Nextcloud AIO Docker Container and Crowdsec
Hi,
I run Nextcloud AIO (NC AIO) in docker and would like to also use the Crowdsec docker container. From my limited understanding, Crowdsec works by parsing the webserver logs and I do know that NC AIO uses apache as it's webserver, so the Crowdsec container will need to be able to parse the apache log files. I'm just not sure how to make this happen and was hoping someone with knowledge could help me out here. Thank you 🙂
31 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
how do you run the container (command or docker-compose please)?
ok, first of all don't use
latest tag, use explicit tag or digest (it will save you some maintenance horrors for later)Ah, so pin it to a specific version?
yeah
Cool, I'll pin it to
nextcloud/all-in-one:20250325_084656oh god they use supervisord inside
seems like they use
/usr/local/apache2/logs) ( https://github.com/nextcloud/all-in-one/blob/main/Containers/apache/Dockerfile#L77 ) for apache logsGitHub
all-in-one/Containers/apache/Dockerfile at main · nextcloud/all-in...
📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance. - nextcloud/all-in-one
um what, I'd serioulsy reconsider not using that XD
ok, so you could do
docker exec -it <id of the container> --entrypoint=bash ls -la /usr/local/apache2/logs to see if the apache logs are actually there
if yes then the easiest fix would to stop te docker-compose, edit docker compose file to add volume as host path from host to the container and then start the container - this way apache logs will be availabe on the hostthen you can edit crowdsec to mount that host path in that container to process the logs
GitHub
all-in-one/Containers/apache/supervisord.conf at main · nextcloud/...
📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance. - nextcloud/all-in-one
eh, they run apache under supervisord as foreground process and tehy actually drop apache logs - so it will not log to files
Ah, so it's not possible to have Crowdsec parse logs if they are dropping them huh?
well it is possible
but it's more complicated
few options, first one:
- on the host create custom supervisord. config, as on https://github.com/nextcloud/all-in-one/blob/main/Containers/apache/supervisord.conf#L16 and edit line 13 to set stdout_logfile=stdout
- edit docker-compose volumes and mount that supervisord.conf from the host inside the container un the path (not sure where, though, would need more investigation)
- then run docker compose, you should have a real flood of messages in the docker
- then you coudl edit crowdsec container to read logs from the host, but may require adjusting them because apache logs via supervisord may have extra prefixes (such as process name and timestamps from supervisord), so that crwodsec may nedd to be adjusted
Ah, sounds like going with the all-in-one container has introduced a lot of unnecessary complexity for me.
another option:
- similiar to above but make apache run in the background (but supervisord would see the process would exit which is a problem)
- in that case apache would log to the file paths, and you could cross mount that path to host and from host to crowdsec - having raw apache logs would be the best
Well, this is all far too complicated for me and would make things far more difficult to maintain in the future I'm sure. I appreciate you looking into this for me. I may reconsider the choice of using AIO.
frankly speaking I'd use https://hub.docker.com/_/nextcloud/
nextcloud - Official Image | Docker Hub
Nextcloud manual docker image
or even
fpm tag, and link it via nginx or apache
this way you have just the app with the php worker, and nothing else@KaszpiR I'm curious, would we be able to instead parse the nextcloud.log?
https://app.crowdsec.net/hub/author/crowdsecurity/collections/nextcloud if you look at the nextcloud collection, it only uses the nextcloud log
Collections, AppSec Rules & Configurations | CrowdSec Hub
Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.
After much searching I found it in
I'm going to see if I can bind mount it
I have been using crowdsec with nextcloud for many years now and more recently started using it with AIO. The main difference with AIO is that now the logs are inside a AIO defined docker volume rather than a human defined persistent volume.
Usually it's as simple as mounting the nextcloud logs path to crowdsec, but I use Unraid which stores non user defined storage in an image, so I had to convert that to a file storage rather than image storage, and then mount the logs to the crowdsec container.
For you it might be as simple as mounting the logs
That's my crowdsec mount points if helpful
@fleabeard you probably want to parse both - apache and nextcloud logs
Last I checked, AIO recommends using reverse proxy, and does not expose access logs - https://github.com/nextcloud/all-in-one/discussions/1563
In my case, the traefik access logs are parsed by crowdsec
GitHub
Where is my access log? · nextcloud all-in-one · Discussion #1563
I recently moved from a classic nextcloud installation to aio and do only start to get comfortable with docker. So sry if this question is somehow "stupid". My basic setup is working incl...
Thanks, I've used SWAG in the past but wasn't sure if it would help in this case or not. I may go back to it just to see.
Actually it won't help here because CrowdSec doesn't use the reverse proxy logs...
In my case Crowdsec uses the reverse proxy - traefik logs
this is what I use as well /var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/data/nextcloud.log
I have it mounted at /var/log/nextcloud/nextcloud.log within the container
Also on unraid