fix proxies for lychee

README.md

@@ -45,6 +45,14 @@ dcc restart nextcloud-db
 dcc up -d nextcloud
 ```
 
+## Backup
+
+To backup the named volumes, run:
+
+```shell
+./backup.py
+```
+
 ## Logs
 
     2022-11-02 Created OVH token

backup.py

@@ -0,0 +1,110 @@
+#!/usr/bin/env python
+# file backup.py
+# author Florent Guiotte <florent.guiotte@irisa.fr>
+# version 0.0
+# date 10 août 2024
+"""Abstract
+
+doc.
+"""
+
+import yaml
+from pathlib import Path
+import subprocess
+from datetime import datetime
+
+
+COMPOSE_PATH = Path('docker-compose.yml')
+BACKUP_PATH = Path('/mnt/storage/docker-bkp')
+VOLUME_PREFIX = 'docker_'
+
+
+class UnionFind:
+    def __init__(self):
+        self.parent = {}
+
+    def make(self, service):
+        self.parent.setdefault(service, service)
+
+    def find(self, service):
+        """return root"""
+        if self.parent[service] != service:
+            self.parent[service] = self.find(self.parent[service])
+
+        return self.parent[service]
+
+    def union(self, service1, service2):
+        root1 = self.find(service1)
+        root2 = self.find(service2)
+        if root1 != root2:
+            self.parent[root2] = root1 # compress!
+
+def build_services_graph(services):
+    uf = UnionFind()
+
+    for service in services:
+        uf.make(service)
+        for dependency in services[service].get('depends_on', []):
+            uf.make(dependency)
+            uf.union(service, dependency)
+
+    return uf
+
+def group_services(services, graph):
+    grouped_services = {}
+    for service in services:
+        root = graph.find(service)
+        if root not in grouped_services:
+            grouped_services[root] = {'services': []}
+        grouped_services[root]['services'].append(service)
+
+    return grouped_services
+
+
+def group_volumes(services, volumes, services_group):
+    for group_name, group in services_group.items():
+        group_volumes = group.setdefault('volumes', [])
+        for service in group['services']:
+            for volume in [v.split(':')[0] for v in services[service]['volumes']]:
+                if volume in volumes: group_volumes += [volume]
+
+    return services_group
+
+def backup(volume):
+    current_date = datetime.now()
+    date_string = current_date.strftime("%Y-%m-%d")
+    archive_name = f'{date_string}_{volume}.tar'
+    print(f'backup volume {volume} to {BACKUP_PATH}/{archive_name}')
+
+    subprocess.run(f'docker run --rm --volume {VOLUME_PREFIX}{volume}:/data --volume {BACKUP_PATH}:/bkp ubuntu tar -cf /bkp/{archive_name} -C /data .'.split())
+
+
+def run_docker_compose(cmd):
+    subprocess.run(f'docker compose {cmd}'.split())
+
+
+if __name__ == '__main__':
+    with COMPOSE_PATH.open() as cf:
+        compose = yaml.safe_load(cf)
+
+    services = compose['services']
+    volumes = compose['volumes']
+
+
+    services_graph = build_services_graph(services)
+    services_group = group_services(services, services_graph)
+    services_group = group_volumes(services, volumes, services_group)
+
+    for group_name, group in services_group.items():
+        print(f'Service group {group_name} ', end='')
+
+        if not group['volumes']:
+            print('no volumes')
+            continue
+
+        print('run backup...')
+
+        run_docker_compose(f'stop {" ".join(group["services"])}')
+        for volume in group['volumes']:
+            backup(volume)
+        run_docker_compose(f'start {" ".join(group["services"])}')

docker-compose.yml

@@ -148,9 +148,12 @@ services:
       <<: *common-environment
       FILE__DB_PASSWORD: /run/secrets/lychee-db-pw
       DB_HOST: lychee-db
+      DB_CONNECTION: mysql
       DB_USERNAME: lychee
       DB_DATABASE: lychee
       DB_PORT: 3306
+      APP_URL: https://photos.guiotte.fr
+      TRUSTED_PROXIES: 172.22.0.0/24
     secrets:
       - lychee-db-pw
 
@@ -292,7 +295,7 @@ services:
       - SSH_HOSTNAME=192.168.1.5
       - SSH_USERNAME=alarm
       - SSH_LOCAL_PORT=55443
-      - SSH_DESTINATION=10.0.0.130
+      - SSH_DESTINATION=10.0.0.100
       - SSH_DESTINATION_PORT=55443
         #ports:
         #  - 55443:55443
@@ -308,7 +311,7 @@ services:
       - SSH_HOSTNAME=192.168.1.5
       - SSH_USERNAME=alarm
       - SSH_LOCAL_PORT=55443
-      - SSH_DESTINATION=10.0.0.251
+      - SSH_DESTINATION=10.0.0.101
       - SSH_DESTINATION_PORT=55443
         #ports:
         #  - 55443:55443

swag/nginx/nginx.conf

@@ -1,4 +1,7 @@
-## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
+## Version 2023/04/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.19-stable
 
 user abc;
 
@@ -14,11 +17,13 @@ error_log /config/log/nginx/error.log;
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
 events {
     # The maximum number of simultaneous connections that can be opened by
     # a worker process.
     worker_connections 1024;
-    # multi_accept on;
 }
 
 http {
@@ -49,101 +54,29 @@ http {
     # instead of using partial frames. Default is 'off'.
     tcp_nopush on;
 
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
     # Helper variable for proxying websockets.
     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
     }
 
-    # Saves unauthorized log messages to a separate log file
-    map $status $unauthorized {
-        default 0;
-        ~^401  1;
-    }
-    access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
-    
     # Sets the path, format, and configuration for a buffered log write.
     access_log /config/log/nginx/access.log;
 
     # Includes virtual hosts configs.
-    #include /etc/nginx/http.d/*.conf;
-
-    # WARNING: Don't use this directory for virtual hosts anymore.
-    # This include will be moved to the root context in Alpine 3.14.
-    #include /etc/nginx/conf.d/*.conf;
-
-
-    ##
-    # Basic Settings
-    ##
-
-    client_body_buffer_size 128k;
-    keepalive_timeout 65;
-    large_client_header_buffers 4 16k;
-    send_timeout 5m;
-    tcp_nodelay on;
-    types_hash_max_size 2048;
-    variables_hash_max_size 2048;
-    # server_names_hash_bucket_size 64;
-    # server_name_in_redirect off;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_disable "msie6";
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-    ##
-    # nginx-naxsi config
-    ##
-    # Uncomment it if you installed nginx-naxsi
-    ##
-
-    #include /etc/nginx/naxsi_core.rules;
-
-    ##
-    # nginx-passenger config
-    ##
-    # Uncomment it if you installed nginx-passenger
-    ##
-
-    #passenger_root /usr;
-    #passenger_ruby /usr/bin/ruby;
-
-    ##
-    # Virtual Host Configs
-    ##
+    include /etc/nginx/http.d/*.conf;
     include /config/nginx/site-confs/*.conf;
-    #Removed lua. Do not remove this comment
 }
 
-#mail {
-#    # See sample authentication script at:
-#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-#    # auth_http localhost/auth.php;
-#    # pop3_capabilities "TOP" "USER";
-#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-#    server {
-#        listen     localhost:110;
-#        protocol   pop3;
-#        proxy      on;
-#    }
-#
-#    server {
-#        listen     localhost:143;
-#        protocol   imap;
-#        proxy      on;
-#    }
-#}
-
 daemon off;
 pid /run/nginx.pid;
+

swag/nginx/proxy-confs/lychee.subdomain.conf

@@ -1,9 +1,10 @@
-## Version 2021/05/18
+## Version 2023/05/31
+# make sure that your lychee container is named lychee
 # make sure that your dns has a cname set for lychee
 
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
 
     server_name photos.*;
 
@@ -11,24 +12,29 @@ server {
 
     client_max_body_size 0;
 
-    # enable for ldap auth, fill in ldap details in ldap.conf
-    #include /config/nginx/ldap.conf;
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
 
-    # enable for Authelia
+    # enable for Authelia (requires authelia-location.conf in the location block)
     #include /config/nginx/authelia-server.conf;
 
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
     location / {
         # enable the next two lines for http auth
         #auth_basic "Restricted";
         #auth_basic_user_file /config/nginx/.htpasswd;
 
-        # enable the next two lines for ldap auth
-        #auth_request /auth;
-        #error_page 401 =200 /ldaplogin;
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
 
-        # enable for Authelia
+        # enable for Authelia (requires authelia-server.conf in the server block)
         #include /config/nginx/authelia-location.conf;
 
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app lychee;

swag/nginx/proxy.conf

@@ -1,4 +1,4 @@
-## Version 2021/10/26 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/proxy.conf
+## Version 2023/02/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample
 
 # Timeout if the real server is dead
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
@@ -10,7 +10,7 @@ proxy_headers_hash_bucket_size 128;
 proxy_headers_hash_max_size 1024;
 proxy_http_version 1.1;
 proxy_read_timeout 240;
-proxy_redirect  http://  $scheme://;
+proxy_redirect http:// $scheme://;
 proxy_send_timeout 240;
 
 # Proxy Cache and Cookie Settings
@@ -26,6 +26,13 @@ proxy_set_header Proxy "";
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Method $request_method;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Server $host;
 proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Original-Method $request_method;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+

swag/nginx/site-confs/default.conf

@@ -0,0 +1,85 @@
+## Version 2024/03/06 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+# redirect all traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# main server block
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    root /config/www;
+    index index.html index.htm index.php;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;
+

swag/nginx/ssl.conf

@@ -1,46 +1,40 @@
-## Version 2021/09/19 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
+## Version 2023/08/13 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
 
 ### Mozilla Recommendations
-# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+# generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7
 
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
 ssl_session_timeout 1d;
-ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
 
-
-### Linuxserver.io Defaults
-
-# Certificates
-ssl_certificate /config/keys/letsencrypt/fullchain.pem;
-ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
-
-# Diffie-Hellman Parameters
-ssl_dhparam /config/nginx/dhparams.pem;
-
-# Enable TLS 1.3 early data
-ssl_early_data on;
-
-# HSTS, remove # from the line below to enable HSTS
-#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ssl_trusted_certificate /config/keys/cert.crt;
 
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
-#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
-#add_header Permissions-Policy "interest-cohort=()";
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;
 #add_header X-UA-Compatible "IE=Edge" always;
 #add_header X-XSS-Protection "1; mode=block" always;
+