authorkesselb <mail@danielkesselberg.de>2020-04-06 22:44:58 +0200
committerGitHub <noreply@github.com>2020-04-06 20:44:58 +0000
commit63438ef792fdedd4ceb80664d22391aca21f6bd1 (patch)
tree8de06ae7850d3d7a45c38cc8fdec4ac83e69407f
parentefe3caebdcd0cf23553aedd8d0f56cea4a5053fa (diff)
Disable rewriteip for apache image (#1010)
* Disable rewrite ip for apache image Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> * Run update.sh Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
-rw-r--r--.config/reverse_proxy.config.php11
-rw-r--r--16.0/apache/config/reverse_proxy.config.php11
-rwxr-xr-x16.0/apache/entrypoint.sh6
-rw-r--r--16.0/fpm-alpine/config/reverse_proxy.config.php11
-rwxr-xr-x16.0/fpm-alpine/entrypoint.sh6
-rw-r--r--16.0/fpm/config/reverse_proxy.config.php11
-rwxr-xr-x16.0/fpm/entrypoint.sh6
-rw-r--r--17.0/apache/config/reverse_proxy.config.php11
-rwxr-xr-x17.0/apache/entrypoint.sh6
-rw-r--r--17.0/fpm-alpine/config/reverse_proxy.config.php11
-rwxr-xr-x17.0/fpm-alpine/entrypoint.sh6
-rw-r--r--17.0/fpm/config/reverse_proxy.config.php11
-rwxr-xr-x17.0/fpm/entrypoint.sh6
-rw-r--r--18.0/apache/config/reverse_proxy.config.php11
-rwxr-xr-x18.0/apache/entrypoint.sh6
-rw-r--r--18.0/fpm-alpine/config/reverse_proxy.config.php11
-rwxr-xr-x18.0/fpm-alpine/entrypoint.sh6
-rw-r--r--18.0/fpm/config/reverse_proxy.config.php11
-rwxr-xr-x18.0/fpm/entrypoint.sh6
-rw-r--r--README.md8
-rwxr-xr-xdocker-entrypoint.sh6
21 files changed, 178 insertions, 0 deletions
diff --git a/.config/reverse_proxy.config.php b/.config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/.config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
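Review bot: The final assignment runs even when `TRUSTED_PROXIES` is unset, so `trusted_proxies` is written as `null` on every load. If the application merges this file over its main config (the merge order is not visible in this diff), that would discard a proxy list an admin configured elsewhere, and every request would then be attributed to the proxy's address, which skews audit logs and per-IP throttling. Setting the key only inside the branch avoids this, and `array_values` keeps the list densely indexed when the input contains repeated spaces: `if ($trustedProxies) { $CONFIG['trusted_proxies'] = array_values(array_filter(array_map('trim', explode(' ', $trustedProxies)))); }`. The copies of this file under 16.0/, 17.0/ and 18.0/ carry the same lines.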
diff --git a/16.0/apache/config/reverse_proxy.config.php b/16.0/apache/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/16.0/apache/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/16.0/apache/entrypoint.sh b/16.0/apache/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/16.0/apache/entrypoint.sh
+++ b/16.0/apache/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
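Review bot: The `${APACHE_DISABLE_REWRITE_IP+x}` test is true whenever the variable is set, so `APACHE_DISABLE_REWRITE_IP=0` or an empty value also runs `a2disconf remoteip`, although the README text in this commit says "Set to 1". This switch decides which layer derives the client address, so an accidental disable without a matching `TRUSTED_PROXIES` would presumably leave Nextcloud recording the proxy's address for every client; comparing the value is safer: `if [ "${APACHE_DISABLE_REWRITE_IP:-0}" = "1" ]; then`. A comment above it such as `# remoteip off: the client IP must then come from TRUSTED_PROXIES` would record that coupling. The same lines appear in every other entrypoint.sh hunk and in docker-entrypoint.sh, and the script continues past the end of this hunk.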
diff --git a/16.0/fpm-alpine/config/reverse_proxy.config.php b/16.0/fpm-alpine/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/16.0/fpm-alpine/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/16.0/fpm-alpine/entrypoint.sh b/16.0/fpm-alpine/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/16.0/fpm-alpine/entrypoint.sh
+++ b/16.0/fpm-alpine/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/16.0/fpm/config/reverse_proxy.config.php b/16.0/fpm/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/16.0/fpm/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/16.0/fpm/entrypoint.sh b/16.0/fpm/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/16.0/fpm/entrypoint.sh
+++ b/16.0/fpm/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/17.0/apache/config/reverse_proxy.config.php b/17.0/apache/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/17.0/apache/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/17.0/apache/entrypoint.sh b/17.0/apache/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/17.0/apache/entrypoint.sh
+++ b/17.0/apache/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/17.0/fpm-alpine/config/reverse_proxy.config.php b/17.0/fpm-alpine/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/17.0/fpm-alpine/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/17.0/fpm-alpine/entrypoint.sh b/17.0/fpm-alpine/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/17.0/fpm-alpine/entrypoint.sh
+++ b/17.0/fpm-alpine/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/17.0/fpm/config/reverse_proxy.config.php b/17.0/fpm/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/17.0/fpm/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/17.0/fpm/entrypoint.sh b/17.0/fpm/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/17.0/fpm/entrypoint.sh
+++ b/17.0/fpm/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/18.0/apache/config/reverse_proxy.config.php b/18.0/apache/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/18.0/apache/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/18.0/apache/entrypoint.sh b/18.0/apache/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/18.0/apache/entrypoint.sh
+++ b/18.0/apache/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/18.0/fpm-alpine/config/reverse_proxy.config.php b/18.0/fpm-alpine/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/18.0/fpm-alpine/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/18.0/fpm-alpine/entrypoint.sh b/18.0/fpm-alpine/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/18.0/fpm-alpine/entrypoint.sh
+++ b/18.0/fpm-alpine/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/18.0/fpm/config/reverse_proxy.config.php b/18.0/fpm/config/reverse_proxy.config.php
new file mode 100644
index 00000000..26a8bff3
--- /dev/null
+++ b/18.0/fpm/config/reverse_proxy.config.php
@@ -0,0 +1,11 @@
+<?php
+
+$trustedProxies = getenv('TRUSTED_PROXIES');
+
+if ($trustedProxies) {
+ $trustedProxies = array_filter(array_map('trim', explode(' ', $trustedProxies)));
+} else {
+ $trustedProxies = null;
+}
+
+$CONFIG['trusted_proxies'] = $trustedProxies; \ No newline at end of file
diff --git a/18.0/fpm/entrypoint.sh b/18.0/fpm/entrypoint.sh
index 2510743e..07b44d61 100755
--- a/18.0/fpm/entrypoint.sh
+++ b/18.0/fpm/entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then
diff --git a/README.md b/README.md
index 69ab22d9..c7fda8a6 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,14 @@ To use an external SMTP server, you have to provide the connection details. To c
Check the [Nextcloud documentation](https://docs.nextcloud.com/server/15/admin_manual/configuration_server/email_configuration.html) for other values to configure SMTP.
+## Using the apache image behind a reverse proxy and auto configure server host and protocol
+
+The apache image will replace the remote addr (ip address visible to Nextcloud) with the ip address from `X-Real-IP` if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default. If you want Nextcloud to pick up the server host (`HTTP_X_FORWARDED_HOST`), protocol (`HTTP_X_FORWARDED_PROTO`) and client ip (`HTTP_X_FORWARDED_FOR`) from a trusted proxy disable rewrite ip and the reverse proxies ip address to `TRUSTED_PROXIES`.
+
+- `APACHE_DISABLE_REWRITE_IP` (not set by default): Set to 1 to disable rewrite ip.
+
+- `TRUSTED_PROXIES` (empty by default): A space-separated list of trusted proxies. CIDR notation is supported for IPv4.
+
# Running this image with docker-compose
The easiest way to get a fully featured and functional setup is using a `docker-compose` file. There are too many different possibilities to setup your system, so here are only some examples of what you have to look for.
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 2510743e..07b44d61 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -43,6 +43,12 @@ file_env() {
unset "$fileVar"
}
+if expr "$1" : "apache" 1>/dev/null; then
+ if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+ a2disconf remoteip
+ fi
+fi
+
if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
if [ -n "${REDIS_HOST+x}" ]; then