mirror of
https://github.com/hoellen/docker-nextcloud.git
synced 2025-07-04 17:16:11 +00:00
Compare commits
13 Commits
version-25
...
0ee4012ae6
| Author | SHA1 | Date | |
|---|---|---|---|
| 0ee4012ae6 | |||
| 18da631215 | |||
| e627d1fd4c | |||
| 86012886af | |||
| de096e78a4 | |||
| 2d3fd8f5c3 | |||
| 9070495ad0 | |||
| 4ba3589149 | |||
| a7ba180598 | |||
| 4ea95f826a | |||
| 8451b3d94d | |||
| 9c24fd91b2 | |||
| 0bb5b1fa73 |
15
Dockerfile
15
Dockerfile
@ -1,17 +1,17 @@
|
||||
# -------------- Build-time variables --------------
|
||||
ARG NEXTCLOUD_VERSION=25.0.4
|
||||
ARG PHP_VERSION=8.1
|
||||
ARG NGINX_VERSION=1.22
|
||||
ARG NEXTCLOUD_VERSION=27.1.1
|
||||
ARG PHP_VERSION=8.2
|
||||
ARG NGINX_VERSION=1.24
|
||||
|
||||
ARG ALPINE_VERSION=3.16
|
||||
ARG ALPINE_VERSION=3.18
|
||||
ARG HARDENED_MALLOC_VERSION=11
|
||||
ARG SNUFFLEUPAGUS_VERSION=0.8.3
|
||||
ARG SNUFFLEUPAGUS_VERSION=0.10.0
|
||||
|
||||
ARG UID=1000
|
||||
ARG GID=1000
|
||||
|
||||
# nextcloud-25.0.4.tar.bz2
|
||||
ARG SHA256_SUM="c3251e0083a94303e2d6988b352f3b33082a79a726b30ff746709b0fe869a1a6"
|
||||
# nextcloud-27.1.1.tar.bz2
|
||||
ARG SHA256_SUM="3a91500566874675676fa3b5bfae2587a839cde41dfac5318043b162c1311fab"
|
||||
|
||||
# Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
|
||||
ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A"
|
||||
@ -64,6 +64,7 @@ RUN apk -U upgrade \
|
||||
pcntl \
|
||||
pdo_mysql \
|
||||
pdo_pgsql \
|
||||
sysvsem \
|
||||
zip \
|
||||
gmp \
|
||||
&& pecl install smbclient \
|
||||
|
||||
@ -46,7 +46,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to
|
||||
- **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability.
|
||||
- **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.
|
||||
- **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.
|
||||
- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
|
||||
- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
|
||||
- **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:
|
||||
|
||||
```
|
||||
|
||||
@ -21,7 +21,7 @@ server {
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
add_header X-XSS-Protection "0" always;
|
||||
|
||||
location = /robots.txt {
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
sp.harden_random.enable();
|
||||
|
||||
# Disabled XXE
|
||||
sp.xxe_protection.enable();
|
||||
#sp.xxe_protection.enable();
|
||||
|
||||
# Global configuration variables
|
||||
# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
|
||||
@ -34,7 +34,7 @@ sp.sloppy_comparison.enable();
|
||||
# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
|
||||
sp.cookie.name("PHPSESSID").samesite("lax");
|
||||
|
||||
# Nextcloud whitelist (tested with Nextcloud 25.0.0)
|
||||
# Nextcloud whitelist (tested with Nextcloud 27.0.1)
|
||||
sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
|
||||
sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
|
||||
sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/public/Util.php").allow();
|
||||
@ -47,6 +47,10 @@ sp.disable_function.function("ini_get").param("option").value("open_basedir").fi
|
||||
sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
|
||||
sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow();
|
||||
|
||||
# Nextcloud inherently enables XXE-Protection since 27.0.1, therefore, drop setting a new external entity loader
|
||||
sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow();
|
||||
sp.disable_function.function("libxml_set_external_entity_loader").drop();
|
||||
|
||||
# Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
|
||||
sp.disable_function.function("chmod").param("permissions").value("438").drop();
|
||||
sp.disable_function.function("chmod").param("permissions").value("511").drop();
|
||||
|
||||
Reference in New Issue
Block a user