Changelog
- 22/08/2022 : Fix traefik headers as same origin, trusted proxy, redirectregex
Informations importantes
- Nécessite le stack Traefik, voir ici : https://slash-root.fr/docker-swarm-stack-traefik/
- Bien modifier ce qu'il faut dans le stack (voir commentaires)
Fichier stack.yml
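# Docker Swarm stack: Nextcloud with a MariaDB backend, published through Traefik.
# Requires the separate Traefik stack, which provides the external
# `traefik-public` network referenced below.
version: '3.3'

services:
  mariadb:
    # NOTE(review): without a tag this resolves to `latest`, so a redeploy can
    # pull a new major version. Pin a tested tag, e.g. mariadb:<version>.
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --skip-innodb-read-only-compressed
    environment:
      # Replace these placeholders with strong, distinct passwords before deploying.
      # Values set here are readable through `docker service inspect`; the image
      # also accepts MYSQL_ROOT_PASSWORD_FILE / MYSQL_PASSWORD_FILE, which lets
      # the passwords come from Docker secrets instead.
      MYSQL_ROOT_PASSWORD: MotDePasseTresSecure
      MYSQL_PASSWORD: MotDePasseTresSecure
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
    volumes:
      # The Docker socket is deliberately not mounted: MariaDB does not use the
      # Docker API, and a `:ro` bind mount does not restrict API calls made over
      # the socket, so it would give the container control of the host daemon.
      - /etc/localtime:/etc/localtime:ro
      # Volumes to mount. A missing volume is created automatically. In a cluster
      # (swarm) context, remember to add a label placement constraint.
      - mariadb:/var/lib/mysql
    networks:
      - net
    deploy:
      # resources:
      #   limits:
      #     cpus: '0.50'
      #     memory: 1024M
      #   reservations:
      #     cpus: '0.25'
      #     memory: 512M
      placement:
        constraints:
          # - node.role == worker
          - node.labels.nextcloud_mariadb == true

  app:
    # NOTE(review): untagged image resolves to `latest`; pin a tested tag,
    # e.g. nextcloud:<version>, so upgrades are deliberate.
    image: nextcloud
    environment:
      # Must match MYSQL_PASSWORD of the mariadb service above.
      # The image also accepts MYSQL_PASSWORD_FILE for use with Docker secrets.
      MYSQL_PASSWORD: MotDePasseTresSecure
      MYSQL_DATABASE: nextcloud
      MYSQL_USER: nextcloud
      MYSQL_HOST: mariadb
      # NOTE(review): Nextcloud documents trusted_proxies as IP addresses or CIDR
      # ranges; confirm that the hostname `traefik` is honoured. Otherwise use the
      # subnet of the traefik-public network so client IPs (and brute-force
      # protection) are derived from X-Forwarded-For correctly.
      TRUSTED_PROXIES: traefik
      # Public domain of the application
      OVERWRITEHOST: nextcloud.example.com
      OVERWRITEPROTOCOL: https
    volumes:
      # The Docker socket is deliberately not mounted: Nextcloud does not use the
      # Docker API, and this container is the internet-facing one, so exposing
      # the host daemon to it would turn an application compromise into a host one.
      - /etc/localtime:/etc/localtime:ro
      # Volumes to mount. A missing volume is created automatically. In a cluster
      # (swarm) context, remember to add a label placement constraint.
      - nextcloud:/var/www/html
    networks:
      - net
      # Required to communicate with Traefik
      - traefik-public
    deploy:
      # resources:
      #   limits:
      #     cpus: '0.50'
      #     memory: 1024M
      #   reservations:
      #     cpus: '0.25'
      #     memory: 512M
      placement:
        constraints:
          # - node.role == worker
          - node.labels.nextcloud_nextcloud == true
      labels:
        # Enable Traefik for this service
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.constraint-label=traefik-public
        # Domain of the application (HTTP router, redirected to HTTPS).
        # `https-redirect` is not defined in this file; presumably it is declared
        # by the Traefik stack - verify it exists there.
        - traefik.http.routers.nextcloud-http.rule=Host(`nextcloud.example.com`)
        - traefik.http.routers.nextcloud-http.entrypoints=http
        - traefik.http.routers.nextcloud-http.middlewares=https-redirect
        # Domain of the application (HTTPS router).
        # The `le` certificate resolver is likewise expected from the Traefik stack.
        - traefik.http.routers.nextcloud-https.rule=Host(`nextcloud.example.com`)
        - traefik.http.routers.nextcloud-https.entrypoints=https
        - traefik.http.routers.nextcloud-https.tls=true
        - traefik.http.routers.nextcloud-https.tls.certresolver=le
        # Nextcloud middleware: CalDAV/CardDAV discovery redirect.
        # `$$` is Compose escaping for a literal `$` in the replacement.
        - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.permanent=true
        - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav
        - traefik.http.middlewares.nextcloud-redirectregex.redirectRegex.replacement=https://$${1}/remote.php/dav/
        # Security headers. HSTS is set for 315360000 s (10 years) with preload and
        # includeSubdomains: every subdomain of this host must then serve valid
        # HTTPS, and a preload entry is slow to withdraw.
        - traefik.http.middlewares.hsts-headers.headers.stsSeconds=315360000
        - traefik.http.middlewares.hsts-headers.headers.stsPreload=true
        - traefik.http.middlewares.hsts-headers.headers.stsIncludeSubdomains=true
        - traefik.http.middlewares.hsts-headers.headers.customFrameOptionsValue=SAMEORIGIN
        # NOTE(review): sslRedirect is deprecated in Traefik v2 and, as far as I
        # know, removed in v3; the HTTP router above already redirects. Confirm
        # against the Traefik version in use.
        - traefik.http.middlewares.hsts-headers.headers.sslRedirect=true
        - traefik.http.middlewares.hsts-headers.headers.forceSTSHeader=true
        - traefik.http.middlewares.hsts-headers.headers.referrerPolicy=same-origin
        - traefik.http.routers.nextcloud-https.middlewares=hsts-headers,nextcloud-redirectregex
        # Port the application listens on inside the container
        - traefik.http.services.nextcloud.loadbalancer.server.port=80

networks:
  # Internal network between Nextcloud and MariaDB.
  # NOTE(review): `attachable: true` lets standalone containers join this
  # network and reach the database; set it to false if that is not needed.
  net:
    driver: overlay
    attachable: true
  # Created by the Traefik stack
  traefik-public:
    external: true

volumes:
  # `local` volumes live on the node that runs the task, hence the placement
  # constraints on both services.
  mariadb:
    driver: local
  nextcloud:
    driver: local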
Déploiement
# Deploy the stack under the name "nextcloud" (-c is the short form of --compose-file).
# The placement constraints in stack.yml only match nodes carrying the labels
# nextcloud_mariadb=true and nextcloud_nextcloud=true.
docker stack deploy --compose-file stack.yml nextcloud