From cffe6dd69e06fc64b68558f14c23e35d6f4e597b Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 22 Sep 2022 14:32:29 +0200 Subject: [PATCH] update documentation.. --- .nginx_cryptpad.conf.tmpl.swp | Bin 0 -> 16384 bytes README.copy-userdata-to-new-installation | 2 +- README.install | 309 +----------------- nginx_cryptpad.conf.tmpl | 390 ++++++++++++++++------- nginx_cryptpad.conf.tmpl.00 | 149 +++++++++ 5 files changed, 440 insertions(+), 410 deletions(-) create mode 100644 .nginx_cryptpad.conf.tmpl.swp create mode 100644 nginx_cryptpad.conf.tmpl.00 diff --git a/.nginx_cryptpad.conf.tmpl.swp b/.nginx_cryptpad.conf.tmpl.swp new file mode 100644 index 0000000000000000000000000000000000000000..e6e3ccd03f820f5e96d7ee7fd478fdc40bb6d99e GIT binary patch literal 16384 zcmeHOTZklA87`A(jOIqXK!hY`yPM4H+C4pcFf5@z zqavtO!#6!$b*|rkKV98k{K)bNc5q>zhu4js_qU^U|HYdQUh(yZJWolP(dEm%{Is#S z_i~MJznN>*jHJ(_rdEE_SA#T5dC*L{VY1ySJ}&q&=`3V%8tq`nvPsE6$-qt+$g@u4 z;B}k(_w8Mz=GDqB_O6>Ycha+LQ!-F8P%=<5P%=<5P%=<5P%=<5@PEQUmR{w30(-f_ z?PtZkzh&nAP50vN`s&R6H{AVu-1TqG+`rO&KIY#4I&>N(M>>N(M>> zN(M>>N(M>>N(M>>N(TM|4Di774q@CcP{EJy|BL$nPd9kpAAv6cPXXJ&oxm&Cd)}{s zUjaV@ehfShJOQ+Thk=KHYk?nJ=XnWmEAZmAXbb!Zcn0_^@EPEK;A-G|@ASM+19t$| z0N;3r=e2>Gf!D7=Kj4Qz7kDr5lec@`7lF?M9|EofUc1`!o&%l*eBeglg|~TL3hV;D z`&Q43fuq1}z^%XwS9#v2fKLJ+1pa`7ipPNi!0&J<@)h8IU>P_FybpLc@GAIv1$YK{ z8h8RA4(a{hcrm=HtTB3d=7RYfCVrF$g6SkoQ<3Rrgg+uNk4-eVAB%?H<547%t}u^K z+%?g+%2tF3M8G;yv3Z_nGUk~GcC$PUcorsI<_ndDozTbSseZe5u`toNiO%f-^Uvk& zobB3W+e|LhT+upeWh&Qb-I^GYHMcmP{0Q64K=cNIqPd%NUpMbA9{XtID!RLgEriKJ zDq_2O8gF8p);TfQ`Bbt5pI1k7C2_^&Ou-SyoIY)Lbn`@K5d zo{J)uK&~`)S0sXXWt?fu7YVk$e*8kIvgH$Nt0y;>RyGb{1EFU0uua%y_%BQ{k&upH zGzfePLum~aGn>FxBf)jXvc4>~=~n;I>4mHdH0lYKau9-{%r+)usLkde7tMM?3D4>c z&8J!kj|H37i1Ejkp~nb|iG2X|t*k zbv>>EU&6A?QVSVQE-quWPKd58dy`da=Sf=b<6{-4teCaN)9})*stklNpC_ynLdu{@ zi}B)^5*@IT_+)M(l6}%8qEm@TZ1E&xX~cb@9rw!}v)@40sS(T*!?q!~faGX2%@=7F zO6Vj+!IJ?~IrhQ&z0mKmHlD>gM;eeo9g9Xv#1d-cXed;4G!fC9W5t-jIE$cYNh=_I zvMZn^Ymz1wQJdh(tvj^qb__tdMp_$lANC?>oJ3}<2mOaG!>=)E`Y4)R>0({v&n$&$ zu2QM7H?);~ZFs?+V+ln@i`WnVtw^~slVTn-cLc*x44%;WzG4@~3<8EB)VOEC4BI3_ zyO0Prk2UGM?b_{jTRuWhyRGqHPP1SDMGt*q9wwKu`Mzjth=MFf@eaJOu@UFnNfRR3 z*1N5#RE>7m%r4<&r3&%%oMx3?mZkbovspV|*oj@hw006VlfCvh-K|2wjNEmYfy0iH zvGZ*vIJkwH%f?C!GsMOFD#yrN#3s<51|ap)OlDCZHRpE8N8C^>wzDM-;c(VH9Qq z@^!_2VJ6@($r^}BkX2AnxH01|3jqgV$2d--P8mN(PLTX1?+RM!#ITMi5?dzxUJ^c< z6O#b443ilTqjoDu`?x;a{V_-Ed*)q|=)xJ$&fEf&C20A0w}}&xTibd*+U3JrO(aRUtrZDpfMbO*k`7 zREbCPP{9Ex*&+Ru36J2N(^M*orO0UzYamAMBW2)-jU&5R=qNWP_7EXNke1KWg6!TD zc>t2)3bgYPlC>lYK#t~uCC9Y6i4g@UW;_xT-7*SL1YW494WA|*%MqezHcC1e?@~@l zA(C7lsqNHoFgD{7`yukJ;?4pyzN_%crk75Z5;AeDmU7UN>oJ$U&QdVafbk028XWv)cvd5@81E0N_Y zVfz>N8flssWrb$)y&6df%RpKe8bMFo8z+CpE1BDqT5@o4@)CU-X@ggN%R3-Et!cr_*yJ9Od8E3(rugJ7J|%MLj1 zj5Z8~SFh3LI`qA2%u`k)ZEE!-gixbz70fE$1{ z)b&rIj@Lj8M8GY;&r!#3180Eu18<_1e-(HIcp3OIa1^)&cmp;4OTf2*XMt}50(cMb z7u5Gx0KY+P|4ZN(z*9gCr~Q!5fCj*2C%33G~Yg1h#wnyb%AgMCzQh-es z?2@e%XbVd8k)8;4W`1GM?i#D@ZQ@dZu;^!YGWt=D@hXqAGtGG=x)h4lFp}`>L!_5< zM5KpA)KM6SAth)-B>S0YOH|WC66r9;6nsd5mp-{5tB08kq-l_b zlpziS(ayWWb3AEt%+(Vj8@l*BPv3c^qk2h*YwP zP21Ga#!8X`QVq@yEFN&7R)?s6pm{-n2uWoeGFr6K5!XF8=LY1K*j&MdsUE_qmZ*~3 zc^G9442jkEK_GRtl{yycl1M95gf-d$y{coKG)j0FtFhuVcd?X~%|qD{6xE_}1Zj?v z5%R(91`@)qte0!7ABl*qbtwID5wJ-9Ox)~; zNU0>5q1mO)c1IPiql*$x83{DPjxh{Wz!XwN6<_zv9&8$8&ncitThKL=fba?0WzmOqi%tRb%8dPG|2rkLiPRXKGO|(62NX2B04Mgt7syk~*Bo1jiof+FAdd*g* zskONvaf@1ks!Yf#AezKr4r!u}!8a3$%)2;GGiQ$3=)eoL7l^1EWklZMBbzN`0WSeL zq|a za5Rmv@-QJW7`HpejIW?NME|P-nOicYWud=~d$;MJr*X{ISaWRdo|TO{Bw^gLy;^@j zh_ta3K|ku7P{YO&&POveI%$(l5j0LAU#>5A8Yd)5#}F6R5fVgw%2euPGKF+UA5Nm^ z7j^r$XmA|I?pbecY@&em4f@ppA?V|jID{hy&> z)tq0=(UGe2E5(skad0(ba#I2t`Lg|cKd}Ff#YN}RX1eUeN~z1(wbCb7x9ppAs&su) zvNPgm6Z2oJDLD$THW6@|5>-eB+foQ^chRAeLdZRAey}$|G#>NELVK!Ij{caaCry?pmXM61N$3By; zTfZE}&f%I9i%~qVk-&ca!Ulq?SqD0yiAR*wx?wlbxR*{2asJe>$5GH^a|Y7zrAo&h z3h{J%(CQ(ij?#on3^ML_u~|`2dtYYOnL)<=+|iuNMNJNDzF#O# z+9*juFhfd!&=ce~n-lhX5>kLF1ylsYBAG3+D*MIV%F*SO(}sNtc1vr^HpDr`slQz} zdKYA!Zr}igay5hw{Ksmx1+lZ;a%mh++VS6b6Bi6}%#{9g0C0&$6t#HNSYBgLJvyXs mVUi0*rIN`Uu;4oY(!YpCJ+y!12}U|eDL%fXYA)=dbolQRqS{9Q literal 0 HcmV?d00001 diff --git a/README.copy-userdata-to-new-installation b/README.copy-userdata-to-new-installation index bb157a5..e9719cb 100644 --- a/README.copy-userdata-to-new-installation +++ b/README.copy-userdata-to-new-installation @@ -3,7 +3,7 @@ # ================= -backup_date="2019-11-03-0036" +backup_date="2022-09-22-1001" cp -a /var/www/cryptpad.BAK.${backup_date}/{blob,blobstage,block,datastore} /var/www/cryptpad/ diff --git a/README.install b/README.install index 2f43241..78bf6c4 100644 --- a/README.install +++ b/README.install @@ -61,305 +61,13 @@ apt-get install nginx mkdir /etc/nginx/ssl openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + +# ---------- # - Create nginx configuration for CryptPad # - - -cat < /etc/nginx/sites-available/${vhost_config_file} - -# we want restrict authentication to cryptpad sandbox urls "$cryptpad_sandbox_url" -# -#map \$http_host \$auth_type { -# default "off"; #This will turn off auth-basic -# $cryptpad_sandbox_url "Restricted"; #This or any other string will turn it back on -#} - -server { - listen 80; - listen [::]:80; - server_name $cryptpad_url; - return 301 https://\$server_name\$request_uri; -} - -server { - - listen 443 ssl http2; - listen [::]:443 ssl http2; - - # CryptPad serves static assets over these two domains. - # \`main_domain\` is what users will enter in their address bar. - # Privileged computation such as key management is handled in this scope - # UI content is loaded via the \`sandbox_domain\`. - # "Content Security Policy" headers prevent content loaded via the sandbox - # from accessing privileged information. - # These variables must be different to take advantage of CryptPad's sandboxing techniques. - # In the event of an XSS vulnerability in CryptPad's front-end code - # this will limit the amount of information accessible to attackers. - set \$main_domain "$cryptpad_url"; - set \$sandbox_domain "$cryptpad_sandbox_url"; - - # CryptPad's dynamic content (websocket traffic and encrypted blobs) - # can be served over separate domains. Using dedicated domains (or subdomains) - # for these purposes allows you to move them to a separate machine at a later date - # if you find that a single machine cannot handle all of your users. - # If you don't use dedicated domains, this can be the same as $main_domain - # If you do, they'll be added as exceptions to any rules which block connections to remote domains. - set \$api_domain "$cryptpad_url"; - set \$files_domain "$cryptpad_url"; -EOF - -if [[ "$cryptpad_url" = "$cryptpad_sandbox_url" ]]; then - cat <> /etc/nginx/sites-available/${vhost_config_file} - - server_name $cryptpad_url; -EOF -else - cat <> /etc/nginx/sites-available/${vhost_config_file} - - server_name $cryptpad_url $cryptpad_sandbox_url; -EOF -fi - -cat <> /etc/nginx/sites-available/${vhost_config_file} - - ssl_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/$cryptpad_url/privkey.pem; - ssl_trusted_certificate /var/lib/dehydrated/certs/$cryptpad_url/chain.pem; - - # - Needed for (automated) updating certificate - # - - include snippets/letsencrypt-acme-challenge.conf; - - - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - # - # To generate a dhparam.pem file, run in a terminal - # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 - # - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - # Speeds things up a little bit when resuming a session - ssl_session_timeout 5m; - ssl_session_cache shared:SSL_CP:5m; - - # You'll need nginx 1.13.0 or better to support TLSv1.3 - ssl_protocols TLSv1.2 TLSv1.3; - - ssl_ciphers EECDH+AESGCM:EDH+AESGCM; - - ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options nosniff; - add_header Access-Control-Allow-Origin "*"; - # add_header X-Frame-Options "SAMEORIGIN"; - - # Nginx Bad Bot Blocker Includes - #include /etc/nginx/bots.d/ddos.conf; - #include /etc/nginx/bots.d/blockbots.conf; - - #if (\$allowed_country = no) { - # set \$blockreason '[geo_blocked]'; - # return 403; - #} - - #if ( \$bad_querystring !~* "\[OK\]" ) { - # set \$blockreason \$bad_querystring; - # return 403; - #} - - #if ( \$bad_request !~* "\[OK\]" ) { - # set \$blockreason \$bad_request; - # return 403; - #} - - #if ( \$bad_request_method !~* "\[OK\]" ) { - # set \$blockreason \$bad_request_method; - # return 403; - #} - # End Bad Bot Blocker Includes - - # Opt out of Google's FLoC Network - add_header Permissions-Policy interest-cohort=(); -EOF - -cat <> /etc/nginx/sites-available/${vhost_config_file} - - set \$coop ''; - #if (\$uri ~ ^\/(sheet|presentation|doc|convert)\/.*\$) { set \$coop 'same-origin'; } - - # Enable SharedArrayBuffer in Firefox (for .xlsx export) - add_header Cross-Origin-Resource-Policy cross-origin; - add_header Cross-Origin-Opener-Policy \$coop; - add_header Cross-Origin-Embedder-Policy require-corp; - - # Insert the path to your CryptPad repository root here - root /var/www/cryptpad; - index index.html; - error_page 404 /customize.dist/404.html; - - # any static assets loaded with "ver=" in their URL will be cached for a year - if (\$args ~ ver=) { - set \$cacheControl max-age=31536000; - } - if (\$uri ~ ^/.*(\/|\.html)\$) { - set \$cacheControl no-cache; - } - # Will not set any header if it is emptystring - add_header Cache-Control \$cacheControl; - - # CSS can be dynamically set inline, loaded from the same domain, or from \$main_domain - set \$styleSrc "'unsafe-inline' 'self' \${main_domain}"; - - # connect-src restricts URLs which can be loaded using script interfaces - set \$connectSrc "'self' https://\${main_domain} \${main_domain} https://\${api_domain} blob: wss://\${api_domain} \${api_domain} \${files_domain} https://\${sandbox_domain}"; - - # fonts can be loaded from data-URLs or the main domain - set \$fontSrc "'self' data: \${main_domain}"; - - # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking - set \$imgSrc "'self' data: * blob: \${main_domain}"; - - # frame-src specifies valid sources for nested browsing contexts. - # this prevents loading any iframes from anywhere other than the sandbox domain - set \$frameSrc "'self' \${sandbox_domain} blob:"; - - # specifies valid sources for loading media using video or audio - set \$mediaSrc "'self' data: * blob: \${main_domain}"; - - # defines valid sources for webworkers and nested browser contexts - # deprecated in favour of worker-src and frame-src - set \$childSrc "https://\${main_domain}"; - - # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. - # supercedes child-src but is unfortunately not yet universally supported. - set \$workerSrc "https://\${main_domain}"; - - # script-src specifies valid sources for javascript, including inline handlers - set \$scriptSrc "'self' resource: \${main_domain}"; - - set \$unsafe 0; - # the following assets are loaded via the sandbox domain - # they unfortunately still require exceptions to the sandboxing to work correctly. - if (\$uri ~ ^\/(sheet|doc|presentation)\/inner.html.*\$) { set \$unsafe 1; } - if (\$uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*\$) { set \$unsafe 1; } - - # everything except the sandbox domain is a privileged scope, as they might be used to handle keys - if (\$host != \$sandbox_domain) { set \$unsafe 0; } - # this iframe is an exception. Office file formats are converted outside of the sandboxed scope - # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable - # the use of some modern APIs that we require when javascript is run in a cross-origin context. - # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope - if (\$uri ~ ^\/unsafeiframe\/inner\.html.*\$) { set \$unsafe 1; } -EOF - -cat <> /etc/nginx/sites-available/${vhost_config_file} - - # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied - if (\$unsafe) { - set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: \${main_domain}"; - } - - # Finally, set all the rules you composed above. - add_header Content-Security-Policy "default-src 'none'; child-src \$childSrc; worker-src \$workerSrc; media-src \$mediaSrc; style-src \$styleSrc; script-src \$scriptSrc; connect-src \$connectSrc; font-src \$fontSrc; img-src \$imgSrc; frame-src \$frameSrc;"; - - # The nodejs process can handle all traffic whether accessed over websocket or as static assets - # We prefer to serve static content from nginx directly and to leave the API server to handle - # the dynamic content that only it can manage. This is primarily an optimization - location ^~ /cryptpad_websocket { - proxy_pass http://localhost:3000; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header Host \$host; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - - # WebSocket support (nginx 1.4) - proxy_http_version 1.1; - proxy_set_header Upgrade \$http_upgrade; - proxy_set_header Connection upgrade; - } - - location ^~ /customize.dist/ { - # This is needed in order to prevent infinite recursion between /customize/ and the root - } - # try to load customizeable content via /customize/ and fall back to the default content - # located at /customize.dist/ - # This is what allows you to override behaviour. - location ^~ /customize/ { - rewrite ^/customize/(.*)\$ \$1 break; - try_files /customize/\$uri /customize.dist/\$uri; - } - - # /api/config is loaded once per page load and is used to retrieve - # the caching variable which is applied to every other resource - # which is loaded during that session. - location ~ ^/api/(config|broadcast).*\$ { - proxy_pass http://localhost:3000; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header Host \$host; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - - # These settings prevent both NGINX and the API server - # from setting the same headers and creating duplicates - proxy_hide_header Cross-Origin-Resource-Policy; - add_header Cross-Origin-Resource-Policy cross-origin; - proxy_hide_header Cross-Origin-Embedder-Policy; - add_header Cross-Origin-Embedder-Policy require-corp; - } - - # encrypted blobs are immutable and are thus cached for a year - location ^~ /blob/ { - if (\$request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'application/octet-stream; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - add_header Cache-Control max-age=31536000; - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; - add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; - try_files \$uri =404; - } -EOF - -cat <> /etc/nginx/sites-available/${vhost_config_file} - - # the "block-store" serves encrypted payloads containing users' drive keys - # these payloads are unlocked via login credentials. They are mutable - # and are thus never cached. They're small enough that it doesn't matter, in any case. - location ^~ /block/ { - add_header Cache-Control max-age=0; - try_files \$uri =404; - } - - # This block provides an alternative means of loading content - # otherwise only served via websocket. This is solely for debugging purposes, - # and is thus not allowed by default. - #location ^~ /datastore/ { - #add_header Cache-Control max-age=0; - #try_files \$uri =404; - #} - - # The nodejs server has some built-in forwarding rules to prevent - # URLs like /pad from resulting in a 404. This simply adds a trailing slash - # to a variety of applications. - location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert)\$ { - rewrite ^(.*)\$ \$1/ redirect; - } - - # Finally, serve anything the above exceptions don't govern. - try_files /www/\$uri /www/\$uri/index.html /customize/\$uri; - - # Only authenticated users - # - #auth_basic "\$auth_type"; - #auth_basic_user_file /etc/nginx/.htpasswd-${cryptpad_url%%.*}; -} -EOF +# - see: https://github.com/xwiki-labs/cryptpad/blob/main/docs/example.nginx.conf +# - +# ---------- # --- @@ -604,3 +312,10 @@ systemctl start cryptpad # # https://${cryptpad_url}/checkup/ +# Maybe the the 'checkup' script recommends to run: +# +# npm run build +# +# we have to do this under the webservice user www-data +# +su www-data -s /bin/bash -c "npm run build" diff --git a/nginx_cryptpad.conf.tmpl b/nginx_cryptpad.conf.tmpl index cf0d752..84f1a22 100644 --- a/nginx_cryptpad.conf.tmpl +++ b/nginx_cryptpad.conf.tmpl @@ -1,149 +1,315 @@ +# -- cpad-01.oopen.de + +# we want restrict authentication to cryptpad sandbox urls "cpadsb-01.oopen.de" +# +#map $http_host $auth_type { +# default "off"; #This will turn off auth-basic +# cpadsb-01.oopen.de "Restricted"; #This or any other string will turn it back on +#} + server { listen 80; listen [::]:80; - server_name @cryptpad-url@; + server_name cpad-01.oopen.de; return 301 https://$server_name$request_uri; } +# This file is included strictly as an example of how Nginx can be configured +# to work with CryptPad. This example WILL NOT WORK AS IS. For best results, +# compare the sections of this configuration file against a working CryptPad +# installation (http server by the Nodejs process). If you are using CryptPad +# in production and require professional support please contact sales@cryptpad.fr server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name @cryptpad-url@; + # CryptPad serves static assets over these two domains. + # `main_domain` is what users will enter in their address bar. + # Privileged computation such as key management is handled in this scope + # UI content is loaded via the `sandbox_domain`. + # "Content Security Policy" headers prevent content loaded via the sandbox + # from accessing privileged information. + # These variables must be different to take advantage of CryptPad's sandboxing techniques. + # In the event of an XSS vulnerability in CryptPad's front-end code + # this will limit the amount of information accessible to attackers. + set $main_domain "cpad-01.oopen.de"; + set $sandbox_domain "cpadsb-01.oopen.de"; - ssl_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certs/@cryptpad-url@/privkey.pem; - #ssl_trusted_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem; + # By default CryptPad allows remote domains to embed CryptPad documents in iframes. + # This behaviour can be blocked by changing $allowed_origins from "*" to the + # sandbox domain, which must be permitted to load content from the main domain + # in order for CryptPad to work as expected. + # + # An example is given below which can be uncommented if you want to block + # remote sites from including content from your server + set $allowed_origins "*"; + # set $allowed_origins "https://${sandbox_domain}"; - # - Needed for (automated) updating certificate - # - - include snippets/letsencrypt-acme-challenge.conf; + # CryptPad's dynamic content (websocket traffic and encrypted blobs) + # can be served over separate domains. Using dedicated domains (or subdomains) + # for these purposes allows you to move them to a separate machine at a later date + # if you find that a single machine cannot handle all of your users. + # If you don't use dedicated domains, this can be the same as $main_domain + # If you do, they can be added as exceptions to any rules which block connections to remote domains. + # You can find these variables referenced below in the relevant places + set $api_domain "${main_domain}"; + set $files_domain "${main_domain}"; + # nginx doesn't let you set server_name via variables, so you need to hardcode your domains here + server_name cpad-01.oopen.de cpadsb-01.oopen.de; - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - # - # To generate a dhparam.pem file, run in a terminal - # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 - # - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + # You'll need to Set the path to your certificates and keys here + # IMPORTANT: this config is intended to serve assets for at least two domains + # (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate + # that includes both domains in order for things to work as expected. + ssl_certificate /var/lib/dehydrated/certs/cpad-01.oopen.de/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/cpad-01.oopen.de/privkey.pem; + ssl_trusted_certificate /var/lib/dehydrated/certs/cpad-01.oopen.de/chain.pem; + # ---------- + # !! inserted by ckubu !! + # + # Needed for (automated) updating certificate + # + include snippets/letsencrypt-acme-challenge.conf; + # + # ---------- - # Eable session resumption to improve https performance - ssl_session_cache shared:SSL:50m; - ssl_session_timeout 10m; - ssl_session_tickets off; + # diffie-hellman parameters are used to negotiate keys for your session + # generate strong parameters using the following command + #! ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + # Speeds things up a little bit when resuming a session + ssl_session_timeout 5m; + #ssl_session_cache shared:SSL:5m; + ssl_session_cache shared:SSL_CP:5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE + # You'll need nginx 1.13.0 or better to support TLSv1.3 + ssl_protocols TLSv1.2 TLSv1.3; - # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) - # Everything better than SHA1 (deprecated) - # - ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; - ssl_prefer_server_ciphers on; + # https://cipherli.st/ + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 - add_header Strict-Transport-Security "max-age=31536000" always; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options nosniff; - #add_header X-Frame-Options "SAMEORIGIN"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Access-Control-Allow-Origin "${allowed_origins}"; + # add_header X-Frame-Options "SAMEORIGIN"; - root /var/www/cryptpad; - index index.html; - error_page 404 /customize.dist/404.html; + # ---------- + # !! included by ckubu !! + # + # Nginx Bad Bot Blocker Includes + # + #include /etc/nginx/bots.d/ddos.conf; + #include /etc/nginx/bots.d/blockbots.conf; - if ($args ~ ver=) { - set $cacheControl max-age=31536000; - } - # Will not set any header if it is emptystring - # - add_header Cache-Control $cacheControl; + #if ($allowed_country = no) { + # set $blockreason '[geo_blocked]'; + # return 403; + #} + #if ( $bad_querystring !~* "\[OK\]" ) { + # set $blockreason $bad_querystring; + # return 403; + #} - # - Does not work with CKEditor and OnlyOffice - # - - #set $styleSrc "'unsafe-inline' 'self'"; - #set $scriptSrc "'self' @cryptpad-url@"; - #set $connectSrc "'self' https://@cryptpad-url@ wss://@cryptpad-url@ @cryptpad-url@ https://api.@cryptpad-url@ blob: @cryptpad-url@"; - #set $fontSrc "'self' data: @cryptpad-url@"; - #set $imgSrc "'self' data: * blob: @cryptpad-url@"; - #set $frameSrc "'self' @cryptpad-url@ blob: @cryptpad-url@"; - #set $mediaSrc "'self' data: * blob: @cryptpad-url@"; - #set $childSrc "https://@cryptpad-url@"; - #set $workerSrc "https://@cryptpad-url@"; - # - #set $unsafe 0; - #if ($uri = "/pad/inner.html") { set $unsafe 1; } - #if ($uri = "/sheet/inner.html") { set $unsafe 1; } - #if ($uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set $unsafe 1; } - #if ($host != sandbox.cryptpad.info) { set $unsafe 0; } - #if ($unsafe) { - # set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@"; - #} + #if ( $bad_request !~* "\[OK\]" ) { + # set $blockreason $bad_request; + # return 403; + #} + #if ( $bad_request_method !~* "\[OK\]" ) { + # set $blockreason $bad_request_method; + # return 403; + #} + # End Bad Bot Blocker Includes + # ---------- - # - Make CKEditor and OnlyOffice working - # - - # - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity) - # - - set $styleSrc "'unsafe-inline' 'self' @cryptpad-url@"; - set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@"; - set $connectSrc "'self' ws: wss: @cryptpad-url@"; - set $fontSrc "'self' data: @cryptpad-url@"; - set $imgSrc " * blob:"; - set $frameSrc "*"; - set $mediaSrc "'self' data: * blob: @cryptpad-url@"; - set $childSrc *; - set $workerSrc "https://@cryptpad-url@"; + # Opt out of Google's FLoC Network + add_header Permissions-Policy interest-cohort=(); - add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;"; + # Enable SharedArrayBuffer in Firefox (for .xlsx export) + add_header Cross-Origin-Resource-Policy cross-origin; + add_header Cross-Origin-Embedder-Policy require-corp; - location ^~ /cryptpad_websocket { - proxy_pass http://localhost:3000; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # Insert the path to your CryptPad repository root here + root /var/www/cryptpad; + index index.html; + error_page 404 /customize.dist/404.html; - # WebSocket support (nginx 1.4) - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection upgrade; - } + # any static assets loaded with "ver=" in their URL will be cached for a year + if ($uri ~ ^(\/|.*\/|.*\.html)$) { + set $cacheControl no-cache; + } + if ($args ~ ver=) { + set $cacheControl max-age=31536000; + } + # Will not set any header if it is emptystring + add_header Cache-Control $cacheControl; - location ^~ /customize.dist/ { - # This is needed in order to prevent infinite recursion between /customize/ and the root - } - location ^~ /customize/ { - rewrite ^/customize/(.*)$ $1 break; - try_files /customize/$uri /customize.dist/$uri; - } + # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain + set $styleSrc "'unsafe-inline' 'self' https://${main_domain}"; - location = /api/config { - proxy_pass http://localhost:3000; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } + # connect-src restricts URLs which can be loaded using script interfaces + # if you have configured your instance to use a dedicated $files_domain or $api_domain + # you will need to add them below as: https://${files_domain} and https://${api_domain} + set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}"; - location ^~ /blob/ { - add_header Cache-Control max-age=31536000; - try_files $uri =404; - } + # fonts can be loaded from data-URLs or the main domain + set $fontSrc "'self' data: https://${main_domain}"; - location ^~ /block/ { - add_header Cache-Control max-age=0; - try_files $uri =404; - } + # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking + set $imgSrc "'self' data: blob: https://${main_domain}"; - location ^~ /datastore/ { - add_header Cache-Control max-age=0; - try_files $uri =404; - } + # frame-src specifies valid sources for nested browsing contexts. + # this prevents loading any iframes from anywhere other than the sandbox domain + set $frameSrc "'self' https://${sandbox_domain} blob:"; - location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)$ { - rewrite ^(.*)$ $1/ redirect; - } + # specifies valid sources for loading media using video or audio + set $mediaSrc "blob:"; - try_files /www/$uri /www/$uri/index.html /customize/$uri; + # defines valid sources for webworkers and nested browser contexts + # deprecated in favour of worker-src and frame-src + set $childSrc "https://${main_domain}"; + # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. + # supercedes child-src but is unfortunately not yet universally supported. + set $workerSrc "'self'"; + + # script-src specifies valid sources for javascript, including inline handlers + set $scriptSrc "'self' resource: https://${main_domain}"; + + # frame-ancestors specifies which origins can embed your CryptPad instance + # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work + # if you have enabled remote embedding via the admin panel then this must be more permissive. + # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app) + #set $frameAncestors "'self' https://${main_domain}"; + set $frameAncestors "'self' https: vector:"; + + set $unsafe 0; + # the following assets are loaded via the sandbox domain + # they unfortunately still require exceptions to the sandboxing to work correctly. + if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; } + if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; } + + # everything except the sandbox domain is a privileged scope, as they might be used to handle keys + if ($host != $sandbox_domain) { set $unsafe 0; } + # this iframe is an exception. Office file formats are converted outside of the sandboxed scope + # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable + # the use of some modern APIs that we require when javascript is run in a cross-origin context. + # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope + if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; } + + # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied + if ($unsafe) { + set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}"; + } + + # Finally, set all the rules you composed above. + add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors"; + + # The nodejs process can handle all traffic whether accessed over websocket or as static assets + # We prefer to serve static content from nginx directly and to leave the API server to handle + # the dynamic content that only it can manage. This is primarily an optimization + location ^~ /cryptpad_websocket { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # WebSocket support (nginx 1.4) + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; + } + + location ^~ /customize.dist/ { + # This is needed in order to prevent infinite recursion between /customize/ and the root + } + # try to load customizeable content via /customize/ and fall back to the default content + # located at /customize.dist/ + # This is what allows you to override behaviour. + location ^~ /customize/ { + rewrite ^/customize/(.*)$ $1 break; + try_files /customize/$uri /customize.dist/$uri; + } + + # /api/config is loaded once per page load and is used to retrieve + # the caching variable which is applied to every other resource + # which is loaded during that session. + location ~ ^/api/.*$ { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # These settings prevent both NGINX and the API server + # from setting the same headers and creating duplicates + proxy_hide_header Cross-Origin-Resource-Policy; + add_header Cross-Origin-Resource-Policy cross-origin; + proxy_hide_header Cross-Origin-Embedder-Policy; + add_header Cross-Origin-Embedder-Policy require-corp; + } + + # encrypted blobs are immutable and are thus cached for a year + location ^~ /blob/ { + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' "${allowed_origins}"; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'application/octet-stream; charset=utf-8'; + add_header 'Content-Length' 0; + return 204; + } + add_header X-Content-Type-Options nosniff; + add_header Cache-Control max-age=31536000; + add_header 'Access-Control-Allow-Origin' "${allowed_origins}"; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; + add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; + try_files $uri =404; + } + + # the "block-store" serves encrypted payloads containing users' drive keys + # these payloads are unlocked via login credentials. They are mutable + # and are thus never cached. They're small enough that it doesn't matter, in any case. + location ^~ /block/ { + add_header X-Content-Type-Options nosniff; + add_header Cache-Control max-age=0; + try_files $uri =404; + } + + # This block provides an alternative means of loading content + # otherwise only served via websocket. This is solely for debugging purposes, + # and is thus not allowed by default. + #location ^~ /datastore/ { + #add_header Cache-Control max-age=0; + #try_files $uri =404; + #} + + # The nodejs server has some built-in forwarding rules to prevent + # URLs like /pad from resulting in a 404. This simply adds a trailing slash + # to a variety of applications. + location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ { + rewrite ^(.*)$ $1/ redirect; + } + + # Finally, serve anything the above exceptions don't govern. + try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri; + + + # ---------- + # !! included by ckubu !! + # + # Only authenticated users + # + #auth_basic "$auth_type"; + #auth_basic_user_file /etc/nginx/.htpasswd-cpad-01; + # + # ---------- } diff --git a/nginx_cryptpad.conf.tmpl.00 b/nginx_cryptpad.conf.tmpl.00 new file mode 100644 index 0000000..cf0d752 --- /dev/null +++ b/nginx_cryptpad.conf.tmpl.00 @@ -0,0 +1,149 @@ +server { + listen 80; + listen [::]:80; + server_name @cryptpad-url@; + return 301 https://$server_name$request_uri; +} + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name @cryptpad-url@; + + ssl_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/@cryptpad-url@/privkey.pem; + #ssl_trusted_certificate /var/lib/dehydrated/certs/@cryptpad-url@/fullchain.pem; + + # - Needed for (automated) updating certificate + # - + include snippets/letsencrypt-acme-challenge.conf; + + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + # + # To generate a dhparam.pem file, run in a terminal + # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 + # + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + + # Eable session resumption to improve https performance + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 10m; + ssl_session_tickets off; + + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE + + # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) + # Everything better than SHA1 (deprecated) + # + ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security "max-age=31536000" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + #add_header X-Frame-Options "SAMEORIGIN"; + + root /var/www/cryptpad; + index index.html; + error_page 404 /customize.dist/404.html; + + if ($args ~ ver=) { + set $cacheControl max-age=31536000; + } + # Will not set any header if it is emptystring + # + add_header Cache-Control $cacheControl; + + + # - Does not work with CKEditor and OnlyOffice + # - + #set $styleSrc "'unsafe-inline' 'self'"; + #set $scriptSrc "'self' @cryptpad-url@"; + #set $connectSrc "'self' https://@cryptpad-url@ wss://@cryptpad-url@ @cryptpad-url@ https://api.@cryptpad-url@ blob: @cryptpad-url@"; + #set $fontSrc "'self' data: @cryptpad-url@"; + #set $imgSrc "'self' data: * blob: @cryptpad-url@"; + #set $frameSrc "'self' @cryptpad-url@ blob: @cryptpad-url@"; + #set $mediaSrc "'self' data: * blob: @cryptpad-url@"; + #set $childSrc "https://@cryptpad-url@"; + #set $workerSrc "https://@cryptpad-url@"; + # + #set $unsafe 0; + #if ($uri = "/pad/inner.html") { set $unsafe 1; } + #if ($uri = "/sheet/inner.html") { set $unsafe 1; } + #if ($uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set $unsafe 1; } + #if ($host != sandbox.cryptpad.info) { set $unsafe 0; } + #if ($unsafe) { + # set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@"; + #} + + + # - Make CKEditor and OnlyOffice working + # - + # - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity) + # - + set $styleSrc "'unsafe-inline' 'self' @cryptpad-url@"; + set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' @cryptpad-url@"; + set $connectSrc "'self' ws: wss: @cryptpad-url@"; + set $fontSrc "'self' data: @cryptpad-url@"; + set $imgSrc " * blob:"; + set $frameSrc "*"; + set $mediaSrc "'self' data: * blob: @cryptpad-url@"; + set $childSrc *; + set $workerSrc "https://@cryptpad-url@"; + + add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;"; + + location ^~ /cryptpad_websocket { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # WebSocket support (nginx 1.4) + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; + } + + location ^~ /customize.dist/ { + # This is needed in order to prevent infinite recursion between /customize/ and the root + } + location ^~ /customize/ { + rewrite ^/customize/(.*)$ $1 break; + try_files /customize/$uri /customize.dist/$uri; + } + + location = /api/config { + proxy_pass http://localhost:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location ^~ /blob/ { + add_header Cache-Control max-age=31536000; + try_files $uri =404; + } + + location ^~ /block/ { + add_header Cache-Control max-age=0; + try_files $uri =404; + } + + location ^~ /datastore/ { + add_header Cache-Control max-age=0; + try_files $uri =404; + } + + location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)$ { + rewrite ^(.*)$ $1/ redirect; + } + + try_files /www/$uri /www/$uri/index.html /customize/$uri; + +}