You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Install Nextcloud-AIO with Caddy Community container
Inspect mounted volumes
See the Nextcloud-AIO-data volume mounted on the Caddy container
Expected behavior
I wold like to see mounting of the nextcloud datadir would not be needed.
Actual behavior
Mounted
Host OS
Debian (RaspberryPI-OS)
Nextcloud AIO version
9.3.0
Current channel
Latest
Other valuable info
Since a reverse proxy, like Caddy in this case, is somewhat the first line of defence to external threats, seen from an application perspective, it strikes me as odd/unwelcome to have the complete Nextcloud Data dir mounted in that container.
I know the Nextcloud Datadir is actively used by Caddy to read some configuration settings, but cant that be solved in an other way?
Of course it's debatable how much a security risk this is, or even if it's a security risk at all, but it's not unthinkable that this can fairly easily result in exposure of the complete Nextcloud Datadir.
For example: One can have a custom Caddy config in /data/caddy-imports that (inadvertently) exposes the Nextcloud Datadir to the internet.
Maybe a way out of this would be a separate volume, that can be used for config files, like the geoblocking part. This volume can then be mounted as an external mount in Nextcloud and used as a stand-alone volume in Caddy, or at any other place needed.
I hope this helps making AIO even more secure.
Thank you, Bas Bleeker
The text was updated successfully, but these errors were encountered:
Steps to reproduce
Expected behavior
I wold like to see mounting of the nextcloud datadir would not be needed.
Actual behavior
Mounted
Host OS
Debian (RaspberryPI-OS)
Nextcloud AIO version
9.3.0
Current channel
Latest
Other valuable info
Since a reverse proxy, like Caddy in this case, is somewhat the first line of defence to external threats, seen from an application perspective, it strikes me as odd/unwelcome to have the complete Nextcloud Data dir mounted in that container.
I know the Nextcloud Datadir is actively used by Caddy to read some configuration settings, but cant that be solved in an other way?
Of course it's debatable how much a security risk this is, or even if it's a security risk at all, but it's not unthinkable that this can fairly easily result in exposure of the complete Nextcloud Datadir.
For example: One can have a custom Caddy config in /data/caddy-imports that (inadvertently) exposes the Nextcloud Datadir to the internet.
Maybe a way out of this would be a separate volume, that can be used for config files, like the geoblocking part. This volume can then be mounted as an external mount in Nextcloud and used as a stand-alone volume in Caddy, or at any other place needed.
I hope this helps making AIO even more secure.
Thank you, Bas Bleeker
The text was updated successfully, but these errors were encountered: