hello. in my setup i have 3 containers:
wg-easy, nginx-proxy+acme-companion and owncloud infinite scale
i want every request to come through the wireguard tunnel and then get reverse proxied.
for this i have set network_mode of nginx-proxy to container:wg-easy so that they share the same network.
however for owncloud i also need to set network_mode to container:wg-easy, because otherwise the owncloud container doesn't have access to the wg0 interface and can't resolve mydomain.com (which points to 10.8.0.1, thus making it only resolvable when connected to the vpn)
the problem is that the upstream for mydomain is set to 127.0.0.1 down. i need it to be set to 127.0.0.1:{VIRTUAL_PORT}. i've tested this and it works, but i don't know how to make this the default, or whether there is a workaround available. any ideas?
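name: owncloud

services:
  ocis:
    # NOTE(review): consider pinning a release tag or digest instead of
    # :latest so upgrades happen deliberately.
    image: owncloud/ocis:latest
    # Quoted: digits-and-colon values are implicitly typed by YAML 1.1 parsers.
    user: "1001:1001"
    container_name: owncloud-infinite-scale
    restart: always
    environment:
      - OCIS_INSECURE=false  # required if you use a reverse proxy with SSL support in front
      # NOTE(review): 0.0.0.0 binds every interface of the shared wg-easy
      # network namespace, including wg0, so VPN peers can reach ocis on
      # ${PORT} directly and bypass nginx's TLS termination. nginx reaches
      # ocis over the same loopback (upstream 127.0.0.1:<port>), so
      # PROXY_HTTP_ADDR=127.0.0.1:${PORT} would keep it proxy-only -- confirm
      # nothing else depends on the direct port before changing it.
      - PROXY_HTTP_ADDR=0.0.0.0:${PORT}
      - OCIS_URL=https://${OWNCLOUD_DOMAIN}  # adjust to your FQDN domain; https required
      - PROXY_TLS=false
      - OCIS_LOG_LEVEL=warn,error
      - OCIS_LOG_PRETTY=true
      # nginx proxy
      - VIRTUAL_HOST=${OWNCLOUD_DOMAIN}
      - VIRTUAL_PORT=${PORT}
      - LETSENCRYPT_HOST=${OWNCLOUD_DOMAIN}
      # storage
      - STORAGE_USERS_DRIVER=posix
      - STORAGE_USERS_POSIX_ROOT=./fs  # will redirect to data/fs
      - STORAGE_USERS_POSIX_WATCH_TYPE=inotifywait
      - STORAGE_USERS_ID_CACHE_STORE=nats-js-kv
      - STORAGE_USERS_ID_CACHE_STORE_NODES=localhost:9233
      - STORAGE_USERS_POSIX_USE_SPACE_GROUPS=true
    volumes:
      - "/home/cloud/owncloud/config:/etc/ocis:rw"
      - "/home/cloud/owncloud/data:/var/lib/ocis:rw"
    # Joins wg-easy's network namespace so ocis can use wg0 and resolve
    # ${OWNCLOUD_DOMAIN} (10.8.0.1). Side effect: the container has no Docker
    # network of its own, so nginx-proxy's generated upstream for it has no
    # usable address and falls back to 127.0.0.1 (see the discussion above).
    network_mode: container:wg-easy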
/etc/nginx/conf.d/default.conf
# nginx-proxy version : 1.7.0

# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
#     proxy

# X-Forwarded-Proto: keep an incoming value, otherwise report the scheme the
# client actually used to reach this server.
# NOTE(review): this map and the two below forward client-supplied
# X-Forwarded-* headers unchanged. When nginx is the first hop (peers connect
# straight over the WireGuard tunnel) there is no trusted proxy in front of
# it, so the backend may receive spoofed proto/host/port values; nginx-proxy's
# TRUST_DOWNSTREAM_PROXY setting is the knob for this -- confirm against the
# README for 1.7.0.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    ''      $scheme;
}

# X-Forwarded-Host: keep an incoming value, otherwise use the Host we saw.
map $http_x_forwarded_host $proxy_x_forwarded_host {
    default $http_x_forwarded_host;
    ''      $host;
}

# X-Forwarded-Port: keep an incoming value, otherwise the port the client hit.
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    ''      $server_port;
}

# Suffix appended to the Host header sent upstream: ":<port>" unless the
# client connected on a standard port.
map $server_port $host_port {
    default :$server_port;
    80      '';
    443     '';
}

# WebSocket support: a non-empty "Upgrade:" from the client becomes
# "Connection: upgrade" towards the backend; otherwise the Connection header
# depends on whether upstream keepalive was enabled for this location.
map $http_upgrade $proxy_connection {
    default upgrade;
    ''      $proxy_connection_noupgrade;
}

map $upstream_keepalive $proxy_connection_noupgrade {
    # nginx's default is to send "Connection: close".
    default close;
    # An empty value suppresses the header, which keeps the upstream
    # connection reusable.
    true    '';
}

# A map on a constant key is the usual trick to guarantee $upstream_keepalive
# exists for every request: $proxy_connection is derived from it and is
# expanded by an http-level proxy_set_header, so it is resolved even when no
# proxy_pass runs (e.g. an unknown virtual host). The default is irrelevant
# in practice because each proxied location sets the variable explicitly.
map "" $upstream_keepalive {
    default false;
}
# Long server names would otherwise overflow the default hash bucket.
server_names_hash_bucket_size 128;

# Default DH parameters for DHE suites.
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;

# X-Forwarded-Ssl derived from the (possibly forwarded) scheme.
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
    default off;
    https   on;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

# Per-vhost access log line; adjacent strings are concatenated by nginx.
log_format vhost escape=default '$host $remote_addr - $remote_user [$time_local] '
                                '"$request" $status $body_bytes_sent '
                                '"$http_referer" "$http_user_agent" '
                                '"$upstream_addr"';

access_log off;

# TLS: modern protocols only, AEAD suites, client preference honoured.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers off;

error_log /dev/stderr;

# Docker's embedded DNS resolver.
resolver 127.0.0.11;

# HTTP/1.1 towards backends (needed for keepalive and WebSocket upgrades).
proxy_http_version 1.1;
proxy_set_header Host $host$host_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;

# httpoxy mitigation: never forward a client-supplied "Proxy" header
# (see README for details).
proxy_set_header Proxy "";
# Catch-all server: answers requests for hostnames no vhost claims.
server {
    # "_" never matches a real hostname, so this block is only reached as the
    # default server for each listen socket.
    server_name _;
    server_tokens off;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 80;
    listen 443 ssl;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # There is no default certificate, so unknown SNI names are refused at
    # the TLS handshake instead of being served someone else's certificate.
    ssl_reject_handshake on;
    location ^~ / {
        return 503;
    }
}
# owncloud.domain.com/
upstream owncloud.domain.com {
    # Container: owncloud-infinite-scale
    #     networks: (none)
    #     IPv4 address: (none usable)
    #     IPv6 address: (none usable)
    #     exposed ports (first ten): 9200/tcp
    #     default port: 9200
    #     using port: 9200
    # docker-gen sees no Docker network for this container (it joins wg-easy's
    # network namespace via network_mode), so the generated "Fallback entry"
    # was "server 127.0.0.1 down;". Hand-edited to the real port: nginx shares
    # that same namespace, and ocis listens there on PROXY_HTTP_ADDR
    # (0.0.0.0:${PORT} in the compose file, evidently 9200).
    # NOTE(review): presumably this edit is lost whenever docker-gen
    # regenerates the file; keep the override somewhere it does not rewrite.
    server 127.0.0.1:9200;
    # Author's observation: ocis does not work without upstream keepalive.
    keepalive 2;
}
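# Plain-HTTP vhost: serves ACME challenges and redirects everything else
# to HTTPS.
server {
    server_name owncloud.domain.com;
    access_log /var/log/nginx/access.log vhost;
    listen 80;

    # ACME HTTP-01 challenges must stay on plain HTTP: no redirect, no auth.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }

    location / {
        # Methods that may carry a body are redirected with 308, which
        # preserves method and body; 301 lets clients downgrade to GET and
        # drop the body. As originally written both branches returned 301,
        # so the conditional was dead code.
        if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
            return 308 https://$host$request_uri;
        }
        return 301 https://$host$request_uri;
    }
}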
# HTTPS vhost: terminates TLS and proxies to the ocis upstream.
server {
    server_name owncloud.domain.com;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 443 ssl;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/owncloud.domain.com.crt;
    ssl_certificate_key /etc/nginx/certs/owncloud.domain.com.key;
    ssl_dhparam /etc/nginx/certs/owncloud.domain.com.dhparam.pem;
    # OCSP stapling, validated against the issuer chain.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/owncloud.domain.com.chain.pem;

    # HSTS is only emitted on TLS connections; "always" keeps the header on
    # error responses as well.
    set $sts_header "";
    if ($https) {
        set $sts_header "max-age=31536000";
    }
    add_header Strict-Transport-Security $sts_header always;

    location / {
        proxy_pass http://owncloud.domain.com;
        # Enables connection reuse with the upstream keepalive pool (see the
        # $proxy_connection_noupgrade map).
        set $upstream_keepalive true;
    }
}
hello. in my setup i have 3 containers:
wg-easy, nginx-proxy+acme-companion and owncloud infinite scale
i want every request to come through the wireguard tunnel and then get reverse proxied.
for this i have set network_mode of nginx-proxy to container:wg-easy so that they share the same network.
however for owncloud i also need to set network_mode to container:wg-easy, because otherwise the owncloud container doesn't have access to the wg0 interface and can't resolve mydomain.com (which points to 10.8.0.1, thus making it only resolvable when connected to the vpn)
the problem is that the upstream for mydomain is set to 127.0.0.1 down. i need it to be set to 127.0.0.1:{VIRTUAL_PORT}. i've tested this and it works, but i don't know how to make this the default, or whether there is a workaround available. any ideas?
wireguard.yml
nginx-proxy.yml
owncloud.yml
/etc/nginx/conf.d/default.conf