version: "3" x-bunkerweb-env: &bunkerweb-env DATABASE_URI: "mariadb+pymysql://${NEXTCLOUD_USER:-user}:${NEXTCLOUD_PASSWORD:-secret}@mydb:3306/${BUNKERWEB_DATABASE:-bunkerweb}" services: mybunker: image: bunkerity/bunkerweb:1.5.0 ports: - 80:8080 - 443:8443 # ⚠️ read this if you use local folders for volumes ⚠️ # bunkerweb runs as an unprivileged user with UID/GID 101 # don't forget to edit the permissions of the files and folders accordingly # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder # another example for existing folder : chown -R root:101 folder && chmod -R 770 folder # more info at https://docs.bunkerweb.io volumes: - bw-data:/data environment: <<: *bunkerweb-env SERVER_NAME: "www.example.com" # replace with your domain API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24" AUTO_LETS_ENCRYPT: "yes" DISABLE_DEFAULT_SERVER: "yes" MAX_CLIENT_SIZE: "10G" USE_CLIENT_CACHE: "yes" SERVE_FILES: "no" ALLOWED_METHODS: "GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS" X_FRAME_OPTIONS: "SAMEORIGIN" USE_GZIP: "yes" BAD_BEHAVIOR_STATUS_CODES: "400 401 403 405 444" USE_REVERSE_PROXY: "yes" REVERSE_PROXY_URL: "/" REVERSE_PROXY_HOST: "http://mync" LIMIT_REQ_URL_1: "/apps" LIMIT_REQ_RATE_1: "5r/s" LIMIT_REQ_URL_2: "/apps/text/session/sync" LIMIT_REQ_RATE_2: "8r/s" LIMIT_REQ_URL_3: "/core/preview" LIMIT_REQ_RATE_3: "5r/s" CUSTOM_CONF_MODSEC_CRS_nextcloud: "\ SecAction \ \"id:900130,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:tx.crs_exclusions_nextcloud=1\" # WebDAV SecAction \ \"id:900200,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'\"" CUSTOM_CONF_MODSEC_nextcloud: "\ SecRule REQUEST_FILENAME \"@rx ^/remote.php/dav/files/\" \"id:1000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog\"" labels: - "bunkerweb.INSTANCE" # required for the scheduler to recognize the container networks: - bw-universe - bw-services bw-scheduler: image: bunkerity/bunkerweb-scheduler:1.5.0 depends_on: - mybunker environment: <<: *bunkerweb-env DOCKER_HOST: "tcp://docker-proxy:2375" volumes: - bw-data:/data networks: - bw-universe - net-docker docker-proxy: image: tecnativa/docker-socket-proxy volumes: - /var/run/docker.sock:/var/run/docker.sock:ro environment: - CONTAINERS=1 networks: - net-docker mync: image: nextcloud:24-apache volumes: - ./nc-files:/var/www/html environment: - NEXTCLOUD_ADMIN_USER=admin # replace with the admin username - NEXTCLOUD_ADMIN_PASSWORD=changeme # replace with a stronger password - NEXTCLOUD_TRUSTED_DOMAINS=www.example.com # replace with your domain(s) - TRUSTED_PROXIES=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 - APACHE_DISABLE_REWRITE_IP=1 - MYSQL_HOST=mydb - MYSQL_DATABASE=${NEXTCLOUD_DATABASE:-nextclouddb} - MYSQL_USER=${NEXTCLOUD_USER:-user} - MYSQL_PASSWORD=${NEXTCLOUD_PASSWORD:-secret} # set a stronger password in a .env file (must match MYSQL_PASSWORD) networks: - bw-services mydb: image: mariadb:10.5 volumes: - db-data:/var/lib/mysql environment: MARIADB_RANDOM_ROOT_PASSWORD: "yes" entrypoint: sh -c "echo 'DROP USER IF EXISTS \"${NEXTCLOUD_USER:-user}\"; CREATE USER \"${NEXTCLOUD_USER:-user}\"@\"%\"; CREATE DATABASE IF NOT EXISTS ${NEXTCLOUD_DATABASE:-nextclouddb}; CREATE DATABASE IF NOT EXISTS ${BUNKERWEB_DATABASE:-bunkerweb}; GRANT ALL PRIVILEGES ON ${NEXTCLOUD_DATABASE:-nextclouddb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; GRANT ALL PRIVILEGES ON ${BUNKERWEB_DATABASE:-bunkerweb}.* TO \"${NEXTCLOUD_USER:-user}\"@\"%\" IDENTIFIED BY \"${NEXTCLOUD_PASSWORD:-secret}\"; FLUSH PRIVILEGES;' > /docker-entrypoint-initdb.d/init.sql; /usr/local/bin/docker-entrypoint.sh --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci" networks: - bw-universe - bw-services volumes: bw-data: db-data: networks: bw-universe: ipam: driver: default config: - subnet: 10.20.30.0/24 bw-services: net-docker: