From 77bc626b40eedf492107840d9fa552bd7f700380 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sun, 3 Nov 2019 02:58:08 +0100 Subject: [PATCH] Initial commit --- README.copy-userdata-to-new-installation | 9 + README.install | 363 +++++++++++++++++++++++ README.upgrade | 49 +++ nginx_cryptpad.conf.tmpl | 149 ++++++++++ 4 files changed, 570 insertions(+) create mode 100644 README.copy-userdata-to-new-installation create mode 100644 README.install create mode 100644 README.upgrade create mode 100644 nginx_cryptpad.conf.tmpl diff --git a/README.copy-userdata-to-new-installation b/README.copy-userdata-to-new-installation new file mode 100644 index 0000000..bb157a5 --- /dev/null +++ b/README.copy-userdata-to-new-installation @@ -0,0 +1,9 @@ +# ================= +# Copy existing user data to new pad +# ================= + + +backup_date="2019-11-03-0036" + + +cp -a /var/www/cryptpad.BAK.${backup_date}/{blob,blobstage,block,datastore} /var/www/cryptpad/ diff --git a/README.install b/README.install new file mode 100644 index 0000000..645387c --- /dev/null +++ b/README.install 
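Review bot: Nothing in this runbook stops the cryptpad service before the `cp -a` of `blob`, `blobstage`, `block` and `datastore`, so a still-running server can write into `datastore` while the backup is being overlaid on it; a `systemctl stop cryptpad` before the copy and `systemctl start cryptpad` after it, as README.upgrade does around its own steps, avoids that. `backup_date="2019-11-03-0036"` is a one-off value baked into the file; a comment such as `# must match the cryptpad.BAK.<date +%Y-%m-%d-%H%M> suffix created by README.upgrade` would make the dependency explicit.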
@@ -0,0 +1,363 @@ +# ================= +# - Install Cryptad on Debian 9 (stretch) +# ================= + +# - See: +# - https://blog.cavebeat.org/2017/07/cryptpad-installation-on-debian-stretch/ +# - +# - See also: +# - git repository: https://github.com/xwiki-labs/cryptpad +# - installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide +# - + + +# ---------- +# - Pre-requisites +# ---------- + +# - Install curl, git +# - +apt-get install curl git-core + +# - Install Python +# - +apt-get install python-minimal python + +# - Install compiler stuff +# - +# - apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \ +# - make automake autoconf libtool flex bison \ +# - gettext pkg-config gnu-standards \ +# - libssl-dev libreadline-dev libncurses-dev +# - +apt-get install gcc g++ make + + +# --- +# - Install Nginx webservice +# --- + +apt-get install nginx + +# - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits +# - +mkdir /etc/nginx/ssl +openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + +# - Create nginx configuration for CryptPad +# - +cryptpad_url=cpad-01.oopen.de + +cat < cpad-01.oopen.de.conf +# -- $cryptpad_url + +server { + listen 80; + listen [::]:80; + server_name $cryptpad_url; + return 301 https://\$server_name\$request_uri; +} + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name $cryptpad_url; + + ssl_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/$cryptpad_url/privkey.pem; + #ssl_trusted_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem; + + # - Needed for (automated) updating certificate + # - + include snippets/letsencrypt-acme-challenge.conf; + + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + # + # To generate a dhparam.pem file, run in a terminal + # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + # + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + + # 
Eable session resumption to improve https performance + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 10m; + ssl_session_tickets off; + + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE + + # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) + # Everything better than SHA1 (deprecated) + # + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + #add_header X-Frame-Options "SAMEORIGIN"; + + root /var/www/cryptpad; + index index.html; + error_page 404 /customize.dist/404.html; + + if (\$args ~ ver=) { + set \$cacheControl max-age=31536000; + } + # Will not set any header if it is emptystring + # + add_header Cache-Control \$cacheControl; + + + # - Does not work with CKEditor and OnlyOffice + # - + #set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url"; + #set \$scriptSrc "'self' $cryptpad_url"; + #set \$connectSrc "'self' https://$cryptpad_url wss://$cryptpad_url $cryptpad_url https://api.$cryptpad_url blob: $cryptpad_url"; + #set \$fontSrc "'self' data: $cryptpad_url"; + #set \$imgSrc "'self' data: * blob: $cryptpad_url"; + #set \$frameSrc "'self' $cryptpad_url blob: $cryptpad_url"; + #set \$mediaSrc "'self' data: * blob: $cryptpad_url"; + #set \$childSrc "https://$cryptpad_url"; + #set \$workerSrc "https://$cryptpad_url"; + # + #set \$unsafe 0; + #if (\$uri = "/pad/inner.html") { set \$unsafe 1; } + #if (\$uri = "/sheet/inner.html") { set \$unsafe 1; } + #if (\$uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set \$unsafe 1; } + #if (\$host != sandbox.cryptpad.info) { set \$unsafe 0; } + #if (\$unsafe) { + # set 
\$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url"; + #} + + + # - Make CKEditor and OnlyOffice working + # - + # - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity) + # - + set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url"; + set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url"; + set \$connectSrc "'self' ws: wss: $cryptpad_url"; + set \$fontSrc "'self' data: $cryptpad_url"; + set \$imgSrc " * blob:"; + set \$frameSrc "*"; + set \$mediaSrc "'self' data: * blob: $cryptpad_url"; + set \$childSrc *; + set \$workerSrc "https://$cryptpad_url"; + + add_header Content-Security-Policy "default-src 'none'; child-src \$childSrc; worker-src \$workerSrc; media-src \$mediaSrc; style-src \$styleSrc; script-src \$scriptSrc; connect-src \$connectSrc; font-src \$fontSrc; img-src \$imgSrc; frame-src \$frameSrc;"; + + location ^~ /cryptpad_websocket { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + + # WebSocket support (nginx 1.4) + proxy_http_version 1.1; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection upgrade; + } + + location ^~ /customize.dist/ { + # This is needed in order to prevent infinite recursion between /customize/ and the root + } + location ^~ /customize/ { + rewrite ^/customize/(.*)\$ \$1 break; + try_files /customize/\$uri /customize.dist/\$uri; + } + + location = /api/config { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header Host \$host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + } + + location ^~ /blob/ { + add_header Cache-Control max-age=31536000; + try_files \$uri =404; + } + + location ^~ /block/ { + add_header Cache-Control max-age=0; + try_files \$uri =404; + } + + location ^~ /datastore/ { + add_header Cache-Control max-age=0; + try_files \$uri =404; + } + + 
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)\$ { + rewrite ^(.*)\$ \$1/ redirect; + } + + try_files /www/\$uri /www/\$uri/index.html /customize/\$uri; + +} +EOF + + +# --- +# - Install NodeJS v6.x on Debian 9 Stretch +# --- + +# - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for +# - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring +# - +curl -sL https://deb.nodesource.com/setup_6.x | bash - +apt-get update + +# - Install nodejs version 6.x from repository 'deb.nodesource.com' +# - + +# - Tell the apt system to install nodejs from repository deb.nodesource.com +# - +# - You should pin the external source using the origin option to assign a high +# - priority to "the external source" instead of using the release name. +# - +# - e,g: Add the following lines to your /etc/apt/preferences.d/preferences: +# - +# - Package: * +# - Pin: origin deb.nodesource.com +# - Pin-Priority: 1001 +# - +if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then + cat <> /etc/apt/preferences.d/preferences +Package: * +Pin: origin deb.nodesource.com +Pin-Priority: 1001 +EOF +fi + +# - Install nodejs.. +# - +apt-get install nodejs + +# - An alternative possibility: +# - +# - 1. Show versions for nodejs +# - +# - # aptitude versions nodejs +# - +# - output may looks like: +# - +# - i 6.14.4-1nodesource1 500 +# - p 10.15.2~dfsg-2 stable 500 +# - +# - 2. 
install nodejs 6.14.4-1nodesource1 +# - +# - apt-get install nodejs=6.14.4-1nodesource1 +# - ^^^^^^^^^^^^^^^^^^^^^^^^^^ +# - + +# - Test if installation was successfully +# - +node -v +npm -v + + +# --- +# - Install bower +# --- + +# - Install bower (global) +# - +npm install -g bower + + +# --- +# - Install cryptpad +# --- + +cd /var/www + +# - Create needed folders +# - +mkdir /var/www/{.cache,.config,.local,.node-gyp,.npm} +chown www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm} + +# - Get cryptpad +# - +git clone https://github.com/xwiki-labs/cryptpad +chown -R www-data:www-data cryptpad +cd cryptpad + +# - Complete Installation of cryptpad +# - +su www-data -s /bin/bash -c "npm install" + +su www-data -s /bin/bash -c "bower install" + + +# --- +# - Configure CryptPad +# --- + +# - Create configuration file 'config.js'. (Copy the example file) +# - +# - The defaults should be good enough for most cases, but you may want to edit +# - them. We recommend you read over the example file and change the values to +# - fit your needs. +cp -a config/config.example.js config/config.js + +# - Some base configuration +# - +# - adminEmail: 'admin.de', +# - ... +# - myDomain: oopen.de, +# - +perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin@oopen.de',#" /var/www/cryptpad/config/config.js +perl -i -n -p -e"s#(\s*)(myDomain:.*)#\1// \2\n\1myDomain: oopen.de,#" /var/www/cryptpad/config/config.js + + +# - Customizing CryptPad +# - +# - In order allow a variety of features to be changed and to allow site-specific +# - changes to CryptPad apps while still keeping the git repository pristine, this +# - directory exists to allow a set of hooks to be run. +# - +# - The server is configured to load files from the '/customize/' path +# - preferentially from 'cryptpad/customize/', and to fall back to +# - 'cryptpad/customize.dist/' if they are not found. 
+# - +# - If you wish to customize cryptpad, please **copy** +# - '/customize.dist/' to '/customize' and then edit it there, this way you will +# - still be able to pull from (and make pull requests to (!) the git repository. +# - +cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize + +# - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png' +# - +cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png + +# - Run as daemon using systemd +# - +cat << EOF > /etc/systemd/system/cryptpad.service +[Unit] +Description=CryptPad service + +[Service] +User=www-data +Group=www-data + +ExecStart=/usr/bin/node /var/www/cryptpad/server.js +WorkingDirectory=/var/www/cryptpad +Restart=always + +[Install] +WantedBy=multi-user.target +EOF + +systemctl daemon-reload +systemctl enable cryptpad + +# - Start cryptpad +# - +systemctl start cryptpad + diff --git a/README.upgrade b/README.upgrade new file mode 100644 index 0000000..93fd4da --- /dev/null +++ b/README.upgrade @@ -0,0 +1,49 @@ + +# ==================== +# - Upgrading CryptPad +# ==================== + +# - Note! +# - +# - Always read the release notes before upgrading, as there may be changes +# - that require special consideration. + +# - Stop cryptpad +# - +systemctl stop cryptpadsystemctl stop cryptpad + + +# - Backup existing installation +# - +cp -a /var/www/cryptpad /var/www/cryptpad.BAK.$(date +%Y-%m-%d-%H%M) + +# - Change into installation directory +# - +cd /var/www/cryptpad + +# - Update Git repository +# - +su www-data -s /bin/bash -c "git pull" + +# - Update 'npm' +# - +su www-data -s /bin/bash -c "npm update" + +# - Update 'bower' +# - +su www-data -s /bin/bash -c "bower update" + +# - Maybe more updates +# - + ╭─────────────────────────────────────╮ + │ │ + │ Update available 1.8.4 → 1.8.8 │ + │ Run npm i -g bower to update │ + │ │ + ╰─────────────────────────────────────╯ + + +# - Start cryptpad +# - +systemctl start cryptpad + 
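Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the generated server block still enables TLS 1.0 and 1.1, and the `ssl_ciphers` list ends with CBC/SHA1 suites (`ECDHE-RSA-AES256-SHA`, `DHE-RSA-AES128-SHA`, …) although the comment above it says "Everything better than SHA1"; `ssl_protocols TLSv1.2;` and a list trimmed to the GCM suites would match the stated intent, and the same two lines appear in nginx_cryptpad.conf.tmpl. `curl -sL https://deb.nodesource.com/setup_6.x | bash -` runs a remote script as root with no verification; downloading it to a file, reading it and recording its checksum before executing it is the safer runbook step, and the `6.x` line is worth a comment on how long it is expected to receive updates. The `perl -i` edit writes `myDomain: oopen.de,` without quotes; unless the example file's value is itself unquoted (not visible here) that is not valid JavaScript, so it should take the same form as config.example.js, e.g. `myDomain: 'oopen.de',`. `cat < cpad-01.oopen.de.conf` and `cat <> /etc/apt/preferences.d/preferences` look like a mangled `cat << EOF > …` / `cat << EOF >> …`; as written neither creates the file and the following lines would run as shell commands.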
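Review bot: `systemctl stop cryptpadsystemctl stop cryptpad` is two commands fused on one line; as written it addresses a unit named `cryptpadsystemctl` and the real service keeps running while `git pull`, `npm update` and `bower update` rewrite the tree underneath it. It should read `systemctl stop cryptpad`. The "Update available 1.8.4 → 1.8.8" box under "Maybe more updates" is pasted npm output rather than a command; if the intent is to refresh bower globally, spell it out as `npm i -g bower` so the runbook stays executable.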
diff --git a/nginx_cryptpad.conf.tmpl b/nginx_cryptpad.conf.tmpl
new file mode 100644
index 0000000..cf0d752
--- /dev/null
+++ b/nginx_cryptpad.conf.tmpl
@@ -0,0 +1,149 @@ +server { + listen 80; + listen [::]:80; + server_name @cryptpad-url@; + return 301 https://$server_name$request_uri; +} + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name @cryptpad-url@; + + ssl_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/@cryptpad-url@/privkey.pem; + #ssl_trusted_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem; + + # - Needed for (automated) updating certificate + # - + include snippets/letsencrypt-acme-challenge.conf; + + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + # + # To generate a dhparam.pem file, run in a terminal + # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + # + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + + # Eable session resumption to improve https performance + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 10m; + ssl_session_tickets off; + + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE + + # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) + # Everything better than SHA1 (deprecated) + # + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + #add_header X-Frame-Options "SAMEORIGIN"; + + root /var/www/cryptpad; + index index.html; + error_page 404 /customize.dist/404.html; + + if ($args ~ ver=) { + set $cacheControl max-age=31536000; + } + # Will not set any header if it is emptystring + # + add_header Cache-Control $cacheControl; + + + # - Does not work with CKEditor and OnlyOffice + # - + #set $styleSrc "'unsafe-inline' 
'self'"; + #set $scriptSrc "'self' @cryptpad-url@"; + #set $connectSrc "'self' https://@cryptpad-url@ wss://@cryptpad-url@ @cryptpad-url@ https://api.@cryptpad-url@ blob: @cryptpad-url@"; + #set $fontSrc "'self' data: @cryptpad-url@"; + #set $imgSrc "'self' data: * blob: @cryptpad-url@"; + #set $frameSrc "'self' @cryptpad-url@ blob: @cryptpad-url@"; + #set $mediaSrc "'self' data: * blob: @cryptpad-url@"; + #set $childSrc "https://@cryptpad-url@"; + #set $workerSrc "https://@cryptpad-url@"; + # + #set $unsafe 0; + #if ($uri = "/pad/inner.html") { set $unsafe 1; } + #if ($uri = "/sheet/inner.html") { set $unsafe 1; } + #if ($uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set $unsafe 1; } + #if ($host != sandbox.cryptpad.info) { set $unsafe 0; } + #if ($unsafe) { + # set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@"; + #} + + + # - Make CKEditor and OnlyOffice working + # - + # - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity) + # - + set $styleSrc "'unsafe-inline' 'self' @cryptpad-url@"; + set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@"; + set $connectSrc "'self' ws: wss: @cryptpad-url@"; + set $fontSrc "'self' data: @cryptpad-url@"; + set $imgSrc " * blob:"; + set $frameSrc "*"; + set $mediaSrc "'self' data: * blob: @cryptpad-url@"; + set $childSrc *; + set $workerSrc "https://@cryptpad-url@"; + + add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;"; + + location ^~ /cryptpad_websocket { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # WebSocket support (nginx 1.4) + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + 
proxy_set_header Connection upgrade; + } + + location ^~ /customize.dist/ { + # This is needed in order to prevent infinite recursion between /customize/ and the root + } + location ^~ /customize/ { + rewrite ^/customize/(.*)$ $1 break; + try_files /customize/$uri /customize.dist/$uri; + } + + location = /api/config { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location ^~ /blob/ { + add_header Cache-Control max-age=31536000; + try_files $uri =404; + } + + location ^~ /block/ { + add_header Cache-Control max-age=0; + try_files $uri =404; + } + + location ^~ /datastore/ { + add_header Cache-Control max-age=0; + try_files $uri =404; + } + + location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)$ { + rewrite ^(.*)$ $1/ redirect; + } + + try_files /www/$uri /www/$uri/index.html /customize/$uri; + +}
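Review bot: The `location ^~ /blob/`, `/block/` and `/datastore/` blocks each declare their own `add_header Cache-Control …`, and nginx only inherits `add_header` from the enclosing level when the current level defines none, so responses from those locations are sent without the server-level Strict-Transport-Security, X-Content-Type-Options and Content-Security-Policy headers; repeating those `add_header` lines inside each of the three locations (or moving the Cache-Control choice into a `map` at the server level) restores them, and the copy of this block generated by README.install has the same issue. With `#add_header X-Frame-Options "SAMEORIGIN";` commented out and no `frame-ancestors` directive in the policy, nothing restricts which sites may frame this origin; `frame-ancestors 'self';` in the CSP string (or re-enabling X-Frame-Options) is the missing line. The active block also grants `'unsafe-eval' 'unsafe-inline'` in `script-src` and `*` in `frame-src`/`child-src` on every path, whereas the disabled variant above limited them to the editor inner pages and to `sandbox.cryptpad.info`; a comment recording why the broader policy was chosen would help the next reader. `add_header Cache-Control $cacheControl;` reads a variable that is only set inside `if ($args ~ ver=)`, so requests without `ver=` will likely produce nginx's "using uninitialized variable" warning in the error log even though the header is, as the comment says, simply omitted.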