Sommaire
Bonjour à tous,
Je fais fonctionner nextcloud derrière nginx avec php8.4-fpm.
J'essaie d'isoler le user www-data du specific_user_php_fpm par un groupe spécifique specific_group.
Ça ne marche pas comme attendu.
Est-ce que vous auriez des conseils pour que je puisse accéder à la page de login nextcloud ?
Voici ma configuration pour nginx, php8.4-fpm et les users/groupes associées.
MAINTENANCE
sudo -u specific_user_php_fpm php /srv/http/domain.org/cloud.domain.org/occ maintenance:mode --on
sudo -u specific_user_php_fpm php /srv/http/domain.org/cloud.domain.org/occ upgrade
Nextcloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
Setting log level to debug
Updating database schema
Updated database
Updating <circles> ...
Updated <circles> to 31.0.0
Starting code integrity check...
Finished code integrity check
Update successful
Maintenance mode is kept active
Resetting log level
NEXTCLOUD
sudo groupadd -g XXXX specific_group
sudo usermod -a -G specific_group specific_user_php_fpm
sudo usermod -a -G specific_group www-data
PHP-FPM
/etc/php/8.4/fpm/pool.d/fpm-cloud.domain.org.conf
; Unix user/group of processes
user = specific_user_php_fpm
group = specific_group
; Set permissions for unix socket
listen.owner = specific_user_php_fpm
listen.group = specific_group
listen.mode = 0660
PERMISSION
# Appliquer à tous les fichiers et dossiers specific_user_php_fpm:specific_group
chown -R specific_user_php_fpm:specific_group /srv/http/domain.org/cloud.domain.org/
# Appliquer à tous les fichiers et dossier la permission 440
chmod -R 440 /srv/http/domain.org/cloud.domain.org/
# Ajouter +X à tous les dossiers donc passage de permission 440 à 550
# u=user, g=group, o=other
chmod -R ug+X /srv/http/domain.org/cloud.domain.org/
chmod 750 /srv/http/domain.org/cloud.domain.org/config/
chmod 750 /srv/http/domain.org/cloud.domain.org/apps/
chmod 750 /srv/http/domain.org/cloud.domain.org/config/config.php
Nginx Configuration
/etc/nginx/sites-enabled/cloud.domain.org.conf
# Version 2024-07-17
upstream php-handler {
server unix:/run/php/php-fpm-cloud.domain.org.sock;
}
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
"" "";
default ", immutable";
}
server {
if ($host = cloud.domain.org) {
return 301 https://$host$request_uri;
} # managed by Certbot
#if ($host = chat.xmpp.domain.org) {
# return 301 https://$host$request_uri;
#} # managed by Certbot
server_name cloud.domain.org;
listen 80;
listen [::]:80;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
# With NGinx >= 1.25.1 you should use this instead:
# listen 443 ssl;
# listen [::]:443 ssl;
http2 on;
server_name cloud.domain.org;
# Path to the root of your installation
root /srv/http/domain.org/cloud.domain.org;
access_log /var/log/nginx/cloud.domain.org.access;
error_log /var/log/nginx/cloud.domain.org.error;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_certificate /etc/letsencrypt/live/cloud.domain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.domain.org/privkey.pem;
# Prevent nginx HTTP Server Detection
server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# set max upload size and increase upload timeout:
client_max_body_size 512M;
client_body_timeout 300s;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# The settings allows you to optimize the HTTP2 bandwidth.
# See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# for tuning hints
client_body_buffer_size 512k;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
text/javascript mjs;
application/wasm;
}
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
Le problème est que je n'ai pas la page de Login de nextcloud.
Voici l'erreur php remonté par le log nginx.
apps/app_api/lib/Service/ProvidersAI/SpeechToTextService.php
```
{"reqId":"H31IZYdok0Uu1JUUzkul",
"level":4,"time":"2025-04-17T15:25:19+02:00","remoteAddr":"","user":false,"app":"app_api","method":"","url":"--",
"message":"Error during app service registration: array_map(): Argument #2 ($array) must be of type array, false given"
,
"userAgent":"--",
"version":"31.0.0.18",
"exception":
{"Exception":"TypeError","Message":"array_map(): Argument #2 ($array) must be of type array, false given","Code":0,
"Trace":[{"file":"/srv/http/domain.org/cloud.domain.org/apps/app_api/lib/Service/ProvidersAI/SpeechToTextService.php",
"line":97,"function":"array_map"},
{"file":"/srv/http/domain.org/cloud.domain.org/apps/app_api/lib/Service/ProvidersAI/SpeechToTextService.php","line":137,"function":"getRegisteredSpeechToTextProviders","class":"OCA\AppAPI\Service\ProvidersAI\SpeechToTextService","type":"->"},
{"file":"/srv/http/domain.org/cloud.domain.org/apps/app_api/lib/AppInfo/Application.php","line":84,"function":"registerExAppSpeechToTextProviders","class":"OCA\\AppAPI\\Service\\ProvidersAI\\SpeechToTextService","type":"->"},
{"file":"/srv/http/domain.org/cloud.domain.org/lib/private/AppFramework/Bootstrap/Coordinator.php","line":99,"function":"register","class":"OCA\\AppAPI\\AppInfo\\Application","type":"->"},{"file":"/srv/http/domain.org/cloud.domain.org/lib/private/AppFramework/Bootstrap/Coordinator.php","line":48,"function":"registerApps","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},
{"file":"/srv/http/domain.org/cloud.domain.org/lib/base.php","line":667,"function":"runInitialRegistration","class":"OC\\AppFramework\\Bootstrap\\Coordinator","type":"->"},{"file":"/srv/http/domain.org/cloud.domain.org/lib/base.php","line":1149,"function":"init","class":"OC","type":"::"},{"file":"/srv/http/domain.org/cloud.domain.org/console.php","line":28,"args":["/srv/http/domain.org/cloud.domain.org/lib/base.php"],"function":"require_once"},
{"file":"/srv/http/domain.org/cloud.domain.org/occ","line":11,"args":["/srv/http/domain.org/cloud.domain.org/console.php"],"function":"require_once"}],"File":"/srv/http/domain.org/cloud.domain.org/apps/app_api/lib/Service/ProvidersAI/SpeechToTextService.php","Line":97,"message":"Error during app service registration: array_map(): Argument #2 ($array) must be of type array, false given","exception":{},"CustomMessage":"Error during app service registration: array_map(): Argument #2 ($array) must be of type array, false given"}}
{"reqId":"H31IZYdok0Uu1JUUzkul","level":3,"time":"2025-04-17T15:25:19+02:00","remoteAddr":"","user":false,"app":"PHP","method":"","url":"--","message":"foreach() argument must be of type array|object, false given at /srv/http/domain.org/cloud.domain.org/apps/workflowengine/lib/AppInfo/Application.php#52","userAgent":"--","version":"31.0.0.18","data":{"app":"PHP"}
}
# les droits de www-data
Posté par NeoX . Évalué à 3 (+0/-0).
tu met des droits 750 sur certains dossiers
mais le proprio du dossier c'est ton "specific_user_phpfpm"
du coup www-data ne peut pas ecrire dans les dossiers, pour les fichiers temporaire par exemple
car il n'a les droits que du "specific_group" (4) sur tes dossiers
la question est "pourquoi" tu veux faire de telle manip ?
quelle logique t'as poussé à changer les droits de tout ton dossier.
[^] # Re: les droits de www-data
Posté par Voltairine . Évalué à 2 (+0/-0).
L’utilisateur www-data n'a pas besoin d''écrire dans les dossiers, juste d'y entrer et de pouvoir y lire les fichiers pour pouvoir servir les fichiers statiques (sons, vidéos,images, ccs, js, etc.)
Les scripts PHP sont exécutés par l'utilisateur specific_user_phpfpm et si des fichiers sont créés ou téléversés il lui appartiendront (avec specific_group comme groupe). C'est donc une bonne idée de limiter les droits au strict minimum sur le dossier qui contient l'application web. Et c'est tout l’intérêt des « pools » php-fpm qui permettent une isolation des différentes application avec séparations des utilisateurs et des doits.
Avec des droits 750 sur les dossiers et 640 sur les fichiers, il faut et il suffit que l'utilisateur www-data soit dans le groupe specific_group. Mais visiblement ce n'est pas ce qui a été défini…
Envoyer un commentaire
Suivre le flux des commentaires
Note : les commentaires appartiennent à celles et ceux qui les ont postés. Nous n’en sommes pas responsables.