From c32e240d2eaf484ebb04876e3bb12ef58fb009fa Mon Sep 17 00:00:00 2001 From: Lucas Date: Fri, 23 Jan 2026 10:49:01 +0000 Subject: [PATCH] chore: switch to caddy for fpm and postgres 16 --- Caddyfile | 42 +++++++ app_public.env => app.env.example | 4 +- clean_locked_files | 5 - clean_versions | 2 - db_public.env => db.env.example | 0 docker-compose.yml | 54 +++----- nginx.conf | 202 ------------------------------ opcache-recommended.ini | 8 +- scripts/clean_locked_files | 5 + scripts/clean_versions | 2 + web_public.env | 2 - zz-php-fpm-custom.conf | 5 +- 12 files changed, 81 insertions(+), 250 deletions(-) create mode 100644 Caddyfile rename app_public.env => app.env.example (58%) delete mode 100755 clean_locked_files delete mode 100755 clean_versions rename db_public.env => db.env.example (100%) delete mode 100644 nginx.conf create mode 100755 scripts/clean_locked_files create mode 100755 scripts/clean_versions delete mode 100644 web_public.env diff --git a/Caddyfile b/Caddyfile new file mode 100644 index 0000000..02276f2 --- /dev/null +++ b/Caddyfile 
@@ -0,0 +1,42 @@
+:80 {
+ # Racine du site (doit correspondre au volume partagé)
+ root * /var/www/html
+ file_server
+
+ # Sécurité : En-têtes recommandés par Nextcloud
+ header {
+ Strict-Transport-Security "max-age=15552000;"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+ Referrer-Policy "no-referrer"
+ X-XSS-Protection "1; mode=block"
+ Permissions-Policy "interest-cohort=()"
+ }
+
+ # Redirections obligatoires pour la synchro Contacts/Calendrier
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ # Empêcher l'accès aux dossiers critiques
+ @forbidden {
+ path /data/* /config/* /db_structure /README /3rdparty/* /lib/* /templates/* /occ /console.php
+ }
+ respond @forbidden 403
+
+ # Configuration PHP-FPM
+ php_fastcgi nextcloud-app:9000 {
+ env front_controller_active true
+ # Augmenter le timeout pour les gros transferts
+ read_timeout 3600s
+ }
+
+ # Compression optimale
+ encode zstd gzip
+
+ # Gestion du cache pour les fichiers statiques
+ @static {
+ file
+ path *.css *.js *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+ }
+ header @static Cache-Control "max-age=15778463"
+}
\ No newline at end of file
diff --git a/app_public.env b/app.env.example
similarity index 58%
rename from app_public.env
rename to app.env.example
index dcf8165..d02758a 100644
--- a/app_public.env
+++ b/app.env.example
@@ -1,5 +1,5 @@
 POSTGRES_USER=nextcloud
 POSTGRES_PASSWORD=mypassword
 POSTGRES_DATABASE=nextclouddb
-POSTGRES_HOST=db
-REDIS_HOST=redis
+POSTGRES_HOST=nextcloud-db
+REDIS_HOST=nextcloud-redis
diff --git a/clean_locked_files b/clean_locked_files
deleted file mode 100755
index 61c44d2..0000000
--- a/clean_locked_files
+++ /dev/null
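Review bot: The `@forbidden` matcher in the new Caddyfile denies fewer paths than the nginx rules this commit deletes: nginx returned 404 for `/build`, `/tests`, every path starting with `/.` (e.g. `/.htaccess`, `/.user.ini`, `/.git`), `/autotest`, `/issue`, `/indie`, `/db_*` and `/console*`, while here only `/data`, `/config`, `/db_structure`, `/README`, `/3rdparty`, `/lib`, `/templates`, `/occ` and `/console.php` are covered and `file_server` serves everything else under `/var/www/html`. Aligning the matcher with the removed list, `path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/* /.* /autotest* /occ* /issue* /indie* /db_* /console*`, restores the dotfile and `db_*` coverage; the two `/.well-known` redirects keep working because `redir` is ordered before `respond`, but any other `/.well-known/*` request (nginx forwarded those to `index.php`) would then be denied, so handle that prefix before the deny if it is needed. nginx also passed `modHeadersAvailable true` to FPM so that Nextcloud does not emit the security headers a second time; unless `env modHeadersAvailable true` is added to the `php_fastcgi` block, the headers set in `header {}` are probably duplicated by PHP (worth confirming with a response capture).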
@@ -1,5 +0,0 @@ -#!/bin/bash -sudo docker exec --user www-data nextcloud-app php occ maintenance:mode --on -sudo docker exec -it nextcloud-db psql -U nextcloud -d nextclouddb -DELETE FROM oc_file_locks WHERE true; -sudo docker exec --user www-data nextcloud-app php occ maintenance:mode --off diff --git a/clean_versions b/clean_versions deleted file mode 100755 index c402f05..0000000 --- a/clean_versions +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -sudo docker exec --user www-data nextcloud-app php occ versions:cleanup diff --git a/db_public.env b/db.env.example similarity index 100% rename from db_public.env rename to db.env.example diff --git a/docker-compose.yml b/docker-compose.yml index b45d1ea..229275c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,8 @@ services: - db: - image: postgres:13.1 + nextcloud-db: + image: postgres:16.11-alpine container_name: nextcloud-db + command: ["postgres", "-c", "shared_buffers=512MB", "-c", "work_mem=16MB"] restart: always volumes: - db:/var/lib/postgresql/data @@ -10,19 +11,19 @@ services: networks: - nextcloud - redis: - image: redis:alpine + nextcloud-redis: + image: redis:8.4.0-alpine container_name: nextcloud-redis restart: always networks: - nextcloud - app: - image: nextcloud:fpm-alpine + nextcloud-app: + image: nextcloud:32.0.5-fpm-alpine container_name: nextcloud-app depends_on: - - db - - redis + - nextcloud-db + - nextcloud-redis restart: always volumes: - nextcloud:/var/www/html 
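Review bot: Moving `postgres:13.1` to `postgres:16.11-alpine` while keeping the same `db:/var/lib/postgresql/data` volume will not start on an existing deployment, because the server refuses a data directory initialised by a different major version; a dump/restore or `pg_upgrade` step is required before this image is used, and the commit message should say so. Switching from the Debian image to the alpine (musl) variant may also change text collation behaviour for existing indexes, which is a further reason to prefer dump/restore over reusing the volume in place (hedged: depends on how the database was initialised). The `shared_buffers=512MB` / `work_mem=16MB` override is reasonable, but a one-line comment such as `# sized for a dedicated host; adjust shared_buffers and work_mem together` would tell the next maintainer it is a sizing assumption rather than a requirement.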
@@ -37,44 +38,29 @@ services: networks: - nextcloud - web: - image: nginx:alpine + nextcloud-web: + image: caddy:2.10.2-alpine container_name: nextcloud-web - depends_on: - - app restart: always - volumes_from: - - app volumes: - - ./nginx.conf:/etc/nginx/nginx.conf:ro - env_file: - - web.env + - ./Caddyfile:/etc/caddy/Caddyfile:ro + - nextcloud:/var/www/html:ro + - ./app/custom_apps:/var/www/html/custom_apps:ro + depends_on: + - nextcloud-app networks: - nextcloud - reverse-proxy - # web: - # image: caddy:alpine - # container_name: nextcloud-web - # restart: always - # volumes: - # - nextcloud:/var/www/html:z,ro - # - ./Caddyfile:/etc/caddy/Caddyfile:ro - # depends_on: - # - app - # networks: - # - nextcloud - # - reverse-proxy - - cron: - image: nextcloud:fpm-alpine + nextcloud-cron: + image: nextcloud:32.0.5-fpm-alpine container_name: nextcloud-cron depends_on: - - app + - nextcloud-app restart: always entrypoint: /cron.sh volumes_from: - - app + - nextcloud-app networks: - nextcloud diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index e4a321e..0000000 --- a/nginx.conf +++ /dev/null 
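Review bot: The new `nextcloud-web` service drops `env_file: web.env`, and `web_public.env` (`VIRTUAL_HOST`/`VIRTUAL_PORT`) is deleted in this commit, yet the service still joins the `reverse-proxy` network; if the proxy on that network discovers backends through those variables, nothing routes to Caddy any more, so either re-add the env file or document how the proxy now reaches `nextcloud-web` on port 80. Mounting `nextcloud:/var/www/html:ro` for Caddy is an improvement: the file server no longer has write access to the PHP tree. The `./app/custom_apps` bind mount is attached only to the web container in this hunk, so unless `nextcloud-app` gets the same mount (not visible here), FPM and Caddy will see different contents under `/custom_apps`.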
@@ -1,202 +0,0 @@ -worker_processes auto; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include mime.types; - default_type application/octet-stream; - types { - text/javascript mjs; - application/wasm wasm; - } - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - # Prevent nginx HTTP Server Detection - server_tokens off; - - keepalive_timeout 65; - - # Set the `immutable` cache control options only for assets with a cache busting `v` argument - map $arg_v $asset_immutable { - "" ""; - default ", immutable"; - } - - #gzip on; - - upstream php-handler { - server app:9000; - } - - server { - listen 80; - - # HSTS settings - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - - # set max upload size and increase upload timeout: - client_max_body_size 512M; - client_body_timeout 300s; - fastcgi_buffers 64 4K; - - # The settings allows you to optimize the HTTP2 bandwidth. 
- # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ - # for tuning hints - client_body_buffer_size 512k; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Pagespeed is not supported by Nextcloud, so if your server is built - # with the `ngx_pagespeed` module, uncomment this line to disable it. - #pagespeed off; - - # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/html; - - # Specify how to handle directories -- specifying `/index.php$request_uri` - # here as the fallback means that Nginx always exhibits the desired behaviour - # when a client requests a path that corresponds to a directory that exists - # on the server. 
In particular, if that directory contains an index.php file, - # that file is correctly served; if it doesn't, then the request is passed to - # the front-end controller. This consistent behaviour means that we don't need - # to specify custom rules for certain paths (e.g. images and other assets, - # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus - # `try_files $uri $uri/ /index.php$request_uri` - # always provides the desired behaviour. - index index.php index.html /index.php$request_uri; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. - location ^~ /.well-known { - # The rules in this block are an adaptation of the rules - # in `.htaccess` that concern `/.well-known`. - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - - location /.well-known/acme-challenge { try_files $uri $uri/ =404; } - location /.well-known/pki-validation { try_files $uri $uri/ =404; } - - # Let Nextcloud's API for `/.well-known` URIs handle all other - # requests by passing them to the front-end controller. - return 301 /index.php$request_uri; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). 
If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. - location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - - fastcgi_max_temp_file_size 0; - } - - # Serve static files - location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463$asset_immutable"; - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - add_header X-XSS-Protection "1; mode=block" always; - access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } - } - - location ~ \.(otf|woff2?)$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - # Rule borrowed from `.htaccess` - location /remote { - return 301 /remote.php$request_uri; - } - - location / { - try_files $uri $uri/ 
/index.php$request_uri;
- }
- }
-}
\ No newline at end of file
diff --git a/opcache-recommended.ini b/opcache-recommended.ini
index ac4b12f..be844c6 100644
--- a/opcache-recommended.ini
+++ b/opcache-recommended.ini
@@ -1,7 +1,13 @@
 [opcache]
 opcache.enable=1
-opcache.interned_strings_buffer=16
+opcache.enable_cli=1
+opcache.interned_strings_buffer=32
 opcache.max_accelerated_files=10000
 opcache.memory_consumption=256
 opcache.save_comments=1
 opcache.revalidate_freq=60
+opcache.fast_shutdown=1
+opcache.use_cwd=1
+opcache.validate_timestamps=1
+opcache.jit=tracing
+opcache.jit_buffer_size=128M
diff --git a/scripts/clean_locked_files b/scripts/clean_locked_files
new file mode 100755
index 0000000..fbc45df
--- /dev/null
+++ b/scripts/clean_locked_files
@@ -0,0 +1,5 @@
+#!/bin/bash
+docker exec --user www-data nextcloud-app php occ maintenance:mode --on
+docker exec -it nextcloud-db psql -U nextcloud -d nextclouddb
+DELETE FROM oc_file_locks WHERE true;
+docker exec --user www-data nextcloud-app php occ maintenance:mode --off
diff --git a/scripts/clean_versions b/scripts/clean_versions
new file mode 100755
index 0000000..9c49da7
--- /dev/null
+++ b/scripts/clean_versions
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker exec --user www-data nextcloud-app php occ versions:cleanup
diff --git a/web_public.env b/web_public.env
deleted file mode 100644
index dfdba99..0000000
--- a/web_public.env
+++ /dev/null
@@ -1,2 +0,0 @@
-VIRTUAL_HOST=nextcloud.mydomain.fr
-VIRTUAL_PORT=80
\ No newline at end of file
diff --git a/zz-php-fpm-custom.conf b/zz-php-fpm-custom.conf
index 7fe731a..e6a2671 100644
--- a/zz-php-fpm-custom.conf
+++ b/zz-php-fpm-custom.conf
@@ -1,7 +1,8 @@
 [www]
 pm = dynamic
 pm.max_children = 50
-pm.start_servers = 10
+pm.start_servers = 5
 pm.min_spare_servers = 5
-pm.max_spare_servers = 15
+pm.max_spare_servers = 10
 pm.max_requests = 500
+request_terminate_timeout = 300
\ No newline at end of file
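Review bot: `opcache.fast_shutdown=1` is dead configuration: the directive was removed from OPcache in PHP 7.2 and is ignored by the PHP 8.x runtime in the pinned `nextcloud:32.0.5-fpm-alpine` image, so the line should be dropped rather than suggest it does something. `opcache.validate_timestamps=1` together with the existing `revalidate_freq=60` means edited PHP files are picked up within a minute, which is fine here but deserves a comment now that `enable_cli=1` also caches the cron and `occ` invocations. The JIT lines are new for this file; a comment such as `; JIT tracing mode with 128M buffer - first thing to disable if occ or cron segfault` would tell the next maintainer why it is on and what to try first.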
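Review bot: `DELETE FROM oc_file_locks WHERE true;` on line 4 of scripts/clean_locked_files is executed by bash, not by psql: line 3 opens an interactive psql session, the script only continues when the operator quits it, bash then fails on an unknown `DELETE` command, and line 5 lifts maintenance mode anyway, so the locks are never cleared unless the operator types the statement by hand. To do what the script intends non-interactively, pass the statement to psql, `docker exec -i nextcloud-db psql -U nextcloud -d nextclouddb -c "DELETE FROM oc_file_locks WHERE true;"`, and add `set -e` after the shebang so a failed delete does not fall through to `maintenance:mode --off`. The same defect existed in the deleted top-level copy, so moving the file was the moment to fix it; the hard-coded `nextcloud`/`nextclouddb` also duplicate values already kept in app.env.example.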
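Review bot: `request_terminate_timeout = 300` caps every FPM request at five minutes, but the new Caddyfile raises `read_timeout` on `php_fastcgi` to `3600s` specifically for large transfers; the lower limit wins, so any upload or chunk assembly that runs past 300 s is killed by FPM regardless of the Caddy setting. Pick one value and cross-reference it in both files, e.g. `; keep in sync with read_timeout in Caddyfile` followed by `request_terminate_timeout = 3600`, or drop the FPM limit and rely on PHP's `max_execution_time`. The file also still ends without a trailing newline, which is harmless for FPM but keeps producing the `\ No newline at end of file` marker in every diff.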