add headers to embed nextcloud in frame on external site

This introduces new env variables to configure nextloud to be embedded via iframe on an external site. Setting X_FRAME_OPTIONS_ENABLED=1 will configure nginx and nextcloud to set X-Frame-Options and CSP headers to allow the domain configured in X_FRAME_OPTIONS_ALLOW_FROM.
2022-08-31 15:40:18 +02:00
7 changed files with 105 additions and 47 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -11,17 +11,11 @@ steps:
      purge: true
      deploy_key:
        from_secret: drone_ssh_swarm_test
      networks:
        - proxy
    environment:
      DOMAIN: nextcloud.swarm-test.autonomic.zone
      STACK_NAME: nextcloud
      LETS_ENCRYPT_ENV: production
      ADMIN_USER: foobar
      FPM_TUNE_VERSION: v1
      NGINX_CONF_VERSION: v1
      MY_CNF_VERSION: v1
      ENTRYPOINT_VERSION: v1
      SECRET_DB_PASSWORD_VERSION: v1
      SECRET_DB_ROOT_PASSWORD_VERSION: v1
      SECRET_ADMIN_PASSWORD_VERSION: v1
--- a/.env.sample
+++ b/.env.sample
@ -19,5 +19,3 @@ EXTRA_VOLUME=/dev/null:/tmp/.dummy
 # X_FRAME_OPTIONS_ENABLED=1
 # X_FRAME_OPTIONS_ALLOW_FROM=embedding-site.example.org
 # APPS="calendar sociallogin onlyoffice"
--- a/abra.sh
+++ b/abra.sh
@ -1,38 +1,106 @@
 #!/bin/bash
 export FPM_TUNE_VERSION=v4
-export NGINX_CONF_VERSION=v4
+export NGINX_CONF_VERSION=v3
 export MY_CNF_VERSION=v4
-export ENTRYPOINT_VERSION=v2
+export ENTRYPOINT_VERSION=v1
-run_occ(){
+NC_APP_DIR="app:/var/www/html"
-    su -p www-data -s /bin/sh -c "/var/www/html/occ $@"
+
 sub_occ(){
  # shellcheck disable=SC2034
  abra__service_="app"
  # shellcheck disable=SC2034
  abra___user="www-data"
  sub_app_run php /var/www/html/occ "$@"
 }
-install_apps(){
+_backup_app() {
-    install_apps="$@"
+  # Copied _abra_backup_dir to make UX better on restore and backup
-    if [ -z "$install_apps" ]
+  {
-    then
+    abra__src_="$1"
-        install_apps=$APPS
+    abra__dst_="-"
-    fi
+  }
-    for app in $install_apps
+
-    do
+  # shellcheck disable=SC2154
-        run_occ "app:install $app"
+  FILENAME="$(basename "$1").tar"
-    done
+
  debug "Copying '$1' to '$FILENAME'"
  silence
  mkdir -p /tmp/abra
  sub_app_cp > /tmp/abra/$FILENAME
  unsilence
 }
-set_app_config(){
+next_maintenance_on() {
-    APP=$1
+  silence
-    KEY=$2
+  sub_occ maintenance:mode --on > /dev/null
-    VALUE=$3
+  unsilence
-    run_occ "config:app:set $APP $KEY --value $VALUE"
+  debug "Nextcloud maintenance mode enabled"
 }
-install_bbb(){
+next_maintenance_off() {
-    URL=$1 # https://talk.example.org/bigbluebutton/ (trailing slash!)
+  silence
-    SECRET=$2 # bbb secret key
+  sub_occ maintenance:mode --off > /dev/null
-    install_apps bbb
+  unsilence
-    set_app_config bbb app.navigation true
+  debug "Nextcloud maintenance mode disabled"
    set_app_config bbb api.url "$URL"
    set_app_config bbb api.secret "$SECRET"
 }
 abra_backup_app() {
  # shellcheck disable=SC2154
  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
  # Cant be FILENAME as that gets changed by something
  next_maintenance_on
  _backup_app $NC_APP_DIR/config
  _backup_app $NC_APP_DIR/data
  _backup_app $NC_APP_DIR/themes
  # Combine archives
  tar -Af /tmp/abra/config.tar /tmp/abra/data.tar
  tar -Af /tmp/abra/config.tar /tmp/abra/themes.tar
  gzip /tmp/abra/config.tar -c > "$ARK_FILENAME"
  rm /tmp/abra/*.tar
  success "Backed up 'app' to $ARK_FILENAME"
  next_maintenance_off
 }
 abra_backup_db() {
  next_maintenance_on
  _abra_backup_mysql "db" "nextcloud"
  next_maintenance_off
 }
 abra_backup() {
  abra_backup_app && abra_backup_db
 }
 abra_restore_app() {
  next_maintenance_on
  # shellcheck disable=SC2034
  {
  abra__src_="-"
  abra__dst_=$NC_APP_DIR
  }
  zcat "$@" | sub_app_cp
  next_maintenance_off
  sub_occ files:scan --all > /dev/null # Needs to be run in normal mode
  success "Restored 'app'"
 }
 # abra_restore_db() {
 #   warning "Restoring the database is on a existing app and not a new one has not been tested. Use with caution."
 #   next_maintenance_on
 #   # 3wc: unlike abra_backup_db, we can assume abra__service_ will be 'db' if we
 #   # got this far..
 #   # shellcheck disable=SC2034
 #   abra___no_tty="true"
 #   DB_PASSWORD=$(sub_app_run cat /run/secrets/db_password)
 #   zcat "$@" | sub_app_run mysql -u root -p"$DB_PASSWORD" wordpress
 #   success "Restored 'db'"
 #   next_maintenance_off
 # }
--- a/compose.postgres.yml
+++ b/compose.postgres.yml
@ -2,6 +2,7 @@ version: '3.8'
 services:
  app:
    entrypoint: "sh -c 'sleep 10 && /entrypoint.sh php-fpm'" # tries to mitigate this error with postgres https://github.com/nextcloud/docker/issues/1204
    environment:
      - POSTGRES_HOST=db
      - POSTGRES_DB=nextcloud
--- a/compose.yml
+++ b/compose.yml
@ -1,7 +1,7 @@
 version: "3.8"
 services:
  web:
-    image: nginx:1.23.2
+    image: nginx:1.23.1
    configs:
      - source: nginx_conf
        target: /etc/nginx/nginx.conf
@ -35,7 +35,7 @@ services:
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
  app:
-    image: nextcloud:25.0.1-fpm
+    image: nextcloud:24.0.3-fpm
    depends_on:
      - db
    configs:
@ -49,7 +49,6 @@ services:
      - db_password
      - admin_password
    environment:
      - APPS
      - X_FRAME_OPTIONS_ALLOW_FROM
      - X_FRAME_OPTIONS_ENABLED
      - DOMAIN
@ -78,12 +77,12 @@ services:
        failure_action: rollback
        order: start-first
      labels:
-        - "coop-cloud.${STACK_NAME}.version=3.0.1+25.0.1-fpm"
+        - "coop-cloud.${STACK_NAME}.version=2.1.2+24.0.3-fpm"
        - "backupbot.backup=true"
        - "backupbot.backup.path=/var/www/html/config/,/var/www/html/data/,/var/www/html/custom_apps/"
  cron:
-    image: nextcloud:25.0.1-fpm
+    image: nextcloud:24.0.3-fpm
    volumes:
      - nextcloud:/var/www/html/
      - nextapps:/var/www/html/custom_apps:cached
@ -95,7 +94,7 @@ services:
    entrypoint: /cron.sh
  cache:
-    image: redis:7.0.5-alpine
+    image: redis:7.0.4-alpine
    networks:
      - internal
    volumes:
@ -107,7 +106,7 @@ secrets:
    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
  db_password:
    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+    name: ${STACK_NAME}_db_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
  admin_password:
    external: true
    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@ -1,8 +1,5 @@
 #!/bin/bash
 echo "Giving the db container some time to come up"; sleep 20
 # see this issue with postgres db https://github.com/nextcloud/docker/issues/1204
 {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
 if ! [[ $(grep {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} lib/public/AppFramework/Http/ContentSecurityPolicy.php) ]]; then
    sed -i "91 a\\\t\t'{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}', " lib/public/AppFramework/Http/ContentSecurityPolicy.php
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
@ -67,7 +67,8 @@ http {
        add_header X-XSS-Protection                     "1; mode=block" always;
        {{ if eq (env "X_FRAME_OPTIONS_ENABLED") "1" }}
-        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }} {{ env "DOMAIN" }}";
+        add_header X-Frame-Options                      "{{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}"    always;
        add_header Content-Security-Policy              "frame-ancestors {{ env "X_FRAME_OPTIONS_ALLOW_FROM" }}";
        {{ else }}
        add_header X-Frame-Options                      "SAMEORIGIN"    always;
        {{ end }}