From 1490774f4a87679f2d16557c2399830fe6f7a8a0 Mon Sep 17 00:00:00 2001 From: Ethan Paul <24588726+enpaul@users.noreply.github.com> Date: Fri, 30 Apr 2021 20:20:22 -0400 Subject: [PATCH] Update nextcloud app to use separate proxy and fpm services --- resources/docker-compose/nextcloud.yaml.j2 | 33 +++++++++++--- resources/nginx/nextcloud-proxy.conf | 50 ++++++++++++++++++++++ vars/applications.yaml | 6 ++- 3 files changed, 83 insertions(+), 6 deletions(-) create mode 100644 resources/nginx/nextcloud-proxy.conf diff --git a/resources/docker-compose/nextcloud.yaml.j2 b/resources/docker-compose/nextcloud.yaml.j2 index 1f0b776..0934058 100644 --- a/resources/docker-compose/nextcloud.yaml.j2 +++ b/resources/docker-compose/nextcloud.yaml.j2 @@ -22,6 +22,9 @@ volumes: config: name: datastore{{ omni_compose_apps.nextcloud.datastore }}/config driver: glusterfs + proxy: + name: datastore{{ omni_compose_apps.nextcloud.datastore }}/proxy + driver: glusterfs services: 
@@ -49,19 +52,39 @@ services: deploy: replicas: 1 - server: - image: nextcloud:{{ omni_compose_apps.nextcloud.versions.server | default(omni_compose_apps.nextcloud.versions.default) }} - hostname: nextcloud-server + proxy: + image: nginx:{{ omni_compose_apps.nextcloud.versions.proxy | default(omni_compose_apps.nextcloud.versions.default) }} + hostname: nextcloud-proxy networks: - nextcloud depends_on: - - database - - cache + - server ports: - published: {{ omni_compose_apps.nextcloud.published.ports.80 }} target: 80 protocol: tcp mode: ingress + volumes: + - type: volume + source: config + target: /usr/share/nginx/nextcloud + read_only: true + - type: volume + source: proxy + target: /etc/nginx/conf.d + read_only: true + deploy: + replicas: 1 + + server: + image: nextcloud:{{ omni_compose_apps.nextcloud.versions.server | default(omni_compose_apps.nextcloud.versions.default) }} + hostname: nextcloud-server + user: "{{ omni_compose_apps.nextcloud.account.uid }}" + networks: + - nextcloud + depends_on: + - database + - cache volumes: - type: volume source: data diff --git a/resources/nginx/nextcloud-proxy.conf b/resources/nginx/nextcloud-proxy.conf new file mode 100644 index 0000000..02f8568 --- /dev/null +++ b/resources/nginx/nextcloud-proxy.conf 
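Review bot: The new `proxy` service mounts the `config` volume (`datastore…/config`) at `/usr/share/nginx/nextcloud`, which the accompanying `nextcloud-proxy.conf` uses as nginx `root` and serves with `try_files $uri $uri/ =404`. If that volume is the Nextcloud `config/` directory — the name suggests it, but the fpm service's mount target is cut off at the end of the hunk — every non-PHP file in it (a `config.php.bak` left behind by an admin, for instance) becomes downloadable from the published port, and `config.php` carries the database password, `secret` and `passwordsalt`; it also means the proxy's `if (!-f $document_root$fastcgi_script_name)` test can never find `index.php`, so the split would not serve Nextcloud at all. The proxy needs the Nextcloud webroot (whatever the fpm service mounts at `/var/www/html`; no such volume is visible in these hunks), mounted read-only at the same path so `$document_root` agrees with the hard-coded `/var/www/html` prefix in `SCRIPT_FILENAME`: `target: /var/www/html` on the proxy mount and `root /var/www/html;` in the proxy config. Leave the `config` volume off the proxy entirely — nginx has no reason to read it.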
@@ -0,0 +1,50 @@
+server {
+ listen 80;
+ root /usr/share/nginx/nextcloud;
+ index index.php index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ [^/]\.php(/|$) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass server:9000;
+ fastcgi_index index.php;
+
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_TRANSLATED /var/www/html$fastcgi_path_info;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param DOCUMENT_URI $document_uri;
+ fastcgi_param DOCUMENT_ROOT /var/www/html/;
+ fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param SERVER_NAME $server_name;
+
+ fastcgi_param HTTPS $https;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
+ }
+}
diff --git a/vars/applications.yaml b/vars/applications.yaml
index 121c19d..a9aad5d 100644
--- a/vars/applications.yaml
+++ b/vars/applications.yaml
@@ -122,6 +122,10 @@ omni_compose_apps:
 networks:
 main: 192.168.107.0/24
 versions:
- server: 21.0.1
+ proxy: latest
+ server: 21.0.1-fpm
 database: "10"
 cache: "6.2"
+ assets:
+ - src: nginx/nextcloud-proxy.conf
+ name: proxy/nextcloud.conf
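Review bot: `location / { try_files $uri $uri/ =404; }` hands out any file under `root`, and `location ~ [^/]\.php(/|$)` forwards any `.php` path that exists on disk to fpm, with none of the deny rules the Nextcloud nginx reference config uses in place of the `.htaccess` files that nginx ignores. Once `root` points at the real webroot, `/data/…` (user uploads — and a user-uploaded `.php` there would pass the `-f` test and execute in fpm), `/config/`, `/.user.ini`, `/.ocdata`, `/occ`, `/3rdparty` and `/lib` are all reachable from the published port. The deny locations have to be placed before the `.php` location, because regex locations are tried in file order and the first match wins; `.well-known` is exempted since CalDAV/CardDAV discovery relies on it. Separately, `fastcgi_param HTTPS $https;` is always empty behind this `listen 80;` — if TLS is terminated somewhere in front of the swarm ingress (not visible here), Nextcloud will need `overwriteprotocol` set or it generates `http://` links.
```nginx
server {
    # … unchanged: listen / root / index …

    # nginx does not honour Nextcloud's .htaccess: deny the paths it protects.
    # Must precede the .php location (regex locations match in file order).
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) {
        return 404;
    }
    location ~ ^/(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console) {
        return 404;
    }

    # … unchanged: location / and the .php handler …
}
```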
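Review bot: `proxy: latest` leaves the nginx image unpinned, so every redeploy may pull a different build with no record of what is running — the sibling entries (`server: 21.0.1-fpm`, `database: "10"`, `cache: "6.2"`) are pinned and this one should match. Pin a specific nginx release tag and quote it so YAML keeps it a string rather than a float, e.g. `proxy: "1.20"` (or whichever release is current when this lands).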