mirror of
https://github.com/YunoHost-Apps/cryptpad_ynh.git
synced 2024-09-03 18:26:14 +02:00
set basic NGINX
This commit is contained in:
parent
d3bb1fd7b9
commit
3dfab40f3f
5 changed files with 183 additions and 148 deletions
126
conf/config.js
126
conf/config.js
|
@ -1,3 +1,7 @@
|
|||
// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
|
||||
//
|
||||
// SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
/* globals module */
|
||||
|
||||
/* DISCLAIMER:
|
||||
|
@ -11,7 +15,7 @@
|
|||
Support requests for such setups should be directed to their authors.
|
||||
|
||||
If you're having difficulty difficulty configuring your instance
|
||||
we suggest that you join the project's IRC/Matrix channel.
|
||||
we suggest that you join the project's Matrix channel.
|
||||
|
||||
If you don't have any difficulty configuring your instance and you'd like to
|
||||
support us for the work that went into making it pain-free we are quite happy
|
||||
|
@ -45,21 +49,13 @@ module.exports = {
|
|||
* In such a case this should be also handled by NGINX, as documented in
|
||||
* cryptpad/docs/example.nginx.conf (see the $main_domain variable)
|
||||
*
|
||||
* Note: you may provide multiple origins for the purpose of accessing
|
||||
* a development instance via different URLs, like so:
|
||||
* httpUnsafeOrigin: 'http://127.0.0.1:3000/ http://localhost:3000/',
|
||||
*
|
||||
* Such configuration is not recommended for production instances,
|
||||
* as the development team does not actively test such configuration
|
||||
* and it may have unintended consequences in practice.
|
||||
*
|
||||
*/
|
||||
httpUnsafeOrigin: 'https://__DOMAIN__',
|
||||
|
||||
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
|
||||
* If you're testing or developing with CryptPad on your local machine then
|
||||
* it is appropriate to leave this blank. The default behaviour is to serve
|
||||
* the main domain over port 3000 and to serve the content over port 3001.
|
||||
* the main domain over port 3000 and to serve the sandbox content over port 3001.
|
||||
*
|
||||
* This is not appropriate in a production environment where invasive networks
|
||||
* may filter traffic going over abnormal ports.
|
||||
|
@ -70,14 +66,17 @@ module.exports = {
|
|||
* This value corresponds to the $sandbox_domain variable
|
||||
* in the example nginx file.
|
||||
*
|
||||
* Note that in order for the sandboxing system to be effective
|
||||
* httpSafeOrigin must be different from httpUnsafeOrigin.
|
||||
*
|
||||
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
|
||||
*/
|
||||
httpSafeOrigin: "https://__SANDBOXDOMAIN__",
|
||||
|
||||
/* httpAddress specifies the address on which the nodejs server
|
||||
* should be accessible. By default it will listen on 127.0.0.1
|
||||
* (IPv4 localhost on most systems). If you want it to listen on
|
||||
* all addresses, including IPv6, set this to '::'.
|
||||
* should be accessible. By default it will listen on localhost
|
||||
* (IPv4 & IPv6 if enabled). If you want it to listen on
|
||||
* a specific address, specify it here. e.g '192.168.0.1'
|
||||
*
|
||||
*/
|
||||
httpAddress: '::',
|
||||
|
@ -97,6 +96,19 @@ module.exports = {
|
|||
*/
|
||||
httpSafePort: __PORT_PORTI__,
|
||||
|
||||
/* Websockets need to be exposed on a separate port from the rest of
|
||||
* the platform's HTTP traffic. Port 3003 is used by default.
|
||||
* You can change this to a different port if it is in use by a
|
||||
* different service, but under most circumstances you can leave this
|
||||
* commented and it will work.
|
||||
*
|
||||
* In production environments, your reverse proxy (usually NGINX)
|
||||
* will need to forward websocket traffic (/cryptpad_websocket)
|
||||
* to this port.
|
||||
*
|
||||
*/
|
||||
websocketPort: __PORT_SOCKET__,
|
||||
|
||||
/* CryptPad will launch a child process for every core available
|
||||
* in order to perform CPU-intensive tasks in parallel.
|
||||
* Some host environments may have a very large number of cores available
|
||||
|
@ -105,6 +117,43 @@ module.exports = {
|
|||
*/
|
||||
// maxWorkers: 4,
|
||||
|
||||
/* =====================
|
||||
* Sessions
|
||||
* ===================== */
|
||||
|
||||
/* Accounts can be protected with an OTP (One Time Password) system
|
||||
* to add a second authentication layer. Such accounts use a session
|
||||
* with a given lifetime after which they are logged out and need
|
||||
* to be re-authenticated. You can configure the lifetime of these
|
||||
* sessions here.
|
||||
*
|
||||
* defaults to 7 days
|
||||
*/
|
||||
//otpSessionExpiration: 7*24, // hours
|
||||
|
||||
/* Registered users can be forced to protect their account
|
||||
* with a Multi-factor Authentication (MFA) tool like a TOTP
|
||||
* authenticator application.
|
||||
*
|
||||
* defaults to false
|
||||
*/
|
||||
//enforceMFA: false,
|
||||
|
||||
/* =====================
|
||||
* Privacy
|
||||
* ===================== */
|
||||
|
||||
/* Depending on where your instance is hosted, you may be required to log IP
|
||||
* addresses of the users who make a change to a document. This setting allows you
|
||||
* to do so. You can configure the logging system below in this config file.
|
||||
* Setting this value to true will include a log for each websocket connection
|
||||
* including this connection's unique ID, the user public key and the IP.
|
||||
* NOTE: this option requires a log level of "info" or below.
|
||||
*
|
||||
* defaults to false
|
||||
*/
|
||||
//logIP: false,
|
||||
|
||||
/* =====================
|
||||
* Admin
|
||||
* ===================== */
|
||||
|
@ -115,52 +164,15 @@ module.exports = {
|
|||
* To give access to the admin panel to a user account, just add their public signing
|
||||
* key, which can be found on the settings page for registered users.
|
||||
* Entries should be strings separated by a comma.
|
||||
* adminKeys: [
|
||||
* "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
|
||||
* "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
|
||||
* ]
|
||||
*
|
||||
*/
|
||||
/*
|
||||
adminKeys: [
|
||||
"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
|
||||
|
||||
],
|
||||
*/
|
||||
|
||||
/* CryptPad's administration panel includes a "support" tab
|
||||
* wherein administrators with a secret key can view messages
|
||||
* sent from users via the encrypted forms on the /support/ page
|
||||
*
|
||||
* To enable this functionality:
|
||||
* run `node ./scripts/generate-admin-keys.js`
|
||||
* save the public key in your config in the value below
|
||||
* add the private key via the admin panel
|
||||
* and back it up in a secure manner
|
||||
*
|
||||
*/
|
||||
supportMailboxPublicKey: '',
|
||||
|
||||
/* CryptPad will display a point of contact for your instance on its contact page
|
||||
* (/contact.html) if you provide it below.
|
||||
*/
|
||||
adminEmail: '__EMAIL__',
|
||||
|
||||
/* We're very proud that CryptPad is available to the public as free software!
|
||||
* We do, however, still need to pay our bills as we develop the platform.
|
||||
*
|
||||
* By default CryptPad will prompt users to consider donating to
|
||||
* our OpenCollective campaign. We publish the state of our finances periodically
|
||||
* so you can decide for yourself whether our expenses are reasonable.
|
||||
*
|
||||
* You can disable any solicitations for donations by setting 'removeDonateButton' to true,
|
||||
* but we'd appreciate it if you didn't!
|
||||
*/
|
||||
removeDonateButton: true,
|
||||
|
||||
/*
|
||||
* By default, CryptPad contacts one of our servers once a day.
|
||||
* This check-in will also send some very basic information about your instance including its
|
||||
* version and the adminEmail so we can reach you if we are aware of a serious problem.
|
||||
* We will never sell it or send you marketing mail.
|
||||
*
|
||||
* If you want to block this check-in and remain set 'blockDailyCheck' to true.
|
||||
*/
|
||||
blockDailyCheck: true,
|
||||
|
||||
/* =====================
|
||||
* STORAGE
|
||||
|
@ -180,7 +192,7 @@ module.exports = {
|
|||
* This archived data still takes up space and so you'll probably still want to
|
||||
* remove these files after a brief period.
|
||||
*
|
||||
* cryptpad/scripts/evict-inactive.js is intended to be run daily
|
||||
* cryptpad/scripts/evict-archived.js is intended to be run daily
|
||||
* from a crontab or similar scheduling service.
|
||||
*
|
||||
* The intent with this feature is to provide a safety net in case of accidental
|
||||
|
|
111
conf/nginx.conf
111
conf/nginx.conf
|
@ -1,91 +1,22 @@
|
|||
set $main_domain "__DOMAIN__";
|
||||
set $sandbox_domain "__SANDBOXDOMAIN__";
|
||||
set $allowed_origins "https://${sandbox_domain}";
|
||||
set $api_domain "__DOMAIN__";
|
||||
set $files_domain "__DOMAIN__";
|
||||
ssl_ecdh_curve secp384r1;
|
||||
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
|
||||
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
||||
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
||||
root __INSTALL_DIR__/;
|
||||
index index.html;
|
||||
error_page 404 /customize.dist/404.html;
|
||||
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
|
||||
set $cacheControl no-cache;
|
||||
}
|
||||
if ($args ~ ver=) {
|
||||
set $cacheControl max-age=31536000;
|
||||
}
|
||||
more_set_headers "Cache-Control: $cacheControl";
|
||||
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
|
||||
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
|
||||
set $fontSrc "'self' data: https://${main_domain}";
|
||||
set $imgSrc "'self' data: blob: https://${main_domain}";
|
||||
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
||||
set $mediaSrc "blob:";
|
||||
set $childSrc "https://${main_domain}";
|
||||
set $workerSrc "'self'";
|
||||
set $scriptSrc "'self' resource: https://${main_domain}";
|
||||
set $frameAncestors "'self' https://${main_domain}";
|
||||
set $unsafe 0;
|
||||
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
||||
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
||||
if ($host != $sandbox_domain) { set $unsafe 0; }
|
||||
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
||||
if ($unsafe) {
|
||||
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
||||
}
|
||||
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
|
||||
location ^~ /cryptpad_websocket {
|
||||
proxy_pass http://127.0.0.1:__PORT__;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection upgrade;
|
||||
}
|
||||
location ^~ /customize.dist/ {
|
||||
# This is needed in order to prevent infinite recursion between /customize/ and the root
|
||||
}
|
||||
location ^~ /customize/ {
|
||||
rewrite ^/customize/(.*)$ $1 break;
|
||||
try_files /customize/$uri /customize.dist/$uri;
|
||||
}
|
||||
location ~ ^/api/.*$ {
|
||||
proxy_pass http://127.0.0.1:__PORT__;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_hide_header Cross-Origin-Resource-Policy;
|
||||
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
||||
proxy_hide_header Cross-Origin-Embedder-Policy;
|
||||
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
||||
}
|
||||
location ^~ /blob/ {
|
||||
if ($request_method = 'OPTIONS') {
|
||||
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
||||
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
||||
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
|
||||
more_set_headers "Access-Control-Max-Age: 1728000";
|
||||
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
|
||||
more_set_headers "Content-Length: 0";
|
||||
return 204;
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:__PORT__;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
client_max_body_size 150m;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection upgrade;
|
||||
}
|
||||
more_set_headers "X-Content-Type-Options: nosniff";
|
||||
more_set_headers "Cache-Control: max-age=31536000'";
|
||||
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
||||
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
||||
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
||||
more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
||||
try_files $uri =404;
|
||||
}
|
||||
location ^~ /block/ {
|
||||
more_set_headers "X-Content-Type-Options: nosniff";
|
||||
more_set_headers "Cache-Control: max-age=0";
|
||||
try_files $uri =404;
|
||||
}
|
||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
|
||||
rewrite ^(.*)$ $1/ redirect;
|
||||
}
|
||||
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
|
||||
|
||||
location ^~ /cryptpad_websocket {
|
||||
proxy_pass http://127.0.0.1:__PORT_SOCKET__;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection upgrade;
|
||||
}
|
91
conf/old.nginx.conf
Normal file
91
conf/old.nginx.conf
Normal file
|
@ -0,0 +1,91 @@
|
|||
set $main_domain "__DOMAIN__";
|
||||
set $sandbox_domain "__SANDBOXDOMAIN__";
|
||||
set $allowed_origins "https://${sandbox_domain}";
|
||||
set $api_domain "__DOMAIN__";
|
||||
set $files_domain "__DOMAIN__";
|
||||
ssl_ecdh_curve secp384r1;
|
||||
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
|
||||
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
||||
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
||||
root __INSTALL_DIR__/;
|
||||
index index.html;
|
||||
error_page 404 /customize.dist/404.html;
|
||||
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
|
||||
set $cacheControl no-cache;
|
||||
}
|
||||
if ($args ~ ver=) {
|
||||
set $cacheControl max-age=31536000;
|
||||
}
|
||||
more_set_headers "Cache-Control: $cacheControl";
|
||||
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
|
||||
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
|
||||
set $fontSrc "'self' data: https://${main_domain}";
|
||||
set $imgSrc "'self' data: blob: https://${main_domain}";
|
||||
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
||||
set $mediaSrc "blob:";
|
||||
set $childSrc "https://${main_domain}";
|
||||
set $workerSrc "'self'";
|
||||
set $scriptSrc "'self' resource: https://${main_domain}";
|
||||
set $frameAncestors "'self' https://${main_domain}";
|
||||
set $unsafe 0;
|
||||
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
||||
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
||||
if ($host != $sandbox_domain) { set $unsafe 0; }
|
||||
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
||||
if ($unsafe) {
|
||||
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
||||
}
|
||||
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
|
||||
location ^~ /cryptpad_websocket {
|
||||
proxy_pass http://127.0.0.1:__PORT__;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection upgrade;
|
||||
}
|
||||
location ^~ /customize.dist/ {
|
||||
# This is needed in order to prevent infinite recursion between /customize/ and the root
|
||||
}
|
||||
location ^~ /customize/ {
|
||||
rewrite ^/customize/(.*)$ $1 break;
|
||||
try_files /customize/$uri /customize.dist/$uri;
|
||||
}
|
||||
location ~ ^/api/.*$ {
|
||||
proxy_pass http://127.0.0.1:__PORT__;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_hide_header Cross-Origin-Resource-Policy;
|
||||
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
||||
proxy_hide_header Cross-Origin-Embedder-Policy;
|
||||
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
||||
}
|
||||
location ^~ /blob/ {
|
||||
if ($request_method = 'OPTIONS') {
|
||||
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
||||
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
||||
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
|
||||
more_set_headers "Access-Control-Max-Age: 1728000";
|
||||
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
|
||||
more_set_headers "Content-Length: 0";
|
||||
return 204;
|
||||
}
|
||||
more_set_headers "X-Content-Type-Options: nosniff";
|
||||
more_set_headers "Cache-Control: max-age=31536000'";
|
||||
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
||||
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
||||
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
||||
more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
||||
try_files $uri =404;
|
||||
}
|
||||
location ^~ /block/ {
|
||||
more_set_headers "X-Content-Type-Options: nosniff";
|
||||
more_set_headers "Cache-Control: max-age=0";
|
||||
try_files $uri =404;
|
||||
}
|
||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
|
||||
rewrite ^(.*)$ $1/ redirect;
|
||||
}
|
||||
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
|
|
@ -52,6 +52,7 @@ ram.runtime = "50M"
|
|||
[resources.ports]
|
||||
main.default = 3000
|
||||
porti.default = 3001
|
||||
socket.default = 3003
|
||||
|
||||
[resources.system_user]
|
||||
|
||||
|
|
|
@ -78,7 +78,7 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e
|
|||
#=================================================
|
||||
ynh_script_progression --message="Adding a configuration file..."
|
||||
|
||||
ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js"
|
||||
ynh_add_config --template="config.js" --destination="$install_dir/config/config.js"
|
||||
|
||||
chmod 600 "$install_dir/config/config.js"
|
||||
chown $app "$install_dir/config/config.js"
|
||||
|
|
Loading…
Reference in a new issue