Merge branch 'master' of https://git.oopen.de/install/cryptpad
This commit is contained in:
commit
d686bcbc3a
113
README.install
113
README.install
@ -20,6 +20,10 @@ cryptpad_url=o13-pad.oopen.de
|
||||
#cryptpad_sandbox_url=cpadsb-01.oopen.de
|
||||
#cryptpad_sandbox_url=o13-padsb.oopen.de
|
||||
cryptpad_sandbox_url="$cryptpad_url"
|
||||
cryptpad_sandbox_url="cpadsb-01.oopen.de"
|
||||
cryptpad_sandbox_url="o13-padsb.oopen.de"
|
||||
|
||||
vhost_config_file="${cryptpad_url}.conf"
|
||||
|
||||
|
||||
# ----------
|
||||
@ -33,6 +37,8 @@ apt-get install curl git-core
|
||||
# - Install Python
|
||||
# -
|
||||
apt-get install python-minimal python
|
||||
# debian bullseye:
|
||||
apt install python-is-python2 python2-minimal
|
||||
|
||||
# - Install compiler stuff
|
||||
# -
|
||||
@ -58,8 +64,14 @@ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
|
||||
# - Create nginx configuration for CryptPad
|
||||
# -
|
||||
|
||||
cat <<EOF > /etc/nginx/sites-available/${cryptpad_url}.conf
|
||||
# -- $cryptpad_url
|
||||
cat <<EOF > /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
# we want restrict authentication to cryptpad sandbox urls "$cryptpad_sandbox_url"
|
||||
#
|
||||
#map \$http_host \$auth_type {
|
||||
# default "off"; #This will turn off auth-basic
|
||||
# $cryptpad_sandbox_url "Restricted"; #This or any other string will turn it back on
|
||||
#}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
@ -83,7 +95,7 @@ server {
|
||||
# In the event of an XSS vulnerability in CryptPad's front-end code
|
||||
# this will limit the amount of information accessible to attackers.
|
||||
set \$main_domain "$cryptpad_url";
|
||||
set \$sandbox_domain "$cryptpad_url";
|
||||
set \$sandbox_domain "$cryptpad_sandbox_url";
|
||||
|
||||
# CryptPad's dynamic content (websocket traffic and encrypted blobs)
|
||||
# can be served over separate domains. Using dedicated domains (or subdomains)
|
||||
@ -93,8 +105,21 @@ server {
|
||||
# If you do, they'll be added as exceptions to any rules which block connections to remote domains.
|
||||
set \$api_domain "$cryptpad_url";
|
||||
set \$files_domain "$cryptpad_url";
|
||||
EOF
|
||||
|
||||
if [[ "$cryptpad_url" = "$cryptpad_sandbox_url" ]]; then
|
||||
cat <<EOF >> /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
server_name $cryptpad_url;
|
||||
EOF
|
||||
else
|
||||
cat <<EOF >> /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
server_name $cryptpad_url $cryptpad_sandbox_url;
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat <<EOF >> /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
ssl_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem;
|
||||
ssl_certificate_key /var/lib/dehydrated/certs/$cryptpad_url/privkey.pem;
|
||||
@ -119,7 +144,7 @@ server {
|
||||
# You'll need nginx 1.13.0 or better to support TLSv1.3
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
|
||||
|
||||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
||||
|
||||
@ -154,9 +179,16 @@ server {
|
||||
#}
|
||||
# End Bad Bot Blocker Includes
|
||||
|
||||
set \$coop '';
|
||||
if (\$uri ~ ^\/sheet\/.*\$) { set \$coop 'same-origin'; }
|
||||
# Opt out of Google's FLoC Network
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
EOF
|
||||
|
||||
cat <<EOF >> /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
set \$coop '';
|
||||
#if (\$uri ~ ^\/(sheet|presentation|doc|convert)\/.*\$) { set \$coop 'same-origin'; }
|
||||
|
||||
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
||||
add_header Cross-Origin-Resource-Policy cross-origin;
|
||||
add_header Cross-Origin-Opener-Policy \$coop;
|
||||
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||
@ -176,12 +208,11 @@ server {
|
||||
# Will not set any header if it is emptystring
|
||||
add_header Cache-Control \$cacheControl;
|
||||
|
||||
|
||||
# CSS can be dynamically set inline, loaded from the same domain, or from \$main_domain
|
||||
set \$styleSrc "'unsafe-inline' 'self' \${main_domain}";
|
||||
|
||||
# connect-src restricts URLs which can be loaded using script interfaces
|
||||
set \$connectSrc "'self' https://\${main_domain} \${main_domain} https://\${api_domain} blob: wss://\${api_domain} \${api_domain} \${files_domain}";
|
||||
set \$connectSrc "'self' https://\${main_domain} \${main_domain} https://\${api_domain} blob: wss://\${api_domain} \${api_domain} \${files_domain} https://\${sandbox_domain}";
|
||||
|
||||
# fonts can be loaded from data-URLs or the main domain
|
||||
set \$fontSrc "'self' data: \${main_domain}";
|
||||
@ -210,11 +241,19 @@ server {
|
||||
set \$unsafe 0;
|
||||
# the following assets are loaded via the sandbox domain
|
||||
# they unfortunately still require exceptions to the sandboxing to work correctly.
|
||||
if (\$uri = "/sheet/inner.html") { set \$unsafe 1; }
|
||||
if (\$uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*\$) { set \$unsafe 1; }
|
||||
if (\$uri ~ ^\/(sheet|doc|presentation)\/inner.html.*\$) { set \$unsafe 1; }
|
||||
if (\$uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*\$) { set \$unsafe 1; }
|
||||
|
||||
# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
|
||||
if (\$host != \$sandbox_domain) { set \$unsafe 0; }
|
||||
# this iframe is an exception. Office file formats are converted outside of the sandboxed scope
|
||||
# because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
|
||||
# the use of some modern APIs that we require when javascript is run in a cross-origin context.
|
||||
# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
|
||||
if (\$uri ~ ^\/unsafeiframe\/inner\.html.*\$) { set \$unsafe 1; }
|
||||
EOF
|
||||
|
||||
cat <<EOF >> /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
||||
if (\$unsafe) {
|
||||
@ -253,11 +292,18 @@ server {
|
||||
# /api/config is loaded once per page load and is used to retrieve
|
||||
# the caching variable which is applied to every other resource
|
||||
# which is loaded during that session.
|
||||
location = /api/config {
|
||||
location ~ ^/api/(config|broadcast).*\$ {
|
||||
proxy_pass http://localhost:3000;
|
||||
proxy_set_header X-Real-IP \$remote_addr;
|
||||
proxy_set_header Host \$host;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
|
||||
# These settings prevent both NGINX and the API server
|
||||
# from setting the same headers and creating duplicates
|
||||
proxy_hide_header Cross-Origin-Resource-Policy;
|
||||
add_header Cross-Origin-Resource-Policy cross-origin;
|
||||
proxy_hide_header Cross-Origin-Embedder-Policy;
|
||||
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||
}
|
||||
|
||||
# encrypted blobs are immutable and are thus cached for a year
|
||||
@ -278,6 +324,9 @@ server {
|
||||
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
||||
try_files \$uri =404;
|
||||
}
|
||||
EOF
|
||||
|
||||
cat <<EOF >> /etc/nginx/sites-available/${vhost_config_file}
|
||||
|
||||
# the "block-store" serves encrypted payloads containing users' drive keys
|
||||
# these payloads are unlocked via login credentials. They are mutable
|
||||
@ -291,15 +340,15 @@ server {
|
||||
# otherwise only served via websocket. This is solely for debugging purposes,
|
||||
# and is thus not allowed by default.
|
||||
#location ^~ /datastore/ {
|
||||
#add_header Cache-Control max-age=0;
|
||||
#try_files \$uri =404;
|
||||
#add_header Cache-Control max-age=0;
|
||||
#try_files \$uri =404;
|
||||
#}
|
||||
|
||||
# The nodejs server has some built-in forwarding rules to prevent
|
||||
# URLs like /pad from resulting in a 404. This simply adds a trailing slash
|
||||
# to a variety of applications.
|
||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)\$ {
|
||||
rewrite ^(.*)\$ \$1/ redirect;
|
||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert)\$ {
|
||||
rewrite ^(.*)\$ \$1/ redirect;
|
||||
}
|
||||
|
||||
# Finally, serve anything the above exceptions don't govern.
|
||||
@ -307,8 +356,8 @@ server {
|
||||
|
||||
# Only authenticated users
|
||||
#
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file /etc/nginx/.htpasswd-${cryptpad_url%%.*};
|
||||
#auth_basic "\$auth_type";
|
||||
#auth_basic_user_file /etc/nginx/.htpasswd-${cryptpad_url%%.*};
|
||||
}
|
||||
EOF
|
||||
|
||||
@ -410,8 +459,8 @@ chown -R www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm,.priva
|
||||
# ---
|
||||
|
||||
cd /var/www/
|
||||
mkdir cryptpad
|
||||
chown www-data:www-data cryptpad
|
||||
chown www-data:www-data /var/www
|
||||
|
||||
|
||||
# - Get cryptpad
|
||||
# -
|
||||
@ -447,9 +496,13 @@ cp -a config/config.example.js config/config.js
|
||||
# - ...
|
||||
# - myDomain: oopen.de,
|
||||
# -
|
||||
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
|
||||
if $(grep -q -E "\s*/?/?\s*adminEmail" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
|
||||
perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js
|
||||
else
|
||||
perl -i -n -p -e"s/(\s*})/ adminEmail: 'admin\@oopen.de',\n\1/" /var/www/cryptpad/config/config.js
|
||||
fi
|
||||
|
||||
perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'http://localhost:3000',#" /var/www/cryptpad//config/config.js
|
||||
perl -i -n -p -e"s#(\s*)(httpUnsafeOrigin:.*)#\1// \2\n\1httpUnsafeOrigin: 'https://${cryptpad_url}',#" /var/www/cryptpad/config/config.js
|
||||
|
||||
perl -i -n -p -e"s#(\s*)(/*\s*)(httpSafeOrigin:.*)#\1// \3\n\1httpSafeOrigin: 'https://${cryptpad_sandbox_url}',#" /var/www/cryptpad/config/config.js
|
||||
|
||||
@ -458,7 +511,11 @@ perl -i -n -p -e"s#(\s*)(/*\s*)(httpAddress:.*)#\1// \3\n\1httpAddress: '::',#"
|
||||
|
||||
# - deaktivate donate Button
|
||||
# -
|
||||
perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
|
||||
if $(grep -q -E "\s*/?/?\s*removeDonateButton" /var/www/cryptpad/config/config.js 2> /dev/null) ; then
|
||||
perl -i -n -p -e"s#(\s*)(/*\s*)(removeDonateButton:.*)#\1//\3\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js
|
||||
else
|
||||
perl -i -n -p -e"s/(\s*})/ removeDonateButton: true,\n\1/" /var/www/cryptpad/config/config.js
|
||||
fi
|
||||
|
||||
# - Set storage..
|
||||
# -
|
||||
@ -482,8 +539,9 @@ cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize
|
||||
|
||||
# - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png'
|
||||
# -
|
||||
#cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png
|
||||
cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png
|
||||
cp ~chris/favicon.ico /var/www/cryptpad/customize.dist/
|
||||
chown www-data:www-data /var/www/cryptpad/customize/main-favicon.png
|
||||
chown www-data:www-data /var/www/cryptpad/customize.dist/favicon.ico
|
||||
|
||||
|
||||
@ -537,3 +595,12 @@ systemctl enable cryptpad
|
||||
# -
|
||||
systemctl start cryptpad
|
||||
|
||||
|
||||
# ---
|
||||
# Basic Check of your configuration:
|
||||
# ---
|
||||
|
||||
# In yout browser type:
|
||||
#
|
||||
# https://${cryptpad_url}/checkup/
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user