Relevant: nextcloud/server#13612

Hi @JanoschDeurer
Thanks for the traefik 2.0 based docker-compose file.
I created full docker-compose.yml for with required containers and parameter.

It is available at
https://gist.github.com/ismailyenigul/f03b4f5f15e5e61ac5b80905c5d2890a
and feel free for any comments

Adding here full YAML here also.

# docker network create nextcloud

NOTES:

1. Edit certificatesresolvers.myresolver.acme.email=myemail@gmail.com
2. Set TRUSTED_PROXIES values based on your 'nexcloud docker network'
3. remove traefik.http.middlewares.nextcloud.headers.contentSecurityPolicy and
   traefik.http.middlewares.nextcloud.headers.customFrameOptionsValue if you don't want to allow iframe your domain

# cat docker-compose.yml
version: '3.1'

volumes:
  nextcloud-www:
    driver: local
  nextcloud-db:
    driver: local
  redis:
    driver: local
  letsencrypt:
    driver: local


services:

  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=myemail@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 443:443
    networks:
      - nextcloud
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - letsencrypt:/letsencrypt
  db:
    restart: always
    image: postgres:11
    networks:
      - nextcloud
    environment:
    - POSTGRES_USER=nextcloud
    - POSTGRES_PASSWORD=password
    - POSTGRES_DB=nextcloud
    volumes:
    - nextcloud-db:/var/lib/postgresql/data
  redis:
    image: redis:latest
    restart: always
    networks:
      - nextcloud
    volumes:
      - redis:/var/lib/redis

  nextcloud:
    image: nextcloud:latest
    restart: always
    networks:
      - nextcloud
    depends_on:
      - redis
      - db
    labels:
      - traefik.protocol=http
      - traefik.port=80
      - traefik.http.routers.nextcloud.middlewares=nextcloud,nextcloud_redirect
      - traefik.http.routers.nextcloud.tls=true
      - traefik.http.routers.nextcloud.entrypoints=websecure
      - traefik.http.routers.nextcloud.tls.certresolver=myresolver
      - traefik.http.routers.nextcloud.rule=Host(`nextcloud.mydomain.com`)
      - traefik.http.middlewares.nextcloud.headers.customFrameOptionsValue=ALLOW-FROM https://mydomain.com
      - traefik.http.middlewares.nextcloud.headers.contentSecurityPolicy=frame-ancestors 'self' mydomain.com *.mydomain.net
      - traefik.http.middlewares.nextcloud.headers.stsSeconds=155520011
      - traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.nextcloud.headers.stsPreload=true
      - traefik.http.middlewares.nextcloud_redirect.redirectregex.regex=/.well-known/(card|cal)dav
      - traefik.http.middlewares.nextcloud_redirect.redirectregex.replacement=/remote.php/dav/
    environment:
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_PASSWORD=password
      - POSTGRES_HOST=db
      - NEXTCLOUD_ADMIN_USER=admin
      - NEXTCLOUD_ADMIN_PASSWORD=adminpass
      - REDIS_HOST=redis
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mydomain.com
      - TRUSTED_PROXIES=172.18.0.0/16
    volumes:
      - nextcloud-www:/var/www/html

networks:
  nextcloud:
    external: true

I have two comments: First of all I thinks in most setups traefik should be in a separate docker-compose.yml. If you want to provide a single docker-compose.yml with traefik I think that it should have two different networks, such that traefik can only talk to nextcloud and not to the databases.

For the traefik labels there are a view options in the new traefik versions which enable you to configure more of these options globally and omit them for the containers. If you have a traefik configuration like this (sorry I don't have a configuration with labels at hand):

entryPoints:       
  web:    
    address: ":80"  
    http:           
      redirections:      
        entryPoint:     
          to: web-secure
          scheme: https
                    
  web-secure:
    address: ":443"
    http:                         
      tls:
        certResolver: letsencrypt

you can ommit the following lables:

      - traefik.protocol=http
      - traefik.http.routers.nextcloud.tls=true
      - traefik.http.routers.nextcloud.tls.certresolver=myresolver

you can also ommit:

      - traefik.port=80

as there is only one port exposed by Nextcloud, but I think it can still be useful to write this here anyway for documentation purposes.

Hi,

As you said if we deploy traefik with a different docker-compose.yml then we need to configure two networks for nextcloud. I just keep the config simple for nextcloud deployment only.
Maybe we can create another example deployment for this.
I submitted a PR for the above example at #1115 I am going to create another example for two different network setup.

Yes, we can omit protocol, tls and port parameters. I was also deploying owncloud which uses port 8080 when I for it when modifying yml for nextcloud

We must set certresolver

 traefik.http.routers.nextcloud.tls.certresolver=myresolver

Ref: https://docs.traefik.io/https/acme/#the-different-acme-challenges

Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must reference it.

I removed - traefik.http.routers.nextcloud.tls.certresolver=myresolver then traefik started using self-signed certificate for nextcloud

time="2020-05-10T09:25:04Z" level=debug msg="No default certificate, generating one"

 $ curl -I https://nextcloud.mydomain.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

I added certresolver and traefik generated Let's Encrypt certificate.

Why cant we fix the problem where the problem is caused from?

An environmental variable telling nextcloud that it is behind a reverse-proxy and should behave properly.

I should not have to have two route stacks to work around nextcloud trying to "help" me by refusing to act properly in the manner it should be doing so. Very few people place nextcloud as their https facing application, the overwhelming majority put it behind a reverseproxy.

@JanoschDeurer are those labels suppose to work?
If so, nextcloud must have just updated the look to show "404 page not found" as a social engineering tactic to trick people into thinking that the page does not exist and is not route-able via the reverseproxy. Interesting move by the people in charge of nextcloud, I do not see any updates on this in the documentation.

@Motophan
We are just discussing Traefik 2.0 based deployment.
Can you give more details about the problem that you mention ?

@ismailyenigul
None of the labels posted in this thread will work.

The first persons labels will not route, your labels not pass the trusted ssl cert.
Neither of your "solutions" should be used.

The problem is the labels posted in this thread. Delete them.
Or at a minimum preface them with a warning not to be used.
They will not work.

@Motophan
Still not clear to me. What do you mean trusted cert does not pass?
I created another docker-compose files for multi-network deployment at https://gist.github.com/ismailyenigul/0d25f37337bf9b56f537488670121365
I just tested and it created Lets Encrypt SSL for my domain and it works fine.
Can you send me your docker-compose, and docker logs, errors?

Also you mention about image #1113 (comment)
I don't provide an image?

fam lmao that wont werk xDDDDDDDDD
https://i.imgur.com/IY9ljvw.png

now, if you take his compose file and add under lables
- "traefik.enable=true"
to the labels section it will.

But we should not do this.
This is bad.

Nextcloud should fix thier crap "sekur" features and let me pass an env variable that will let me send a reverseproxy at it and be done w/ this. Why do they make this harder than it should.

Are you aware of --providers.docker.exposedByDefault=true parameter?

Check https://docs.traefik.io/providers/docker/#exposedbydefault

exposedByDefault
Optional, Default=true
Expose containers by default through Traefik. If set to false, containers that don't have a traefik.enable=true label will be ignored from the resulting routing configuration.

And this is config from my traefik container deployment

services:

  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.network=traefik"
      - "--providers.docker.exposedbydefault=true"

@Motophan I created this ticket to document nextcloud specific lables for Traefik 2.0. There are other lables required as well, as you can see in the examples of @ismailyenigul. An example of such labels is given by him, however the labels for you really depend on your Traefik setup.

Setting

- "traefik.enable=true"

is totally fine. I also don't understand what your problem with "Nextclouds crap sekur features" my traefik config is working fine and I never had any problem running Nextclound behind a reverse proxy.

@ismailyenigul Thanks for creating all these examples :) My intention was that you can also create multiple networks in a single docker-compose.yml to increase security.

The cert resolver works for me with the above config without setting it for each container as it is configured as a default resolver. So I think we can omit the resolver.

Here is my configuration with an external traefik 2 instance running withing the http_network namespace.

Note: Within this config bind volume mounts are used. Adapt to your use-case...

version: '3'

networks:
    http_network:
        external: true
    nextcloud_network:
        external: false

services:
  db:
    image: postgres:12-alpine
    container_name: nextcloud-db
    restart: unless-stopped
    volumes:
      - /data/<service_name>/db:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=<db_password>
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
    networks:
      - nextcloud_network

  app:
    image: nextcloud:18
    container_name: nextcloud-app
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.services.<service_name>.loadbalancer.server.port=80
      - traefik.http.routers.<service_name>.rule=Host(`<url>`)
      - traefik.http.routers.<service_name>.middlewares=<service_name>,<service_name>_redirect
      - traefik.http.routers.<service_name>.entrypoints=websecure
      - traefik.http.middlewares.<service_name>.headers.stsSeconds=155520011
      - traefik.http.middlewares.<service_name>.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.<service_name>.headers.stsPreload=true
      - traefik.http.middlewares.<service_name>.headers.contentTypeNosniff=true
      - traefik.http.middlewares.<service_name>.headers.browserXSSFilter=true
      - traefik.http.middlewares.<service_name>_redirect.redirectregex.permanent=true
      - traefik.http.middlewares.<service_name>_redirect.redirectregex.regex=/.well-known/(card|cal)dav
      - traefik.http.middlewares.<service_name>_redirect.redirectregex.replacement=/remote.php/dav/

    environment:
      - POSTGRES_HOST=db
      - NEXTCLOUD_TRUSTED_DOMAINS=<url>
      - TRUSTED_PROXIES=172.16.0.0/12
    depends_on:
      - db
    volumes:
      - /data/<service_name>/data:/var/www/html
    networks:
      - nextcloud_network
      - http_network