
set basic NGINX

This commit is contained in:
Éric Gaspar 2024-05-24 09:26:32 +02:00
parent d3bb1fd7b9
commit 3dfab40f3f
5 changed files with 183 additions and 148 deletions


@ -1,3 +1,7 @@
// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
//
// SPDX-License-Identifier: AGPL-3.0-or-later
/* globals module */ /* globals module */
/* DISCLAIMER: /* DISCLAIMER:
@ -11,7 +15,7 @@
Support requests for such setups should be directed to their authors. Support requests for such setups should be directed to their authors.
If you're having difficulty difficulty configuring your instance If you're having difficulty difficulty configuring your instance
we suggest that you join the project's IRC/Matrix channel. we suggest that you join the project's Matrix channel.
If you don't have any difficulty configuring your instance and you'd like to If you don't have any difficulty configuring your instance and you'd like to
support us for the work that went into making it pain-free we are quite happy support us for the work that went into making it pain-free we are quite happy
@ -45,21 +49,13 @@ module.exports = {
* In such a case this should be also handled by NGINX, as documented in * In such a case this should be also handled by NGINX, as documented in
* cryptpad/docs/example.nginx.conf (see the $main_domain variable) * cryptpad/docs/example.nginx.conf (see the $main_domain variable)
* *
* Note: you may provide multiple origins for the purpose of accessing
* a development instance via different URLs, like so:
* httpUnsafeOrigin: 'http://127.0.0.1:3000/ http://localhost:3000/',
*
* Such configuration is not recommended for production instances,
* as the development team does not actively test such configuration
* and it may have unintended consequences in practice.
*
*/ */
httpUnsafeOrigin: 'https://__DOMAIN__', httpUnsafeOrigin: 'https://__DOMAIN__',
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above. /* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
* If you're testing or developing with CryptPad on your local machine then * If you're testing or developing with CryptPad on your local machine then
* it is appropriate to leave this blank. The default behaviour is to serve * it is appropriate to leave this blank. The default behaviour is to serve
* the main domain over port 3000 and to serve the content over port 3001. * the main domain over port 3000 and to serve the sandbox content over port 3001.
* *
* This is not appropriate in a production environment where invasive networks * This is not appropriate in a production environment where invasive networks
* may filter traffic going over abnormal ports. * may filter traffic going over abnormal ports.
@ -70,14 +66,17 @@ module.exports = {
* This value corresponds to the $sandbox_domain variable * This value corresponds to the $sandbox_domain variable
* in the example nginx file. * in the example nginx file.
* *
* Note that in order for the sandboxing system to be effective
* httpSafeOrigin must be different from httpUnsafeOrigin.
*
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
*/ */
httpSafeOrigin: "https://__SANDBOXDOMAIN__", httpSafeOrigin: "https://__SANDBOXDOMAIN__",
/* httpAddress specifies the address on which the nodejs server /* httpAddress specifies the address on which the nodejs server
* should be accessible. By default it will listen on 127.0.0.1 * should be accessible. By default it will listen on localhost
* (IPv4 localhost on most systems). If you want it to listen on * (IPv4 & IPv6 if enabled). If you want it to listen on
* all addresses, including IPv6, set this to '::'. * a specific address, specify it here. e.g '192.168.0.1'
* *
*/ */
httpAddress: '::', httpAddress: '::',
@ -97,6 +96,19 @@ module.exports = {
*/ */
httpSafePort: __PORT_PORTI__, httpSafePort: __PORT_PORTI__,
/* Websockets need to be exposed on a separate port from the rest of
* the platform's HTTP traffic. Port 3003 is used by default.
* You can change this to a different port if it is in use by a
* different service, but under most circumstances you can leave this
* commented and it will work.
*
* In production environments, your reverse proxy (usually NGINX)
* will need to forward websocket traffic (/cryptpad_websocket)
* to this port.
*
*/
websocketPort: __PORT_SOCKET__,
/* CryptPad will launch a child process for every core available /* CryptPad will launch a child process for every core available
* in order to perform CPU-intensive tasks in parallel. * in order to perform CPU-intensive tasks in parallel.
* Some host environments may have a very large number of cores available * Some host environments may have a very large number of cores available
@ -105,6 +117,43 @@ module.exports = {
*/ */
// maxWorkers: 4, // maxWorkers: 4,
/* =====================
* Sessions
* ===================== */
/* Accounts can be protected with an OTP (One Time Password) system
* to add a second authentication layer. Such accounts use a session
* with a given lifetime after which they are logged out and need
* to be re-authenticated. You can configure the lifetime of these
* sessions here.
*
* defaults to 7 days
*/
//otpSessionExpiration: 7*24, // hours
/* Registered users can be forced to protect their account
* with a Multi-factor Authentication (MFA) tool like a TOTP
* authenticator application.
*
* defaults to false
*/
//enforceMFA: false,
/* =====================
* Privacy
* ===================== */
/* Depending on where your instance is hosted, you may be required to log IP
* addresses of the users who make a change to a document. This setting allows you
* to do so. You can configure the logging system below in this config file.
* Setting this value to true will include a log for each websocket connection
* including this connection's unique ID, the user public key and the IP.
* NOTE: this option requires a log level of "info" or below.
*
* defaults to false
*/
//logIP: false,
/* ===================== /* =====================
* Admin * Admin
* ===================== */ * ===================== */
@ -115,52 +164,15 @@ module.exports = {
* To give access to the admin panel to a user account, just add their public signing * To give access to the admin panel to a user account, just add their public signing
* key, which can be found on the settings page for registered users. * key, which can be found on the settings page for registered users.
* Entries should be strings separated by a comma. * Entries should be strings separated by a comma.
* adminKeys: [
* "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
* "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
* ]
*
*/ */
/*
adminKeys: [ adminKeys: [
"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
], ],
*/
/* CryptPad's administration panel includes a "support" tab
* wherein administrators with a secret key can view messages
* sent from users via the encrypted forms on the /support/ page
*
* To enable this functionality:
* run `node ./scripts/generate-admin-keys.js`
* save the public key in your config in the value below
* add the private key via the admin panel
* and back it up in a secure manner
*
*/
supportMailboxPublicKey: '',
/* CryptPad will display a point of contact for your instance on its contact page
* (/contact.html) if you provide it below.
*/
adminEmail: '__EMAIL__',
/* We're very proud that CryptPad is available to the public as free software!
* We do, however, still need to pay our bills as we develop the platform.
*
* By default CryptPad will prompt users to consider donating to
* our OpenCollective campaign. We publish the state of our finances periodically
* so you can decide for yourself whether our expenses are reasonable.
*
* You can disable any solicitations for donations by setting 'removeDonateButton' to true,
* but we'd appreciate it if you didn't!
*/
removeDonateButton: true,
/*
* By default, CryptPad contacts one of our servers once a day.
* This check-in will also send some very basic information about your instance including its
* version and the adminEmail so we can reach you if we are aware of a serious problem.
* We will never sell it or send you marketing mail.
*
* If you want to block this check-in and remain set 'blockDailyCheck' to true.
*/
blockDailyCheck: true,
/* ===================== /* =====================
* STORAGE * STORAGE
@ -180,7 +192,7 @@ module.exports = {
* This archived data still takes up space and so you'll probably still want to * This archived data still takes up space and so you'll probably still want to
* remove these files after a brief period. * remove these files after a brief period.
* *
* cryptpad/scripts/evict-inactive.js is intended to be run daily * cryptpad/scripts/evict-archived.js is intended to be run daily
* from a crontab or similar scheduling service. * from a crontab or similar scheduling service.
* *
* The intent with this feature is to provide a safety net in case of accidental * The intent with this feature is to provide a safety net in case of accidental
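Review bot: The Admin hunk's new side drops `blockDailyCheck: true`, `removeDonateButton: true`, `adminEmail: '__EMAIL__'` and `supportMailboxPublicKey: ''`, and by the removed comment's own description an instance without `blockDailyCheck` contacts a CryptPad server once a day and sends its version and admin e-mail, so unless these options are re-set in a part of config.js outside the shown hunks this commit silently re-enables that check-in for every YunoHost install; restore at least `blockDailyCheck: true,` and `removeDonateButton: true,` under the Admin section. Separately, `httpAddress: '::'` is kept while the new NGINX config proxies to `127.0.0.1`, so the Node HTTP, sandbox and websocket ports are bound on every interface and reachable without the reverse proxy wherever the host firewall does not block them, and the updated comment above it ("By default it will listen on localhost") no longer describes the value set. Binding with `httpAddress: '127.0.0.1',` matches the proxy_pass targets and the comment; if the YunoHost ports resource is relied on to keep these ports closed, say so in a comment rather than leaving the wide bind unexplained.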


@ -1,91 +1,22 @@
set $main_domain "__DOMAIN__"; location / {
set $sandbox_domain "__SANDBOXDOMAIN__"; proxy_pass http://127.0.0.1:__PORT__;
set $allowed_origins "https://${sandbox_domain}"; proxy_set_header X-Real-IP $remote_addr;
set $api_domain "__DOMAIN__"; proxy_set_header Host $host;
set $files_domain "__DOMAIN__"; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
ssl_ecdh_curve secp384r1; client_max_body_size 150m;
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
more_set_headers "Cross-Origin-Resource-Policy: cross-origin"; proxy_http_version 1.1;
more_set_headers "Cross-Origin-Embedder-Policy: require-corp"; proxy_set_header Upgrade $http_upgrade;
root __INSTALL_DIR__/; proxy_set_header Connection upgrade;
index index.html; }
error_page 404 /customize.dist/404.html;
if ($uri ~ ^(\/|.*\/|.*\.html)$) { location ^~ /cryptpad_websocket {
set $cacheControl no-cache; proxy_pass http://127.0.0.1:__PORT_SOCKET__;
} proxy_set_header X-Real-IP $remote_addr;
if ($args ~ ver=) { proxy_set_header Host $host;
set $cacheControl max-age=31536000; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
more_set_headers "Cache-Control: $cacheControl"; proxy_http_version 1.1;
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}"; proxy_set_header Upgrade $http_upgrade;
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}"; proxy_set_header Connection upgrade;
set $fontSrc "'self' data: https://${main_domain}";
set $imgSrc "'self' data: blob: https://${main_domain}";
set $frameSrc "'self' https://${sandbox_domain} blob:";
set $mediaSrc "blob:";
set $childSrc "https://${main_domain}";
set $workerSrc "'self'";
set $scriptSrc "'self' resource: https://${main_domain}";
set $frameAncestors "'self' https://${main_domain}";
set $unsafe 0;
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
if ($host != $sandbox_domain) { set $unsafe 0; }
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
if ($unsafe) {
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
}
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
location ^~ /cryptpad_websocket {
proxy_pass http://127.0.0.1:__PORT__;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
}
location ^~ /customize.dist/ {
# This is needed in order to prevent infinite recursion between /customize/ and the root
}
location ^~ /customize/ {
rewrite ^/customize/(.*)$ $1 break;
try_files /customize/$uri /customize.dist/$uri;
}
location ~ ^/api/.*$ {
proxy_pass http://127.0.0.1:__PORT__;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header Cross-Origin-Resource-Policy;
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
proxy_hide_header Cross-Origin-Embedder-Policy;
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
}
location ^~ /blob/ {
if ($request_method = 'OPTIONS') {
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
more_set_headers "Access-Control-Max-Age: 1728000";
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
more_set_headers "Content-Length: 0";
return 204;
} }
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Cache-Control: max-age=31536000'";
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
try_files $uri =404;
}
location ^~ /block/ {
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Cache-Control: max-age=0";
try_files $uri =404;
}
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
rewrite ^(.*)$ $1/ redirect;
}
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
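Review bot: The new side of conf/nginx.conf no longer sets any of the headers the old file emitted — the Content-Security-Policy with its `$unsafe` sandbox-domain logic, `Cross-Origin-Resource-Policy`/`Cross-Origin-Embedder-Policy`, `X-Content-Type-Options: nosniff` on `/blob/` and `/block/`, and the `Access-Control-Allow-Origin` limited to the sandbox origin — and forwards every path to the Node process, so the sandbox isolation that `httpSafeOrigin` depends on now rests entirely on CryptPad itself sending those headers for both `__DOMAIN__` and `__SANDBOXDOMAIN__`. That is plausible for recent CryptPad releases but nothing in this diff shows it, and nothing here shows the sandbox domain being served by a server block at all (that is outside the hunk), so I would verify after install with `curl -sI https://__SANDBOXDOMAIN__/ | grep -iE 'content-security-policy|cross-origin'` and record the result in the commit or README. A one-line comment at the top of the file, such as `# Security headers (CSP, COEP/CORP, nosniff) are emitted by the CryptPad Node server; do not add them here.`, would stop a later packager from re-adding conflicting headers.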

conf/old.nginx.conf Normal file

@ -0,0 +1,91 @@
set $main_domain "__DOMAIN__";
set $sandbox_domain "__SANDBOXDOMAIN__";
set $allowed_origins "https://${sandbox_domain}";
set $api_domain "__DOMAIN__";
set $files_domain "__DOMAIN__";
ssl_ecdh_curve secp384r1;
more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
root __INSTALL_DIR__/;
index index.html;
error_page 404 /customize.dist/404.html;
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
set $cacheControl no-cache;
}
if ($args ~ ver=) {
set $cacheControl max-age=31536000;
}
more_set_headers "Cache-Control: $cacheControl";
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
set $fontSrc "'self' data: https://${main_domain}";
set $imgSrc "'self' data: blob: https://${main_domain}";
set $frameSrc "'self' https://${sandbox_domain} blob:";
set $mediaSrc "blob:";
set $childSrc "https://${main_domain}";
set $workerSrc "'self'";
set $scriptSrc "'self' resource: https://${main_domain}";
set $frameAncestors "'self' https://${main_domain}";
set $unsafe 0;
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
if ($host != $sandbox_domain) { set $unsafe 0; }
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
if ($unsafe) {
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
}
more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
location ^~ /cryptpad_websocket {
proxy_pass http://127.0.0.1:__PORT__;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
}
location ^~ /customize.dist/ {
# This is needed in order to prevent infinite recursion between /customize/ and the root
}
location ^~ /customize/ {
rewrite ^/customize/(.*)$ $1 break;
try_files /customize/$uri /customize.dist/$uri;
}
location ~ ^/api/.*$ {
proxy_pass http://127.0.0.1:__PORT__;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header Cross-Origin-Resource-Policy;
more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
proxy_hide_header Cross-Origin-Embedder-Policy;
more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
}
location ^~ /blob/ {
if ($request_method = 'OPTIONS') {
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
more_set_headers "Access-Control-Max-Age: 1728000";
more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
more_set_headers "Content-Length: 0";
return 204;
}
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Cache-Control: max-age=31536000'";
more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
try_files $uri =404;
}
location ^~ /block/ {
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Cache-Control: max-age=0";
try_files $uri =404;
}
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
rewrite ^(.*)$ $1/ redirect;
}
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
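Review bot: conf/old.nginx.conf is added as a verbatim copy of the configuration this commit removes, and the install hunk shown here only renders config.js, so as far as this diff shows nothing consumes it; a dead copy of a security-header config in `conf/` invites someone to wire it back in, so either delete it or add a header comment stating why it is kept. If it is retained, two lines carry quoting defects worth fixing: `more_set_headers "Cache-Control: max-age=31536000'";` sends a stray `'` in the header value, and `more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";` wraps the origin in single quotes, which no browser will match against the sandbox origin (the same applies to the quoted `'GET, POST, OPTIONS'` and `'application/octet-stream; charset=utf-8'` values in the `/blob/` block); the unquoted `"Access-Control-Allow-Origin: ${allowed_origins}"` lines in that block show the intended form. These defects were present in the removed file too, so this is about what the retained file should look like, not about a regression.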


@ -52,6 +52,7 @@ ram.runtime = "50M"
[resources.ports] [resources.ports]
main.default = 3000 main.default = 3000
porti.default = 3001 porti.default = 3001
socket.default = 3003
[resources.system_user] [resources.system_user]


@ -78,7 +78,7 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e
#================================================= #=================================================
ynh_script_progression --message="Adding a configuration file..." ynh_script_progression --message="Adding a configuration file..."
ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js" ynh_add_config --template="config.js" --destination="$install_dir/config/config.js"
chmod 600 "$install_dir/config/config.js" chmod 600 "$install_dir/config/config.js"
chown $app "$install_dir/config/config.js" chown $app "$install_dir/config/config.js"