aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoransible_admin <capsul@cyberia.club>2020-11-02 01:31:22 +0000
committeransible_admin <capsul@cyberia.club>2020-11-02 01:31:22 +0000
commit58e360eeaad6a09bf93cd22b5a9c826c583b9a88 (patch)
treef6861b8a8a671b0422f270e5de82e3da356eaebf
parenta2b8b1ea05d8367b5324b893f65d434465200db4 (diff)
downloadops-handbook-58e360eeaad6a09bf93cd22b5a9c826c583b9a88.tar.gz
ops-handbook-58e360eeaad6a09bf93cd22b5a9c826c583b9a88.tar.bz2
Remove cryptpad config from raaz
-rw-r--r--ansible/files/raaz.cyberia.club/nginx/cryptpad.cyberia.club.conf179
1 files changed, 0 insertions, 179 deletions
diff --git a/ansible/files/raaz.cyberia.club/nginx/cryptpad.cyberia.club.conf b/ansible/files/raaz.cyberia.club/nginx/cryptpad.cyberia.club.conf
deleted file mode 100644
index c9aa3d2..0000000
--- a/ansible/files/raaz.cyberia.club/nginx/cryptpad.cyberia.club.conf
+++ /dev/null
@@ -1,179 +0,0 @@
-server {
- listen 80;
- server_name cryptpad.cyberia.club;
- location / {
- return 301 https://cryptpad.cyberia.club/;
- }
-}
-
-server {
- listen 443 ssl http2;
-
- set $main_domain "cryptpad.cyberia.club";
-
- # CryptPad's dynamic content (websocket traffic and encrypted blobs)
- # can be served over separate domains. Using dedicated domains (or subdomains)
- # for these purposes allows you to move them to a separate machine at a later date
- # if you find that a single machine cannot handle all of your users.
- # If you don't use dedicated domains, this can be the same as $main_domain
- # If you do, they'll be added as exceptions to any rules which block connections to remote domains.
- set $api_domain "cryptpad.cyberia.club";
- set $files_domain "cryptpad.cyberia.club";
-
- # nginx doesn't let you set server_name via variables, so you need to hardcode your domains here
- server_name cryptpad.cyberia.club;
-
- # You'll need to Set the path to your certificates and keys here
- ssl_certificate /etc/ssl/uacme/cryptpad.cyberia.club/cert.pem;
- ssl_certificate_key /etc/ssl/uacme/private/cryptpad.cyberia.club/key.pem;
-
- # Speeds things up a little bit when resuming a session
- ssl_session_timeout 5m;
-
- # You'll need nginx 1.13.0 or better to support TLSv1.3
- ssl_protocols TLSv1.2 TLSv1.3;
-
- # https://cipherli.st/
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
- ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Content-Type-Options nosniff;
- add_header Access-Control-Allow-Origin "*";
- # add_header X-Frame-Options "SAMEORIGIN";
-
- # Insert the path to your CryptPad repository root here
- root /opt/cryptpad;
- index index.html;
- error_page 404 /customize.dist/404.html;
-
- # any static assets loaded with "ver=" in their URL will be cached for a year
- if ($args ~ ver=) {
- set $cacheControl max-age=31536000;
- }
- # Will not set any header if it is emptystring
- add_header Cache-Control $cacheControl;
-
- # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
- set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
-
- # connect-src restricts URLs which can be loaded using script interfaces
- set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
-
- # fonts can be loaded from data-URLs or the main domain
- set $fontSrc "'self' data: ${main_domain}";
-
- # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
- set $imgSrc "'self' data: * blob: ${main_domain}";
-
- # specifies valid sources for loading media using video or audio
- set $mediaSrc "'self' data: * blob: ${main_domain}";
-
- # defines valid sources for webworkers and nested browser contexts
- # deprecated in favour of worker-src and frame-src
- set $childSrc "https://${main_domain}";
-
- # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- # supercedes child-src but is unfortunately not yet universally supported.
- set $workerSrc "https://${main_domain}";
-
- # script-src specifies valid sources for javascript, including inline handlers
- set $scriptSrc "'self' resource: ${main_domain}";
-
- set $unsafe 0;
- # the following assets are loaded via the sandbox domain
- # they unfortunately still require exceptions to the sandboxing to work correctly.
- if ($uri = "/pad/inner.html") { set $unsafe 1; }
- if ($uri = "/sheet/inner.html") { set $unsafe 1; }
- if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
-
- # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
- if ($unsafe) {
- set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
- }
-
- # Finally, set all the rules you composed above.
- add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc;";
-
- # The nodejs process can handle all traffic whether accessed over websocket or as static assets
- # We prefer to serve static content from nginx directly and to leave the API server to handle
- # the dynamic content that only it can manage. This is primarily an optimization
- location ^~ /cryptpad_websocket {
- proxy_pass http://localhost:3000;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- # WebSocket support (nginx 1.4)
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection upgrade;
- }
-
- location ^~ /customize.dist/ {
- # This is needed in order to prevent infinite recursion between /customize/ and the root
- }
- # try to load customizeable content via /customize/ and fall back to the default content
- # located at /customize.dist/
- # This is what allows you to override behaviour.
- location ^~ /customize/ {
- rewrite ^/customize/(.*)$ $1 break;
- try_files /customize/$uri /customize.dist/$uri;
- }
-
- # /api/config is loaded once per page load and is used to retrieve
- # the caching variable which is applied to every other resource
- # which is loaded during that session.
- location = /api/config {
- proxy_pass http://localhost:3000;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-
- # encrypted blobs are immutable and are thus cached for a year
- location ^~ /blob/ {
- if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
- add_header 'Content-Length' 0;
- return 204;
- }
- add_header Cache-Control max-age=31536000;
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
- try_files $uri =404;
- }
-
- # the "block-store" serves encrypted payloads containing users' drive keys
- # these payloads are unlocked via login credentials. They are mutable
- # and are thus never cached. They're small enough that it doesn't matter, in any case.
- location ^~ /block/ {
- add_header Cache-Control max-age=0;
- try_files $uri =404;
- }
-
- # This block provides an alternative means of loading content
- # otherwise only served via websocket. This is solely for debugging purposes,
- # and is thus not allowed by default.
- #location ^~ /datastore/ {
- #add_header Cache-Control max-age=0;
- #try_files $uri =404;
- #}
-
- # The nodejs server has some built-in forwarding rules to prevent
- # URLs like /pad from resulting in a 404. This simply adds a trailing slash
- # to a variety of applications.
- location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$ {
- rewrite ^(.*)$ $1/ redirect;
- }
-
- # Finally, serve anything the above exceptions don't govern.
- try_files /www/$uri /www/$uri/index.html /customize/$uri;
-}