From c56815fa3be8d84b9f74c27bf6b5213db5a7e7eb Mon Sep 17 00:00:00 2001 From: ansuz Date: Thu, 5 Dec 2019 19:41:45 -0500 Subject: [PATCH] WIP nginx config refactor --- docs/example.nginx.conf | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf index a54687560..462b205fd 100644 --- a/docs/example.nginx.conf +++ b/docs/example.nginx.conf @@ -6,7 +6,16 @@ server { listen 443 ssl http2; - server_name your-main-domain.com your-sandbox-domain.com; + + # XXX These two variables + set $main_domain "your-main-domain.com"; + set $sandbox_domain "your-sandbox-domain.com"; + + # The $api_domain and $files_domain are optional + set $api_domain "api.your-main-domain.com"; + set $files_domain "files.your-main-domain.com"; + + server_name $main_domain $sandbox_domain; ssl_certificate /home/cryptpad/.acme.sh/your-main-domain.com/fullchain.cer; ssl_certificate_key /home/cryptpad/.acme.sh/your-main-domain.com/your-main-domain.com.key; @@ -24,6 +33,7 @@ server { add_header X-Content-Type-Options nosniff; # add_header X-Frame-Options "SAMEORIGIN"; + # Insert the path to your CryptPad repository root here root /home/cryptpad/cryptpad; index index.html; error_page 404 /customize.dist/404.html; @@ -34,15 +44,15 @@ server { # Will not set any header if it is emptystring add_header Cache-Control $cacheControl; - set $styleSrc "'unsafe-inline' 'self' your-main-domain.com"; - set $scriptSrc "'self' your-main-domain.com"; - set $connectSrc "'self' https://your-main-domain.com wss://your-main-domain.com your-main-domain.com https://api.your-main-domain.com blob: your-main-domain.com"; - set $fontSrc "'self' data: your-main-domain.com"; - set $imgSrc "'self' data: * blob: your-main-domain.com"; - set $frameSrc "'self' your-sandbox-domain.com blob: your-sandbox-domain.com"; - set $mediaSrc "'self' data: * blob: your-main-domain.com"; - set $childSrc "https://your-main-domain.com"; - set $workerSrc "https://your-main-domain.com"; + set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; + set $scriptSrc "'self' ${main_domain}"; + set $connectSrc "'self' https://${main_domain} wss://${main_domain} $main_domain https://${api_domain} blob:"; + set $fontSrc "'self' data: ${main_domain}"; + set $imgSrc "'self' data: * blob: ${main_domain}"; + set $frameSrc "'self' ${sandbox_domain} blob:"; + set $mediaSrc "'self' data: * blob: ${main_domain}"; + set $childSrc "https://${main_domain}"; + set $workerSrc "https://${main_domain}"; set $unsafe 0; if ($uri = "/pad/inner.html") { set $unsafe 1; } @@ -50,7 +60,7 @@ server { if ($uri = "/common/onlyoffice/web-apps/apps/spreadsheeteditor/main/index.html") { set $unsafe 1; } if ($host != sandbox.cryptpad.info) { set $unsafe 0; } if ($unsafe) { - set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' new2.cryptpad.fr cryptpad.fr"; + set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' ${main_domain}"; } add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc;";