
[Guide] Docker paid version with nmtan/chevereto:installer and real ip fix (reverse proxy).

zaywalker

Core license
License owner
It's a bit tricky to use nmtan/chevereto:installer with the Docker Hub instructions, because when the docker container goes down and comes back up, the html data is gone.

So, you need to mount "/var/www/html", not "/var/www/html/images".

First of all, my server runs Debian Buster, and the chevereto docker compose directory tree is like this.

/docker
----/chevereto
--------/.chevereto-dockerized
------------.env
------------docker-compose.yaml
------------/data
----------------/conf
--------------------/apache2
------------------------remoteip.load
--------------------/mysql
------------------------my.cnf
--------/html
------------/images


The html and images directories are chowned to www-data:www-data and the permission octal is 42755.

The docker compose file looks like this:

docker-compose.yaml:
version: '2.1'
services:

    mysql-chevereto:
      container_name: chevereto-mysql
      image: mariadb:10.2
      restart: always
      labels:
        - com.centurylinklabs.watchtower.enable=true
      volumes:
        - mysql-vol-1:/var/lib/mysql/
        - ./data/conf/mysql/:/etc/mysql/conf.d/:ro
      environment:
        - TZ=${TZ}
        - MYSQL_ROOT_PASSWORD=${DBROOT}
        - MYSQL_DATABASE=${DBNAME}
        - MYSQL_USER=${DBUSER}
        - MYSQL_PASSWORD=${DBPASS}
      networks:
        chevereto-network:
          ipv4_address: ${IPV4_NETWORK:-172.23.1}.20
          aliases:
            - mysql

    web-chevereto:
      container_name: chevereto-web
      image: nmtan/chevereto:installer
      restart: always
      depends_on:
        - mysql-chevereto
      labels:
        - com.centurylinklabs.watchtower.enable=true
      volumes:
        - ./data/conf/apache2/remoteip.load:/etc/apache2/mods-enabled/remoteip.load
        - /docker/chevereto/html:/var/www/html
        - /docker/chevereto/html/images:/var/www/html/images
      environment:
        - TZ=${TZ}
        - CHEVERETO_DB_HOST=mysql-chevereto
        - CHEVERETO_DB_NAME=${DBNAME}
        - CHEVERETO_DB_USERNAME=${DBUSER}
        - CHEVERETO_DB_PASSWORD=${DBPASS}
        - CHEVERETO_DB_PREFIX=chv_
      networks:
        chevereto-network:
          ipv4_address: ${IPV4_NETWORK:-172.23.1}.10
          aliases:
            - web

volumes:
  mysql-vol-1:

networks:
  chevereto-network:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: ${IPV4_NETWORK:-172.23.1}.0/24

And the .env file goes in the same directory as docker-compose.yaml.

.env or chevereto.conf and sym-link to .env:
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=chevereto
DBUSER=chevereto

# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=your chevereto db password
DBROOT=your mysql root password

# Your timezone
TZ=Asia/Seoul

# Fixed project name
COMPOSE_PROJECT_NAME=chevereto

# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)
IPV4_NETWORK=172.23.1

And you need to create remoteip.load at /docker/chevereto/.chevereto-dockerized/data/conf/apache2 in order to get the real IP.

remoteip.load:
LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so

RemoteIPHeader X-FORWARDED-FOR

And create my.cnf at /docker/chevereto/.chevereto-dockerized/data/conf/mysql. It's optional.

my.cnf:
[mysqld]
character-set-client-handshake = FALSE
character-set-server           = utf8mb4
collation-server               = utf8mb4_unicode_ci
innodb_file_per_table          = TRUE
innodb_file_format             = barracuda
innodb_large_prefix            = TRUE
#sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
max_allowed_packet=192M
max-connections=1500
innodb-strict-mode=0
skip-host-cache
skip-name-resolve
log-warnings=0
event_scheduler=1

# Enable listening from outbound
bind-address            = 0.0.0.0

[client]
default-character-set = utf8mb4

[mysql]
default-character-set = utf8mb4

Time to launch docker-compose!

root@my-NAS:/docker/chevereto/.chevereto-dockerized# docker-compose up -d

Connect chevereto to your reverse proxy. If you try to access chevereto, there will be a 403 error, because there is no index.php.

So, you need to get the installer.

root@my-NAS:/docker/chevereto/html# curl https://chevereto.com/download/file/installer >>index.php

And make sure to chown it to www-data:www-data.

root@my-NAS:/docker/chevereto/html# chown www-data:www-data index.php

Now you can access your chevereto web. Just follow the install procedure and use your license key.

When asked for the database information, enter these:

host : mysql-chevereto

port : 3306

name : chevereto

user : chevereto

user password : your chevereto db password which is in .env file.

Then set up your admin account, no-reply mail, etc. and proceed with the install.

You will probably get a yellow error message. I'm not sure why it comes up, but all you need to do is set the db again.

Just refresh the setup web page, and the connect-to-database page comes up. The values are the same as above, and the prefix is chv_

Database table prefix : chv_

Then do the admin and mail setup again. These are the same as above.

Now you have a working chevereto web paid version.

It's not finished yet. You need to fix the real IP. Even though the apache2 remoteip module is enabled, the real IP is not working.

A little modification will bring the real-IP function. Find settings.php at /docker/chevereto/html/app

root@my-NAS:/docker/chevereto/html/app# nano settings.php

Add the following code at the end of settings.php.

additional codes for settings.php:
// Use X-Forwarded-For HTTP Header to Get Visitor's Real IP Address
if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $http_x_headers = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );

        $_SERVER['REMOTE_ADDR'] = $http_x_headers[0];
}

Done.


PS.

If you need to upload large images, add the following code at the end of /docker/chevereto/html/.htaccess

additional codes to extend max upload cap .htaccess:
php_value upload_max_filesize 10G
php_value post_max_size 10G
php_value memory_limit 1G
php_value max_execution_time 300
php_value max_input_time 300

Thanks for spending the time to read this :)
 

Rodolfo

Don Chevere
Chevereto Staff
Administrator
License owner
Awesome, thanks for sharing!

Keep in mind that it is unsafe to base the IP detection on the value of $_SERVER['HTTP_X_FORWARDED_FOR'], as it can be easily injected in the client request. That makes the IP flood detection and the login bruteforce protection unsafe. You should look to achieve the functionality using the server layer.
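
The caveat above in code form, as an added example that is not part of the original posts or of Chevereto: X-Forwarded-For is honoured only when the TCP peer is a known reverse proxy, and the list is read right to left so a client-supplied leftmost entry cannot win. The proxy address 172.23.1.1 and the sample client IPs are assumptions.

```php
<?php
// Added example, not from the thread. The proxy address and sample IPs are assumptions.

// Resolve the client address, honouring X-Forwarded-For only from trusted peers.
function clientIp(string $peer, ?string $xff, array $trustedProxies): string
{
    // Compare packed addresses so "::1" and "0:0:0:0:0:0:0:1" match.
    $packed = array_filter(array_map(static fn($p) => @inet_pton($p), $trustedProxies));
    $trusted = static function (string $ip) use ($packed): bool {
        $bin = @inet_pton($ip);
        return $bin !== false && in_array($bin, $packed, true);
    };
    if ($xff === null || !$trusted($peer)) {
        return $peer; // direct connection: the header is client-controlled
    }
    // Walk right to left: every entry was appended by the hop to its right.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address we could verify
        }
        $peer = $hop;
        if (!$trusted($hop)) {
            break; // first address that is not one of our proxies is the client
        }
    }
    return $peer;
}

$proxies = ['172.23.1.1']; // assumed: the reverse proxy as seen from the web container

// Constructed requests: proxied hit, forged leftmost entry, direct hit with a forged header.
foreach ([
    ['172.23.1.1',   '203.0.113.7'],
    ['172.23.1.1',   '127.0.0.1, 203.0.113.7'],
    ['198.51.100.9', '127.0.0.1'],
] as [$peer, $xff]) {
    printf("%-13s XFF=%-24s => %s\n", $peer, $xff, clientIp($peer, $xff, $proxies));
}
```

In settings.php the same function would be called with $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null in place of the unconditional assignment.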
 

a9ef9a

Network license
License owner
Hi zaywalker, thanks for putting together this Docker container. I'm having a tough time mounting my CIFS network images folder into the container. I can add the share by adding an additional volume line as below, and those files are visible from the container itself, but access to files is failing within the chevereto web browser for some reason.

Code:
            -v /var/lib/chevereto-data:/var/www/html \
            -v /mnt/images:/var/www/html/images \


I can see the files being added (and deleted) from the CIFS share itself, but when Chevereto tries to load them to display in the browsers I'm seeing 500 errors.

Code:
root@f789cd643739:/var/www/html# ls -l images/2020/11/29/*
-rw-rw-r-- 1 www-data www-data  9816 Nov 29 07:40 images/2020/11/29/image.png
-rw-rw-r-- 1 www-data www-data 14819 Nov 29 07:40 images/2020/11/29/image.th.png
-rw-rw-r-- 1 www-data www-data 11169 Nov 29 22:37 images/2020/11/29/image0483aa226e591fc9.png
-rw-rw-r-- 1 www-data www-data 24104 Nov 29 22:37 images/2020/11/29/image0483aa226e591fc9.th.png
-rw-rw-r-- 1 www-data www-data  8579 Nov 29 20:42 images/2020/11/29/image5cf10f570c520798.png
-rw-rw-r-- 1 www-data www-data 13794 Nov 29 20:42 images/2020/11/29/image5cf10f570c520798.th.png

I can't make anything out from the logs that is helping at this stage, so any pointers where to look would be super appreciated.

EDITS:
If I use the default 'image' folder Chevereto works as expected.
 


a9ef9a

Network license
License owner
Appreciate the heads up Rodolfo, I've looked at the linuxserver one and it doesn't support the installer script (or at least as far as I can tell), so free version only.
The nmtan dockerfile has the same issue as the fork in this thread and I've raised an issue on the GitHub page, hopefully the author can help troubleshoot. I *think* this is an Apache issue, but I'm far from experienced with Apache so may try and build an nginx version, which I'm more familiar with. I'll update here if I find any solutions.
EDIT: Of course this will all be moot once v4 is ready ;)
 

zaywalker

Core license
License owner
Hello a9ef9a!

Sorry for the late reply. Unfortunately, I'm not a docker expert, but someone said there are some security measures that prevent share mounts like CIFS.
If you want to mount CIFS, you need some flags.
This link can help you, I guess: linux - Mount SMB/CIFS share within a Docker container - Stack Overflow
 

a9ef9a

Network license
License owner
Thanks for your response. I don't believe that's the issue, as the files are written and read from the CIFS stores (200 responses); however, chevereto still stalls. I posted more comprehensive details on the GitHub linked above.
I'll find time over the holidays to debug.
 

a9ef9a

Network license
License owner
I reviewed those documents and it doesn't look like this applies to this use case. The CIFS/SMB shares are mounted into the docker host and exposed to the container with the docker run -v parameter, as opposed to mounting the folder directly in the container itself, which, as you point out, has security implications.
 

Rodolfo

Don Chevere
Chevereto Staff
Administrator
License owner
Even linuxserver images (which are the best available right now) aren't optimized for the software because the software wasn't made for containers. Unless you know Docker really well, I recommend you go with root installing.

Fortunately, V4 is being made for containers so you will be able to run, tweak and scale the application with plenty more peace of mind. I also hope to make V3 more container friendly as it is a mature solution already, and it will be great to optimize for this type of environment.
 