Caddy Community container mounts (and uses) nextcloud data volume #46

@Bubbelb

Steps to reproduce

  1. Install Nextcloud-AIO with Caddy Community container
  2. Inspect mounted volumes
  3. See the Nextcloud-AIO-data volume mounted on the Caddy container

Expected behavior

I would like to see that mounting of the nextcloud datadir is not needed.

Actual behavior

Mounted

Host OS

Debian (RaspberryPI-OS)

Nextcloud AIO version

9.3.0

Current channel

Latest

Other valuable info

Since a reverse proxy, like Caddy in this case, is somewhat the first line of defence to external threats, seen from an application perspective, it strikes me as odd/unwelcome to have the complete Nextcloud Data dir mounted in that container.

I know the Nextcloud Datadir is actively used by Caddy to read some configuration settings, but can't that be solved in another way?

Of course it's debatable how much of a security risk this is, or even if it's a security risk at all, but it's not unthinkable that this can fairly easily result in exposure of the complete Nextcloud Datadir.
For example: One can have a custom Caddy config in /data/caddy-imports that (inadvertently) exposes the Nextcloud Datadir to the internet.

Maybe a way out of this would be a separate volume, that can be used for config files, like the geoblocking part. This volume can then be mounted as an external mount in Nextcloud and used as a stand-alone volume in Caddy, or at any other place needed.

I hope this helps make AIO even more secure.

Thank you, Bas Bleeker
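
The volume inspection from the reproduction steps can be automated. The following is an added example, not part of the original issue or the project's code: it reads `docker inspect` output and reports every mount the reverse-proxy container shares with another container, and whether the proxy can write to it. The container, volume and path names in the sample are constructed assumptions, not AIO's real names.

```python
import json

# Constructed sample of `docker inspect <containers>` output, trimmed to the
# fields used here. Container, volume and path names are assumptions.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/example-caddy",
   "Mounts": [
     {"Type": "volume", "Name": "example_caddy_state", "Destination": "/data", "RW": true},
     {"Type": "volume", "Name": "example_nextcloud_data", "Destination": "/nextcloud", "RW": false}
   ]},
  {"Name": "/example-nextcloud",
   "Mounts": [
     {"Type": "volume", "Name": "example_nextcloud_data", "Destination": "/mnt/ncdata", "RW": true}
   ]}
]
""")


def mount_key(mount):
    """Identify a mount by volume name (named volumes) or host path (bind mounts)."""
    return mount.get("Name") or mount.get("Source")


def shared_mounts(inspect_data, edge_container):
    """Return mounts of the edge (proxy) container that other containers also use."""
    owners = {}
    for container in inspect_data:
        name = container["Name"].lstrip("/")
        for mount in container.get("Mounts", []):
            owners.setdefault(mount_key(mount), set()).add(name)

    findings = []
    for container in inspect_data:
        if container["Name"].lstrip("/") != edge_container:
            continue
        for mount in container.get("Mounts", []):
            others = owners[mount_key(mount)] - {edge_container}
            if others:
                findings.append({
                    "volume": mount_key(mount),
                    "destination": mount["Destination"],
                    "writable": bool(mount.get("RW")),
                    "shared_with": sorted(others),
                })
    return findings


if __name__ == "__main__":
    for finding in shared_mounts(SAMPLE_INSPECT, "example-caddy"):
        print(finding)
```

On a real host, replace the sample with the parsed output of `docker inspect` run over all running containers.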
