me might as well mitigate it publicly
+sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
+
+# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
+sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
+
+# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
+sp.disable_function.function("extract").param("array").value_r("^_").drop()
+sp.disable_function.function("extract").param("flags").value("0").drop()
+
+# This is also burned:
+# ini_set('open_basedir','..');chdir('..');…;chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/etc/passwd'));
+# Since we have no way of matching on two parameters at the same time, we're
+# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
+# Moreover, there are non-public bypasses that are also using this vector ;)
+sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
+
+# Prevent various `include`-related vulnerabilities
+sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
+
+# Prevent `system`-related injections
+sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
+
+# Prevent runtime modification of interesting things
+sp.disable_function.function("ini_set").param("option").value("assert.active").drop();
+sp.disable_function.function("ini_set").param("option").value("zend.assertions").drop();
+sp.disable_function.function("ini_set").param("option").value("memory_limit").drop();
+sp.disable_function.function("ini_set").param("option").value("include_path").drop();
+sp.disable_function.function("ini_set").param("option").value("open_basedir").drop();
+
+# Detect some backdoors via environment recon
+sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").drop();
+sp.disable_function.function("ini_get").param("option").value("open_basedir").drop();
+sp.disable_function.function("ini_get").param("option").value_r("suhosin").drop();
+sp.disable_function.function("function_exists").param("function").value("eval").drop();
+sp.disable_function.function("function_exists").param("function").value("exec").drop();
+sp.disable_function.function("function_exists").param("function").value("system").drop();
+sp.disable_function.function("function_exists").param("function").value("shell_exec").drop();
+sp.disable_function.function("function_exists").param("function").value("proc_open").drop();
+sp.disable_function.function("function_exists").param("function").value("passthru").drop();
+sp.disable_function.function("is_callable").param("value").value("eval").drop();
+sp.disable_function.function("is_callable").param("value").value("exec").drop();
+sp.disable_function.function("is_callable").param("value").value("system").drop();
+sp.disable_function.function("is_callable").param("value").value("shell_exec").drop();
+sp.disable_function.function("is_callable").param("value").value("proc_open").drop();
+sp.disable_function.function("is_callable").param("value").value("passthru").drop();
+
+# Ghetto error-based sqli detection
+# sp.disable_function.function("mysql_query").ret("FALSE").drop();
+# sp.disable_function.function("mysqli_query").ret("FALSE").drop();
+# sp.disable_function.function("PDO::query").ret("FALSE").drop();
+
+# Ensure that certificates are properly verified
+sp.disable_function.function("curl_setopt").param("value").value("1").allow();
+sp.disable_function.function("curl_setopt").param("value").value("2").allow();
+# `81` is SSL_VERIFYHOST and `64` SSL_VERIFYPEER
+sp.disable_function.function("curl_setopt").param("option").value("64").drop().alias("Please don't turn CURLOPT_SSL_VERIFYCLIENT off.");
+sp.disable_function.function("curl_setopt").param("option").value("81").drop().alias("Please don't turn CURLOPT_SSL_VERIFYHOST off.");
+
+# File upload
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
+sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
+
+# Logging lockdown
+sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
+sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
\ No newline at end of file
diff --git a/rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini b/rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini
new file mode 100644
index 0000000..27fe107
--- /dev/null
+++ b/rootfs/usr/local/etc/php/snuffleupagus/snuffleupagus.ini
@@ -0,0 +1,2 @@
+extension=snuffleupagus.so
+sp.configuration_file=/usr/local/etc/php/conf.d/nextcloud-php8.rules
\ No newline at end of file

From 33dc46def219e60e7d56df20227114efa7e072f5 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 8 Mar 2022 00:22:22 +0100
Subject: [PATCH 09/19] snuffleupagus: enable global_strict

---
 rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
index 6f3c2ca..2a442f3 100644
--- a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
+++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
@@ -15,7 +15,7 @@ sp.disable_xxe.enable();
 
 # Globally activate strict mode
 # https://www.php.net/manual/en/language.types.declarations.php#language.types.declarations.strict
-# sp.global_strict.enable();
+sp.global_strict.enable();
 
 # Prevent unserialize-related exploits
 # sp.unserialize_hmac.enable();
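Review bot: The whitelist entry `sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();` carries no `param("command")` constraint, and because Snuffleupagus applies the first rule that matches (the include/require block later in this same file relies on exactly that ordering), the later `proc_open ... value_r("[$|;&`…]").drop()` rule never sees a call made from that file — anything that can influence a command string there gets a free pass through the shell-metacharacter filter. If the call is the fixed terminal-size `stty` probe I believe it is, narrow the allow to it, e.g. `.param("command").value_r("^stty ")` before the `.filename(...)`, and confirm against the vendored file. Separately, `sp.cookie.name("PHPSESSID").samesite("lax")` is likely a no-op here, since Nextcloud names its session cookie after the instance id rather than PHPSESSID — worth checking the cookie names in a browser and either adjusting or dropping the line. The Nextcloud-specific allows would also read better with a one-line reason each, e.g. `# Terminal.php probes terminal size via proc_open (occ / console); command is fixed`.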
@@ -123,4 +123,4 @@ sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").
 # Logging lockdown
 sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
 sp.disable_function.function("ini_set").param("option").value_r("error_reporting").drop()
-sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
\ No newline at end of file
+sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()

From 9a30d0ff02affb86e1180fcc7aa5cd4b3f469f58 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 8 Mar 2022 00:23:09 +0100
Subject: [PATCH 10/19] snuffleupagus: enable sloppy_comparison

---
 rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
index 2a442f3..8d4c413 100644
--- a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
+++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
@@ -28,7 +28,7 @@ sp.global_strict.enable();
 # sp.wrappers_whitelist.list("file,php,phar");
 
 # Prevent sloppy comparisons.
-# sp.sloppy_comparison.enable();
+sp.sloppy_comparison.enable();
 
 # Use SameSite on session cookie
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery

From f7aded2aebd6ad7580eb1a4c81e9c402eec091fe Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 8 Mar 2022 00:41:37 +0100
Subject: [PATCH 11/19] chown not necessary here

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index e215e88..08eb206 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -145,7 +145,7 @@ RUN apk --no-cache add \
   && mkdir /nextcloud && tar xjf ${NEXTCLOUD_TARBALL} --strip 1 -C /nextcloud \
   && apk del gnupg && rm -rf /tmp/* /root/.gnupg \
   && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" nextcloud \
-  && chown -R nextcloud:nextcloud /nextcloud
+  && chown -R nextcloud:nextcloud /nextcloud/config
 
 COPY --chown=nextcloud:nextcloud rootfs /
 

From 2c662e7862d1644d2f73c3c916ff2cd376dd7f15 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 8 Mar 2022 01:21:14 +0100
Subject: [PATCH 12/19] snuffleupagus: fix broken "Basic settings" access

---
 rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
index 8d4c413..dfb972f 100644
--- a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
+++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
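Review bot: Narrowing the recursive `chown` to `/nextcloud/config` is a good least-privilege move — application code under `/nextcloud` stays root-owned, so a compromised PHP worker cannot rewrite it — but the hunk leaves unanswered who owns `/nextcloud/apps2` and `/nextcloud/themes`, which the `VOLUME` line further down this Dockerfile declares and which app installation writes to; if `rootfs/` ships those directories the `COPY --chown` two lines below covers them, otherwise they need a chown here or a fix-up at start. A comment on the changed line would spare the next reader the search, e.g. `# only config/ is writable by the app user; code under /nextcloud stays root-owned on purpose`. The RUN instruction starts before this hunk.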
@@ -39,6 +39,9 @@ sp.disable_function.function("function_exists").param("function").value("proc_op
 sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename("/nextcloud/lib/base.php").allow();
 sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
+sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
+sp.disable_function.function("ini_get").param("option").value_r("suhosin").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
+sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/apps2/twofactor_webauthn/vendor/symfony/process/ExecutableFinder.php").allow();
 
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 sp.disable_function.function("chmod").param("permissions").value("438").drop();

From 8c11184ba1dd3dbcc3e3fe2c4c506409b7b6cc9b Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 8 Mar 2022 18:23:38 +0100
Subject: [PATCH 13/19] follow OCI spec for labels

---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 08eb206..e7ebf7b 100644
--- a/Dockerfile
+++ b/Dockerfile
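Review bot: The third new allow is keyed on `/nextcloud/apps2/twofactor_webauthn/vendor/symfony/process/ExecutableFinder.php`, a path under `/nextcloud/apps2`, which the Dockerfile declares as a `VOLUME` and which is written to at runtime by app installs — so unlike the two allows under the root-owned `3rdparty/` tree, this one can be satisfied by anyone able to place a file at that path. For `ini_get("open_basedir")` that is low impact (recon only), but it deserves a comment saying so, e.g. `# apps2/ is a writable volume: only recon-only functions may be allowed under it`, and the distinction matters before any `exec`/`proc_open`/`ini_set` allow is ever added under `apps2/`. The "Nextcloud whitelist" block this hunk extends begins before the hunk.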
@@ -159,8 +159,9 @@ VOLUME /data /nextcloud/config /nextcloud/apps2 /nextcloud/themes
 
 EXPOSE 8888
 
-LABEL description="A server software for creating file hosting services" \
-      nextcloud="Nextcloud v${NEXTCLOUD_VERSION}" \
-      maintainer="Hoellen "
+LABEL org.opencontainers.image.description="All-in-one Nextcloud image, based on Alpine Linux" \
+      org.opencontainers.image.version="${NEXTCLOUD_VERSION}" \
+      org.opencontainers.image.authors="Hoellen " \
+      org.opencontainers.image.source="https://github.com/hoellen/docker-nextcloud"
 
 CMD ["run.sh"]

From 1ffd4462141e6a79c8a353b653985efeb57a2b33 Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 15 Mar 2022 17:04:53 +0100
Subject: [PATCH 14/19] ensure JIT is disabled

It was disabled by default (jit_buffer_size=0 by default), but this setting makes sure JIT is unavailable at runtime. While JIT may bring minor performance improvements, this is not worth the risk of being exposed to tons of bugs due to JIT code complexity.
---
 rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini b/rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini
index d77112b..c855e11 100644
--- a/rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini
+++ b/rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini
@@ -6,3 +6,5 @@ opcache.memory_consumption=
 opcache.interned_strings_buffer=16
 opcache.max_accelerated_files=10000
 opcache.revalidate_freq=60
+opcache.jit=disable
+opcache.jit_buffer_size=0

From a906f113b5cfa8c63cee594507e52a508183014b Mon Sep 17 00:00:00 2001
From: Wonderfall
Date: Tue, 15 Mar 2022 18:38:36 +0100
Subject: [PATCH 15/19] Update SECURITY.md

---
 SECURITY.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 9889485..3ed6460 100644
--- a/SECURITY.md
+++ b/SECURITY.md
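Review bot: `org.opencontainers.image.source` points at `https://github.com/hoellen/docker-nextcloud`, while the README and SECURITY.md in this same series refer to `Wonderfall/docker-nextcloud` and the signed image is `ghcr.io/wonderfall/nextcloud`; GHCR uses this label to link a package to its source repository, so a consumer checking provenance is sent to a different repository than the one that built and signed the image. Set it to the repository that actually produces the image — or rely on `docker/metadata-action`, which the workflow in this series already wires in via `labels: ${{ steps.meta.outputs.labels }}` and which likely overrides this static value on CI builds (manual `docker build` runs would still carry the wrong one). The `authors` value also appears to have lost its email part on this page and is worth rechecking in the source.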
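Review bot: The two new keys carry none of the rationale from the commit message, and this ini file is where the next maintainer who wants the JIT back will look first; put it above them as a comment, e.g. `; JIT kept off on purpose: the small speed-up is not worth the JIT's bug and attack surface (see commit 1ffd446)`. `opcache.jit=disable` on its own already makes the JIT unavailable at runtime (unlike `off`, it cannot be re-enabled by `ini_set`), so `opcache.jit_buffer_size=0` is belt-and-braces — fine to keep, but say so in the same comment.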
@@ -1,14 +1,22 @@ # Security Policy -## Supported Versions +## Supported versions -As of now, only the latest stable version will be supported. +As of now, only the latest stable version is supported. | Version | Supported | | ------- | ------------------ | -| 21. x | :white_check_mark: | +| 23. x | :white_check_mark: | +| 22. x | :x: | +| 21. x | :x: | -## Reporting a Vulnerability +Please update to the latest version available. Major migrations are always tested before being pushed. + +## Automated vulnerability scanning + +Uploaded images are regularly scanned for [OS vulnerabilities](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning). + +## Reporting a vulnerability *Upstream* vulnerabilities should be reported to *upstream* projects according to their own security policies. From 0b3b86dfffd612b3f2631ab82ef5f86d59050250 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sat, 19 Mar 2022 07:08:10 +0100 Subject: [PATCH 16/19] snuffleupagus: fix basic settings on new installs --- rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules | 1 + 1 file changed, 1 insertion(+) diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules index dfb972f..4f7a602 100644 --- a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules +++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules 
@@ -42,6 +42,7 @@ sp.disable_function.function("ini_get").param("option").value("open_basedir").fi sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow(); sp.disable_function.function("ini_get").param("option").value_r("suhosin").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow(); sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/apps2/twofactor_webauthn/vendor/symfony/process/ExecutableFinder.php").allow(); +sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/symfony/process/ExecutableFinder.php").allow(); # Harden the `chmod` function (0777 (oct = 511, 0666 = 438) sp.disable_function.function("chmod").param("permissions").value("438").drop(); From 79d99eb02f387ed9a21e1eeaab7df77549d433dc Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Mon, 21 Mar 2022 20:23:29 +0100 Subject: [PATCH 17/19] iconv workaround no longer needed Official PHP image now includes it by default for Alpine --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e7ebf7b..f24aee9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -122,11 +122,10 @@ ENV UPLOAD_MAX_SIZE=10G \ DB_TYPE=sqlite3 \ DOMAIN=localhost \ PHP_HARDENING=true \ - LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so /usr/lib/preloadable_libiconv.so" + LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so" RUN apk --no-cache add \ gnupg \ - gnu-libiconv \ pcre \ s6 \ && NEXTCLOUD_TARBALL="nextcloud-${NEXTCLOUD_VERSION}.tar.bz2" && cd /tmp \ From 425b04ad03a3557d0d04aeb961f32056536e205e Mon Sep 17 00:00:00 2001 
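Review bot: The new rule is the third allow for `ini_get("open_basedir")` and the second for a vendored `symfony/process/ExecutableFinder.php`, yet none of them records which Nextcloud code path needs it; the commit title ("fix basic settings on new installs") suggests this one fires during initial setup, and that belongs in the file rather than only in git history. Suggest a comment above it: `# symfony/process ExecutableFinder (core 3rdparty copy) reads open_basedir; hit on fresh installs`. Note that this only permits reading the option; if the `proc_open` that symfony/process presumably performs afterwards ever needs an exception, it should be a separate, deliberately reviewed rule rather than a widening of this one.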
From: hoellen Date: Thu, 5 May 2022 21:56:17 +0200 Subject: [PATCH 18/19] Update README.md and SECURITY.md --- README.md | 115 +++++++++++++++++++++++++++++++++++----------------- SECURITY.md | 9 ++-- 2 files changed, 83 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 5676231..c9a75ae 100644 --- a/README.md +++ b/README.md 
@@ -3,80 +3,115 @@ Nextcloud [official website](https://nextcloud.com/) and [source code](https://github.com/nextcloud). -## Why this image? -This non-official image is intended as an **all-in-one** (as in monolithic) Nextcloud **production** image. It is based on the [Wondefall/docker-nextcloud](https://github.com/Wonderfall/docker-nextcloud) image. If you're not sure you want this image, you should probably use [the official image](https://hub.docker.com/r/nextcloud). +## About +This non-official image is intended as an **all-in-one** (as in monolithic) Nextcloud **production** image. If you're not sure you want this image, you should probably use [the official image](https://hub.docker.com/r/nextcloud). The main goal is to provide an easy-to-use image with decent security standards. This repository is mainly based on [Wondefall/docker-nextcloud](https://github.com/Wonderfall/docker-nextcloud). -## Security -Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself. +Check out Nextcloud [official website](https://nextcloud.com/) and [source code](https://github.com/nextcloud). -- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. -- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version. -- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer. -- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. 
This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: it that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and open an issue. You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container. -- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well: +___ -``` -COSIGN_EXPERIMENTAL=true cosign verify ghcr.io/wonderfall/nextcloud -``` - -Verifying the signature isn't a requirement, and might not be as seamless as using *Docker Content Trust* (which is not supported by GitHub's OCI registry). However, it's strongly recommended to do so in a sensitive environment to ensure the authenticity of the images and further limit the risk of supply chain attacks. +* [Features](#features) +* [Security](#security) +* [Tags](#tags) +* [Build-time variables](#build-time-variables) +* [Environment variables](#environment-variables) + * [Runtime](#runtime) + * [Startup](#startup) +* [Volumes](#volumes) +* [Ports](#ports) +* [Migration](#migration) +* [Usage](#usage) ## Features + +- Based on [Alpine Linux](https://alpinelinux.org/). - Fetching PHP/nginx from their official images. - **Rootless**: no privilege at any time, even at startup. -- Includes **hardened_malloc**, a hardened memory allocator. 
+- Uses [s6](https://skarnet.org/software/s6/) as a lightweight process supervisor. +- Supports MySQL/MariaDB, PostgresQL and SQLite3 database backends. +- Includes OPcache and APCu for improved caching & performance, also supports redis. +- Tarball integrity & authenticity checked during build process. +- Includes **hardened_malloc**, [a hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc). +- Includes **Snuffleupagus**, [a PHP security module](https://github.com/jvoisin/snuffleupagus). - Includes a simple **built-in cron** system. - Much easier to maintain thanks to multi-stages build. - Does not include imagick, samba, etc. by default. You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs. +## Security + +Don't run random images from random dudes on the Internet. Ideally, you want to maintain and build it yourself. + +- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. +- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version. +- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer. +- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. 
This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container. +- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well: + +``` +COSIGN_EXPERIMENTAL=true cosign verify ghcr.io/hoellen/nextcloud +``` + +Verifying the signature isn't a requirement, and might not be as seamless as using *Docker Content Trust* (which is not supported by GitHub's OCI registry). However, it's strongly recommended to do so in a sensitive environment to ensure the authenticity of the images and further limit the risk of supply chain attacks. + ## Tags + - `latest` : latest Nextcloud version -- `x` : latest Nextcloud x.x (e.g. `21`) -- `x.x.x` : Nextcloud x.x.x (e.g. `21.0.2`) +- `x` : latest Nextcloud x.x (e.g. `24`) +- `x.x.x` : Nextcloud x.x.x (e.g. `24.0.0`) You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud). Only the **latest stable version** will be maintained by myself. +*Note: automated builds only target `linux/amd64` (x86_64). 
There is no technical reason preventing the image to be built for `arm64` (in fact you can build it yourself), but GitHub Actions runners are limited in memory, and this limit makes it currently impossible to target both platforms.* + ## Build-time variables -| Variable | Description | -| --------------------------- | -------------------------- | -| **NEXTCLOUD_VERSION** | version of Nextcloud | -| **ALPINE_VERSION** | version of Alpine Linux | -| **PHP_VERSION** | version of PHP | -| **NGINX_VERSION** | version of nginx | -| **APCU_VERSION** | version of APCu (php ext) | -| **REDIS_VERSION** | version of redis (php ext) | -| **HARDENED_MALLOC_VERSION** | version of hardened_malloc | -| **CONFIG_NATIVE** | native code for hmalloc | -| **UID** | user id (default: 1000) | -| **GID** | group id (default: 1000) | -For convenience they were put at [the very top of the Dockerfile](https://github.com/hoellen/docker-nextcloud/blob/master/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself. 
+| Variable | Description | Default | +| --------------------------- | -------------------------------------- | ------------------ | +| **NEXTCLOUD_VERSION** | version of Nextcloud | * | +| **ALPINE_VERSION** | version of Alpine Linux | * | +| **PHP_VERSION** | version of PHP | * | +| **NGINX_VERSION** | version of nginx | * | +| **HARDENED_MALLOC_VERSION** | version of hardened_malloc | * | +| **SNUFFLEUPAGUS_VERSION** | version of Snuffleupagus (php ext) | * | +| **SHA256_SUM** | checksum of Nextcloud tarball (sha256) | * | +| **GPG_FINGERPRINT** | fingerprint of Nextcloud GPG key | * | +| **UID** | user id | 1000 | +| **GID** | group id | 1000 | +| **CONFIG_NATIVE** | native code for hardened_malloc | false | +| **VARIANT** | variant of hardened_malloc (see repo) | light | -## Environment variables (Dockerfile defaults, used at runtime) +*\* latest known available, likely to change regularly* + +For convenience they were put at [the very top of the Dockerfile](https://github.com/Wonderfall/docker-nextcloud/blob/main/Dockerfile#L1-L13) and their usage should be quite explicit if you intend to build this image yourself. If you intend to change `NEXTCLOUD_VERSION`, change `SHA256_SUM` accordingly. + +## Environment variables + +### Runtime | Variable | Description | Default | | ------------------------- | --------------------------- | ------------------ | | **UPLOAD_MAX_SIZE** | file upload maximum size | 10G | | **APC_SHM_SIZE** | apc shared memory size | 128M | +| **OPCACHE_MEM_SIZE** | opcache available memory | 128M | | **MEMORY_LIMIT** | max php command mem usage | 512M | | **CRON_PERIOD** | cron time interval (min.) | 5m | | **CRON_MEMORY_LIMIT** | cron max memory usage | 1G | | **DB_TYPE** | sqlite3, mysql, pgsql | sqlite3 | -| **DOMAIN** | host domain | localhost | +| **DOMAIN** | host domain | localhost | | **PHP_HARDENING** | enables snuffleupagus | true | Leave them at default if you're not sure what you're doing. 
-## Environment variables (used by setup.sh) +### Startup | Variable | Description | | ------------------------- | --------------------------- | | **ADMIN_USER** | admin username | | **ADMIN_PASSWORD** | admin password | -| **DB_TYPE** | sqlit3, mysql, pgsql | +| **DB_TYPE** | sqlite3, mysql, pgsql | | **DB_NAME** | name of the database | | **DB_USER** | name of the database user | | **DB_PASSWORD** | password of the db user | 
@@ -87,24 +122,29 @@ Leave them at default if you're not sure what you're doing. The usage of [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) will be considered in the future, but `config.php` already covers quite a lot. ## Volumes + | Variable | Description | | ------------------------- | -------------------------- | | **/data** | data files | | **/nextcloud/config** | config files | | **/nextcloud/apps2** | 3rd-party apps | | **/nextcloud/themes** | custom themes | +| **/php/session** | PHP session files | + +*Note: mounting `/php/session` isn't required but could be desirable in some circumstances.* ## Ports + | Port | Use | | ------------------------- | -------------------------- | | **8888** (tcp) | Nextcloud web | - A reverse proxy like [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/) can be used, and you should consider: - Redirecting all HTTP traffic to HTTPS - Setting the [HSTS header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) correctly -## Migration from the legacy image +## Migration + From now on you'll need to make sure all volumes have proper permissions. The default UID/GID is now 1000, so you'll need to build the image yourself if you want to change that, or you can just change the actual permissions of the volumes using `chown -R 1000:1000`. The flexibility provided by the legacy image came at some cost (performance & security), therefore this feature won't be provided anymore. Other changes that should be reflected in your configuration files: @@ -114,5 +154,6 @@ Other changes that should be reflected in your configuration files: You should edit your `docker-compose.yml` and `config.php` accordingly. -## Get started +## Usage + *To do.* diff --git a/SECURITY.md b/SECURITY.md index 3ed6460..e4e1e8e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,13 +2,14 @@ ## Supported versions -As of now, only the latest stable version is supported. +All versions of the Nextcloud community version which still receive updates will be supported +and will receive the minor version updates and security patches. | Version | Supported | | ------- | ------------------ | +| 24. x | :white_check_mark: | | 23. x | :white_check_mark: | -| 22. x | :x: | -| 21. x | :x: | +| 22. x | :white_check_mark: | Please update to the latest version available. Major migrations are always tested before being pushed. @@ -25,4 +26,4 @@ Regarding vulnerabilities specific to this project: - Unsafe defaults - Dependencies security updates -Those can be disclosed in private to `wonderfall@pm.me` or `wonderfall:targaryen.house` on Matrix (preferred). +Those can be disclosed in private to `dev@hoellen.eu`. From 7905e3a7c420d344b43a97dabe3097ea759944a0 Mon Sep 17 00:00:00 2001 From: hoellen Date: Thu, 5 May 2022 21:57:09 +0200 Subject: [PATCH 19/19] Update to Nextcloud 24.0.0 --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index f24aee9..d9f0d89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # -------------- Build-time variables -------------- -ARG NEXTCLOUD_VERSION=23.0.3 +ARG NEXTCLOUD_VERSION=24.0.0 ARG PHP_VERSION=8.0 ARG NGINX_VERSION=1.20 @@ -10,8 +10,8 @@ ARG SNUFFLEUPAGUS_VERSION=0.7.1 ARG UID=1000 ARG GID=1000 -# nextcloud-23.0.2.tar.bz2 -ARG SHA256_SUM="9e02462d38eaab6457fca8077bd46fe78c3aaad442e91a6e12e32fa7d51bc4ee" +# nextcloud-24.0.0.tar.bz2 +ARG SHA256_SUM="176cb5620f20465fb4759bdf3caaebeb7acff39d6c8630351af9f8738c173780" # Nextcloud Security (D75899B9A724937A) ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"