hoellen/docker-nextcloud
1
0
Fork 0
mirror of https://github.com/hoellen/docker-nextcloud.git synced 2025-07-01 15:46:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hoellen:acc0a76eba370501b0ef4ed6413c94d35c768515
Branches Tags
hoellen:master hoellen:version-30 hoellen:version-29 hoellen:version-28 hoellen:version-27 hoellen:version-26 hoellen:version-25 hoellen:version-24 hoellen:version-23 hoellen:version-22
..
compare: hoellen:version-25
Branches Tags
hoellen:master hoellen:version-30 hoellen:version-29 hoellen:version-28 hoellen:version-27 hoellen:version-26 hoellen:version-25 hoellen:version-24 hoellen:version-23 hoellen:version-22

11 Commits
acc0a76eba ... version-25

Author SHA1 Message Date
Jan Wagner
84c8433c6c chore: update Nextcloud to 25.0.13 2023-10-30 10:19:38 +01:00
Jan Wagner
e4ac6877ee chore: update Nextcloud to 25.0.12 2023-09-21 15:53:51 +02:00
hoellen
ba7356184b chore: update Nextcloud to 25.0.11 2023-09-14 13:03:47 +02:00
hoellen
2df5fa9674 chore: update Nextcloud to 25.0.10 2023-08-10 12:36:04 +02:00
hoellen
ad6682a594 fix: disable snuffleupagus xxe protection 
Nextcloud now prevents loading external entities by using libxml_set_external_entity_loader.

ref:
https://github.com/nextcloud/server/pull/39490
https://github.com/hoellen/docker-nextcloud/issues/42
 2023-07-26 08:11:23 +02:00
hoellen
4448daf29e chore: update Nextcloud to 25.0.9 2023-07-21 00:18:02 +03:00
hoellen
f628650c63 chore: update Nextcloud to 25.0.8 2023-06-22 18:19:20 +02:00
hoellen
7fdf687f23 Update Nextcloud to 25.0.7 2023-05-25 21:10:00 +02:00
hoellen
b5eda66c8c chore: update Nextcloud and Alpine Linux 2023-04-20 09:39:39 +02:00
hoellen
c181d509f5 chore: update Nextcloud to 25.0.5 2023-03-27 18:44:04 +02:00
hoellen
dc50eed61b chore: split version-25 to new branch 2023-03-21 21:37:25 +01:00
9 changed files with 30 additions and 56 deletions
Expand all files Collapse all files

15
.github/workflows/build.yml vendored
View File

@ -3,9 +3,7 @@ name: build
on: on:
workflow_dispatch: workflow_dispatch:
push: push:
branches: branches: [ version-25 ]
- master
- version-*
schedule: schedule:
# Build the image regularly (each Friday) # Build the image regularly (each Friday)
- cron: '23 04 * * 5' - cron: '23 04 * * 5'
@ -29,12 +27,6 @@ jobs:
- name: Extract version for tags - name: Extract version for tags
run: | run: |
if [[ "$GITHUB_REF" == refs/heads/* ]]; then
BRANCH="${GITHUB_REF#refs/heads/}"
if [ "$BRANCH" = "master" ]; then
echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
fi
fi
echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
@ -42,7 +34,7 @@ jobs:
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@main uses: sigstore/cosign-installer@main
with: with:
cosign-release: 'v2.2.2' cosign-release: 'v1.13.1'
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
@ -61,7 +53,6 @@ jobs:
with: with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: | tags: |
${{ env.BRANCH_VERSION }}
${{ env.FULL_VERSION }} ${{ env.FULL_VERSION }}
${{ env.MAJOR_VERSION }} ${{ env.MAJOR_VERSION }}
@ -78,4 +69,4 @@ jobs:
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
env: env:
COSIGN_EXPERIMENTAL: "true" COSIGN_EXPERIMENTAL: "true"
run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

23
Dockerfile
View File

@ -1,24 +1,24 @@
# -------------- Build-time variables -------------- # -------------- Build-time variables --------------
ARG NEXTCLOUD_VERSION=28.0.4 ARG NEXTCLOUD_VERSION=25.0.13
ARG PHP_VERSION=8.2 ARG PHP_VERSION=8.1
ARG NGINX_VERSION=1.24 ARG NGINX_VERSION=1.22
ARG ALPINE_VERSION=3.19 ARG ALPINE_VERSION=3.17
ARG HARDENED_MALLOC_VERSION=11 ARG HARDENED_MALLOC_VERSION=11
ARG SNUFFLEUPAGUS_VERSION=0.10.0 ARG SNUFFLEUPAGUS_VERSION=0.8.3
ARG UID=1000 ARG UID=1000
ARG GID=1000 ARG GID=1000
# nextcloud-28.0.4.tar.bz2 # nextcloud-25.0.13.tar.bz2
ARG SHA256_SUM="9bfecee1e12fba48c49e9a71caa81c4ba10b2884787fab75d64ccfd122a13019" ARG SHA256_SUM="387bac148a696244f1ec02698a082d408283a875b3de85eb9719dd4493eebe33"
# Nextcloud Security <security@nextcloud.com> (D75899B9A724937A) # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A" ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
# --------------------------------------------------- # ---------------------------------------------------
### Build PHP base ### Build PHP base
FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
ARG SNUFFLEUPAGUS_VERSION ARG SNUFFLEUPAGUS_VERSION
@ -43,7 +43,6 @@ RUN apk -U upgrade \
gmp \ gmp \
icu \ icu \
libjpeg-turbo \ libjpeg-turbo \
librsvg \
libpq \ libpq \
libpq \ libpq \
libwebp \ libwebp \
@ -59,14 +58,12 @@ RUN apk -U upgrade \
bcmath \ bcmath \
exif \ exif \
gd \ gd \
bz2 \
intl \ intl \
ldap \ ldap \
opcache \ opcache \
pcntl \ pcntl \
pdo_mysql \ pdo_mysql \
pdo_pgsql \ pdo_pgsql \
sysvsem \
zip \ zip \
gmp \ gmp \
&& pecl install smbclient \ && pecl install smbclient \
@ -85,7 +82,7 @@ RUN apk -U upgrade \
### Build Hardened Malloc ### Build Hardened Malloc
ARG ALPINE_VERSION ARG ALPINE_VERSION
FROM docker.io/library/alpine:${ALPINE_VERSION} as build-malloc FROM alpine:${ALPINE_VERSION} as build-malloc
ARG HARDENED_MALLOC_VERSION ARG HARDENED_MALLOC_VERSION
ARG CONFIG_NATIVE=false ARG CONFIG_NATIVE=false
@ -99,7 +96,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
### Fetch nginx ### Fetch nginx
FROM docker.io/library/nginx:${NGINX_VERSION}-alpine as nginx FROM nginx:${NGINX_VERSION}-alpine as nginx
### Build Nextcloud (production environemnt) ### Build Nextcloud (production environemnt)

4
README.md
View File

@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
## Tags ## Tags
- `latest` : latest Nextcloud version - `latest` : latest Nextcloud version
- `x` : latest Nextcloud x.x (e.g. `28`) - `x` : latest Nextcloud x.x (e.g. `25`)
- `x.x.x` : Nextcloud x.x.x (e.g. `28.0.0`) - `x.x.x` : Nextcloud x.x.x (e.g. `25.0.0`)
You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud). You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
Only the **latest stable version** will be maintained by myself. Only the **latest stable version** will be maintained by myself.

8
SECURITY.md
View File

@ -7,16 +7,12 @@ and will receive the minor version updates and security patches.
| Version | Supported | | Version | Supported |
| ------- | ------------------ | | ------- | ------------------ |
| 28. x | :white_check_mark: | | 25. x | :white_check_mark: |
| 27. x | :white_check_mark: | | 24. x | :white_check_mark: |
| 26. x | :negative_squared_cross_mark: |
| 25. x | :negative_squared_cross_mark: |
| 24. x | :negative_squared_cross_mark: |
| 23. x | :negative_squared_cross_mark: | | 23. x | :negative_squared_cross_mark: |
| 22. x | :negative_squared_cross_mark: | | 22. x | :negative_squared_cross_mark: |
Please update to the latest version available. Major migrations are always tested before being pushed. Please update to the latest version available. Major migrations are always tested before being pushed.
An up-to-date list of the currently maintained Nextcloud versions can also be found in the [Nextcloud Repository Wiki](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule).
## Automated vulnerability scanning ## Automated vulnerability scanning

9
rootfs/etc/nginx/conf.d/default.conf
View File

@ -18,9 +18,10 @@ server {
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "0" always; add_header X-XSS-Protection "0" always;
location = /robots.txt { location = /robots.txt {
@ -48,7 +49,7 @@ server {
return 404; return 404;
} }
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
include /etc/nginx/fastcgi_params; include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.*)$; fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@ -61,12 +62,12 @@ server {
fastcgi_read_timeout 1200; fastcgi_read_timeout 1200;
} }
location ~ ^\/(?:updater|ocs-provider)(?:$|\/) { location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404; try_files $uri/ =404;
index index.php; index index.php;
} }
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { location ~ \.(?:css|js|svg|gif|map)$ {
try_files $uri /index.php$uri$is_args$args; try_files $uri /index.php$uri$is_args$args;
expires 6M; expires 6M;
access_log off; access_log off;

5
rootfs/etc/nginx/nginx.conf
View File

@ -9,11 +9,6 @@ events {
http { http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
# Add .mjs as a file extension for javascript
# https://github.com/nextcloud/server/pull/36057
types {
application/javascript mjs;
}
default_type application/octet-stream; default_type application/octet-stream;
access_log /nginx/logs/access.log combined; access_log /nginx/logs/access.log combined;

10
rootfs/usr/local/bin/run.sh
View File

@ -15,16 +15,6 @@ if [ "$PHP_HARDENING" == "true" ] && [ ! -f /usr/local/etc/php/conf.d/snuffleupa
cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d
fi fi
# Check if database is available
if [ -n "${DB_TYPE}" ] && [ "${DB_TYPE}" != "sqlite3" ]; then
DB_PORT=${DB_PORT:-$( [ "${DB_TYPE}" = "pgsql" ] && echo 5432 || echo 3306 )}
until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT}"
do
echo "waiting for the database container..."
sleep 1
done
fi
# If new install, run setup # If new install, run setup
if [ ! -f /nextcloud/config/config.php ]; then if [ ! -f /nextcloud/config/config.php ]; then
touch /nextcloud/config/CAN_INSTALL touch /nextcloud/config/CAN_INSTALL

8
rootfs/usr/local/bin/setup.sh
View File

@ -55,6 +55,14 @@ cat >> /nextcloud/config/autoconfig.php <<EOF;
?> ?>
EOF EOF
if [ ${DB_TYPE} != "sqlite3" ]; then
until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
do
echo "waiting for the database container..."
sleep 1
done
fi
echo "Starting automatic configuration..." echo "Starting automatic configuration..."
# Execute setup # Execute setup
(cd /nextcloud; php index.php &>/dev/null) (cd /nextcloud; php index.php &>/dev/null)

4
rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules
View File

@ -47,10 +47,6 @@ sp.disable_function.function("ini_get").param("option").value("open_basedir").fi
sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow(); sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow(); sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow();
# Nextcloud inherently enables XXE-Protection since 27.0.1, therefore, drop setting a new external entity loader
sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow();
sp.disable_function.function("libxml_set_external_entity_loader").drop();
# Harden the `chmod` function (0777 (oct = 511, 0666 = 438) # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
sp.disable_function.function("chmod").param("permissions").value("438").drop(); sp.disable_function.function("chmod").param("permissions").value("438").drop();
sp.disable_function.function("chmod").param("permissions").value("511").drop(); sp.disable_function.function("chmod").param("permissions").value("511").drop();