Various php and nginx site conf optimizations (#133)

* php.ini and site config updates

* display real ip in nginx logs with rp

* fixed diffs w/ upstream nextcloud git (#129)

* Bot Updating Package Versions

* fixed diffs w/ nextcloud upstream

Edit line 53, 67 - ocs-provider + ocm-provider, one call:
3206db9fb8
https://github.com/nextcloud/documentation/pull/1293

New line 55, edit 58 - try_files resets $fastcgi_path_info, fix so $path_info gets value:  
8f6c1aa61a
https://github.com/nextcloud/documentation/pull/1679

Co-authored-by: Evan Wade <evan+pgp@evanwade.com>

Dockerfile

@@ -5,7 +5,7 @@ ARG BUILD_DATE
 ARG VERSION
 ARG NEXTCLOUD_RELEASE
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="sparklyballs"
+LABEL maintainer="aptalca"
 
 # environment settings
 ENV NEXTCLOUD_PATH="/config/www/nextcloud"
@@ -82,6 +82,9 @@ RUN \
 	-e 's/;opcache.revalidate_freq.*=.*/opcache.revalidate_freq=1/g' \
 	-e 's/;always_populate_raw_post_data.*=.*/always_populate_raw_post_data=-1/g' \
 	-e 's/memory_limit.*=.*128M/memory_limit=512M/g' \
+	-e 's/max_execution_time.*=.*30/max_execution_time=120/g' \
+	-e 's/upload_max_filesize.*=.*2M/upload_max_filesize=1024M/g' \
+	-e 's/post_max_size.*=.*8M/post_max_size=1024M/g' \
 		/etc/php7/php.ini && \
  sed -i \
 	'/opcache.enable=1/a opcache.enable_cli=1' \

Dockerfile.aarch64

@@ -5,7 +5,7 @@ ARG BUILD_DATE
 ARG VERSION
 ARG NEXTCLOUD_RELEASE
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="sparklyballs"
+LABEL maintainer="aptalca"
 
 # environment settings
 ENV NEXTCLOUD_PATH="/config/www/nextcloud"
@@ -82,6 +82,9 @@ RUN \
 	-e 's/;opcache.revalidate_freq.*=.*/opcache.revalidate_freq=1/g' \
 	-e 's/;always_populate_raw_post_data.*=.*/always_populate_raw_post_data=-1/g' \
 	-e 's/memory_limit.*=.*128M/memory_limit=512M/g' \
+	-e 's/max_execution_time.*=.*30/max_execution_time=120/g' \
+	-e 's/upload_max_filesize.*=.*2M/upload_max_filesize=1024M/g' \
+	-e 's/post_max_size.*=.*8M/post_max_size=1024M/g' \
 		/etc/php7/php.ini && \
  sed -i \
 	'/opcache.enable=1/a opcache.enable_cli=1' \

Dockerfile.armhf

@@ -5,7 +5,7 @@ ARG BUILD_DATE
 ARG VERSION
 ARG NEXTCLOUD_RELEASE
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="sparklyballs"
+LABEL maintainer="aptalca"
 
 # environment settings
 ENV NEXTCLOUD_PATH="/config/www/nextcloud"
@@ -82,6 +82,9 @@ RUN \
 	-e 's/;opcache.revalidate_freq.*=.*/opcache.revalidate_freq=1/g' \
 	-e 's/;always_populate_raw_post_data.*=.*/always_populate_raw_post_data=-1/g' \
 	-e 's/memory_limit.*=.*128M/memory_limit=512M/g' \
+	-e 's/max_execution_time.*=.*30/max_execution_time=120/g' \
+	-e 's/upload_max_filesize.*=.*2M/upload_max_filesize=1024M/g' \
+	-e 's/post_max_size.*=.*8M/post_max_size=1024M/g' \
 		/etc/php7/php.ini && \
  sed -i \
 	'/opcache.enable=1/a opcache.enable_cli=1' \

README.md

@@ -219,6 +219,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **17.01.20:** - Updated php.ini defaults and site config, including an optional HSTS directive (existing users should delete `/config/nginx/site-confs/default` and restart the container).
 * **19.12.19:** - Rebasing to alpine 3.11.
 * **18.11.19:** - Nginx default site config updated for v17 (existing users should delete `/config/nginx/site-confs/default` and restart the container).
 * **28.10.19:** - Change cronjob to run every 5 minutes.

readme-vars.yml

@@ -60,6 +60,7 @@ app_setup_block: |
 
 # changelog
 changelogs:
+  - { date: "17.01.20:", desc: "Updated php.ini defaults and site config, including an optional HSTS directive (existing users should delete `/config/nginx/site-confs/default` and restart the container)." }
   - { date: "19.12.19:", desc: "Rebasing to alpine 3.11." }
   - { date: "18.11.19:", desc: "Nginx default site config updated for v17 (existing users should delete `/config/nginx/site-confs/default` and restart the container)." }
   - { date: "28.10.19:", desc: "Change cronjob to run every 5 minutes." }

root/defaults/default

@@ -13,6 +13,18 @@ server {
     server_name _;
     ssl_certificate /config/keys/cert.crt;
     ssl_certificate_key /config/keys/cert.key;
+
+    # Add headers to serve security related headers
+    # Before enabling Strict-Transport-Security headers please read into this
+    # topic first.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    #
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Robots-Tag none;
@@ -22,16 +34,19 @@ server {
     add_header Referrer-Policy no-referrer;
     fastcgi_hide_header X-Powered-By;
     root /config/www/nextcloud/;
+    # display real ip in nginx logs when connected through reverse proxy via docker network
+    set_real_ip_from 172.0.0.0/8;
+    real_ip_header X-Forwarded-For;
     location = /robots.txt {
         allow all;
         log_not_found off;
         access_log off;
     }
     location = /.well-known/carddav {
-      return 301 $scheme://$host/remote.php/dav;
+      return 301 $scheme://$host:$server_port/remote.php/dav;
     }
     location = /.well-known/caldav {
-      return 301 $scheme://$host/remote.php/dav;
+      return 301 $scheme://$host:$server_port/remote.php/dav;
     }
     client_max_body_size 10G;
     fastcgi_buffers 64 4K;
@@ -50,12 +65,13 @@ server {
     location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
         deny all;
     }
-    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
         fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        set $path_info $fastcgi_path_info;
         try_files $fastcgi_script_name =404;
         include /etc/nginx/fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param PATH_INFO $path_info;
         fastcgi_param HTTPS on;
         fastcgi_param modHeadersAvailable true;
         fastcgi_param front_controller_active true;
@@ -63,14 +79,23 @@ server {
         fastcgi_intercept_errors on;
         fastcgi_request_buffering off;
     }
-
-    location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
         try_files $uri/ =404;
         index index.php;
     }
     location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
         try_files $uri /index.php$request_uri;
         add_header Cache-Control "public, max-age=15778463";
+        # Add headers to serve security related headers
+        # Before enabling Strict-Transport-Security headers please read into this
+        # topic first.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+        #
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
         add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
         add_header X-Robots-Tag none;