Drop Apache+mod_php for the actual performance win — nginx + PHP-FPM — without the LinuxServer image cascade (custom auto-install, /custom-cont-init.d, abc-vs-www-data rewrites in the auth adapter + every tool, HTTPS-by-default quirks). The official fpm-alpine image keeps env-var auto-install and the www-data user, so the auth adapter, all tools, and the compose-tags hook keep working unchanged. - Compose: nextcloud-service is now fpm-alpine (still container_name=nextcloud-service so docker exec ... nextcloud-service php occ in the auth adapter is untouched). New nextcloud-web nginx sidecar serves :80 over the shared ./html volume, terminating FastCGI to nextcloud-service:9000. Traefik labels + PORTS_TAG_1 move to nextcloud-web (the HTTP face); backup.files stays on -service (the file-owning brain). nextcloud-db + nextcloud-redis unchanged. - resources/nginx.conf: Nextcloud's recommended nginx config, trimmed for behind-Traefik (no TLS), large-upload + caldav/carddav/.well-known redirects. - scripts/nextcloud_update_specifics.sh: NEW post-install hook — appUpdateSpecifics_nextcloud waits for first-boot occ install to complete (config.php + occ status=installed), then wires Redis as memcache.distributed + memcache.locking via occ config:system:set. Idempotent. Auto-install is unchanged (official image's NEXTCLOUD_ADMIN_USER + MYSQL_* env flow). Redis caching now actually USED by Nextcloud (previously the container was up but config.php had no memcache config). Container-side backup capture still the right answer for the perm boundary — image change doesn't affect it. Verified statically: yaml structure, hook parses + dispatches + has the right graceful-timeout fallback when occ isn't reachable. Live verification (sync performance + actual Redis hit rate + traefik proxy of FastCGI) needs a fresh install on a throwaway box. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
# Nginx sidecar config for the Nextcloud PHP-FPM container. Based on the
|
|
# Nextcloud admin-manual's recommended config, trimmed to what we need behind
|
|
# Traefik (no TLS here — Traefik terminates).
|
|
|
|
worker_processes auto;
|
|
events { worker_connections 1024; }
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
server_tokens off;
|
|
|
|
keepalive_timeout 65;
|
|
client_max_body_size 10G; # large uploads
|
|
fastcgi_buffers 64 4K;
|
|
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_comp_level 4;
|
|
gzip_min_length 256;
|
|
gzip_proxied any;
|
|
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
|
|
|
# Traefik does the TLS, so Nextcloud sees its forwarded headers.
|
|
map $http_x_forwarded_proto $forwarded_scheme {
|
|
default off;
|
|
https on;
|
|
}
|
|
|
|
upstream php-handler {
|
|
server nextcloud-service:9000;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
root /var/www/html;
|
|
|
|
# Security headers (Nextcloud expects these; Traefik may also add some)
|
|
add_header Referrer-Policy "no-referrer" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
fastcgi_hide_header X-Powered-By;
|
|
|
|
# .well-known redirects (CalDAV / CardDAV / WebFinger / NodeInfo)
|
|
location = /.well-known/carddav { return 301 /remote.php/dav/; }
|
|
location = /.well-known/caldav { return 301 /remote.php/dav/; }
|
|
location = /.well-known/webfinger{ return 301 /index.php$uri; }
|
|
location = /.well-known/nodeinfo { return 301 /index.php$uri; }
|
|
|
|
# Block sensitive paths
|
|
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
|
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
|
|
|
index index.php index.html /index.php$request_uri;
|
|
try_files $uri $uri/ /index.php$request_uri;
|
|
|
|
location ~ \.php(?:$|/) {
|
|
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)/.+\.php$ /index.php$request_uri;
|
|
|
|
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
|
|
set $path_info $fastcgi_path_info;
|
|
try_files $fastcgi_script_name =404;
|
|
|
|
include fastcgi_params;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param PATH_INFO $path_info;
|
|
fastcgi_param HTTPS $forwarded_scheme;
|
|
fastcgi_param modHeadersAvailable true;
|
|
fastcgi_param front_controller_active true;
|
|
fastcgi_pass php-handler;
|
|
fastcgi_intercept_errors on;
|
|
fastcgi_request_buffering off;
|
|
fastcgi_read_timeout 300;
|
|
}
|
|
|
|
location ~ \.(?:css|js|svg|gif|png|jpg|ico|woff2?|otf|wasm|tflite|map|html|json)$ {
|
|
try_files $uri /index.php$request_uri;
|
|
expires 6M;
|
|
access_log off;
|
|
}
|
|
}
|
|
}
|
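Review bot: The WebFinger and NodeInfo redirects (`location = /.well-known/webfinger{ return 301 /index.php$uri; }` and the nodeinfo line after it) drop the request's query string, because `return` does not append the original arguments the way `rewrite` does and `$uri` excludes them, so a WebFinger lookup like `/.well-known/webfinger?resource=acct:...` reaches index.php without its `resource` parameter; `return 301 /index.php$request_uri;` on both lines keeps it, and the webfinger line also wants the space before `{` that its siblings have. The `map $http_x_forwarded_proto $forwarded_scheme` block feeds a client-supplied header straight into `fastcgi_param HTTPS`, which is only sound while nextcloud-web:80 is reachable exclusively through Traefik; a comment on the map such as `# trusts X-Forwarded-Proto unconditionally — nextcloud-web must only be reachable via Traefik` would record that assumption where the next maintainer changes the compose ports. Nextcloud's per-client throttling and logging likewise see Traefik's address rather than the real client unless config.php lists the proxy in trusted_proxies, which nginx cannot set for it; the post-install hook named in the commit message seems the natural place, but that script is not on this page.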