examples - nextcloud fix and moodle

examples/moodle/docker-compose.yml

@@ -0,0 +1,46 @@
+version: '3'
+
+services:
+
+  mywww:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+      - ./server-confs:/server-confs         # custom confs to reverse proxy to moodle
+    environment:
+      - SERVER_NAME=www.website.com          # replace with your domain
+      - AUTO_LETS_ENCRYPT=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - DISABLE_DEFAULT_SERVER=yes
+      - MAX_CLIENT_SIZE=50m
+
+  mymoodle:
+    image: bitnami/moodle
+    restart: always
+    volumes:
+      - ./moodle-files:/bitnami/moodle
+      - ./moodle-data:/bitnami/moodledata
+    environment:
+      - MOODLE_USERNAME=admin                # replace with your moodle admin username
+      - MOODLE_PASSWORD=password             # replace with your moodle admin password
+      - MOODLE_EMAIL=moodle@website.com      # replace with your moodle admin email
+      - MOODLE_SITE_NAME=My Moodle           # replace with your moodle site name
+      - MOODLE_DATABASE_HOST=mydb
+      - MOODLE_DATABASE_NAME=moodle
+      - MOODLE_DATABASE_USER=user
+      - MOODLE_DATABASE_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
+
+  mydb:
+    image: mariadb
+    restart: always
+    volumes:
+      - ./db-data:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_DATABASE=moodle
+      - MYSQL_USER=user
+      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match MOODLE_DATABASE_PASSWORD)

examples/moodle/server-confs/reverse-proxy.conf

@@ -0,0 +1,8 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+location / {
+	if ($host = www.website.com) {
+		proxy_pass http://mymoodle:8443$request_uri;
+	}
+}

examples/nextcloud/docker-compose.yml

@@ -13,6 +13,7 @@ services:
       - ./letsencrypt:/etc/letsencrypt
       - ./server-confs:/server-confs         # custom nginx confs at server context to make Nextcloud working
       - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Nextcloud exclusions
+      - ./modsec-confs:/modsec-confs         # disable some false positive
     environment:
       - SERVER_NAME=www.website.com          # replace with your domain
       - AUTO_LETS_ENCRYPT=yes
@@ -23,7 +24,7 @@ services:
       - REMOTE_PHP_PATH=/var/www/html
       - LIMIT_REQ_RATE=40r/s
       - LIMIT_REQ_BURST=60
-      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT
+      - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
 
   mync:
     image: nextcloud:stable-fpm

examples/nextcloud/modsec-confs/nextcloud.conf

@@ -0,0 +1 @@
+SecRuleRemoveById 921110

examples/nextcloud/modsec-crs-confs/nextcloud.conf

@@ -5,3 +5,11 @@ SecAction \
   pass,\
   t:none,\
   setvar:tx.crs_exclusions_nextcloud=1"
+
+SecAction \
+ "id:900200,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"

examples/nextcloud/server-confs/nextcloud.conf

@@ -31,7 +31,7 @@ location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
 	index index.php;
 }
 
-location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+location ~ \.(?:css|js|woff2?|svg|gif|map|mp4)$ {
 	try_files $uri /index.php$request_uri;
 	add_header Cache-Control "public, max-age=15778463";
 }