From ae451e005eb10a864046a443f7529a2aa8be3284 Mon Sep 17 00:00:00 2001 From: bioluks Date: Tue, 4 Jul 2023 00:15:00 +0200 Subject: [PATCH 1/2] Moved enable_cors to the right section. Added explanation for difference of versions. Added bind_address for making sure the container uses all interfaces given. Added spaces between 'origins' and removed spaces between the 'methods' elements because it's like this in the official Documentation. Added a write permission warning since many newbies had this mistake with couchdb. --- docs/setup_own_server.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/setup_own_server.md b/docs/setup_own_server.md index 339b624..8ae865a 100644 --- a/docs/setup_own_server.md +++ b/docs/setup_own_server.md @@ -4,7 +4,7 @@ The easiest way to set up a CouchDB instance is using the official [docker image](https://hub.docker.com/_/couchdb). -Some initial configuration is required. Create a `local.ini` to use Self-hosted LiveSync as follows: +Some initial configuration is required. Create a `local.ini` to use Self-hosted LiveSync as follows ([CouchDB has to be version 3.2 or higher](https://docs.couchdb.org/en/latest/config/http.html#chttpd/enable_cors), if lower `enable_cors = true` has to be under section `[httpd]` ): ```ini [couchdb] @@ -14,6 +14,7 @@ max_document_size = 50000000 [chttpd] require_valid_user = true max_http_request_size = 4294967296 +enable_cors = true [chttpd_auth] require_valid_user = true @@ -21,13 +22,13 @@ authentication_redirect = /_utils/session.html [httpd] WWW-Authenticate = Basic realm="couchdb" -enable_cors = true +bind_address = 0.0.0.0 [cors] -origins = app://obsidian.md,capacitor://localhost,http://localhost +origins = app://obsidian.md, capacitor://localhost, http://localhost credentials = true headers = accept, authorization, content-type, origin, referer -methods = GET, PUT, POST, HEAD, DELETE +methods = GET,PUT,POST,HEAD,DELETE max_age = 3600 ``` 
@@ -48,7 +49,7 @@ $ docker run -d --restart always -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=passw *Remember to replace the path with the path to your local.ini* ### Docker Compose -Create a directory, place your `local.ini` within it, and create a `docker-compose.yml` alongside it. The directory structure should look similar to this: +Create a directory, place your `local.ini` within it, and create a `docker-compose.yml` alongside it. Make sure to have write permissions for `local.ini` and the about to be created `data` folder after the container start. The directory structure should look similar to this: ``` obsidian-livesync ├── docker-compose.yml From 2b2011dc49b94cb8b7ec7880dbe62918b34cd304 Mon Sep 17 00:00:00 2001 From: bioluks Date: Tue, 4 Jul 2023 01:52:48 +0200 Subject: [PATCH 2/2] Added docker-compose, table of contents, a new reverse proxies section populated with traefik for now --- docker-compose.traefik.yml | 46 +++++++++++++++++++++ docs/setup_own_server.md | 85 +++++++++++++++++++++++++++++++++++++- 2 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 docker-compose.traefik.yml diff --git a/docker-compose.traefik.yml b/docker-compose.traefik.yml new file mode 100644 index 0000000..8b7ab90 --- /dev/null +++ b/docker-compose.traefik.yml 
@@ -0,0 +1,46 @@
+# For details and other explanations about this file refer to:
+# https://github.com/vrtmrz/obsidian-livesync/blob/main/docs/setup_own_server.md#traefik
+
+version: "2.1"
+services:
+ couchdb:
+ image: couchdb:latest
+ container_name: obsidian-livesync
+ user: 1000:1000
+ environment:
+ - COUCHDB_USER=username
+ - COUCHDB_PASSWORD=password
+ volumes:
+ - ./data:/opt/couchdb/data
+ - ./local.ini:/opt/couchdb/etc/local.ini
+ # Ports not needed when already passed to Traefik
+#ports:
+ # - 5984:5984
+ restart: unless-stopped
+ networks:
+ - proxy
+ labels:
+ - "traefik.enable=true"
+ # The Traefik Network
+ - "traefik.docker.network=proxy"
+ # Don't forget to replace 'obsidian-livesync.example.org' with your own domain
+ - "traefik.http.routers.obsidian-livesync.rule=Host(`obsidian-livesync.example.org`)"
+ # The 'websecure' entryPoint is basically your HTTPS entrypoint. Check the next code snippet if you are encountering problems only; you probably have a working traefik configuration if this is not your first container you are reverse proxying.
+ - "traefik.http.routers.obsidian-livesync.entrypoints=websecure" + - "traefik.http.routers.obsidian-livesync.service=obsidian-livesync" + - "traefik.http.services.obsidian-livesync.loadbalancer.server.port=5984" + - "traefik.http.routers.obsidian-livesync.tls=true" + # Replace the string 'letsencrypt' with your own certificate resolver + - "traefik.http.routers.obsidian-livesync.tls.certresolver=letsencrypt" + - "traefik.http.routers.obsidian-livesync.middlewares=obsidiancors" + # The part needed for CORS to work on Traefik 2.x starts here + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE" + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer" + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost" + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600" + - "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true" + - "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true" + +networks: + proxy: + external: true \ No newline at end of file diff --git a/docs/setup_own_server.md b/docs/setup_own_server.md index 8ae865a..598067b 100644 --- a/docs/setup_own_server.md +++ b/docs/setup_own_server.md @@ -1,5 +1,17 @@ # Setup a CouchDB server +## Table of Contents +- [Configure](#configure) +- [Run](#run) + - [Docker CLI](#docker-cli) + - [Docker Compose](#docker-compose) +- [Access from a mobile device](#access-from-a-mobile-device) + - [Testing from a mobile](#testing-from-a-mobile) + - [Setting up your domain](#setting-up-your-domain) +- [Reverse Proxies](#reverse-proxies) + - [Traefik](#traefik) +--- + ## Configure The easiest way to set up a CouchDB instance is using the official [docker image](https://hub.docker.com/_/couchdb). 
@@ -128,6 +140,77 @@ Set the A record of your domain to point to your server, and host reverse proxy Note: Mounting CouchDB on the top directory is not recommended. Using Caddy is a handy way to serve the server with SSL automatically. -I have published [docker-compose.yml and ini files](https://github.com/vrtmrz/self-hosted-livesync-server) that launch Caddy and CouchDB at once. Please try it out. +I have published [docker-compose.yml and ini files](https://github.com/vrtmrz/self-hosted-livesync-server) that launch Caddy and CouchDB at once. If you are using Traefik you can check the [Reverse Proxies](#reverse-proxies) section below. And, be sure to check the server log and be careful of malicious access. + + +## Reverse Proxies + +### Traefik + +If you are using Traefik, this [docker-compose.yml](https://github.com/vrtmrz/obsidian-livesync/blob/main/docker-compose.traefik.yml) file (also pasted below) has all the right CORS parameters set. It assumes you have an external network called `proxy`. + +```yaml +version: "2.1" +services: + couchdb: + image: couchdb:latest + container_name: obsidian-livesync + user: 1000:1000 + environment: + - COUCHDB_USER=username + - COUCHDB_PASSWORD=password + volumes: + - ./data:/opt/couchdb/data + - ./local.ini:/opt/couchdb/etc/local.ini + # Ports not needed when already passed to Traefik + #ports: + # - 5984:5984 + restart: unless-stopped + networks: + - proxy + labels: + - "traefik.enable=true" + # The Traefik Network + - "traefik.docker.network=proxy" + # Don't forget to replace 'obsidian-livesync.example.org' with your own domain + - "traefik.http.routers.obsidian-livesync.rule=Host(`obsidian-livesync.example.org`)" + # The 'websecure' entryPoint is basically your HTTPS entrypoint. Check the next code snippet if you are encountering problems only; you probably have a working traefik configuration if this is not your first container you are reverse proxying. 
+ - "traefik.http.routers.obsidian-livesync.entrypoints=websecure" + - "traefik.http.routers.obsidian-livesync.service=obsidian-livesync" + - "traefik.http.services.obsidian-livesync.loadbalancer.server.port=5984" + - "traefik.http.routers.obsidian-livesync.tls=true" + # Replace the string 'letsencrypt' with your own certificate resolver + - "traefik.http.routers.obsidian-livesync.tls.certresolver=letsencrypt" + - "traefik.http.routers.obsidian-livesync.middlewares=obsidiancors" + # The part needed for CORS to work on Traefik 2.x starts here + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowmethods=GET,PUT,POST,HEAD,DELETE" + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolallowheaders=accept,authorization,content-type,origin,referer" + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolalloworiginlist=app://obsidian.md,capacitor://localhost,http://localhost" + - "traefik.http.middlewares.obsidiancors.headers.accesscontrolmaxage=3600" + - "traefik.http.middlewares.obsidiancors.headers.addvaryheader=true" + - "traefik.http.middlewares.obsidiancors.headers.accessControlAllowCredentials=true" + +networks: + proxy: + external: true +``` + +Partial `traefik.yml` config file mentioned in above: +```yml +... + +entryPoints: + web: + address: ":80" + http: + redirections: + entryPoint: + to: "websecure" + scheme: "https" + websecure: + address: ":443" + +... +``` \ No newline at end of file