From ee67ebca8b198b2d0ff09df094bdb3f20b163024 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Thu, 1 Sep 2022 11:58:24 +0200
Subject: [PATCH] webapps/nextcloud: Drop support for Nginx
---
 CHANGELOG.md | 1 +
 webapps/nextcloud/defaults/main.yml | 1 -
 webapps/nextcloud/meta/main.yml | 3 -
 webapps/nextcloud/tasks/main.yml | 7 -
 webapps/nextcloud/tasks/vhost-nginx.yml | 34 -----
 webapps/nextcloud/templates/nginx.conf.j2 | 134 --------------------
 webapps/nextcloud/templates/php-fpm.conf.j2 | 17 ---
 7 files changed, 1 insertion(+), 196 deletions(-)
 delete mode 100644 webapps/nextcloud/tasks/vhost-nginx.yml
 delete mode 100644 webapps/nextcloud/templates/nginx.conf.j2
 delete mode 100644 webapps/nextcloud/templates/php-fpm.conf.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f2190ec..4a56dbdb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Removed
 * evocheck: remove failure if deprecated variable is used
+* webapps/nextcloud: Drop support for Nginx
 ### Security
diff --git a/webapps/nextcloud/defaults/main.yml b/webapps/nextcloud/defaults/main.yml
index 3c1bf40a..574727de 100644
--- a/webapps/nextcloud/defaults/main.yml
+++ b/webapps/nextcloud/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
-nextcloud_webserver: 'nginx'
 nextcloud_version: "21.0.0"
 nextcloud_archive_name: "nextcloud-{{ nextcloud_version }}.tar.bz2"
 nextcloud_releases_baseurl: "https://download.nextcloud.com/server/releases/"
diff --git a/webapps/nextcloud/meta/main.yml b/webapps/nextcloud/meta/main.yml
index d5852e32..ed97d539 100644
--- a/webapps/nextcloud/meta/main.yml
+++ b/webapps/nextcloud/meta/main.yml
@@ -1,4 +1 @@
 ---
-# dependencies:
- # - { role: nginx, when: nextcloud_webserver == 'nginx' }
- # - { role: php, php_fpm_enable: True }
diff --git a/webapps/nextcloud/tasks/main.yml b/webapps/nextcloud/tasks/main.yml
index 95269246..f11d62fa 100644
--- a/webapps/nextcloud/tasks/main.yml
+++ b/webapps/nextcloud/tasks/main.yml
@@ -47,14 +47,7 @@
 - include: archive.yml
-- name: Check if Apache or Nginx
- service_facts:
-
-- include: vhost-nginx.yml
- when: "'nginx.service' in services"
-
 - include: vhost-apache.yml
- when: "'apache2.service' in services"
 - include: mysql.yml
diff --git a/webapps/nextcloud/tasks/vhost-nginx.yml b/webapps/nextcloud/tasks/vhost-nginx.yml
deleted file mode 100644
index 1f1592cc..00000000
--- a/webapps/nextcloud/tasks/vhost-nginx.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-- block:
- - name: Copy Nginx vhost
- template:
- src: nginx.conf.j2
- dest: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf"
- mode: "0640"
- notify: reload nginx
- tags:
- - nextcloud
-
- - name: Enable Nginx vhost
- file:
- src: "/etc/nginx/sites-available/{{ nextcloud_instance_name }}.conf"
- dest: "/etc/nginx/sites-enabled/{{ nextcloud_instance_name }}.conf"
- state: link
- notify: reload nginx
- tags:
- - nextcloud
-
- - name: Generate ssl config
- shell:
- cmd: "/usr/local/sbin/vhost-domains {{ nextcloud_instance_name }} | /usr/local/sbin/make-csr {{ nextcloud_instance_name }}"
- creates: "/etc/nginx/ssl/{{ nextcloud_instance_name }}.conf"
-
- - name: Copy PHP-FPM pool
- template:
- src: php-fpm.conf.j2
- dest: "/etc/php/7.3/fpm/pool.d/{{ nextcloud_instance_name }}.conf"
- mode: "0640"
- notify: reload php-fpm
- tags:
- - nextcloud
- when: nextcloud_webserver == 'nginx'
diff --git a/webapps/nextcloud/templates/nginx.conf.j2 b/webapps/nextcloud/templates/nginx.conf.j2
deleted file mode 100644
index c2b7b7e3..00000000
--- a/webapps/nextcloud/templates/nginx.conf.j2
+++ /dev/null
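Review bot: The context line `- include: vhost-apache.yml` in the tasks/main.yml hunk now runs unconditionally, because the removed lines take away both the `service_facts` task and the `when: "'apache2.service' in services"` guard that sat beneath the include, and nothing in the patch records that Apache is now assumed to be present. That is presumably intended once Nginx is gone, but the defaults hunk also deletes `nextcloud_webserver`, so if vhost-apache.yml (outside this patch) still guards its block with something like `when: nextcloud_webserver == 'apache'` the way the deleted vhost-nginx.yml did, the role would now fail on an undefined variable; worth checking before merge. A short comment above the include, e.g. `# Apache is the only supported web server; the vhost is configured unconditionally`, and a CHANGELOG line naming the removed variable would make the new assumption visible to users who set `nextcloud_webserver` in their inventories.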
@@ -1,134 +0,0 @@
-upstream php-handler-{{ nextcloud_instance_name }} {
- server unix:/var/run/php/php-fpm-{{ nextcloud_instance_name }}.sock;
-}
-
-server {
- listen 80;
- listen [::]:80;
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name {{ nextcloud_domains | join(' ') }};
-
- access_log {{ nextcloud_home }}/log/access.log;
- error_log {{ nextcloud_home }}/log/error.log;
-
- include /etc/nginx/snippets/letsencrypt.conf;
- include /etc/nginx/ssl/{{ nextcloud_instance_name }}.conf;
-
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- root {{ nextcloud_webroot }};
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- # Make a regex exception for `/.well-known` so that clients can still
- # access it despite the existence of the regex rule
- # `location ~ /(\.|autotest|...)` which would otherwise handle requests
- # for `/.well-known`.
- location ^~ /.well-known {
- # The following 6 rules are borrowed from `.htaccess`
-
- location = /.well-known/carddav { return 301 /remote.php/dav/; }
- location = /.well-known/caldav { return 301 /remote.php/dav/; }
- # Anything else is dynamically handled by Nextcloud
- location ^~ /.well-known { return 301 /index.php$uri; }
- location ~ ^/.well-known/acme-challenge/* { allow all; }
-
- try_files $uri $uri/ =404;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-
- location / {
- rewrite ^ /index.php;
- }
-
- location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
- deny all;
- }
- location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
-
- location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
- fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
- set $path_info $fastcgi_path_info;
- try_files $fastcgi_script_name =404;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $path_info;
- fastcgi_param HTTPS on;
- # Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- # Enable pretty urls
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler-{{ nextcloud_instance_name }};
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- # Adding the cache control header for js, css and map files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- # have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Optional: Don't log access to assets
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
- try_files $uri /index.php$request_uri;
- # Optional: Don't log access to other assets
- access_log off;
- }
-}
diff --git a/webapps/nextcloud/templates/php-fpm.conf.j2 b/webapps/nextcloud/templates/php-fpm.conf.j2
deleted file mode 100644
index 1b4c7861..00000000
--- a/webapps/nextcloud/templates/php-fpm.conf.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-[{{ nextcloud_instance_name }}]
-user = {{ nextcloud_user }}
-group = {{ nextcloud_user }}
-listen = /run/php/php-fpm-{{ nextcloud_instance_name }}.sock
-listen.owner = {{ nextcloud_user }}
-listen.group = {{ nextcloud_user }}
-
-pm = ondemand
-pm.max_children = 50
-pm.process_idle_timeout = 120s
-pm.status_path = /fpm_status
-
-env[HOSTNAME] = $HOSTNAME
-env[PATH] = /usr/local/bin:/usr/bin:/bin
-env[TMP] = {{ nextcloud_home }}/tmp
-env[TMPDIR] = {{ nextcloud_home }}/tmp
-env[TEMP] = {{ nextcloud_home }}/tmp