Merge ec5ddfc310 into 1b0c1fb747

.github/workflows/build.yml

@@ -8,7 +8,7 @@ on:
       - version-*
   schedule:
     # Build the image regularly (each Friday)
-    - cron: "23 04 * * 5"
+    - cron: '23 04 * * 5'
 
 env:
   REGISTRY: ghcr.io
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v2
 
       - name: Extract version for tags
         run: |
@@ -37,14 +37,16 @@ jobs:
 
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v4.1.1
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.2.2'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v1
 
       - name: Login to registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@v1
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -52,7 +54,7 @@ jobs:
 
       - name: Set Docker metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@v3
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -62,26 +64,26 @@ jobs:
 
       - name: Build and export Docker image to Docker
         id: build
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v2
         with:
           load: true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test
           context: .
 
       - name: Test Docker image
-        id: test
+        id: test-image
         run: |
-          docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing && \
+          docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test && \
-          sleep 5 && docker exec nextcloud occ status && \
+          docker exec nextcloud occ status && \
           nc -z localhost 8888
 
       - name: Push Docker image
         id: push
         if: github.event_name != 'pull_request'
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v2
         with:
           context: .
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 

.github/workflows/scan.yml

@@ -3,27 +3,27 @@ name: scan
 on:
   schedule:
     # Scan the image regularly (once a day)
-    - cron: "45 03 * * *"
+    - cron: '45 03 * * *'
 
 jobs:
   build:
     name: Scan current image & report results
-    runs-on: "ubuntu-24.04"
+    runs-on: "ubuntu-20.04"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "ghcr.io/${{ github.actor }}/nextcloud"
+          image-ref: 'ghcr.io/${{ github.actor }}/nextcloud'
-          format: "template"
+          format: 'template'
-          template: "@/contrib/sarif.tpl"
+          template: '@/contrib/sarif.tpl'
-          output: "trivy-results.sarif"
+          output: 'trivy-results.sarif'
-          severity: "CRITICAL,HIGH"
+          severity: 'CRITICAL,HIGH'
           vuln-type: "os"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v1
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,27 +1,29 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=33.0.3
+ARG NEXTCLOUD_VERSION=30.0.5
-ARG PHP_VERSION=8.4
+ARG PHP_VERSION=8.3
-ARG NGINX_VERSION=1.28
+ARG NGINX_VERSION=1.26
 
-ARG ALPINE_VERSION=3.23
+ARG ALPINE_VERSION=3.21
-ARG HARDENED_MALLOC_VERSION=14
+ARG HARDENED_MALLOC_VERSION=11
-ARG SNUFFLEUPAGUS_VERSION=0.13.0
+ARG SNUFFLEUPAGUS_VERSION=0.10.0
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-33.0.3.tar.bz2
+# nextcloud-30.0.5.tar.bz2
-ARG SHA256_SUM="5c1052f860b35aa56b24bc2613a6bea0c22313b9fbd02bb0247c1f0b9dbf77d2"
+ARG SHA256_SUM="248c6e6e612ceeeb170c4d25b8579b0af0e6613abdfa07f2fe6993426b781bea"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
 # ---------------------------------------------------
 
 ### Build PHP base
-FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} AS base
+FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
 
 ARG SNUFFLEUPAGUS_VERSION
 
+ENV IMAGICK_SHA 28f27044e435a2b203e32675e942eb8de620ee58
+
 RUN apk -U upgrade \
  && apk add -t build-deps \
         $PHPIZE_DEPS \
@@ -72,7 +74,8 @@ RUN apk -U upgrade \
  && pecl install smbclient \
  && pecl install APCu \
  && pecl install redis \
- && pecl install imagick \
+ && curl -L -o /tmp/imagick.tar.gz https://github.com/Imagick/imagick/archive/${IMAGICK_SHA}.tar.gz && tar --strip-components=1 -xf /tmp/imagick.tar.gz && phpize && ./configure && make && make install \
+ && apk add --no-cache --virtual .imagick-runtime-deps imagemagick \
  && docker-php-ext-enable \
         smbclient \
         redis \
@@ -85,26 +88,25 @@ RUN apk -U upgrade \
 
 ### Build Hardened Malloc
 ARG ALPINE_VERSION
-FROM docker.io/library/alpine:${ALPINE_VERSION} AS build-malloc
+FROM docker.io/library/alpine:${ALPINE_VERSION} as build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
 ARG VARIANT=light
 
-RUN apk --no-cache add build-base git openssh && cd /tmp \
+RUN apk --no-cache add build-base git gnupg && cd /tmp \
- && wget -q -O - https://github.com/thestinger.keys | while read -r key; do echo "thestinger@github.com $key"; done > allowed_signers \
+ && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
- && git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers && git init hardened_malloc && cd hardened_malloc \
+ && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
- && git fetch --depth 1 https://github.com/GrapheneOS/hardened_malloc tag ${HARDENED_MALLOC_VERSION} \
+ && cd hardened_malloc && git verify-tag $(git describe --tags) \
- && git checkout FETCH_HEAD && git verify-tag $(git describe --tags) \
  && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
 
 
 ### Fetch nginx
-FROM docker.io/library/nginx:${NGINX_VERSION}-alpine${ALPINE_VERSION} AS nginx
+FROM docker.io/library/nginx:${NGINX_VERSION}-alpine as nginx
 
 
 ### Build Nextcloud (production environemnt)
-FROM base AS nextcloud
+FROM base as nextcloud
 
 COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
 COPY --from=nginx /etc/nginx /etc/nginx

README.md

@@ -35,7 +35,7 @@ ___
 - Includes **Snuffleupagus**, [a PHP security module](https://github.com/jvoisin/snuffleupagus).
 - Includes a simple **built-in cron** system.
 - Much easier to maintain thanks to multi-stages build.
-- Includes imagick and smbclient for extended file handling and SMB/CIFS support.
+- Does not include imagick, samba, etc. by default.
 
 You're free to make your own image based on this one if you want a specific feature. Uncommon features won't be included as they can increase attack surface: this image intends to stay **minimal**, but **functional enough** to cover basic needs.
 
@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
 ## Tags
 
 - `latest` : latest Nextcloud version
-- `x` : latest Nextcloud x.x (e.g. `33`)
+- `x` : latest Nextcloud x.x (e.g. `30`)
-- `x.x.x` : Nextcloud x.x.x (e.g. `33.0.0`)
+- `x.x.x` : Nextcloud x.x.x (e.g. `30.0.0`)
 
 You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
 Only the **latest stable version** will be maintained by myself.

SECURITY.md

@@ -6,13 +6,10 @@ All versions of the Nextcloud community version which still receive updates will
 and will receive the minor version updates and security patches.
 
 | Version | Supported          |
-| ------- | ----------------------------- |
+| ------- | ------------------ |
-| 33. x   | :white_check_mark:            |
+| 30. x   | :white_check_mark: |
-| 32. x   | :white_check_mark:            |
+| 29. x   | :white_check_mark: |
-| 31. x   | :negative_squared_cross_mark: |
+| 28. x   | :white_check_mark: |
-| 30. x   | :negative_squared_cross_mark: |
-| 29. x   | :negative_squared_cross_mark: |
-| 28. x   | :negative_squared_cross_mark: |
 | 27. x   | :negative_squared_cross_mark: |
 | 26. x   | :negative_squared_cross_mark: |
 | 25. x   | :negative_squared_cross_mark: |
@@ -29,10 +26,9 @@ Uploaded images are regularly scanned for [OS vulnerabilities](https://github.co
 
 ## Reporting a vulnerability
 
-_Upstream_ vulnerabilities should be reported to _upstream_ projects according to their own security policies.
+*Upstream* vulnerabilities should be reported to *upstream* projects according to their own security policies.
 
 Regarding vulnerabilities specific to this project:
-
 - Faulty configuration files
 - Unsafe defaults
 - Dependencies security updates

rootfs/etc/nginx/conf.d/default.conf

@@ -1,21 +1,27 @@
+map $http_x_forwarded_port $nc_port {
+  default "$http_x_forwarded_port";
+  ''      "$server_port";
+}
+
+map $http_x_forwarded_proto $nc_proto {
+  default "$http_x_forwarded_proto";
+  ''      "$scheme";
+}
+
 server {
         listen 8888;
-        listen [::]:8888;
         root /nextcloud;
 
-        # Emit relative redirects (protocol handled by reverse proxy)
-        absolute_redirect off;
-
         fastcgi_buffers 64 4K;
         fastcgi_hide_header X-Powered-By;
         large_client_header_buffers 4 16k;
-        client_body_timeout 300s;
 
         add_header Referrer-Policy "no-referrer" always;
         add_header X-Content-Type-Options "nosniff" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Permitted-Cross-Domain-Policies "none" always;
         add_header X-Robots-Tag "noindex, nofollow" always;
+        add_header X-XSS-Protection "0" always;
 
         location = /robots.txt {
             allow all;
@@ -24,18 +30,14 @@ server {
         }
 
         location ^~ /.well-known {
-            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/carddav   { return 301 $nc_proto://$host/remote.php/dav/; }
-            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav    { return 301 $nc_proto://$host/remote.php/dav/; }
-
+            location ^~ /.well-known          { return 301 $nc_proto://$host/index.php$uri;  }
-            return 301 /index.php$request_uri;
+            try_files $uri $uri/ =404;
         }
 
         location / {
-            rewrite ^ /index.php$request_uri;
+            rewrite ^ /index.php$uri;
-        }
-
-        location /remote {
-            return 301 /remote.php$request_uri;
         }
 
         location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
@@ -46,9 +48,9 @@ server {
             return 404;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy)\.php(?:$|\/) {
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
             include /etc/nginx/fastcgi_params;
-            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            fastcgi_split_path_info ^(.+\.php)(/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
             fastcgi_param PATH_INFO $fastcgi_path_info;
             fastcgi_param modHeadersAvailable true;
@@ -59,20 +61,25 @@ server {
             fastcgi_read_timeout 1200;
         }
 
-        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|jpeg|png|webp|wasm|tflite|map|ogg|flac|mp4|webm)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
-            try_files $uri /index.php$request_uri;
+            try_files $uri /index.php$uri$is_args$args;
             expires 6M;
             access_log off;
         }
 
-        location ~ \.(otf|woff2?)$ {
+        location ~ \.(otf|woff2)?$ {
-            try_files $uri /index.php$request_uri;
+            try_files $uri /index.php$uri$is_args$args;
             expires 7d;
             access_log off;
         }
+
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+            try_files $uri /index.php$uri$is_args$args;
+            access_log off;
+        }
 }

rootfs/usr/local/etc/php/conf.d/docker-php-ext-opcache.ini

@@ -1,6 +1,7 @@
 zend_extension=opcache.so
 opcache.enable=1
 opcache.enable_cli=1
+opcache.fast_shutdown=1
 opcache.memory_consumption=<OPCACHE_MEM_SIZE>
 opcache.interned_strings_buffer=16
 opcache.max_accelerated_files=10000