From e43e0376959fbbe1e4fffd32a050c8b1d5b9bf02 Mon Sep 17 00:00:00 2001
From: liberodark
Date: Tue, 6 Nov 2018 07:44:28 +0100
Subject: [PATCH] Add SSL Config
---
 conf/onlyoffice-documentserver.conf | 70 +++++++++++++++++++++++++++++
 scripts/install | 17 +++----
 2 files changed, 79 insertions(+), 8 deletions(-)
 create mode 100644 conf/onlyoffice-documentserver.conf
diff --git a/conf/onlyoffice-documentserver.conf b/conf/onlyoffice-documentserver.conf
new file mode 100644
index 0000000..153d2f7
--- /dev/null
+++ b/conf/onlyoffice-documentserver.conf
@@ -0,0 +1,70 @@
+include /etc/nginx/includes/onlyoffice-http.conf;
+
+## Normal HTTP host
+server {
+ listen 0.0.0.0:80;
+ listen [::]:80 default_server;
+ server_name _;
+ server_tokens off;
+
+ ## Redirects all traffic to the HTTPS host
+ root /nowhere; ## root doesn't have to be a valid path since we are redirecting
+ rewrite ^ https://$host$request_uri? permanent;
+}
+
+#HTTP host for internal services
+server {
+ listen 127.0.0.1:80;
+ listen [::1]:80;
+ server_name localhost;
+ server_tokens off;
+
+ include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
+ include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
+}
+
+## HTTPS host
+server {
+ listen 0.0.0.0:443 ssl;
+ listen [::]:443 ssl default_server;
+ server_tokens off;
+ root /usr/share/nginx/html;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ssl on;
+ ssl_certificate {{SSL_CERTIFICATE_PATH}};
+ ssl_certificate_key {{SSL_KEY_PATH}};
+ ssl_verify_client off;
+
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security max-age=31536000;
+ # add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 10s;
+
+ ## [Optional] Generate a stronger DHE parameter:
+ ## cd /etc/ssl/certs
+ ## sudo openssl dhparam -out dhparam.pem 4096
+ ##
+ # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
+
+}
diff --git a/scripts/install b/scripts/install
index 5863ccc..09ae05f 100644
--- a/scripts/install
+++ b/scripts/install
@@ -153,10 +153,11 @@ ynh_system_user_create $app
 #=================================================
 # MODIFY A CONFIG FILE
 #=================================================
-cp -a ../conf/loolwsd.xml /etc/loolwsd
-ynh_replace_string "__NEXTCLOUDDOMAIN__" "$nextcloud_domain" "/etc/loolwsd/loolwsd.xml"
-ynh_replace_string "__PASSWORD__" "$password" "/etc/loolwsd/loolwsd.xml"
-systemctl start loolwsd
+systemctl stop nginx
+cp -a ../conf/onlyoffice-documentserver.conf /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf
+#ynh_replace_string "__NEXTCLOUDDOMAIN__" "$nextcloud_domain" "/etc/loolwsd/loolwsd.xml"
+#ynh_replace_string "__PASSWORD__" "$password" "/etc/loolwsd/loolwsd.xml"
+#systemctl start loolwsd
 #=================================================
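Review bot: The HTTPS server block still enables TLS 1.0 and 1.1 in `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`; both are deprecated and are flagged by any TLS scan, so the line should read `ssl_protocols TLSv1.2;` (append TLSv1.3 if the target nginx/OpenSSL build supports it). `ssl on;` duplicates the `ssl` flag already given on both `listen` lines of that block and is deprecated in current nginx releases, so it can be dropped. The three `add_header` directives are only inherited by locations in the included `onlyoffice-documentserver-*.conf` fragments if those fragments declare no `add_header` of their own — worth confirming, because otherwise the HSTS and nosniff headers silently vanish on exactly the locations that serve the application. `ssl_session_cache builtin:1000 shared:SSL:10m;` mixes the per-worker builtin cache with the shared one; `ssl_session_cache shared:SSL:10m;` alone is the usual form.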
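Review bot: `cp -a ../conf/onlyoffice-documentserver.conf /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf` installs the template verbatim, yet that file carries `{{SSL_CERTIFICATE_PATH}}` and `{{SSL_KEY_PATH}}` placeholders and the substitution lines in this hunk are commented out, so unless something outside this hunk fills them in nginx will reject the file and the `systemctl start nginx` at the end of the script fails. Add one substitution per placeholder directly after the copy, e.g. `ynh_replace_string "{{SSL_CERTIFICATE_PATH}}" "<path to the certificate>" "/etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf"` and the same for the key, then check the result with `nginx -t` before relying on it. The target directory is also assumed to exist; a guard (`mkdir -p` or an explicit check) before the copy would give a clearer failure than a cryptic `cp` error. The commented-out `loolwsd` lines here and in the later hunks of this file are dead code now that the script no longer manages loolwsd; delete them rather than leaving them commented.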
@@ -168,7 +169,7 @@ systemctl start loolwsd
 ### you can make a backup of this file before modifying it again if the admin had modified it.
 # Calculate and store the config file checksum into the app settings
-ynh_store_file_checksum "/etc/loolwsd/loolwsd.xml"
+ynh_store_file_checksum "/etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf"
 #=================================================
@@ -182,7 +183,7 @@ ynh_store_file_checksum "/etc/loolwsd/loolwsd.xml"
 ### that really need such authorization.
 # Set permissions to app files
-chown -R root: /etc/loolwsd
+#chown -R root: /etc/loolwsd
 #=================================================
@@ -193,6 +194,6 @@ chown -R root: /etc/loolwsd
 ynh_app_setting_set $app unprotected_uris "/"
 # Reload services
-systemctl restart loolwsd
-systemctl reload nginx
+#systemctl restart loolwsd
+systemctl start nginx
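Review bot: Replacing `systemctl reload nginx` with `systemctl start nginx` pairs with the `systemctl stop nginx` added earlier in this file, which takes every site served by this nginx offline for the remainder of the install, and if nginx rejects the new configuration the host stays down rather than keeping the previous working config. Keep nginx running instead: drop the stop, copy the file, run `nginx -t` and only then `systemctl reload nginx`, so a bad config is reported without an outage. Commenting out `chown -R root: /etc/loolwsd` in the previous hunk without a replacement leaves the installed config with whatever ownership and mode `cp -a` preserved from the package's conf directory; if the file is meant to be root-owned, add an explicit `chown root:` and `chmod` on the new path.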