From a83426d198d62d7e968921a52ae2a18aefbde10a Mon Sep 17 00:00:00 2001
From: BeauTroll <->
Date: Sat, 20 Dec 2025 12:37:23 +0100
Subject: [PATCH] feat: enhance Apache config for Traefik reverse proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add RemoteIP configuration to capture real client IPs
- Enable HTTPS detection via X-Forwarded-Proto header
- Add security headers (X-Frame-Options, CSP, etc.)
- Disable Apache WebDAV to prevent conflicts with Nextcloud
- Add module activation script for remoteip and env
- Optimize Directory options (FollowSymLinks without MultiViews)
- Add commented alternative PHP limits for reference

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 apache/enable-modules.sh |  8 ++++++++
 apache/nextcloud.conf    | 34 +++++++++++++++++++++++++++++++++-
 docker-compose.yml       |  4 ++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 apache/enable-modules.sh

diff --git a/apache/enable-modules.sh b/apache/enable-modules.sh
new file mode 100644
index 0000000..504cbfa
--- /dev/null
+++ b/apache/enable-modules.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Active les modules Apache nécessaires pour Nextcloud derrière Traefik
+
+a2enmod remoteip   # Pour récupérer les vraies IPs clients
+a2enmod env        # Pour SetEnvIf (détection HTTPS)
+
+# Redémarre Apache
+apache2ctl graceful
diff --git a/apache/nextcloud.conf b/apache/nextcloud.conf
index 29752a9..04bc45c 100644
--- a/apache/nextcloud.conf
+++ b/apache/nextcloud.conf
@@ -1,5 +1,37 @@
+# Configuration pour reverse proxy Traefik
+# Récupération de l'IP réelle du client via X-Forwarded-For
+RemoteIPHeader X-Forwarded-For
+RemoteIPTrustedProxy 172.16.0.0/12
+RemoteIPTrustedProxy 10.0.0.0/8
+RemoteIPTrustedProxy 192.168.0.0/16
+
+# Activer la confiance des en-têtes X-Forwarded-Proto
+SetEnvIf X-Forwarded-Proto "https" HTTPS=on
+
 <Directory /var/www/html/>
-    Options FollowSymLinks
+    Options +FollowSymLinks
     AllowOverride All
     Require all granted
+
+    <IfModule mod_dav.c>
+        Dav off
+    </IfModule>
 </Directory>
+
+# Headers de sécurité (si non gérés par Traefik)
+<IfModule mod_headers.c>
+    # HSTS sera géré par Traefik
+    # Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+
+    # Autres headers de sécurité
+    Header always set Referrer-Policy "no-referrer-when-downgrade"
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set X-XSS-Protection "1; mode=block"
+    Header always set X-Robots-Tag "noindex, nofollow"
+</IfModule>
+
+# Logs avec IP réelle (pas l'IP de Traefik)
+<IfModule mod_remoteip.c>
+    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+</IfModule>
diff --git a/docker-compose.yml b/docker-compose.yml
index e6b1a58..fc2df61 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,6 +28,10 @@ services:
       - PHP_POST_MAX_SIZE=2G
       - PHP_MAX_EXECUTION_TIME=1800
       - PHP_MAX_INPUT_TIME=1800
+      # - PHP_UPLOAD_MAX_FILESIZE=1024G
+      # - PHP_POST_MAX_SIZE=1024G
+      # - PHP_MAX_EXECUTION_TIME=86400
+      # - PHP_MAX_INPUT_TIME=86400
       # Apache
       - APACHE_BODY_LIMIT=2147483648
     healthcheck: