# ================= # - Install Cryptad on Debian 9 (stretch) # ================= # - See: # - https://blog.cavebeat.org/2017/07/cryptpad-installation-on-debian-stretch/ # - # - See also: # - git repository: https://github.com/xwiki-labs/cryptpad # - installation guide: https://github.com/xwiki-labs/cryptpad/wiki/Installation-guide # - # ---------- # - Pre-requisites # ---------- # - Install curl, git # - apt-get install curl git-core # - Install Python # - apt-get install python-minimal python # - Install compiler stuff # - # - apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \ # - make automake autoconf libtool flex bison \ # - gettext pkg-config gnu-standards \ # - libssl-dev libreadline-dev libncurses-dev # - apt-get install gcc g++ make # --- # - Install Nginx webservice # --- apt-get install nginx # - Generate Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # - mkdir /etc/nginx/ssl openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 # - Create nginx configuration for CryptPad # - cryptpad_url=cpad-01.oopen.de cat < cpad-01.oopen.de.conf # -- $cryptpad_url server { listen 80; listen [::]:80; server_name $cryptpad_url; return 301 https://\$server_name\$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name $cryptpad_url; ssl_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/$cryptpad_url/privkey.pem; #ssl_trusted_certificate /var/lib/dehydrated/certs/$cryptpad_url/fullchain.pem; # - Needed for (automated) updating certificate # - include snippets/letsencrypt-acme-challenge.conf; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # # To generate a dhparam.pem file, run in a terminal # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 # ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Eable session resumption to improve https performance ssl_session_cache shared:SSL:50m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES) # Everything better than SHA1 (deprecated) # ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000" always; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; #add_header X-Frame-Options "SAMEORIGIN"; root /var/www/cryptpad; index index.html; error_page 404 /customize.dist/404.html; if (\$args ~ ver=) { set \$cacheControl max-age=31536000; } # Will not set any header if it is emptystring # add_header Cache-Control \$cacheControl; # - Does not work with CKEditor and OnlyOffice # - #set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url"; #set \$scriptSrc "'self' $cryptpad_url"; #set \$connectSrc "'self' https://$cryptpad_url wss://$cryptpad_url $cryptpad_url https://api.$cryptpad_url blob: $cryptpad_url"; #set \$fontSrc "'self' data: $cryptpad_url"; #set \$imgSrc "'self' data: * blob: $cryptpad_url"; #set \$frameSrc "'self' $cryptpad_url blob: $cryptpad_url"; #set \$mediaSrc "'self' data: * blob: $cryptpad_url"; #set \$childSrc "https://$cryptpad_url"; #set \$workerSrc "https://$cryptpad_url"; # #set \$unsafe 0; #if (\$uri = "/pad/inner.html") { set \$unsafe 1; } #if (\$uri = "/sheet/inner.html") { set \$unsafe 1; } #if (\$uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set \$unsafe 1; } #if (\$host != sandbox.cryptpad.info) { set \$unsafe 0; } #if (\$unsafe) { # set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url"; #} # - Make CKEditor and OnlyOffice working # - # - See /var/www/cryptpad/config.js (contentSecurity,padContentSecurity, ooContentSecurity) # - set \$styleSrc "'unsafe-inline' 'self' $cryptpad_url"; set \$scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' $cryptpad_url"; set \$connectSrc "'self' ws: wss: $cryptpad_url"; set \$fontSrc "'self' data: $cryptpad_url"; set \$imgSrc " * blob:"; set \$frameSrc "*"; set \$mediaSrc "'self' data: * blob: $cryptpad_url"; set \$childSrc *; set \$workerSrc "https://$cryptpad_url"; add_header Content-Security-Policy "default-src 'none'; child-src \$childSrc; worker-src \$workerSrc; media-src \$mediaSrc; style-src \$styleSrc; script-src \$scriptSrc; connect-src \$connectSrc; font-src \$fontSrc; img-src \$imgSrc; frame-src \$frameSrc;"; location ^~ /cryptpad_websocket { proxy_pass http://localhost:3000; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header Host \$host; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; # WebSocket support (nginx 1.4) proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection upgrade; } location ^~ /customize.dist/ { # This is needed in order to prevent infinite recursion between /customize/ and the root } location ^~ /customize/ { rewrite ^/customize/(.*)\$ \$1 break; try_files /customize/\$uri /customize.dist/\$uri; } location = /api/config { proxy_pass http://localhost:3000; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header Host \$host; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; } location ^~ /blob/ { add_header Cache-Control max-age=31536000; try_files \$uri =404; } location ^~ /block/ { add_header Cache-Control max-age=0; try_files \$uri =404; } location ^~ /datastore/ { add_header Cache-Control max-age=0; try_files \$uri =404; } location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet)\$ { rewrite ^(.*)\$ \$1/ redirect; } try_files /www/\$uri /www/\$uri/index.html /customize/\$uri; } EOF # --- # - Install NodeJS v6.x on Debian 9 Stretch # --- # - Creates the apt sources list file '/etc/apt/sources.list.d/nodesource.list' for # - the NodeSource Node.js v6.x and also adds the NodeSource signing key to your keyring # - # - curl -sL https://deb.nodesource.com/setup_6.x | bash - # - # - Hope nodejs version 14.x will work # - # - nodejs 6.0 does not yet work for actuall etherpad, which ist also installed # - on this server. # - curl -sL https://deb.nodesource.com/setup_14.x | bash - apt-get update # - Install nodejs version 6.x from repository 'deb.nodesource.com' # - # - Tell the apt system to install nodejs from repository deb.nodesource.com # - # - You should pin the external source using the origin option to assign a high # - priority to "the external source" instead of using the release name. # - # - e,g: Add the following lines to your /etc/apt/preferences.d/preferences: # - # - Package: * # - Pin: origin deb.nodesource.com # - Pin-Priority: 1001 # - if ! $(grep -E -q "^\s*Pin:\s+origin\s+deb.nodesource.com" /etc/apt/preferences.d/preferences) ; then cat <> /etc/apt/preferences.d/preferences Package: * Pin: origin deb.nodesource.com Pin-Priority: 1001 EOF fi # - Verify with 'apt-cache policy nodejs' # - # - Output must conatin somethin liek that: # - Installationskandidat: 6.14.4-1nodesource1 # - apt-cache policy nodejs # - Install nodejs.. # - apt-get install nodejs # - An alternative possibility: # - # - 1. Show versions for nodejs # - # - # aptitude versions nodejs # - # - output may looks like: # - # - i 6.14.4-1nodesource1 500 # - p 10.15.2~dfsg-2 stable 500 # - # - 2. install nodejs 6.14.4-1nodesource1 # - # - apt-get install nodejs=6.14.4-1nodesource1 # - ^^^^^^^^^^^^^^^^^^^^^^^^^^ # - # - Test if installation was successfully # - node -v npm -v # --- # - Install bower # --- # - Install bower (global) # - npm install -g bower # --- # - Install cryptpad # --- cd /var/www # - Create needed folders # - mkdir /var/www/{.cache,.config,.local,.node-gyp,.npm} chown www-data:www-data /var/www/{.cache,.config,.local,.node-gyp,.npm} # - Get cryptpad # - git clone https://github.com/xwiki-labs/cryptpad chown -R www-data:www-data cryptpad cd cryptpad # - Complete Installation of cryptpad # - su www-data -s /bin/bash -c "npm install" su www-data -s /bin/bash -c "bower install" # --- # - Configure CryptPad # --- # - Create configuration file 'config.js'. (Copy the example file) # - # - The defaults should be good enough for most cases, but you may want to edit # - them. We recommend you read over the example file and change the values to # - fit your needs. cp -a config/config.example.js config/config.js # - Some base configuration # - # - adminEmail: 'admin.de', # - ... # - myDomain: oopen.de, # - perl -i -n -p -e"s#(\s*)(adminEmail:.*)#\1// \2\n\1adminEmail: 'admin\@oopen.de',#" /var/www/cryptpad/config/config.js perl -i -n -p -e"s#(\s*)(myDomain:.*)#\1// \2\n\1myDomain: oopen.de,#" /var/www/cryptpad/config/config.js # - deaktivate donate Button # - perl -i -n -p -e"s#(\s*)(//removeDonateButton:.*)#\1\2\n\1removeDonateButton: true,#" /var/www/cryptpad/config/config.js # - Set storage.. # - perl -i -n -p -e"s#(\s*)(//defaultStorageLimit:.*)#\1\2\n\1defaultStorageLimit: 250 * 1024 * 1024,#" /var/www/cryptpad/config/config.js # - Customizing CryptPad # - # - In order allow a variety of features to be changed and to allow site-specific # - changes to CryptPad apps while still keeping the git repository pristine, this # - directory exists to allow a set of hooks to be run. # - # - The server is configured to load files from the '/customize/' path # - preferentially from 'cryptpad/customize/', and to fall back to # - 'cryptpad/customize.dist/' if they are not found. # - # - If you wish to customize cryptpad, please **copy** # - '/customize.dist/' to '/customize' and then edit it there, this way you will # - still be able to pull from (and make pull requests to (!) the git repository. # - cp -a /var/www/cryptpad/customize.dist /var/www/cryptpad/customize # - Copy 'favicon.ico' to '/var/www/cryptpad/customize/main-favicon.png' # - cp ~chris/favicon.ico /var/www/cryptpad/customize/main-favicon.png # - Run as daemon using systemd # - cat << EOF > /etc/systemd/system/cryptpad.service [Unit] Description=CryptPad service [Service] User=www-data Group=www-data ExecStart=/usr/bin/node /var/www/cryptpad/server.js WorkingDirectory=/var/www/cryptpad Restart=always [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable cryptpad # - Start cryptpad # - systemctl start cryptpad