cryptpad_ynh/conf/nginx.conf

    set $main_domain "__DOMAIN__";
    set $sandbox_domain "__SANDBOX_DOMAIN__";

    set $allowed_origins "*";
    # set $allowed_origins "https://${sandbox_domain}";

    set $api_domain "api.__DOMAIN__";
    set $files_domain "files.__DOMAIN__";

    server_name __DOMAIN__ __SANDBOX_DOMAIN__;


    # https://cipherli.st/
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Access-Control-Allow-Origin "${allowed_origins}";
    # add_header X-Frame-Options "SAMEORIGIN";

    # Enable SharedArrayBuffer in Firefox (for .xlsx export)
    add_header Cross-Origin-Resource-Policy cross-origin;
    add_header Cross-Origin-Embedder-Policy require-corp;

    # Insert the path to your CryptPad repository root here
    root /home/cryptpad/cryptpad;
    index index.html;
    error_page 404 /customize.dist/404.html;

    # any static assets loaded with "ver=" in their URL will be cached for a year
    if ($args ~ ver=) {
        set $cacheControl max-age=31536000;
    }
    if ($uri ~ ^/.*(\/|\.html)$) {
        set $cacheControl no-cache;
    }
    # Will not set any header if it is emptystring
    add_header Cache-Control $cacheControl;

    set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";
    set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
    set $fontSrc    "'self' data: https://${main_domain}";
    set $imgSrc     "'self' data: blob: https://${main_domain}";
    set $frameSrc   "'self' https://${sandbox_domain} blob:";
    set $mediaSrc   "blob:";
    set $childSrc   "https://${main_domain}";
    set $workerSrc  "'self'";
    set $scriptSrc  "'self' resource: https://${main_domain}";


    set $frameAncestors "'self' https://${main_domain}";
    # set $frameAncestors "'self' https: vector:";

    set $unsafe 0;

    if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
    if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
    if ($host != $sandbox_domain) { set $unsafe 0; }
    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
    if ($unsafe) {
        set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
    }

location ^~ / {

    proxy_pass http://127.0.0.1:__PORT__;
    proxy_redirect    off;
    proxy_set_header  Host $host;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Host $server_name;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Include SSOWAT user panel.
    include conf.d/yunohost_panel.conf.inc;
    more_clear_input_headers 'Accept-Encoding';
}

    location ^~ /cryptpad_websocket {
        proxy_pass http://localhost:__PORT__;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support (nginx 1.4)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }