infra
/
cryptpad
2
1
Fork 0
Code Issues Pull Requests Projects Releases 1 Activity

Reorder config file

Browse Source
pull/1/head
yflory 6 years ago
parent 17dc4af1aa
commit 9ceebb603d
2 changed files with 168 additions and 183 deletions
Show Stats Download Patch File Download Diff File

290
config.example.js
Unescape Escape View File

@ -12,30 +12,12 @@ var _domain = 'http://localhost:3000/';
// to enable this feature, uncomment the line below: // to enable this feature, uncomment the line below:
// require('heapdump'); // require('heapdump');
// we prepend a space because every usage expects it // we prepend a space because every usage expects it
// requiring admins to preserve it is unnecessarily confusing // requiring admins to preserve it is unnecessarily confusing
var domain = ' ' + _domain; var domain = ' ' + _domain;
module.exports = {
// the address you want to bind to, :: means all ipv4 and ipv6 addresses
// this may not work on all operating systems
httpAddress: '::',
// the port on which your httpd will listen
/* CryptPad can be configured to send customized HTTP Headers // Content-Security-Policy
* These settings may vary widely depending on your needs var baseCSP = [
* Examples are provided below
*/
httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
contentSecurity: [
"default-src 'none'", "default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain, "style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain, "script-src 'self'" + domain,
@ -51,8 +33,6 @@ module.exports = {
// IE/Edge // IE/Edge
"frame-src blob: *", "frame-src blob: *",
"media-src * blob:",
/* this allows connections over secure or insecure websockets /* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain the ws://* directive, and change '*' to your domain
@ -61,55 +41,24 @@ module.exports = {
// data: is used by codemirror // data: is used by codemirror
"img-src 'self' data: blob:" + domain, "img-src 'self' data: blob:" + domain,
"media-src * blob:",
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox // for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *", "frame-ancestors *",
].join('; '), ];
// CKEditor requires significantly more lax content security policy in order to function.
padContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads module.exports = {
"img-src * blob:",
].join('; '),
// OnlyOffice requires even more lax content security policy in order to function.
ooContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section /* =====================
"connect-src 'self' blob: ws: wss:" + domain, * Infra setup
* ===================== */
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads // the address you want to bind to, :: means all ipv4 and ipv6 addresses
"img-src * blob: data:", // this may not work on all operating systems
].join('; '), httpAddress: '::',
// the port on which your httpd will listen
httpPort: 3000, httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing // This is for allowing the cross-domain iframe to function when developing
@ -131,15 +80,31 @@ module.exports = {
*/ */
websocketPath: '/cryptpad_websocket', websocketPath: '/cryptpad_websocket',
/* CryptPad can log activity to stdout /* CryptPad can be configured to send customized HTTP Headers
* This may be useful for debugging * These settings may vary widely depending on your needs
* Examples are provided below
*/ */
logToStdout: false, httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
/* CryptPad supports verbose logging contentSecurity: baseCSP.join('; ') +
* (false by default) "script-src 'self'" + domain,
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
padContentSecurity: baseCSP.join('; ') +
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/ */
verbose: false, //privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* Main pages /* Main pages
* add exceptions to the router so that we can access /privacy.html * add exceptions to the router so that we can access /privacy.html
@ -156,6 +121,10 @@ module.exports = {
'faq' 'faq'
], ],
/* =====================
* Subscriptions
* ===================== */
/* Limits, Donations, Subscriptions and Contact /* Limits, Donations, Subscriptions and Contact
* *
* By default, CryptPad limits every registered user to 50MB of storage. It also shows a * By default, CryptPad limits every registered user to 50MB of storage. It also shows a
@ -174,6 +143,15 @@ module.exports = {
allowSubscriptions: true, allowSubscriptions: true,
removeDonateButton: false, removeDonateButton: false,
/*
* By default, CryptPad also contacts our accounts server once a day to check for changes in
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/
adminEmail: 'i.did.not.read.my.config@cryptpad.fr',
/* Sales coming from your server will be identified by your domain /* Sales coming from your server will be identified by your domain
* *
* If you are using CryptPad in a business context, please consider taking a support contract * If you are using CryptPad in a business context, please consider taking a support contract
@ -214,6 +192,18 @@ module.exports = {
*/ */
}, },
/* =====================
* STORAGE
* ===================== */
/* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days).
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `delete-inactive.js` script with node
*/
inactiveTime: 90, // days
/* some features may require that the server be able to schedule tasks /* some features may require that the server be able to schedule tasks
far into the future, such as: far into the future, such as:
> "three months from now, this channel should expire" > "three months from now, this channel should expire"
@ -221,43 +211,47 @@ module.exports = {
*/ */
enableTaskScheduling: true, enableTaskScheduling: true,
/* if you would like the list of scheduled tasks to be stored in /* Setting this value to anything other than true will cause file upload
a custom location, change the path below: * attempts to be rejected outright.
*/ */
taskPath: './tasks', enableUploads: true,
/* if you would like users' authenticated blocks to be stored in /* If you have enabled file upload, you have the option of restricting it
a custom location, change the path below: * to a list of users identified by their public keys. If this value is set
* to true, your server will query a file (cryptpad/privileged.conf) when
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
*
* privileged.conf uses '#' for line comments, and splits keys by newline.
* This is a temporary measure until a better quota system is in place.
* registered users' public keys can be found on the settings page.
*/ */
blockPath: './block', restrictUploads: false,
/* /* Max Upload Size (bytes)
* By default, CryptPad also contacts our accounts server once a day to check for changes in * this sets the maximum size of any one file uploaded to the server.
* the people who have accounts. This check-in will also send the version of your CryptPad * anything larger than this size will be rejected
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/ */
adminEmail: 'i.did.not.read.my.config@cryptpad.fr', maxUploadSize: 20 * 1024 * 1024,
/* /* =====================
You have the option of specifying an alternative storage adaptor. * HARDWARE RELATED
These status of these alternatives are specified in their READMEs, * ===================== */
which are available at the following URLs:
mongodb: a noSQL database /* CryptPad's file storage adaptor closes unused files after a configurable
https://github.com/xwiki-labs/cryptpad-mongo-store * number of milliseconds (default 30000 (30 seconds))
amnesiadb: in memory storage */
https://github.com/xwiki-labs/cryptpad-amnesia-store channelExpirationMs: 30000,
leveldb: a simple, fast, key-value store
https://github.com/xwiki-labs/cryptpad-level-store
sql: an adaptor for a variety of sql databases via knexjs
https://github.com/xwiki-labs/cryptpad-sql-store
For the most up to date solution, use the default storage adaptor. /* CryptPad's file storage adaptor is limited by the number of open files.
* When the adaptor reaches openFileLimit, it will clean up older files
*/ */
storage: './storage/file', openFileLimit: 2048,
/* =====================
* DATABASE VOLUMES
* ===================== */
/* /*
CryptPad stores each document in an individual file on your hard drive. CryptPad stores each document in an individual file on your hard drive.
@ -273,13 +267,15 @@ module.exports = {
*/ */
pinPath: './pins', pinPath: './pins',
/* Pads that are not 'pinned' by any registered user can be set to expire /* if you would like the list of scheduled tasks to be stored in
* after a configurable number of days of inactivity (default 90 days). a custom location, change the path below:
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `delete-inactive.js` script with node
*/ */
inactiveTime: 90, // days taskPath: './tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: './block',
/* CryptPad allows logged in users to upload encrypted files. Files/blobs /* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here. * are stored in a 'blob-store'. Set its location here.
@ -291,51 +287,25 @@ module.exports = {
*/ */
blobStagingPath: './blobstage', blobStagingPath: './blobstage',
/* CryptPad's file storage adaptor closes unused files after a configurable /* =====================
* number of milliseconds (default 30000 (30 seconds)) * Debugging
*/ * ===================== */
channelExpirationMs: 30000,
/* CryptPad's file storage adaptor is limited by the number of open files. /* CryptPad can log activity to stdout
* When the adaptor reaches openFileLimit, it will clean up older files * This may be useful for debugging
*/ */
openFileLimit: 2048, logToStdout: false,
/* CryptPad's socket server can be extended to respond to RPC calls /* CryptPad supports verbose logging
* you can configure it to respond to custom RPC calls if you like. * (false by default)
* provide the path to your RPC module here, or `false` if you would
* like to disable the RPC interface completely
*/ */
rpc: './rpc.js', verbose: false,
/* RPC errors are shown by default, but if you really don't care, /* RPC errors are shown by default, but if you really don't care,
* you can suppress them * you can suppress them
*/ */
suppressRPCErrors: false, suppressRPCErrors: false,
/* Setting this value to anything other than true will cause file upload
* attempts to be rejected outright.
*/
enableUploads: true,
/* If you have enabled file upload, you have the option of restricting it
* to a list of users identified by their public keys. If this value is set
* to true, your server will query a file (cryptpad/privileged.conf) when
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
*
* privileged.conf uses '#' for line comments, and splits keys by newline.
* This is a temporary measure until a better quota system is in place.
* registered users' public keys can be found on the settings page.
*/
//restrictUploads: false,
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
*/
maxUploadSize: 20 * 1024 * 1024,
/* clients can use the /settings/ app to opt out of usage feedback /* clients can use the /settings/ app to opt out of usage feedback
* which informs the server of things like how much each app is being * which informs the server of things like how much each app is being
* used, and whether certain clientside features are supported by * used, and whether certain clientside features are supported by
@ -343,21 +313,12 @@ module.exports = {
* such that the service can be improved. Enable this with `true` * such that the service can be improved. Enable this with `true`
* and ignore feedback with `false` or by commenting the attribute * and ignore feedback with `false` or by commenting the attribute
*/ */
//logFeedback: true, logFeedback: false,
/* If you wish to see which remote procedure calls clients request, /* If you wish to see which remote procedure calls clients request,
* set this to true * set this to true
*/ */
//logRPC: true, logRPC: false,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/
//privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* You can get a repl for debugging the server if you want it. /* You can get a repl for debugging the server if you want it.
* to enable this, specify the debugReplName and then you can * to enable this, specify the debugReplName and then you can
@ -366,4 +327,33 @@ module.exports = {
* repl names. * repl names.
*/ */
//debugReplName: "cryptpad" //debugReplName: "cryptpad"
/* =====================
* DEPRECATED
* ===================== */
/*
You have the option of specifying an alternative storage adaptor.
These status of these alternatives are specified in their READMEs,
which are available at the following URLs:
mongodb: a noSQL database
https://github.com/xwiki-labs/cryptpad-mongo-store
amnesiadb: in memory storage
https://github.com/xwiki-labs/cryptpad-amnesia-store
leveldb: a simple, fast, key-value store
https://github.com/xwiki-labs/cryptpad-level-store
sql: an adaptor for a variety of sql databases via knexjs
https://github.com/xwiki-labs/cryptpad-sql-store
For the most up to date solution, use the default storage adaptor.
*/
storage: './storage/file',
/* CryptPad's socket server can be extended to respond to RPC calls
* you can configure it to respond to custom RPC calls if you like.
* provide the path to your RPC module here, or `false` if you would
* like to disable the RPC interface completely
*/
rpc: './rpc.js',
}; };

11
server.js
Unescape Escape View File

@ -75,20 +75,15 @@ var setHeaders = (function () {
if (config.padContentSecurity) { if (config.padContentSecurity) {
padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity); padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
} }
const ooHeaders = clone(headers);
if (config.ooContentSecurity) {
ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
}
if (Object.keys(headers).length) { if (Object.keys(headers).length) {
return function (req, res) { return function (req, res) {
const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => { const h = [
return regex.test(req.url) /^\/pad(2)?\/inner\.html.*/,
}) ? padHeaders : ([
/^\/sheet\/inner\.html.*/, /^\/sheet\/inner\.html.*/,
/^\/common\/onlyoffice\/.*\/index\.html.*/ /^\/common\/onlyoffice\/.*\/index\.html.*/
].some((regex) => { ].some((regex) => {
return regex.test(req.url) return regex.test(req.url)
}) ? ooHeaders : headers); }) ? padHeaders : headers;
for (let header in h) { res.setHeader(header, h[header]); } for (let header in h) { res.setHeader(header, h[header]); }
}; };
} }

Write Preview
Loading…
Cancel
Save