Caddy Community container mounts (and uses) nextcloud data volume
Bubbelb opened this issue · 0 comments
Steps to reproduce
- Install Nextcloud-AIO with Caddy Community container
- Inspect mounted volumes
- See the Nextcloud-AIO-data volume mounted on the Caddy container
Expected behavior
I would like to see that mounting the Nextcloud datadir is not needed.
Actual behavior
Mounted
Host OS
Debian (RaspberryPI-OS)
Nextcloud AIO version
9.3.0
Current channel
Latest
Other valuable info
Since a reverse proxy, like Caddy in this case, is somewhat the first line of defence against external threats, seen from an application perspective, it strikes me as odd/unwelcome to have the complete Nextcloud Data dir mounted in that container.
I know the Nextcloud Datadir is actively used by Caddy to read some configuration settings, but can't that be solved in another way?
Of course it's debatable how much a security risk this is, or even if it's a security risk at all, but it's not unthinkable that this can fairly easily result in exposure of the complete Nextcloud Datadir.
For example: One can have a custom Caddy config in /data/caddy-imports that (inadvertently) exposes the Nextcloud Datadir to the internet.
Maybe a way out of this would be a separate volume, that can be used for config files, like the geoblocking part. This volume can then be mounted as an external mount in Nextcloud and used as a stand-alone volume in Caddy, or at any other place needed.
I hope this helps make AIO even more secure.
Thank you, Bas Bleeker
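The "inspect mounted volumes" step above is easy to do by hand for one container, but on a host running the whole AIO stack it is worth scripting so that the check can be repeated after every update. The following audit script is an added example for this page, not code from the issue author or from the Nextcloud AIO project. It parses the JSON that `docker inspect` emits, lists every container that mounts a given named volume (either directly, or as a bind mount of the volume's backing directory on the host), and flags any container that is not on an allow-list. The embedded `docker inspect` output is constructed for illustration; the volume name `nextcloud_aio_nextcloud_data`, the container names and the mount paths are assumptions, not values confirmed by the issue.

```python
"""Audit `docker inspect` output for containers that mount a given named volume.

Added example for this issue; not code from the issue author or from Nextcloud AIO.
Real-world usage:
    docker inspect $(docker ps -aq) > inspect.json
    python3 mount_audit.py inspect.json nextcloud_aio_nextcloud_data nextcloud-aio-nextcloud
The volume and container names used here are assumptions for illustration.
"""
import json
import sys

# Constructed sample in the shape `docker inspect` emits, trimmed to the fields used.
# Three containers; only the Nextcloud app container is expected to hold the data volume.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/nextcloud-aio-nextcloud",
        "Mounts": [
            {"Type": "volume", "Name": "nextcloud_aio_nextcloud_data",
             "Source": "/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data",
             "Destination": "/mnt/ncdata", "Mode": "z", "RW": True},
        ],
    },
    {
        "Name": "/nextcloud-aio-caddy",
        "Mounts": [
            {"Type": "volume", "Name": "nextcloud_aio_caddy",
             "Source": "/var/lib/docker/volumes/nextcloud_aio_caddy/_data",
             "Destination": "/data", "Mode": "z", "RW": True},
            # The finding the issue describes: the data volume is visible to the proxy.
            {"Type": "volume", "Name": "nextcloud_aio_nextcloud_data",
             "Source": "/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data",
             "Destination": "/mnt/ncdata", "Mode": "z", "RW": True},
        ],
    },
    {
        "Name": "/nextcloud-aio-database",
        "Mounts": [
            {"Type": "volume", "Name": "nextcloud_aio_database",
             "Source": "/var/lib/docker/volumes/nextcloud_aio_database/_data",
             "Destination": "/var/lib/postgresql/data", "Mode": "z", "RW": True},
        ],
    },
])


def find_volume_mounts(inspect_json, volume_name, expected=()):
    """Return one finding per container mount that exposes `volume_name`.

    A mount counts if it is the named volume itself, or a bind mount whose host
    Source lies inside the volume's backing directory (a second way the same
    data can end up in a container). `expected` lists container names that are
    allowed to hold the volume; every other holder is marked unexpected.
    """
    containers = json.loads(inspect_json)

    # Learn the volume's host path from any container that mounts it by name,
    # so bind mounts of that path can be matched too.
    backing_dirs = {
        m["Source"]
        for c in containers for m in c.get("Mounts", [])
        if m.get("Type") == "volume" and m.get("Name") == volume_name and m.get("Source")
    }

    findings = []
    for c in containers:
        cname = c["Name"].lstrip("/")
        for m in c.get("Mounts", []):
            by_name = m.get("Type") == "volume" and m.get("Name") == volume_name
            by_path = m.get("Type") == "bind" and any(
                m.get("Source", "").rstrip("/").startswith(d) for d in backing_dirs)
            if by_name or by_path:
                findings.append({
                    "container": cname,
                    "destination": m.get("Destination"),
                    "rw": bool(m.get("RW", True)),
                    "via": "volume" if by_name else "bind",
                    "unexpected": cname not in expected,
                })
    return findings


def render(findings):
    """Human-readable report; unexpected holders are marked so they stand out."""
    lines = []
    for f in findings:
        mark = "!!" if f["unexpected"] else "ok"
        mode = "rw" if f["rw"] else "ro"
        lines.append(f"{mark} {f['container']}: {f['destination']} ({f['via']}, {mode})")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
        volume, allowed = sys.argv[2], tuple(sys.argv[3:])
    else:  # no arguments: run against the constructed sample
        data, volume, allowed = SAMPLE_INSPECT, "nextcloud_aio_nextcloud_data", ("nextcloud-aio-nextcloud",)
    result = find_volume_mounts(data, volume, allowed)
    print(render(result))
    sys.exit(1 if any(f["unexpected"] for f in result) else 0)
```

The non-zero exit status when an unexpected holder is found makes the script usable as a post-update check in a cron job or CI step. Note that it only answers "who can see the volume"; whether the proxy then serves any of it depends on the Caddy configuration, which this script does not inspect.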