From d347660a9b57bd0051e1b322eef616bfe4b8b330 Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:53:13 +0000 Subject: [PATCH 1/5] Update install --- scripts/install | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 77ad500..c405420 100644 --- a/scripts/install +++ b/scripts/install @@ -66,6 +66,12 @@ ynh_app_setting_set --app=$app --key=port --value=$port porti=$(ynh_find_port --port=$(($port + 1))) ynh_app_setting_set --app=$app --key=porti --value=$porti +#================================================= +# CREATE A SANDBOX DOMAIN +#================================================= +sandboxdomain=sandbox-$domain +yunohost domain add $sandboxdomain + #================================================= # INSTALL DEPENDENCIES #================================================= @@ -155,12 +161,22 @@ ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --l #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 +ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true + # Make app public if necessary if [ $is_public -eq 1 ] then ynh_permission_update --permission="main" --add="visitors" fi +#================================================= +# APPLY FOLDER RIGHTS +#================================================= +chgrp -R www-data $final_path +#================================================= +# COPY NGINX CONF IN SANDBOX DOMAIN +#================================================= +ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf" #================================================= # RELOAD NGINX #================================================= @@ -175,9 +191,14 @@ ynh_script_progression --message="Sending a readme for the admin..." --weight=1 message="CryptPad was successfully installed :) -Please open your $app domain: https://$domain$path_url +We have created for you the mandatory sandbox domain at $sandboxdomain. -Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: +You still need to install the certificate for it. +So first, hit the diagnosis page so we make sure your DNS configuration is correct. +Then, go into your domain SSL configuration to generate your Let's Encrypt certificate. + +Please open your $app domain: https://$domain$path_url +Create an account via the Register button on the home page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key 2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder): From 71e2d2591aa42abaa5b7dd6f0435488ce5a25679 Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:54:08 +0000 Subject: [PATCH 2/5] Update remove --- scripts/remove | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/remove b/scripts/remove index e201fda..5bcaa1b 100644 --- a/scripts/remove +++ b/scripts/remove @@ -64,6 +64,12 @@ ynh_script_progression --message="Removing dependencies..." --weight=3 ynh_remove_nodejs +#================================================= +# REMOVE SANDBOX DOMAIN +#================================================= +sandboxdomain=sandbox-$domain +yunohost domain remove $sandboxdomain + #================================================= # GENERIC FINALIZATION #================================================= From 2333da82a721e94df1e8503540c1013f1b9de864 Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:55:07 +0000 Subject: [PATCH 3/5] Update nginx.conf --- conf/nginx.conf | 111 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 93 insertions(+), 18 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index c46b37c..4b3a779 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,19 +1,94 @@ -#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; -location __PATH__/ { - - proxy_pass http://127.0.0.1:__PORT__; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; - more_clear_input_headers 'Accept-Encoding'; +set $main_domain "__DOMAIN__"; +set $sandbox_domain "sandbox-__DOMAIN__"; +set $allowed_origins "https://${sandbox_domain}"; +set $api_domain "api.__DOMAIN__"; +set $files_domain "files.__DOMAIN__"; +ssl_ecdh_curve secp384r1; +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +add_header X-XSS-Protection "1; mode=block"; +add_header X-Content-Type-Options nosniff; +add_header Access-Control-Allow-Origin "${allowed_origins}"; +add_header Cross-Origin-Resource-Policy cross-origin; +add_header Cross-Origin-Embedder-Policy require-corp; +root /var/www/cryptpad; +index index.html; +error_page 404 /customize.dist/404.html; +if ($uri ~ ^(\/|.*\/|.*\.html)$) { + set $cacheControl no-cache; } +if ($args ~ ver=) { + set $cacheControl max-age=31536000; +} +add_header Cache-Control $cacheControl; +set $styleSrc "'unsafe-inline' 'self' https://${main_domain}"; +set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}"; +set $fontSrc "'self' data: https://${main_domain}"; +set $imgSrc "'self' data: blob: https://${main_domain}"; +set $frameSrc "'self' https://${sandbox_domain} blob:"; +set $mediaSrc "blob:"; +set $childSrc "https://${main_domain}"; +set $workerSrc "'self'"; +set $scriptSrc "'self' resource: https://${main_domain}"; +set $frameAncestors "'self' https://${main_domain}"; +set $unsafe 0; +if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; } +if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; } +if ($host != $sandbox_domain) { set $unsafe 0; } +if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; } +if ($unsafe) { + set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}"; +} +add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors"; +location ^~ /cryptpad_websocket { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; +} +location ^~ /customize.dist/ { + # This is needed in order to prevent infinite recursion between /customize/ and the root +} +location ^~ /customize/ { + rewrite ^/customize/(.*)$ $1 break; + try_files /customize/$uri /customize.dist/$uri; +} +location ~ ^/api/.*$ { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_hide_header Cross-Origin-Resource-Policy; + add_header Cross-Origin-Resource-Policy cross-origin; + proxy_hide_header Cross-Origin-Embedder-Policy; + add_header Cross-Origin-Embedder-Policy require-corp; +} +location ^~ /blob/ { + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' "${allowed_origins}"; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'application/octet-stream; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; + } + add_header X-Content-Type-Options nosniff; + add_header Cache-Control max-age=31536000; + add_header 'Access-Control-Allow-Origin' "${allowed_origins}"; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; + add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; + try_files $uri =404; +} +location ^~ /block/ { + add_header X-Content-Type-Options nosniff; + add_header Cache-Control max-age=0; + try_files $uri =404; +} +location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ { + rewrite ^(.*)$ $1/ redirect; +} +try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri; From 33c792717190fe77bb9b13781fea2ee4a46868ec Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:55:47 +0000 Subject: [PATCH 4/5] Update config.js --- conf/config.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/config.js b/conf/config.js index e3dd5ad..41b1075 100644 --- a/conf/config.js +++ b/conf/config.js @@ -72,7 +72,7 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - // httpSafeOrigin: "https://some-other-domain.xyz", + httpSafeOrigin: "https://sandbox-__DOMAIN__", /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 @@ -325,4 +325,4 @@ module.exports = { * */ installMethod: 'unspecified', -}; \ No newline at end of file +}; From ce96285397502d20181ea8a934a19148b4975173 Mon Sep 17 00:00:00 2001 From: DDATAA <45762540+Ddataa@users.noreply.github.com> Date: Fri, 14 Oct 2022 20:57:41 +0000 Subject: [PATCH 5/5] Update README.md --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e861781..f59e30d 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,14 @@ CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. ## Configuration -Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator: +Once CryptPad is installed. + +We have created for you the mandatory sandbox domain. +You still need to install the certificate for it. +So first, hit the diagnosis page so we make sure your DNS configuration is correct. +Then, go into your domain SSL configuration to generate your Let's Encrypt certificate. + +Create an account via the Register button on the home page. To make this account an instance administrator: 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key 2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):