infra
/
cryptpad
2
1
Fork 0
Code Issues Pull Requests Projects Releases 1 Activity

Merge branch 'newconfig' of github.com:xwiki-labs/cryptpad into staging

Browse Source
pull/1/head
ansuz 6 years ago
parent 285ee17ed2 9ceebb603d
commit d0df398b42
2 changed files with 168 additions and 183 deletions
Show Stats Download Patch File Download Diff File

338
config.example.js
Unescape Escape View File

@ -12,104 +12,53 @@ var _domain = 'http://localhost:3000/';
// to enable this feature, uncomment the line below:
// require('heapdump');
// we prepend a space because every usage expects it
// requiring admins to preserve it is unnecessarily confusing
var domain = ' ' + _domain;
module.exports = {
// the address you want to bind to, :: means all ipv4 and ipv6 addresses
// this may not work on all operating systems
httpAddress: '::',
// Content-Security-Policy
var baseCSP = [
"default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain,
"font-src 'self' data:" + domain,
// the port on which your httpd will listen
/* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket.
*
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src blob: *",
// IE/Edge
"frame-src blob: *",
/* CryptPad can be configured to send customized HTTP Headers
* These settings may vary widely depending on your needs
* Examples are provided below
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob:" + domain,
httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
// data: is used by codemirror
"img-src 'self' data: blob:" + domain,
"media-src * blob:",
contentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain,
"font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket.
*
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src blob: *",
// IE/Edge
"frame-src blob: *",
"media-src * blob:",
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob:" + domain,
// data: is used by codemirror
"img-src 'self' data: blob:" + domain,
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
"frame-ancestors *",
].join('; '),
// CKEditor requires significantly more lax content security policy in order to function.
padContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob:",
].join('; '),
// OnlyOffice requires even more lax content security policy in order to function.
ooContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *",
];
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' blob: ws: wss:" + domain,
module.exports = {
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob: data:",
].join('; '),
/* =====================
* Infra setup
* ===================== */
// the address you want to bind to, :: means all ipv4 and ipv6 addresses
// this may not work on all operating systems
httpAddress: '::',
// the port on which your httpd will listen
httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing
@ -131,15 +80,31 @@ module.exports = {
*/
websocketPath: '/cryptpad_websocket',
/* CryptPad can log activity to stdout
* This may be useful for debugging
/* CryptPad can be configured to send customized HTTP Headers
* These settings may vary widely depending on your needs
* Examples are provided below
*/
logToStdout: false,
httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
/* CryptPad supports verbose logging
* (false by default)
contentSecurity: baseCSP.join('; ') +
"script-src 'self'" + domain,
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
padContentSecurity: baseCSP.join('; ') +
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/
verbose: false,
//privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* Main pages
* add exceptions to the router so that we can access /privacy.html
@ -156,6 +121,10 @@ module.exports = {
'faq'
],
/* =====================
* Subscriptions
* ===================== */
/* Limits, Donations, Subscriptions and Contact
*
* By default, CryptPad limits every registered user to 50MB of storage. It also shows a
@ -174,6 +143,15 @@ module.exports = {
allowSubscriptions: true,
removeDonateButton: false,
/*
* By default, CryptPad also contacts our accounts server once a day to check for changes in
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/
adminEmail: 'i.did.not.read.my.config@cryptpad.fr',
/* Sales coming from your server will be identified by your domain
*
* If you are using CryptPad in a business context, please consider taking a support contract
@ -214,6 +192,18 @@ module.exports = {
*/
},
/* =====================
* STORAGE
* ===================== */
/* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days).
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `delete-inactive.js` script with node
*/
inactiveTime: 90, // days
/* some features may require that the server be able to schedule tasks
far into the future, such as:
> "three months from now, this channel should expire"
@ -221,43 +211,47 @@ module.exports = {
*/
enableTaskScheduling: true,
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
taskPath: './tasks',
/* Setting this value to anything other than true will cause file upload
* attempts to be rejected outright.
*/
enableUploads: true,
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: './block',
/* If you have enabled file upload, you have the option of restricting it
* to a list of users identified by their public keys. If this value is set
* to true, your server will query a file (cryptpad/privileged.conf) when
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
*
* privileged.conf uses '#' for line comments, and splits keys by newline.
* This is a temporary measure until a better quota system is in place.
* registered users' public keys can be found on the settings page.
*/
restrictUploads: false,
/*
* By default, CryptPad also contacts our accounts server once a day to check for changes in
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
*/
adminEmail: 'i.did.not.read.my.config@cryptpad.fr',
maxUploadSize: 20 * 1024 * 1024,
/* =====================
* HARDWARE RELATED
* ===================== */
/*
You have the option of specifying an alternative storage adaptor.
These status of these alternatives are specified in their READMEs,
which are available at the following URLs:
/* CryptPad's file storage adaptor closes unused files after a configurable
* number of milliseconds (default 30000 (30 seconds))
*/
channelExpirationMs: 30000,
mongodb: a noSQL database
https://github.com/xwiki-labs/cryptpad-mongo-store
amnesiadb: in memory storage
https://github.com/xwiki-labs/cryptpad-amnesia-store
leveldb: a simple, fast, key-value store
https://github.com/xwiki-labs/cryptpad-level-store
sql: an adaptor for a variety of sql databases via knexjs
https://github.com/xwiki-labs/cryptpad-sql-store
/* CryptPad's file storage adaptor is limited by the number of open files.
* When the adaptor reaches openFileLimit, it will clean up older files
*/
openFileLimit: 2048,
For the most up to date solution, use the default storage adaptor.
*/
storage: './storage/file',
/* =====================
* DATABASE VOLUMES
* ===================== */
/*
CryptPad stores each document in an individual file on your hard drive.
@ -273,13 +267,15 @@ module.exports = {
*/
pinPath: './pins',
/* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days).
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `delete-inactive.js` script with node
*/
inactiveTime: 90, // days
/* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below:
*/
taskPath: './tasks',
/* if you would like users' authenticated blocks to be stored in
a custom location, change the path below:
*/
blockPath: './block',
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here.
@ -291,51 +287,25 @@ module.exports = {
*/
blobStagingPath: './blobstage',
/* CryptPad's file storage adaptor closes unused files after a configurable
* number of milliseconds (default 30000 (30 seconds))
*/
channelExpirationMs: 30000,
/* =====================
* Debugging
* ===================== */
/* CryptPad's file storage adaptor is limited by the number of open files.
* When the adaptor reaches openFileLimit, it will clean up older files
/* CryptPad can log activity to stdout
* This may be useful for debugging
*/
openFileLimit: 2048,
logToStdout: false,
/* CryptPad's socket server can be extended to respond to RPC calls
* you can configure it to respond to custom RPC calls if you like.
* provide the path to your RPC module here, or `false` if you would
* like to disable the RPC interface completely
/* CryptPad supports verbose logging
* (false by default)
*/
rpc: './rpc.js',
verbose: false,
/* RPC errors are shown by default, but if you really don't care,
* you can suppress them
*/
suppressRPCErrors: false,
/* Setting this value to anything other than true will cause file upload
* attempts to be rejected outright.
*/
enableUploads: true,
/* If you have enabled file upload, you have the option of restricting it
* to a list of users identified by their public keys. If this value is set
* to true, your server will query a file (cryptpad/privileged.conf) when
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
*
* privileged.conf uses '#' for line comments, and splits keys by newline.
* This is a temporary measure until a better quota system is in place.
* registered users' public keys can be found on the settings page.
*/
//restrictUploads: false,
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
*/
maxUploadSize: 20 * 1024 * 1024,
/* clients can use the /settings/ app to opt out of usage feedback
* which informs the server of things like how much each app is being
* used, and whether certain clientside features are supported by
@ -343,21 +313,12 @@ module.exports = {
* such that the service can be improved. Enable this with `true`
* and ignore feedback with `false` or by commenting the attribute
*/
//logFeedback: true,
logFeedback: false,
/* If you wish to see which remote procedure calls clients request,
* set this to true
*/
//logRPC: true,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/
//privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
logRPC: false,
/* You can get a repl for debugging the server if you want it.
* to enable this, specify the debugReplName and then you can
@ -366,4 +327,33 @@ module.exports = {
* repl names.
*/
//debugReplName: "cryptpad"
/* =====================
* DEPRECATED
* ===================== */
/*
You have the option of specifying an alternative storage adaptor.
These status of these alternatives are specified in their READMEs,
which are available at the following URLs:
mongodb: a noSQL database
https://github.com/xwiki-labs/cryptpad-mongo-store
amnesiadb: in memory storage
https://github.com/xwiki-labs/cryptpad-amnesia-store
leveldb: a simple, fast, key-value store
https://github.com/xwiki-labs/cryptpad-level-store
sql: an adaptor for a variety of sql databases via knexjs
https://github.com/xwiki-labs/cryptpad-sql-store
For the most up to date solution, use the default storage adaptor.
*/
storage: './storage/file',
/* CryptPad's socket server can be extended to respond to RPC calls
* you can configure it to respond to custom RPC calls if you like.
* provide the path to your RPC module here, or `false` if you would
* like to disable the RPC interface completely
*/
rpc: './rpc.js',
};

13
server.js
Unescape Escape View File

@ -75,20 +75,15 @@ var setHeaders = (function () {
if (config.padContentSecurity) {
padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
}
const ooHeaders = clone(headers);
if (config.ooContentSecurity) {
ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
}
if (Object.keys(headers).length) {
return function (req, res) {
const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => {
return regex.test(req.url)
}) ? padHeaders : ([
const h = [
/^\/pad(2)?\/inner\.html.*/,
/^\/sheet\/inner\.html.*/,
/^\/common\/onlyoffice\/.*\/index\.html.*/
].some((regex) => {
return regex.test(req.url)
}) ? ooHeaders : headers);
return regex.test(req.url)
}) ? padHeaders : headers;
for (let header in h) { res.setHeader(header, h[header]); }
};
}

Write Preview
Loading…
Cancel
Save