Merge branch 'CVE' of adasauce/nextcloud-docker into master

fix nginx configuration to protect against CVE-2019-11043.
changes are pulled from nextcloud blogpost covering the issue. https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/ should also pull and build a new web container.
2 changed files with 29 additions and 9 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,7 +2,7 @@ version: '3'

 services:
  db:
-    image: postgres:alpine
+    image: postgres:11-alpine
    restart: always
    volumes:
      - db:/var/lib/postgresql/data
@ -46,11 +46,29 @@ services:
      while /bin/true; do
        echo Starting cron
        su -s "/bin/sh" -c "/usr/local/bin/php /var/www/html/cron.php" www-data
-        echo $$(date) - Running cron finished
+        echo \$$(date) - Running cron finished
        sleep 900
      done
      EOF'

+  thumbnailer:
+    image: nextcloud:fpm-alpine
+    restart: always
+    volumes:
+      - nextcloud:/var/www/html
+    depends_on:
+      - app
+    entrypoint: |
+      sh -c 'sh -s <<EOF
+      trap "break;exit" SIGHUP SIGINT SIGTERM
+      while /bin/true; do
+        echo Starting thumbnail cron
+        su -s "/bin/sh" -c "/usr/local/bin/php occ preview:pre-generate" www-data
+        echo \$$(date) - Running thumbnail cron finished
+        sleep 60
+      done
+      EOF'
+
  proxy:
    build: ./proxy
    restart: always
--- a/web/nginx.conf
+++ b/web/nginx.conf
@ -94,7 +94,7 @@ http {
        #pagespeed off;

        location / {
-            rewrite ^ /index.php$request_uri;
+            rewrite ^ /index.php;
        }

        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
@ -104,14 +104,16 @@ http {
            deny all;
        }

-        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
-            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+            try_files $fastcgi_script_name =404;
            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
-            # fastcgi_param HTTPS on;
-            #Avoid sending the security headers twice
+            fastcgi_param SCRIPTFILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATHINFO $fastcgi_path_info;
+            fastcgi_param HTTPS on;
+            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
+            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
Author	SHA1	Message	Date
Thurloat	0f176aa7ca	Merge branch 'CVE' of adasauce/nextcloud-docker into master	5 years ago
Adasauce	84997bfb9a	fix nginx configuration to protect against CVE-2019-11043. changes are pulled from nextcloud blogpost covering the issue. https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/ should also pull and build a new web container.	5 years ago
Thurloat	31e5dc7d45	Merge branch 'postgres11' of adasauce/nextcloud-docker into master	5 years ago
Adasauce	b96b3d1091	Lock to Postgres 11 for now Not ready to migrate DBs into 12, and don't have a migration strategy yet.	5 years ago
Thurloat	8c9c91e755	Merge branch 'cronjob' of adasauce/nextcloud-docker into master	5 years ago
Adasauce	8c5a109eb0	Add a 'thumbnailer container' uses the same method as the cron container, runs every 60 seconds. fixed an issue with the original cron scripts outputting the same date over and over. Closes #1	5 years ago