2022-04-04 15:55:58 +02:00
|
|
|
set $main_domain "__DOMAIN__";
|
|
|
|
set $sandbox_domain "__SANDBOX_DOMAIN__";
|
|
|
|
|
|
|
|
set $allowed_origins "*";
|
|
|
|
# set $allowed_origins "https://${sandbox_domain}";
|
|
|
|
|
|
|
|
set $api_domain "api.__DOMAIN__";
|
|
|
|
set $files_domain "files.__DOMAIN__";
|
|
|
|
|
|
|
|
server_name __DOMAIN__ __SANDBOX_DOMAIN__;
|
|
|
|
|
|
|
|
|
|
|
|
# https://cipherli.st/
|
|
|
|
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
|
|
|
|
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
|
|
|
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
add_header Access-Control-Allow-Origin "${allowed_origins}";
|
|
|
|
# add_header X-Frame-Options "SAMEORIGIN";
|
|
|
|
|
|
|
|
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
|
|
|
add_header Cross-Origin-Resource-Policy cross-origin;
|
|
|
|
add_header Cross-Origin-Embedder-Policy require-corp;
|
|
|
|
|
|
|
|
# Insert the path to your CryptPad repository root here
|
|
|
|
root /home/cryptpad/cryptpad;
|
|
|
|
index index.html;
|
|
|
|
error_page 404 /customize.dist/404.html;
|
|
|
|
|
|
|
|
# any static assets loaded with "ver=" in their URL will be cached for a year
|
|
|
|
if ($args ~ ver=) {
|
|
|
|
set $cacheControl max-age=31536000;
|
|
|
|
}
|
|
|
|
if ($uri ~ ^/.*(\/|\.html)$) {
|
|
|
|
set $cacheControl no-cache;
|
|
|
|
}
|
|
|
|
# Will not set any header if it is emptystring
|
|
|
|
add_header Cache-Control $cacheControl;
|
|
|
|
|
|
|
|
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
|
|
|
|
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
|
|
|
|
set $fontSrc "'self' data: https://${main_domain}";
|
|
|
|
set $imgSrc "'self' data: blob: https://${main_domain}";
|
|
|
|
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
|
|
|
set $mediaSrc "blob:";
|
|
|
|
set $childSrc "https://${main_domain}";
|
|
|
|
set $workerSrc "'self'";
|
|
|
|
set $scriptSrc "'self' resource: https://${main_domain}";
|
|
|
|
|
|
|
|
|
|
|
|
set $frameAncestors "'self' https://${main_domain}";
|
|
|
|
# set $frameAncestors "'self' https: vector:";
|
|
|
|
|
|
|
|
set $unsafe 0;
|
|
|
|
|
|
|
|
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
|
|
|
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
|
|
|
if ($host != $sandbox_domain) { set $unsafe 0; }
|
|
|
|
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
|
|
|
if ($unsafe) {
|
|
|
|
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
|
|
|
}
|
|
|
|
|
2020-07-18 11:46:45 +02:00
|
|
|
location ^~ / {
|
2021-03-17 12:02:40 +01:00
|
|
|
|
2020-07-18 11:46:45 +02:00
|
|
|
proxy_pass http://127.0.0.1:__PORT__;
|
|
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Host $server_name;
|
2019-01-29 13:27:20 +01:00
|
|
|
|
2020-07-18 11:46:45 +02:00
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection "upgrade";
|
2019-01-29 13:27:20 +01:00
|
|
|
|
2020-07-18 11:46:45 +02:00
|
|
|
# Include SSOWAT user panel.
|
|
|
|
include conf.d/yunohost_panel.conf.inc;
|
|
|
|
more_clear_input_headers 'Accept-Encoding';
|
2017-07-04 01:19:07 +02:00
|
|
|
}
|
2022-04-04 15:55:58 +02:00
|
|
|
|
|
|
|
location ^~ /cryptpad_websocket {
|
|
|
|
proxy_pass http://localhost:__PORT__;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
|
|
|
# WebSocket support (nginx 1.4)
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection upgrade;
|
|
|
|
}
|