
Performance issues when reverse proxy not at same host as OpenCloud #2860


@Viko1690

Hi at all,

In order to replace my Nextcloud instance with OpenCloud, I deployed OpenCloud in my production setup and ran some basic tests with a 500 MB test text file (upload, download, copy/paste via the web browser).
During the first tests in my production setup I noticed that uploads and downloads with OpenCloud are roughly half as fast as with Nextcloud. Copying and pasting the test file via the web UI takes about the same time as uploading the file.


Further tests with local-only access show that when the reverse proxy is not hosted on the same host, uploads and downloads are much slower than when the proxy is hosted on the same host.

Test results:

Image

Are there any additional configs I have to set when the reverse proxy is hosted on a different host?

Thank you in advance!

Following are all my configs:
compose.yaml

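services:
  opencloud:
    image: opencloudeu/opencloud-rolling:$OC_DOCKER_TAG
    entrypoint:
      - /bin/sh
    command:
      - -c
      # First-run initialisation is made idempotent with "|| true"; the server
      # is started either way.
      - opencloud init || true; opencloud server
    # Bridge networking: only the proxy port is published. With PROXY_TLS=false
    # in .env this port speaks plain HTTP, so when nginx runs on another host the
    # proxy -> OpenCloud hop crosses the network unencrypted. The mapping is
    # quoted so YAML always reads it as a string.
    ports:
      - "9201:9201"
    env_file:
      - .env
    environment:
      OC_URL: "https://$OC_DOMAIN"
      COLLABORA_DOMAIN: "$COLLABORA_DOMAIN"
      # 2592000 s = 30 days. A long access-token lifetime widens the window in
      # which a leaked token stays usable. NOTE(review): .env excludes the idp
      # service (OC_EXCLUDE_RUN_SERVICES=idp), so these settings presumably have
      # no effect with the external IdP -- confirm.
      IDP_ACCESS_TOKEN_EXPIRATION: "2592000"
      IDP_ID_TOKEN_EXPIRATION: "2592000"
      # CalDAV/CardDAV are served by the separate radicale service below via the
      # routes in proxy.yaml.
      FRONTEND_DISABLE_RADICALE: "true"
    volumes:
      # ./config holds the files from the main repo's config/opencloud directory,
      # adapted for the SSO integration and the self-hosted draw.io instance.
      - ./config:/etc/opencloud
      - ./data:/var/lib/opencloud
      - ./apps:/var/lib/opencloud/web/assets/apps
      - ./themes:/var/lib/opencloud/web/assets/themes
    restart: always
  collaboration:
    # Host networking: the listen addresses come from COLLABORATION_*_ADDR in
    # .env and bind on the host's interfaces directly, so a ports: mapping does
    # not apply here (Docker does not publish ports for host-networked
    # containers) and was dropped.
    network_mode: host
    image: opencloudeu/opencloud-rolling:$OC_DOCKER_TAG
    depends_on:
      opencloud:
        condition: service_started
    entrypoint:
      - /bin/sh
    command:
      - -c
      - opencloud collaboration server
    env_file:
      - .env
    environment:
      COLLABORATION_WOPI_SRC: "https://$WOPISERVER_DOMAIN"
      COLLABORATION_APP_ADDR: "https://$COLLABORA_DOMAIN"
      COLLABORATION_APP_ICON: "https://${COLLABORA_DOMAIN}/favicon.ico"
      OC_URL: "https://$OC_DOMAIN"
    volumes:
      - ./config:/etc/opencloud
    restart: always
  radicale:
    # Host networking as well: this container is not on the compose network.
    # NOTE(review): the backend name "radicale" used in proxy.yaml may therefore
    # not resolve from the bridge-networked opencloud container -- confirm, or
    # point the routes at the host address instead.
    network_mode: host
    image: opencloudeu/radicale:latest
    restart: always
    volumes:
      - ./config/radicale/config:/etc/radicale/config
      - ./radicale:/var/lib/radicale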

Env-file

#General settings
OC_DOCKER_TAG=7.0.0
# TLS is terminated at nginx: the proxy listens for plain HTTP on every
# interface of the container. With the reverse proxy on another host this hop
# crosses the network unencrypted -- restrict who can reach 9201 (host
# firewall) or terminate TLS here as well (PROXY_TLS=true).
PROXY_HTTP_ADDR=0.0.0.0:9201
PROXY_TLS=false

#URL settings
OC_DOMAIN=cloud.mydomain.tld
COLLABORA_DOMAIN=collabora.mydomain.tld
WOPISERVER_DOMAIN=wopi.mydomain.tld

#OpenCloud settings
OC_INSECURE=false
OC_DISABLE_VERSIONING=true
OC_ADD_RUN_SERVICES="notifications"
NOTIFICATIONS_SMTP_HOST=smtp.mydomain.tld
NOTIFICATIONS_SMTP_PORT=465
NOTIFICATIONS_SMTP_SENDER=OpenCloud <opencloud@mydomain.tld>
NOTIFICATIONS_SMTP_USERNAME=opencloud@mydomain.tld
# Redacted for the issue; keep the real value out of version control.
NOTIFICATIONS_SMTP_PASSWORD=xxx
NOTIFICATIONS_SMTP_INSECURE=false
NOTIFICATIONS_SMTP_AUTHENTICATION=plain
NOTIFICATIONS_SMTP_ENCRYPTION=ssltls
# 10^10 -- presumably bytes (~10 GB), matching client_max_body_size 10G in nginx.
FRONTEND_ARCHIVER_MAX_SIZE=10000000000
PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml
OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST=banned-password-list.txt
# Public links may be created without a password (read-only and writeable).
OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false
OC_PASSWORD_POLICY_DISABLED=false
OC_PASSWORD_POLICY_MIN_CHARACTERS=8
OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS=1
OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS=1
OC_PASSWORD_POLICY_MIN_DIGITS=1
OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS=1
PROXY_ENABLE_BASIC_AUTH=false
IDM_CREATE_DEMO_USERS=false
# Redacted for the issue.
IDM_ADMIN_PASSWORD=xxx
# posix storage driver with the id cache in NATS JetStream KV.
STORAGE_USERS_DRIVER=posix
STORAGE_USERS_ID_CACHE_STORE=nats-js-kv
# NOTE(review): filesystem watching on large trees costs I/O -- worth checking
# whether it is needed while investigating throughput.
STORAGE_USERS_POSIX_WATCH_FS=true

# Bind-all addresses. Inside the bridge-networked opencloud container only the
# published 9201 is reachable from outside; note that this same .env is also
# loaded into the host-networked collaboration container, where 0.0.0.0 means
# the host's real interfaces.
NATS_NATS_HOST=0.0.0.0
GATEWAY_GRPC_ADDR=0.0.0.0:9142
FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR=eu.opencloud.api.collaboration.CollaboraOnline
# Presumably the allow-list of role IDs the graph service offers -- confirm.
GRAPH_AVAILABLE_ROLES=b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6
    
COLLABORA_ADMIN_USER=xxx
COLLABORA_ADMIN_PASSWORD=xxx
# TLS toward Collabora is off and certificate verification is disabled; this is
# only acceptable while that hop stays on a trusted network.
COLLABORA_SSL_ENABLE=false
COLLABORA_SSL_VERIFICATION=false
# collaboration runs with network_mode: host (compose.yaml), so these bind on
# the host's interfaces -- firewall them if they need not be reachable remotely.
COLLABORATION_GRPC_ADDR=0.0.0.0:9301
COLLABORATION_HTTP_ADDR=0.0.0.0:9300
MICRO_REGISTRY=nats-js-kv
#MICRO_REGISTRY_ADDRESS=opencloud:9233
# NOTE(review): for the host-networked collaboration container "localhost" is
# the host itself, while compose.yaml publishes only 9201 for opencloud --
# confirm the registry is actually reachable here from collaboration.
MICRO_REGISTRY_ADDRESS=localhost:9233
COLLABORATION_APP_NAME=CollaboraOnline
COLLABORATION_APP_PRODUCT=Collabora
COLLABORATION_APP_INSECURE=false
COLLABORATION_CS3API_DATAGATEWAY_INSECURE=false
COLLABORATION_LOG_LEVEL=info

#SSO settings
# External OIDC issuer; the built-in idp service is excluded below.
OC_OIDC_ISSUER=https://auth.mydomain.tld/application/o/opencloud/
WEB_OIDC_CLIENT_ID=xxx
## Proxy
# Accounts are created on first login for anyone the IdP authenticates, so
# access control rests on the IdP and on the group -> role mapping below.
PROXY_AUTOPROVISION_ACCOUNTS=true
PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
PROXY_OIDC_REWRITE_WELLKNOWN="true"
PROXY_USER_OIDC_CLAIM="preferred_username"
PROXY_USER_CS3_CLAIM="username"
## role assignment
# Built-in IdP replaced by the external issuer above; activitylog disabled.
# Consequently the IDP_* token-lifetime settings in compose.yaml presumably
# have no effect.
OC_EXCLUDE_RUN_SERVICES=idp,activitylog
# The groups scope is what feeds PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM below.
WEB_OIDC_SCOPE=openid profile email groups
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups
# Presumably users without a matching group claim receive no role -- confirm.
GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
GRAPH_USERNAME_MATCH="none"
# "none": the proxy performs no local signature/claims check of the access
# token; the token is only used to query the IdP's userinfo endpoint. If the
# IdP issues JWTs, "jwt" is the stricter choice -- confirm which applies.
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none

csp.yaml

# Content-Security-Policy emitted by the proxy (PROXY_CSP_CONFIG_FILE_LOCATION in
# .env). Triple single quotes produce a CSP keyword with its own quotes, e.g.
# '''self''' -> 'self'. The commented lines are the template's ${VAR|default}
# entries; this deployment hard-codes its hosts instead.
directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    # Template entries kept for reference.
    #  - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    #  - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://cloud.mydomain.tld/'
    - 'wss://cloud.mydomain.tld/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # External IdP (OC_OIDC_ISSUER in .env) must be reachable for token requests.
    - 'https://auth.mydomain.tld/'
    - 'wss://auth.mydomain.tld/'
    #  - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
    - 'https://update.opencloud.eu/'
  default-src:
    # Deny by default; every resource type must be allowed explicitly below.
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    # Only OpenCloud's own origin may embed the web UI (clickjacking protection).
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    # Self-hosted draw.io instance (see the volumes note in compose.yaml).
    - 'https://draw.mydomain.tld/'
    #  - 'https://embed.diagrams.net/'
    # Unlike bash and docker, the default is given after the | character.
    #  - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    - 'https://collabora.mydomain.tld/'
    # This is needed for the external-sites web extension when embedding sites.
    - 'https://docs.opencloud.eu'
    - 'https://auth.mydomain.tld/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # Unlike bash and docker, the default is given after the | character.
    #  - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    - 'https://collabora.mydomain.tld/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    # 'unsafe-inline' permits inline scripts and removes most of the protection
    # script-src offers against injected markup; it is carried over from the
    # template. Keep the remaining host allow-list as short as possible.
    - '''unsafe-inline'''
    #  - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
    - 'https://auth.mydomain.tld/'
  style-src:
    - '''self'''
    - '''unsafe-inline'''

Proxy.yaml

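# This adds four additional routes to the proxy, forwarding
# requests on '/carddav/', '/caldav/' and the respective '/.well-known'
# endpoints to the radicale container and setting the required headers.
# The authenticated user is handed to Radicale in X-Remote-User; the access
# token is deliberately not forwarded (skip_x_access_token).
# NOTE(review): compose.yaml runs radicale with network_mode: host, so the
# service name "radicale" may not resolve from the opencloud container --
# confirm the backend host.
additional_policies:
  - name: default
    routes:
      - endpoint: /caldav/
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /caldav
      - endpoint: /.well-known/caldav
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /caldav
      - endpoint: /carddav/
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /carddav
      - endpoint: /.well-known/carddav
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /carddav
      # To enable the radicale web UI add this rule.
      # "unprotected" is true because the Web UI itself asks for
      # the password: this path bypasses the proxy's OIDC check, so
      # Radicale's own authentication is the only gate on it.
      # Also set "type" to "internal" in the config/radicale/config.
      - endpoint: /caldav/.web/
        backend: http://radicale:5232/
        unprotected: true
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /caldav
# Group claim -> OpenCloud role. Members of Admin-Services receive both the
# admin and the spaceadmin role. Presumably users in none of these groups get
# no role at all, since GRAPH_ASSIGN_DEFAULT_USER_ROLE=false in .env -- confirm.
# Trailing whitespace after the claim values was removed; a YAML parser strips
# it anyway, but it trips linters and obscures diffs.
role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: groups
    role_mapping:
      - role_name: admin
        claim_value: Admin-Services
      - role_name: spaceadmin
        claim_value: Admin-Services
      - role_name: user
        claim_value: Home-Services
      - role_name: guest
        claim_value: Guests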

Nginx Reverse Proxy

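# Stream large up-/downloads: forward bodies as they arrive instead of
# spooling them to disk first.
proxy_buffering off;
proxy_request_buffering off;

# Without this nginx speaks HTTP/1.0 to the upstream: no connection reuse
# (a new TCP handshake per request) and chunked request bodies are buffered
# regardless of proxy_request_buffering. Both cost more when the upstream
# sits on another host.
proxy_http_version 1.1;

#proxy_cookie_path / /;
#proxy_set_header Cookie $http_cookie;

# add_header is not inherited into a block that declares its own add_header;
# repeat it there if this snippet is included at server level.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Must cover the largest expected upload (matches FRONTEND_ARCHIVER_MAX_SIZE).
client_max_body_size 10G;

proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
# keepalive_* apply to client connections. Reusing upstream connections
# additionally needs an `upstream` block with `keepalive N` and an empty
# Connection header on non-WebSocket routes (not part of this snippet).
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
# Never replay a request against another upstream; with request buffering
# off the body cannot be resent anyway.
proxy_next_upstream off;

# Original host, client address and scheme for the backend behind TLS
# termination.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;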
