mirror of
https://github.com/YunoHost-Apps/cryptpad_ynh.git
synced 2024-09-03 18:26:14 +02:00
set basic NGINX
This commit is contained in:
parent
d3bb1fd7b9
commit
3dfab40f3f
5 changed files with 183 additions and 148 deletions
126
conf/config.js
126
conf/config.js
|
@ -1,3 +1,7 @@
|
||||||
|
// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
|
||||||
|
//
|
||||||
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
/* globals module */
|
/* globals module */
|
||||||
|
|
||||||
/* DISCLAIMER:
|
/* DISCLAIMER:
|
||||||
|
@ -11,7 +15,7 @@
|
||||||
Support requests for such setups should be directed to their authors.
|
Support requests for such setups should be directed to their authors.
|
||||||
|
|
||||||
If you're having difficulty difficulty configuring your instance
|
If you're having difficulty difficulty configuring your instance
|
||||||
we suggest that you join the project's IRC/Matrix channel.
|
we suggest that you join the project's Matrix channel.
|
||||||
|
|
||||||
If you don't have any difficulty configuring your instance and you'd like to
|
If you don't have any difficulty configuring your instance and you'd like to
|
||||||
support us for the work that went into making it pain-free we are quite happy
|
support us for the work that went into making it pain-free we are quite happy
|
||||||
|
@ -45,21 +49,13 @@ module.exports = {
|
||||||
* In such a case this should be also handled by NGINX, as documented in
|
* In such a case this should be also handled by NGINX, as documented in
|
||||||
* cryptpad/docs/example.nginx.conf (see the $main_domain variable)
|
* cryptpad/docs/example.nginx.conf (see the $main_domain variable)
|
||||||
*
|
*
|
||||||
* Note: you may provide multiple origins for the purpose of accessing
|
|
||||||
* a development instance via different URLs, like so:
|
|
||||||
* httpUnsafeOrigin: 'http://127.0.0.1:3000/ http://localhost:3000/',
|
|
||||||
*
|
|
||||||
* Such configuration is not recommended for production instances,
|
|
||||||
* as the development team does not actively test such configuration
|
|
||||||
* and it may have unintended consequences in practice.
|
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
httpUnsafeOrigin: 'https://__DOMAIN__',
|
httpUnsafeOrigin: 'https://__DOMAIN__',
|
||||||
|
|
||||||
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
|
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
|
||||||
* If you're testing or developing with CryptPad on your local machine then
|
* If you're testing or developing with CryptPad on your local machine then
|
||||||
* it is appropriate to leave this blank. The default behaviour is to serve
|
* it is appropriate to leave this blank. The default behaviour is to serve
|
||||||
* the main domain over port 3000 and to serve the content over port 3001.
|
* the main domain over port 3000 and to serve the sandbox content over port 3001.
|
||||||
*
|
*
|
||||||
* This is not appropriate in a production environment where invasive networks
|
* This is not appropriate in a production environment where invasive networks
|
||||||
* may filter traffic going over abnormal ports.
|
* may filter traffic going over abnormal ports.
|
||||||
|
@ -70,14 +66,17 @@ module.exports = {
|
||||||
* This value corresponds to the $sandbox_domain variable
|
* This value corresponds to the $sandbox_domain variable
|
||||||
* in the example nginx file.
|
* in the example nginx file.
|
||||||
*
|
*
|
||||||
|
* Note that in order for the sandboxing system to be effective
|
||||||
|
* httpSafeOrigin must be different from httpUnsafeOrigin.
|
||||||
|
*
|
||||||
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
|
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
|
||||||
*/
|
*/
|
||||||
httpSafeOrigin: "https://__SANDBOXDOMAIN__",
|
httpSafeOrigin: "https://__SANDBOXDOMAIN__",
|
||||||
|
|
||||||
/* httpAddress specifies the address on which the nodejs server
|
/* httpAddress specifies the address on which the nodejs server
|
||||||
* should be accessible. By default it will listen on 127.0.0.1
|
* should be accessible. By default it will listen on localhost
|
||||||
* (IPv4 localhost on most systems). If you want it to listen on
|
* (IPv4 & IPv6 if enabled). If you want it to listen on
|
||||||
* all addresses, including IPv6, set this to '::'.
|
* a specific address, specify it here. e.g '192.168.0.1'
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
httpAddress: '::',
|
httpAddress: '::',
|
||||||
|
@ -97,6 +96,19 @@ module.exports = {
|
||||||
*/
|
*/
|
||||||
httpSafePort: __PORT_PORTI__,
|
httpSafePort: __PORT_PORTI__,
|
||||||
|
|
||||||
|
/* Websockets need to be exposed on a separate port from the rest of
|
||||||
|
* the platform's HTTP traffic. Port 3003 is used by default.
|
||||||
|
* You can change this to a different port if it is in use by a
|
||||||
|
* different service, but under most circumstances you can leave this
|
||||||
|
* commented and it will work.
|
||||||
|
*
|
||||||
|
* In production environments, your reverse proxy (usually NGINX)
|
||||||
|
* will need to forward websocket traffic (/cryptpad_websocket)
|
||||||
|
* to this port.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
websocketPort: __PORT_SOCKET__,
|
||||||
|
|
||||||
/* CryptPad will launch a child process for every core available
|
/* CryptPad will launch a child process for every core available
|
||||||
* in order to perform CPU-intensive tasks in parallel.
|
* in order to perform CPU-intensive tasks in parallel.
|
||||||
* Some host environments may have a very large number of cores available
|
* Some host environments may have a very large number of cores available
|
||||||
|
@ -105,6 +117,43 @@ module.exports = {
|
||||||
*/
|
*/
|
||||||
// maxWorkers: 4,
|
// maxWorkers: 4,
|
||||||
|
|
||||||
|
/* =====================
|
||||||
|
* Sessions
|
||||||
|
* ===================== */
|
||||||
|
|
||||||
|
/* Accounts can be protected with an OTP (One Time Password) system
|
||||||
|
* to add a second authentication layer. Such accounts use a session
|
||||||
|
* with a given lifetime after which they are logged out and need
|
||||||
|
* to be re-authenticated. You can configure the lifetime of these
|
||||||
|
* sessions here.
|
||||||
|
*
|
||||||
|
* defaults to 7 days
|
||||||
|
*/
|
||||||
|
//otpSessionExpiration: 7*24, // hours
|
||||||
|
|
||||||
|
/* Registered users can be forced to protect their account
|
||||||
|
* with a Multi-factor Authentication (MFA) tool like a TOTP
|
||||||
|
* authenticator application.
|
||||||
|
*
|
||||||
|
* defaults to false
|
||||||
|
*/
|
||||||
|
//enforceMFA: false,
|
||||||
|
|
||||||
|
/* =====================
|
||||||
|
* Privacy
|
||||||
|
* ===================== */
|
||||||
|
|
||||||
|
/* Depending on where your instance is hosted, you may be required to log IP
|
||||||
|
* addresses of the users who make a change to a document. This setting allows you
|
||||||
|
* to do so. You can configure the logging system below in this config file.
|
||||||
|
* Setting this value to true will include a log for each websocket connection
|
||||||
|
* including this connection's unique ID, the user public key and the IP.
|
||||||
|
* NOTE: this option requires a log level of "info" or below.
|
||||||
|
*
|
||||||
|
* defaults to false
|
||||||
|
*/
|
||||||
|
//logIP: false,
|
||||||
|
|
||||||
/* =====================
|
/* =====================
|
||||||
* Admin
|
* Admin
|
||||||
* ===================== */
|
* ===================== */
|
||||||
|
@ -115,52 +164,15 @@ module.exports = {
|
||||||
* To give access to the admin panel to a user account, just add their public signing
|
* To give access to the admin panel to a user account, just add their public signing
|
||||||
* key, which can be found on the settings page for registered users.
|
* key, which can be found on the settings page for registered users.
|
||||||
* Entries should be strings separated by a comma.
|
* Entries should be strings separated by a comma.
|
||||||
|
* adminKeys: [
|
||||||
|
* "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
|
||||||
|
* "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
|
||||||
|
* ]
|
||||||
|
*
|
||||||
*/
|
*/
|
||||||
/*
|
|
||||||
adminKeys: [
|
adminKeys: [
|
||||||
"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
|
|
||||||
],
|
],
|
||||||
*/
|
|
||||||
|
|
||||||
/* CryptPad's administration panel includes a "support" tab
|
|
||||||
* wherein administrators with a secret key can view messages
|
|
||||||
* sent from users via the encrypted forms on the /support/ page
|
|
||||||
*
|
|
||||||
* To enable this functionality:
|
|
||||||
* run `node ./scripts/generate-admin-keys.js`
|
|
||||||
* save the public key in your config in the value below
|
|
||||||
* add the private key via the admin panel
|
|
||||||
* and back it up in a secure manner
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
supportMailboxPublicKey: '',
|
|
||||||
|
|
||||||
/* CryptPad will display a point of contact for your instance on its contact page
|
|
||||||
* (/contact.html) if you provide it below.
|
|
||||||
*/
|
|
||||||
adminEmail: '__EMAIL__',
|
|
||||||
|
|
||||||
/* We're very proud that CryptPad is available to the public as free software!
|
|
||||||
* We do, however, still need to pay our bills as we develop the platform.
|
|
||||||
*
|
|
||||||
* By default CryptPad will prompt users to consider donating to
|
|
||||||
* our OpenCollective campaign. We publish the state of our finances periodically
|
|
||||||
* so you can decide for yourself whether our expenses are reasonable.
|
|
||||||
*
|
|
||||||
* You can disable any solicitations for donations by setting 'removeDonateButton' to true,
|
|
||||||
* but we'd appreciate it if you didn't!
|
|
||||||
*/
|
|
||||||
removeDonateButton: true,
|
|
||||||
|
|
||||||
/*
|
|
||||||
* By default, CryptPad contacts one of our servers once a day.
|
|
||||||
* This check-in will also send some very basic information about your instance including its
|
|
||||||
* version and the adminEmail so we can reach you if we are aware of a serious problem.
|
|
||||||
* We will never sell it or send you marketing mail.
|
|
||||||
*
|
|
||||||
* If you want to block this check-in and remain set 'blockDailyCheck' to true.
|
|
||||||
*/
|
|
||||||
blockDailyCheck: true,
|
|
||||||
|
|
||||||
/* =====================
|
/* =====================
|
||||||
* STORAGE
|
* STORAGE
|
||||||
|
@ -180,7 +192,7 @@ module.exports = {
|
||||||
* This archived data still takes up space and so you'll probably still want to
|
* This archived data still takes up space and so you'll probably still want to
|
||||||
* remove these files after a brief period.
|
* remove these files after a brief period.
|
||||||
*
|
*
|
||||||
* cryptpad/scripts/evict-inactive.js is intended to be run daily
|
* cryptpad/scripts/evict-archived.js is intended to be run daily
|
||||||
* from a crontab or similar scheduling service.
|
* from a crontab or similar scheduling service.
|
||||||
*
|
*
|
||||||
* The intent with this feature is to provide a safety net in case of accidental
|
* The intent with this feature is to provide a safety net in case of accidental
|
||||||
|
|
|
@ -1,91 +1,22 @@
|
||||||
set $main_domain "__DOMAIN__";
|
location / {
|
||||||
set $sandbox_domain "__SANDBOXDOMAIN__";
|
|
||||||
set $allowed_origins "https://${sandbox_domain}";
|
|
||||||
set $api_domain "__DOMAIN__";
|
|
||||||
set $files_domain "__DOMAIN__";
|
|
||||||
ssl_ecdh_curve secp384r1;
|
|
||||||
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
|
|
||||||
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
|
||||||
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
|
||||||
root __INSTALL_DIR__/;
|
|
||||||
index index.html;
|
|
||||||
error_page 404 /customize.dist/404.html;
|
|
||||||
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
|
|
||||||
set $cacheControl no-cache;
|
|
||||||
}
|
|
||||||
if ($args ~ ver=) {
|
|
||||||
set $cacheControl max-age=31536000;
|
|
||||||
}
|
|
||||||
more_set_headers "Cache-Control: $cacheControl";
|
|
||||||
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
|
|
||||||
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
|
|
||||||
set $fontSrc "'self' data: https://${main_domain}";
|
|
||||||
set $imgSrc "'self' data: blob: https://${main_domain}";
|
|
||||||
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
|
||||||
set $mediaSrc "blob:";
|
|
||||||
set $childSrc "https://${main_domain}";
|
|
||||||
set $workerSrc "'self'";
|
|
||||||
set $scriptSrc "'self' resource: https://${main_domain}";
|
|
||||||
set $frameAncestors "'self' https://${main_domain}";
|
|
||||||
set $unsafe 0;
|
|
||||||
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
|
||||||
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
|
||||||
if ($host != $sandbox_domain) { set $unsafe 0; }
|
|
||||||
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
|
||||||
if ($unsafe) {
|
|
||||||
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
|
||||||
}
|
|
||||||
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
|
|
||||||
location ^~ /cryptpad_websocket {
|
|
||||||
proxy_pass http://127.0.0.1:__PORT__;
|
proxy_pass http://127.0.0.1:__PORT__;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
client_max_body_size 150m;
|
||||||
|
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection upgrade;
|
proxy_set_header Connection upgrade;
|
||||||
}
|
}
|
||||||
location ^~ /customize.dist/ {
|
|
||||||
# This is needed in order to prevent infinite recursion between /customize/ and the root
|
location ^~ /cryptpad_websocket {
|
||||||
}
|
proxy_pass http://127.0.0.1:__PORT_SOCKET__;
|
||||||
location ^~ /customize/ {
|
|
||||||
rewrite ^/customize/(.*)$ $1 break;
|
|
||||||
try_files /customize/$uri /customize.dist/$uri;
|
|
||||||
}
|
|
||||||
location ~ ^/api/.*$ {
|
|
||||||
proxy_pass http://127.0.0.1:__PORT__;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_hide_header Cross-Origin-Resource-Policy;
|
|
||||||
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
proxy_http_version 1.1;
|
||||||
proxy_hide_header Cross-Origin-Embedder-Policy;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
proxy_set_header Connection upgrade;
|
||||||
}
|
|
||||||
location ^~ /blob/ {
|
|
||||||
if ($request_method = 'OPTIONS') {
|
|
||||||
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
|
||||||
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
|
||||||
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
|
|
||||||
more_set_headers "Access-Control-Max-Age: 1728000";
|
|
||||||
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
|
|
||||||
more_set_headers "Content-Length: 0";
|
|
||||||
return 204;
|
|
||||||
}
|
}
|
||||||
more_set_headers "X-Content-Type-Options: nosniff";
|
|
||||||
more_set_headers "Cache-Control: max-age=31536000'";
|
|
||||||
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
|
||||||
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
|
||||||
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
|
||||||
more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
|
||||||
try_files $uri =404;
|
|
||||||
}
|
|
||||||
location ^~ /block/ {
|
|
||||||
more_set_headers "X-Content-Type-Options: nosniff";
|
|
||||||
more_set_headers "Cache-Control: max-age=0";
|
|
||||||
try_files $uri =404;
|
|
||||||
}
|
|
||||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
|
|
||||||
rewrite ^(.*)$ $1/ redirect;
|
|
||||||
}
|
|
||||||
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
|
|
||||||
|
|
91
conf/old.nginx.conf
Normal file
91
conf/old.nginx.conf
Normal file
|
@ -0,0 +1,91 @@
|
||||||
|
set $main_domain "__DOMAIN__";
|
||||||
|
set $sandbox_domain "__SANDBOXDOMAIN__";
|
||||||
|
set $allowed_origins "https://${sandbox_domain}";
|
||||||
|
set $api_domain "__DOMAIN__";
|
||||||
|
set $files_domain "__DOMAIN__";
|
||||||
|
ssl_ecdh_curve secp384r1;
|
||||||
|
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
|
||||||
|
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
||||||
|
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
||||||
|
root __INSTALL_DIR__/;
|
||||||
|
index index.html;
|
||||||
|
error_page 404 /customize.dist/404.html;
|
||||||
|
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
|
||||||
|
set $cacheControl no-cache;
|
||||||
|
}
|
||||||
|
if ($args ~ ver=) {
|
||||||
|
set $cacheControl max-age=31536000;
|
||||||
|
}
|
||||||
|
more_set_headers "Cache-Control: $cacheControl";
|
||||||
|
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
|
||||||
|
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
|
||||||
|
set $fontSrc "'self' data: https://${main_domain}";
|
||||||
|
set $imgSrc "'self' data: blob: https://${main_domain}";
|
||||||
|
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
||||||
|
set $mediaSrc "blob:";
|
||||||
|
set $childSrc "https://${main_domain}";
|
||||||
|
set $workerSrc "'self'";
|
||||||
|
set $scriptSrc "'self' resource: https://${main_domain}";
|
||||||
|
set $frameAncestors "'self' https://${main_domain}";
|
||||||
|
set $unsafe 0;
|
||||||
|
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
||||||
|
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
||||||
|
if ($host != $sandbox_domain) { set $unsafe 0; }
|
||||||
|
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
||||||
|
if ($unsafe) {
|
||||||
|
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
||||||
|
}
|
||||||
|
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
|
||||||
|
location ^~ /cryptpad_websocket {
|
||||||
|
proxy_pass http://127.0.0.1:__PORT__;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection upgrade;
|
||||||
|
}
|
||||||
|
location ^~ /customize.dist/ {
|
||||||
|
# This is needed in order to prevent infinite recursion between /customize/ and the root
|
||||||
|
}
|
||||||
|
location ^~ /customize/ {
|
||||||
|
rewrite ^/customize/(.*)$ $1 break;
|
||||||
|
try_files /customize/$uri /customize.dist/$uri;
|
||||||
|
}
|
||||||
|
location ~ ^/api/.*$ {
|
||||||
|
proxy_pass http://127.0.0.1:__PORT__;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_hide_header Cross-Origin-Resource-Policy;
|
||||||
|
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
|
||||||
|
proxy_hide_header Cross-Origin-Embedder-Policy;
|
||||||
|
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
|
||||||
|
}
|
||||||
|
location ^~ /blob/ {
|
||||||
|
if ($request_method = 'OPTIONS') {
|
||||||
|
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
||||||
|
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
||||||
|
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
|
||||||
|
more_set_headers "Access-Control-Max-Age: 1728000";
|
||||||
|
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
|
||||||
|
more_set_headers "Content-Length: 0";
|
||||||
|
return 204;
|
||||||
|
}
|
||||||
|
more_set_headers "X-Content-Type-Options: nosniff";
|
||||||
|
more_set_headers "Cache-Control: max-age=31536000'";
|
||||||
|
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
|
||||||
|
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
|
||||||
|
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
||||||
|
more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
|
||||||
|
try_files $uri =404;
|
||||||
|
}
|
||||||
|
location ^~ /block/ {
|
||||||
|
more_set_headers "X-Content-Type-Options: nosniff";
|
||||||
|
more_set_headers "Cache-Control: max-age=0";
|
||||||
|
try_files $uri =404;
|
||||||
|
}
|
||||||
|
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
|
||||||
|
rewrite ^(.*)$ $1/ redirect;
|
||||||
|
}
|
||||||
|
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
|
|
@ -52,6 +52,7 @@ ram.runtime = "50M"
|
||||||
[resources.ports]
|
[resources.ports]
|
||||||
main.default = 3000
|
main.default = 3000
|
||||||
porti.default = 3001
|
porti.default = 3001
|
||||||
|
socket.default = 3003
|
||||||
|
|
||||||
[resources.system_user]
|
[resources.system_user]
|
||||||
|
|
||||||
|
|
|
@ -78,7 +78,7 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e
|
||||||
#=================================================
|
#=================================================
|
||||||
ynh_script_progression --message="Adding a configuration file..."
|
ynh_script_progression --message="Adding a configuration file..."
|
||||||
|
|
||||||
ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js"
|
ynh_add_config --template="config.js" --destination="$install_dir/config/config.js"
|
||||||
|
|
||||||
chmod 600 "$install_dir/config/config.js"
|
chmod 600 "$install_dir/config/config.js"
|
||||||
chown $app "$install_dir/config/config.js"
|
chown $app "$install_dir/config/config.js"
|
||||||
|
|
Loading…
Reference in a new issue