Parce qu'il y a toujours une solution...

Objectif de l'article : obtenir un serveur Nextcloud derrière Nginx et le reverse-proxy Traefik. La configuration HTTPS est effectuée par le fichier "traefik_dynamic.toml" et les labels correspondants.

Logiciels exploités :

  • Ubuntu 18.04 LTS
  • Docker CE = 19.03.8
  • Docker-compose = 1.25.4
  • Traefik = 2.2 "chevrotin"
  • Nginx = 1.17.x "alpine"
  • MariaDB = 10.14.12
  • Nextcloud = 18.0.4
  • PHP = 7.3.16-fpm "alpine"
  • Redis = 5.0.8 "alpine"

Fichier "traefik.toml" (/srv/docker/conf/traefik.toml)

# Traefik v2 static configuration for the Nextcloud stack described on this page.
[global]
  sendAnonymousUsage = false
  checkNewVersion = false

# WARNING(review): insecure = true serves the API and the dashboard without any
# authentication on the dedicated "traefik" entrypoint (port 8080). The compose
# file on this page publishes that port, so anyone who can reach 8080 can read
# the whole routing configuration. Bind the port to localhost / a trusted
# network, or set insecure = false and expose the dashboard through a router
# protected by an authentication middleware.
[api]
  insecure = true
  dashboard = true
  #debug = true

[log]
  level = "WARNING"

[providers]
  [providers.docker]
    # Traefik discovers containers through the Docker socket. Whoever can talk
    # to this socket controls the Docker daemon and therefore the host; a
    # read-only mount does not restrict the API calls that can be made on it.
    endpoint = "unix:///var/run/docker.sock"
    # Containers must opt in with the label traefik.enable=true (as the compose
    # file on this page does for nginxnextcloud).
    exposedByDefault = false
    watch = true
    swarmMode = false

  [providers.file]
    # Dynamic configuration (TLS options, middlewares), reloaded on change.
    filename = "/etc/traefik/traefik_dynamic.toml"
    watch = true

[entryPoints]
  [entryPoints.web]
    address = ":80"

  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      # NOTE(review): ".local" is not a publicly resolvable domain and Let's
      # Encrypt only issues for public DNS names, so czs.local is presumably a
      # placeholder for the real domain.
      email = "contact@czs.local"
      caServer = "https://acme-v02.api.letsencrypt.org/directory"
      # Holds the ACME account private key and the issued certificates. The
      # path is relative to the container's working directory (the compose
      # file mounts ./acme.json at /acme.json); the file must exist and have
      # mode 0600, Traefik rejects wider permissions.
      storage = "acme.json"
      # ECDSA P-384 key: the resulting certificate is only usable with the
      # ECDHE_ECDSA cipher suites of the dynamic configuration.
      keyType = "EC384"
        [certificatesResolvers.letsencrypt.acme.httpChallenge]
          # HTTP-01 requires port 80 to be reachable from the internet. Traefik
          # answers /.well-known/acme-challenge/ itself, ahead of the routers,
          # so the http->https redirect on the web entrypoint does not interfere.
          entryPoint = "web"

Fichier "traefik_dynamic.toml" (/srv/docker/conf/traefik_dynamic.toml)

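# Traefik v2 dynamic configuration: TLS policy and the HTTP middlewares that the
# compose labels reference as https-redirect@file, security@file and
# compression@file.
[tls]
  [tls.options]
    # "default" applies to every TLS router that does not name an option.
    [tls.options.default]
      minVersion = "VersionTLS12"
      # Reject handshakes whose SNI does not match a known certificate
      # (connections made to the bare IP address are refused).
      sniStrict = true
      # TLS 1.2 suites are AEAD-only (GCM / ChaCha20): the ECDHE_RSA AES-128
      # entry is the GCM variant, not CBC_SHA256, which Go flags as insecure.
      # The certificate issued with keyType = "EC384" is ECDSA, so the
      # ECDHE_RSA entries are only reached with an RSA certificate. The three
      # TLS 1.3 names are accepted but informational: Go's TLS stack does not
      # allow configuring the TLS 1.3 suite set.
      cipherSuites = [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256"
      ]
      curvePreferences = ["CurveP521","CurveP384"]
    # Stricter profile; no router on this page selects it.
    [tls.options.mintls13]
      minVersion = "VersionTLS13"


[http]
  [http.middlewares.compression.compress]
    # Server-sent events must not be buffered by the compressor.
    excludedContentTypes = ["text/event-stream"]

  # Attached to the HTTP router only: every plain-HTTP request becomes a
  # permanent redirect to the HTTPS router.
  [http.middlewares.https-redirect.redirectScheme]
    scheme = "https"
    permanent = true

  # Security response headers, attached to the HTTPS router.
  [http.middlewares.security.headers]
    # NOTE(review): no accessControlAllowOriginList is set, so these CORS
    # options look incomplete -- confirm whether cross-origin access is needed.
    accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
    #accessControlAllowOriginList = "*"
    accessControlMaxAge = 100
    addVaryHeader = true
    # X-XSS-Protection is a legacy header that current browsers ignore.
    browserXssFilter = true
    contentTypeNosniff = true
    forceSTSHeader = true
    # customFrameOptionsValue below overrides frameDeny: the header actually
    # sent is X-Frame-Options: SAMEORIGIN, matching what Nextcloud itself sends.
    frameDeny = true
    # No effect on this router, which only receives HTTPS; the redirect is done
    # by https-redirect on the web entrypoint.
    sslRedirect = true
    #sslForceHost = true
    # HSTS for 10 years, including subdomains, with preload. Preload is a
    # hard-to-revert commitment for the whole domain; keep it only if the
    # domain is actually submitted to the preload list.
    stsIncludeSubdomains = true
    stsPreload = true
    # Nextcloud emits its own Content-Security-Policy per response; setting one
    # here would replace it.
    #ContentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
    customFrameOptionsValue = "SAMEORIGIN"
    referrerPolicy = "same-origin"
    featurePolicy = "vibrate 'self'"
    stsSeconds = 315360000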

Fichier "nextcloud.conf" (/srv/docker/conf/nginx-nextcloud/nextcloud.conf)

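# Nginx in front of the Nextcloud php-fpm container. TLS is terminated by
# Traefik, which forwards plain HTTP to this server block on port 80.
server {
    listen 80;
    server_name nextcloud.czs.local;

    root /var/www/html;
    index index.php;

    access_log /var/log/nginx/nextcloud-access.log;
    error_log /var/log/nginx/nextcloud-error.log;

    # Nginx's default client_max_body_size is 1m, which caps Nextcloud uploads
    # at that size -- TODO confirm the limit wanted and align it with PHP's
    # upload limits in the nextcloud image.
    # client_max_body_size 512M;

    # DAV discovery endpoints for CalDAV/CardDAV clients (from the official
    # Nextcloud nginx example). Declared before the dot-file rule below so they
    # are not swallowed by it. $scheme is http behind Traefik; the web router
    # then redirects the client to https.
    location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
    location = /.well-known/caldav  { return 301 $scheme://$host/remote.php/dav; }

    # Nextcloud ships its access restrictions as .htaccess rules, which nginx
    # ignores. Without these rules the application's internal directories --
    # including the data directory, /var/www/html/data by default in the
    # official image -- are served as static files by the "location /" block.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
        return 404;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Only existing .php files are handed to PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # "nextcloud" is the php-fpm service name from the compose file.
        fastcgi_pass nextcloud:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Always empty with a location that only matches URIs ending in .php;
        # the official example uses "\.php(?:$|/)" plus a $path_info variable.
        fastcgi_param PATH_INFO $fastcgi_path_info;
        # NOTE(review): Nextcloud only sees plain HTTP here; confirm that the
        # proxy is trusted / overwriteprotocol is configured, otherwise it may
        # generate http:// links.
    }
}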

Ci-dessous le fichier docker-compose :

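---
# Nextcloud (php-fpm) behind Nginx, published by Traefik. The sample credentials
# are kept inline to match the article; in a real deployment move them to an
# env_file or Docker secrets so they are not committed with the compose file.
version: '3.7'
services:
  traefik:
    image: traefik:chevrotin
    restart: unless-stopped
    # Port mappings are quoted: YAML 1.1 may read an unquoted "a:b" pair as a
    # base-60 number.
    ports:
      - "80:80"
      - "443:443"
      # traefik.toml runs the API/dashboard with insecure = true (no
      # authentication), so it is only published on the loopback interface.
      # For remote access, route the dashboard through a Traefik router with an
      # authentication middleware instead of publishing this port publicly.
      - "127.0.0.1:8080:8080"
    volumes:
      # ":ro" only protects the socket's filesystem node; it does not limit the
      # Docker API calls a process in this container could make, and control of
      # this socket is equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./conf/traefik.toml:/etc/traefik/traefik.toml:ro
      - ./conf/traefik_dynamic.toml:/etc/traefik/traefik_dynamic.toml:ro
      # ACME account key and certificates; create it empty with mode 0600 before
      # the first start, Traefik refuses wider permissions.
      - ./acme.json:/acme.json

  nginxnextcloud:
    image: nginx:1.17-alpine
    restart: unless-stopped
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      # Shared with the nextcloud service: nginx serves the static files,
      # php-fpm executes the PHP.
      - datanextcloud:/var/www/html
      - datanginxnextcloudlogs:/var/log/nginx/
      - ./conf/nginx-nextcloud:/etc/nginx/conf.d
    # Service names resolve on the default compose network; depends_on only
    # orders start-up (replaces the legacy "links").
    depends_on:
      - nextcloud
    # Label values are quoted so Traefik receives the literal strings
    # "true"/"false" rather than YAML booleans.
    labels:
      traefik.enable: "true"
      # HTTP router: only redirects to HTTPS.
      traefik.http.routers.nginxnextcloud-http.rule: "Host(`nextcloud.czs.local`)"
      traefik.http.routers.nginxnextcloud-http.entrypoints: "web"
      traefik.http.routers.nginxnextcloud-http.middlewares: "https-redirect@file"
      # HTTPS router: security headers and compression from
      # traefik_dynamic.toml, certificate from the letsencrypt resolver in
      # traefik.toml.
      traefik.http.routers.nginxnextcloud-https.rule: "Host(`nextcloud.czs.local`)"
      traefik.http.routers.nginxnextcloud-https.entrypoints: "websecure"
      traefik.http.routers.nginxnextcloud-https.middlewares: "security@file, compression@file"
      traefik.http.routers.nginxnextcloud-https.service: "nginxnextcloud"
      traefik.http.routers.nginxnextcloud-https.tls: "true"
      traefik.http.routers.nginxnextcloud-https.tls.certresolver: "letsencrypt"

  nextcloud:
    image: nextcloud:18-fpm-alpine
    restart: unless-stopped
    depends_on:
      - dbnginx
      - redisnextcloud
    volumes:
      - datanextcloud:/var/www/html
    # Database credentials must match the dbnginx service below.
    environment:
      MYSQL_HOST: dbnginx
      MYSQL_USER: nextcloudsqluser
      MYSQL_PASSWORD: nextcloudsqlpassword
      MYSQL_DATABASE: nextclouddb
      REDIS_HOST: redisnextcloud
    # Not published by Traefik: only reachable by nginx over the compose network.
    labels:
      traefik.enable: "false"

  dbnginx:
    image: mariadb:bionic
    # Isolation level and binlog format recommended by Nextcloud for MariaDB.
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: unless-stopped
    volumes:
      # Must use the same name as the declaration in the top-level "volumes"
      # section, otherwise compose refuses to start the stack.
      - datadbnextcloud:/var/lib/mysql
    environment:
      # Sample value: the database is not published outside the compose network,
      # but use a real secret anyway.
      MYSQL_ROOT_PASSWORD: '1'
      MYSQL_PASSWORD: nextcloudsqlpassword
      MYSQL_DATABASE: nextclouddb
      MYSQL_USER: nextcloudsqluser
    labels:
      traefik.enable: "false"

  redisnextcloud:
    image: redis:5-alpine
    restart: unless-stopped
    volumes:
      - dataredisnextcloud:/data
    labels:
      traefik.enable: "false"

volumes:
  datanextcloud:
  datadbnextcloud:
  datanginxnextcloudlogs:
  dataredisnextcloud: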

Vous pouvez retrouver l'intégralité des scripts sur le GitHub à cette adresse.

Mettmett/docker-compose