forked from bunkerity/bunkerweb
/
docker-compose.yml
87 lines (81 loc) · 3 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
version: '3'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.8
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# another example for existing folder : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- SERVER_NAME=www.example.com # replace with your domain
- AUTO_LETS_ENCRYPT=yes
- DISABLE_DEFAULT_SERVER=yes
- MAX_CLIENT_SIZE=10G
- USE_CLIENT_CACHE=yes
- SERVE_FILES=no
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
- X_FRAME_OPTIONS=SAMEORIGIN
- USE_GZIP=yes
- BAD_BEHAVIOR_STATUS_CODES=400 401 403 405 444
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL=/
- REVERSE_PROXY_HOST=http://mync
- LIMIT_REQ_URL_1=/apps
- LIMIT_REQ_RATE_1=5r/s
- LIMIT_REQ_URL_2=/apps/text/session/sync
- LIMIT_REQ_RATE_2=8r/s
- LIMIT_REQ_URL_3=/core/preview
- LIMIT_REQ_RATE_3=5r/s
- |
CUSTOM_CONF_MODSEC_CRS_nextcloud=
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_nextcloud=1"
# WebDAV
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
- |
CUSTOM_CONF_MODSEC_nextcloud=
SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
mync:
image: nextcloud:24-apache
volumes:
- ./nc-files:/var/www/html
environment:
- MYSQL_HOST=mydb
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
- NEXTCLOUD_ADMIN_USER=admin # replace with the admin username
- NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password
- NEXTCLOUD_TRUSTED_DOMAINS=www.example.com # replace with your domain(s)
- TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
- APACHE_DISABLE_REWRITE_IP=1
mydb:
image: mariadb:10.9
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- ./db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
- MYSQL_DATABASE=nc
- MYSQL_USER=user
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
volumes:
bw_data: