Disable rewriteip for apache image (#1010)

* Disable rewrite ip for apache image Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> * Run update.sh Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2020-04-06 22:44:58 +02:00 · 2020-04-06 22:44:58 +02:00 · 63438ef792
parent efe3caebdc
commit 63438ef792
21 changed files with 178 additions and 0 deletions
--- a/.config/reverse_proxy.config.php
+++ b/.config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/16.0/apache/config/reverse_proxy.config.php
+++ b/16.0/apache/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/16.0/apache/entrypoint.sh
+++ b/16.0/apache/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/16.0/fpm-alpine/config/reverse_proxy.config.php
+++ b/16.0/fpm-alpine/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/16.0/fpm-alpine/entrypoint.sh
+++ b/16.0/fpm-alpine/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/16.0/fpm/config/reverse_proxy.config.php
+++ b/16.0/fpm/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/16.0/fpm/entrypoint.sh
+++ b/16.0/fpm/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/17.0/apache/config/reverse_proxy.config.php
+++ b/17.0/apache/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/17.0/apache/entrypoint.sh
+++ b/17.0/apache/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/17.0/fpm-alpine/config/reverse_proxy.config.php
+++ b/17.0/fpm-alpine/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/17.0/fpm-alpine/entrypoint.sh
+++ b/17.0/fpm-alpine/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/17.0/fpm/config/reverse_proxy.config.php
+++ b/17.0/fpm/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/17.0/fpm/entrypoint.sh
+++ b/17.0/fpm/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/18.0/apache/config/reverse_proxy.config.php
+++ b/18.0/apache/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/18.0/apache/entrypoint.sh
+++ b/18.0/apache/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/18.0/fpm-alpine/config/reverse_proxy.config.php
+++ b/18.0/fpm-alpine/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/18.0/fpm-alpine/entrypoint.sh
+++ b/18.0/fpm-alpine/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/18.0/fpm/config/reverse_proxy.config.php
+++ b/18.0/fpm/config/reverse_proxy.config.php
@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+  $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+  $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies;
--- a/18.0/fpm/entrypoint.sh
+++ b/18.0/fpm/entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then

--- a/README.md
+++ b/README.md
@ -158,6 +158,14 @@ To use an external SMTP server, you have to provide the connection details. To c

 Check the [Nextcloud documentation](https://docs.nextcloud.com/server/15/admin_manual/configuration_server/email_configuration.html) for other values to configure SMTP.

+## Using the apache image behind a reverse proxy and auto configure server host and protocol
+
+The apache image will replace the remote addr (ip address visible to Nextcloud) with the ip address from `X-Real-IP` if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default. If you want Nextcloud to pick up the server host (`HTTP_X_FORWARDED_HOST`), protocol (`HTTP_X_FORWARDED_PROTO`) and client ip (`HTTP_X_FORWARDED_FOR`) from a trusted proxy disable rewrite ip and the reverse proxies ip address to `TRUSTED_PROXIES`.
+
+- `APACHE_DISABLE_REWRITE_IP` (not set by default): Set to 1 to disable rewrite ip.
+
+- `TRUSTED_PROXIES` (empty by default): A space-separated list of trusted proxies. CIDR notation is supported for IPv4.
+
 # Running this image with docker-compose
 The easiest way to get a fully featured and functional setup is using a `docker-compose` file. There are too many different possibilities to setup your system, so here are only some examples of what you have to look for.

--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -43,6 +43,12 @@ file_env() {
    unset "$fileVar"
 }

+if expr "$1" : "apache" 1>/dev/null; then
+    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+        a2disconf remoteip
+    fi
+fi
+
 if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
    if [ -n "${REDIS_HOST+x}" ]; then