Adding nextcloud changes to make it more secure

2022-04-19 22:29:31 +02:00 · 2022-04-19 22:29:31 +02:00 · 07722671d4
parent 9a1a6b6bf4
commit 07722671d4
3 changed files with 51 additions and 0 deletions
--- a/k8s/README.md
+++ b/k8s/README.md
@ -73,6 +73,11 @@ k apply -f openebs/storageclass.yml

 Switching to [Bitnami chart](https://artifacthub.io/packages/helm/bitnami/minio) as "normal" chart just too big.

+Links:
+
+* [minio-console.haumdaucher.de](minio-console.haumdaucher.de)
+* [minio.haumdaucher.de](minio.haumdaucher.de)
+
 ```sh
 helm repo update
 helm upgrade --install -f minio/minio.secret.yaml --namespace minio --create-namespace minio bitnami/minio
--- a/k8s/minio/minio.secret.yaml
+++ b/k8s/minio/minio.secret.yaml
--- a/k8s/nextcloud/nextcloud.secret.yml
+++ b/k8s/nextcloud/nextcloud.secret.yml
@ -1,18 +1,64 @@
+phpClientHttpsFix:
+  enabled: "true" 
+  protocol: "https"
+

 ingress:
  enabled: true
+  ingressClass: nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"    
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: 4G
+    nginx.ingress.kubernetes.io/server-snippet: |-
+      server_tokens off;
+      proxy_hide_header X-Powered-By;
+
+      rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+      location = /.well-known/carddav {
+        return 301 $scheme://$host/remote.php/dav;
+      }
+      location = /.well-known/caldav {
+        return 301 $scheme://$host/remote.php/dav;
+      }
+      location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+      }
+      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        deny all;
+      }
+      location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+        deny all;
+      }
  tls:
  - hosts:
    - "cloud.haumdaucher.de"
    secretName: cloud-haumdaucher-de
+  
 nextcloud:
  host: "cloud.haumdaucher.de"
  username: admin
  password: loKeengoo6OoZaevahZai4Hie
+  configs:
+    proxy.config.php: |-
+      <?php
+      $CONFIG = array (
+        'trusted_proxies' => array(
+          0 => '127.0.0.1',
+          1 => '10.0.0.0/8',
+          2 => '136.243.23.215',
+        ),
+        'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
+      );
 cronjob:
  enabled: true
 internalDatabase: