Merge pull request #2665 from Pilzinsel64/release/27.1.6snap1

Release 27.1.6snap1

.github/workflows/test-daily.yml

@@ -24,29 +24,33 @@ jobs:
         working-directory: tests
         run: bundle exec ./run-tests.sh integration
 
-  test-daily-v25:
+  test-daily-v26:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v3
 
       - name: Install nextcloud
-        run: sudo snap install nextcloud --channel=25/edge
+        run: sudo snap install nextcloud --channel=26/edge
 
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
         with:
           working-directory: tests
           bundler-cache: true
 
-  test-daily-v26:
+      - name: Run tests
+        working-directory: tests
+        run: bundle exec ./run-tests.sh integration
+
+  test-daily-v27:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v3
 
       - name: Install nextcloud
-        run: sudo snap install nextcloud --channel=26/edge
+        run: sudo snap install nextcloud --channel=27/edge
 
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
@@ -58,14 +62,14 @@ jobs:
         working-directory: tests
         run: bundle exec ./run-tests.sh integration
 
-  test-daily-v27:
+  test-daily-v28:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v3
 
       - name: Install nextcloud
-        run: sudo snap install nextcloud --channel=27/edge
+        run: sudo snap install nextcloud --channel=28/edge
 
       - name: Setup ruby
         uses: ruby/setup-ruby@v1

CHANGELOG

@@ -1,3 +1,10 @@
+v 27.1.6snap1
+  - nextcloud: update to 27.1.6
+  - mysql: update to 8.0.36
+  - php: update to 8.2.15
+  - php: enable sodium
+  - apache: add config to enable reverse proxy for notify_push
+
 v 27.1.4snap1
   - nextcloud: update to 27.1.4
 

README.md

@@ -116,6 +116,7 @@ If you want to disable the cronjob completely, run:
 
 To reenable it again simply set the `nextcloud.cron-interval` snap variable to a value that isn't `-1`
 
+
 #### HTTP compression configuration
 
 By default, the snap does not enable HTTP compression. To enable it, run:
@@ -126,6 +127,22 @@ To disable it, run:
 
     $ sudo snap set nextcloud http.compression=false
 
+
+#### Reverse Proxy for Files High Performance Backeend
+
+This option simply enables the reverse proxy configuration mentioned in [Client Push Readme](https://github.com/nextcloud/notify_push#apache) that is required to setup the `notify_push` component. Read more [at our wiki](https://github.com/nextcloud-snap/nextcloud-snap/wiki/FAQ's#q-how-to-install-files-hpb-client-push)!
+
+By default, the snap does not enable the reverse proxy for notify_push. To enable it, run:
+
+    $ sudo snap set nextcloud http.notify-push-reverse-proxy=true
+
+To disable it, run:
+
+    $ sudo snap set nextcloud http.notify-push-reverse-proxy=false
+
+Note: You still need to setup `notify_push` yourself. This option only enables the reverse proxy, as the apache configuration is read-only.
+
+
 #### Debug mode
 
 By default, the snap installs itself in production mode, which prevents Apache

snap/snapcraft.yaml

@@ -129,7 +129,7 @@ parts:
     plugin: apache
     source: https://archive.apache.org/dist/httpd/httpd-2.4.58.tar.bz2
     source-checksum: sha256/fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5
-    
+
     build-packages:
       - libbrotli-dev
 
@@ -181,8 +181,8 @@ parts:
 
   nextcloud:
     plugin: dump
-    source: https://download.nextcloud.com/server/releases/nextcloud-27.1.4.tar.bz2
-    source-checksum: sha256/bec65f2166b82c9303baf476c1e424f71aa196dad010ffe4c0c39d03990d594c
+    source: https://download.nextcloud.com/server/releases/nextcloud-27.1.6.tar.bz2
+    source-checksum: sha256/ae7b72b7fc525ac49798c2de6a697a4cff25b34972d69d469959885d3351befa
     organize:
       '*': htdocs/
       '.htaccess': htdocs/.htaccess
@@ -195,8 +195,8 @@ parts:
 
   php:
     plugin: php
-    source: https://php.net/get/php-8.1.25.tar.bz2/from/this/mirror
-    source-checksum: sha256/a86a88c1840c1bc832bcfd2fbec3b8a1942c8314da5dff53f09f9c98d0c12e8a
+    source: https://php.net/get/php-8.2.15.tar.bz2/from/this/mirror
+    source-checksum: sha256/50c3e220b7aa63a85716233c902eb44cc0a4667ed0b8335722ae2391b1355e7a
     source-type: tar
     install-via: prefix
     configflags:
@@ -213,6 +213,7 @@ parts:
       - --with-curl
       - --with-openssl
       - --with-bz2
+      - --with-sodium
       - --enable-exif
       - --enable-intl
       - --enable-pcntl
@@ -248,6 +249,7 @@ parts:
       - libgmp-dev
       - libzip-dev
       - libargon2-0-dev
+      - libsodium-dev
 
       # This is no longer bundled with PHP as of v7.4
       - libonig-dev
@@ -275,6 +277,7 @@ parts:
       - libzip4
       - libargon2-0
       - libonig4
+      - libsodium23
     prime:
      - -sbin/
      - -etc/
@@ -333,8 +336,8 @@ parts:
     after: [boost]
 
     # Get from https://dev.mysql.com/downloads/mysql/
-    source: https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.35.tar.gz
-    source-checksum: md5/9da2fff787551a12307002c1ead747bd
+    source: https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.36.tar.gz
+    source-checksum: md5/6708e66d69bafc0dd7b481468e192203
     configflags:
       - -DCMAKE_INSTALL_PREFIX=/
       - -DBUILD_CONFIG=mysql_release

src/apache/bin/httpd-wrapper

@@ -39,6 +39,13 @@ if debug_mode_enabled; then
 	params="$params -DDebug"
 fi
 
+if apache_notify_push_reverse_proxy_enabled; then
+	echo "notify_push reverse proxy is enabled"
+	params="$params -DEnableNotifyPushReverseProxy"
+else
+	echo "notify_push reverse proxy is disabled"
+fi
+
 
 HTTP_PORT="$(apache_http_port)"
 HTTPS_PORT="$(apache_https_port)"

src/apache/conf/httpd.conf

@@ -206,6 +206,13 @@ ServerSignature Off
     ServerSignature On
 </IfDefine>
 
+# Enable notify_push reverse proxy
+<IfDefine EnableNotifyPushReverseProxy>
+    ProxyPass /push/ws unix:/tmp/sockets/notify_push.sock|ws://localhost/ws
+    ProxyPass /push/ unix:/tmp/sockets/notify_push.sock|http://localhost/
+    ProxyPassReverse /push/ unix:/tmp/sockets/notify_push.sock|http://localhost/
+</IfDefine>
+
 # Only enable SSL if requested
 <IfDefine EnableHTTPS>
     Include ${SNAP}/conf/ssl.conf

src/apache/utilities/apache-utilities

@@ -6,6 +6,7 @@
 DEFAULT_HTTP_PORT="80"
 DEFAULT_HTTPS_PORT="443"
 DEFAULT_HTTP_COMPRESSION="false"
+DEFAULT_HTTP_NOTIFY_PUSH_REVERSE_PROXY="false"
 
 : "${APACHE_PIDFILE:="/tmp/pids/httpd.pid"}"
 export APACHE_PIDFILE
@@ -153,3 +154,51 @@ _apache_set_previous_http_compression()
 {
 	snapctl set private.http.compression="$1"
 }
+
+apache_notify_push_reverse_proxy_enabled()
+{
+	[ "$(apache_get_notify_push_reverse_proxy_enabled)" = "true" ]
+}
+
+apache_enable_notify_push_reverse_proxy_enabled()
+{
+	_apache_set_notify_push_reverse_proxy_enabled "true"
+}
+
+apache_disable_notify_push_reverse_proxy_enabled()
+{
+	_apache_set_notify_push_reverse_proxy_enabled "false"
+}
+
+apache_notify_push_reverse_proxy_enabled_has_changed()
+{
+	[ "$(apache_get_notify_push_reverse_proxy_enabled)" != "$(_apache_get_previous_notify_push_reverse_proxy_enabled)" ]
+}
+
+apache_get_notify_push_reverse_proxy_enabled()
+{
+	notify_push_reverse_proxy="$(snapctl get http.notify-push-reverse-proxy)"
+
+	if [ -z "$notify_push_reverse_proxy" ]; then
+		notify_push_reverse_proxy="$DEFAULT_HTTP_NOTIFY_PUSH_REVERSE_PROXY"
+		_apache_set_notify_push_reverse_proxy_enabled "$notify_push_reverse_proxy"
+	fi
+
+	echo "$notify_push_reverse_proxy"
+}
+
+_apache_set_notify_push_reverse_proxy_enabled()
+{
+	snapctl set http.notify-push-reverse-proxy="$1"
+	_apache_set_previous_notify_push_reverse_proxy_enabled "$1"
+}
+
+_apache_get_previous_notify_push_reverse_proxy_enabled()
+{
+	snapctl get private.http.notify-push-reverse-proxy
+}
+
+_apache_set_previous_notify_push_reverse_proxy_enabled()
+{
+	snapctl set private.http.notify-push-reverse-proxy="$1"
+}

src/hooks/bin/configure

@@ -19,6 +19,10 @@
 #   Whether or not HTTP compression should be enabled. Valid values are 'true'
 #   and 'false'.
 #
+# - http.notify-push-reverse-proxy (string)
+#   Whether or not the notify_push reverse proxy should be enabled. Valid
+#   values are 'true' and 'false'.
+#
 # - mode (string)
 #   Configure the operating mode of the snap. Valid values are 'debug' and
 #   'production'.
@@ -156,8 +160,27 @@ handle_http_compression()
 	snapctl restart nextcloud.apache
 }
 
+handle_notify_push_reverse_proxy()
+{
+	# If no changes were requested, then there's nothing to do here.
+	if ! apache_notify_push_reverse_proxy_enabled_has_changed; then
+		return 0
+	fi
+
+	# Validate input
+	value="$(apache_get_notify_push_reverse_proxy_enabled)"
+	if [ "$value" != "true" ] && [ "$value" != "false" ]; then
+		echo "http.notify-push-reverse-proxy must be either 'true' or 'false'"
+		return 1
+	fi
+
+	# Restart Apache to apply new config
+	snapctl restart nextcloud.apache
+}
+
 handle_apache_port_config
 handle_php_memory_limit
 handle_cronjob_interval
 handle_mode
 handle_http_compression
+handle_notify_push_reverse_proxy

src/php/config/php-fpm.conf

@@ -53,7 +53,7 @@ error_log = ${SNAP_DATA}/logs/php-fpm_errors.log
 ; Log buffering specifies if the log line is buffered which means that the
 ; line is written in a single write operation. If the value is false, then the
 ; data is written directly into the file descriptor. It is an experimental
-; option that can potentionaly improve logging performance and memory usage
+; option that can potentially improve logging performance and memory usage
 ; for some heavy logging scenarios. This option is ignored if logging to syslog
 ; as it has to be always buffered.
 ; Default value: yes

src/php/config/php-fpm.d/www.conf

@@ -41,7 +41,7 @@ group = root
 listen = ${PHP_FPM_SOCKET}
 
 ; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
@@ -68,6 +68,10 @@ listen = ${PHP_FPM_SOCKET}
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
@@ -76,7 +80,8 @@ listen = ${PHP_FPM_SOCKET}
 ; Default Value: no set
 ; process.priority = -19
 
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
 ; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
@@ -348,6 +353,22 @@ pm.max_spare_servers = 3
 ; Default: "%R - %u %t \"%m %r\" %s"
 ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
 
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precuation, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
+
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set