How to protect Nextcloud's data dir and html dir
RononDex opened this issue · 2 comments
I am trying to set up a secure Docker Compose stack with protected data and html directories for Nextcloud (no read, write or execute access for the "other" permission bits).
However, docker keeps setting up the folders like this:
If I then remove read or write access for "other", the app stops working, and I do not understand why.
Shouldn't all containers be accessing the folder as the same user?
How can I remove read / write access for every other user on these sensitive folders?
I already tried setting `user:` on every container (see the commented-out `user: 918:918` lines below), which again resulted in a broken app.
My compose.yaml:
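version: '3'  # obsolete in Compose v2 (ignored with a warning); harmless to keep

services:
  db:
    image: mariadb:10.6
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    restart: always
    # user: 918:918
    volumes:
      - db:/var/lib/mysql:Z
    environment:
      # Placeholder only: keep the real root password in db.env (or in a secrets
      # file via the image's *_FILE variables) so it never lands in this file or VCS.
      - MYSQL_ROOT_PASSWORD=xxxxx
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    env_file:
      - db.env

  redis:
    # user: 918:918
    image: redis:alpine
    restart: always

  app:
    image: nextcloud:fpm-alpine
    restart: always
    # Why `user:` "broke the app": a non-root container cannot chown the
    # bind-mounted directories, so /data/Nextcloud_Html and /data/Nextcloud_Data
    # must already be owned by that uid:gid on the host (e.g. `chown -R 918:918`)
    # before `user: 918:918` is enabled here and on cron.  Only then can the
    # "other" bits be dropped.  The web container must still read the same files
    # as whatever uid/gid its nginx workers run as, so align that with the app
    # uid (or a shared group) -- check with `id` inside each container.
    # user: 918:918
    volumes:
      - nextcloud:/var/www/html:z
      - data:/var/www/html/data:z
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      # NOTE(review): Nextcloud documents trusted_proxies as IPs/CIDRs; confirm the
      # image accepts a container name here, otherwise use the proxy-tier subnet.
      - TRUSTED_PROXIES=nextcloud-proxy-1
    env_file:
      - db.env
    depends_on:
      - db
      - redis

  web:
    build: ./web
    restart: always
    # user: 918:918
    volumes:
      - nextcloud:/var/www/html:z,ro
      # nginx only reads; all writes to user data happen in php-fpm (`app`, `cron`).
      # The stock Nextcloud nginx config returns 404 for /data, so this mount may be
      # droppable entirely -- confirm against the nginx config in ./web.
      - data:/var/www/html/data:z,ro
    environment:
      - VIRTUAL_HOST=somedomain.ch
      - LETSENCRYPT_HOST=somedomain.ch  # must match VIRTUAL_HOST (was "somdomain.ch")
      - LETSENCRYPT_EMAIL=somemail@blabla.com
    depends_on:
      - app
    networks:
      - proxy-tier
      - default

  cron:
    image: nextcloud:fpm-alpine
    restart: always
    # user: 918:918
    volumes:
      - nextcloud:/var/www/html:z
      - data:/var/www/html/data:z
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

  proxy:
    build: ./proxy
    restart: always
    # user: 918:918
    ports:
      - "80:80"
      - "443:443"
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      - certs:/etc/nginx/certs:z,ro
      - vhost.d:/etc/nginx/vhost.d:z
      - html:/usr/share/nginx/html:z
      # `ro` only protects the socket file itself; anything running in this
      # container can still drive the Docker API through it, which is
      # root-equivalent on the host.  This container also terminates public
      # 80/443 traffic, so a socket proxy exposing only the read-only endpoints
      # nginx-proxy needs would shrink the blast radius considerably.
      - /var/run/docker.sock:/tmp/docker.sock:z,ro
    networks:
      - proxy-tier

  letsencrypt-companion:
    image: nginxproxy/acme-companion
    restart: always
    # user: 918:918
    volumes:
      - certs:/etc/nginx/certs:z
      - acme:/etc/acme.sh:z
      - vhost.d:/etc/nginx/vhost.d:z
      - html:/usr/share/nginx/html:z
      # Same caveat as in `proxy`: `ro` does not limit what the Docker API allows.
      - /var/run/docker.sock:/var/run/docker.sock:z,ro
    networks:
      - proxy-tier
    depends_on:
      - proxy

  # self signed
  # omgwtfssl:
  #   image: paulczar/omgwtfssl
  #   restart: "no"
  #   volumes:
  #     - certs:/certs
  #   environment:
  #     - SSL_SUBJECT=servhostname.local
  #     - CA_SUBJECT=my@example.com
  #     - SSL_KEY=/certs/servhostname.local.key
  #     - SSL_CSR=/certs/servhostname.local.csr
  #     - SSL_CERT=/certs/servhostname.local.crt
  #   networks:
  #     - proxy-tier

# Host directories exposed as named volumes (driver `local`, `type: none` +
# `o: bind`).  Because these are plain host paths, the host-side owner and mode
# bits are exactly what every container sees -- which is why the "other" bits
# currently have to stay open for containers running as differing uids.
volumes:
  db:
    driver: local
    driver_opts:
      type: none
      device: /data/containers/nextcloud/db
      o: bind
  nextcloud:
    driver: local
    driver_opts:
      type: none
      device: /data/Nextcloud_Html
      o: bind
  data:
    driver: local
    driver_opts:
      type: none
      device: /data/Nextcloud_Data
      o: bind
  certs:
    driver: local
    driver_opts:
      type: none
      device: /data/containers/nextcloud/certs
      o: bind
  acme:
    driver: local
    driver_opts:
      type: none
      device: /data/containers/nextcloud/acme
      o: bind
  vhost.d:
    driver: local
    driver_opts:
      type: none
      device: /data/containers/nextcloud/vhost.d
      o: bind
  html:
    driver: local
    driver_opts:
      type: none
      device: /data/containers/nextcloud/html
      o: bind

networks:
  proxy-tier: {}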
Has anybody else run into this? It seems like quite a serious security issue to me: the only way I can make the stack work is to open the data and html folders to every user on the host system.
I think I found a way to do this using Docker-managed (named) volumes instead of bind mounts.
These live under Docker's own data root, which is only accessible to root on the host, so the directories are protected from other host users while still being reachable from the host (as root) for easy backups. Note that this does not change the uid mismatch between the containers themselves; it only removes the dependency on host-side "other" permissions.