mirror of https://github.com/xwiki-labs/cryptpad
updated nginx config for new API server features
parent
bd19288869
commit
bf548c1022
|
@ -174,7 +174,12 @@ server {
|
|||
# We prefer to serve static content from nginx directly and to leave the API server to handle
|
||||
# the dynamic content that only it can manage. This is primarily an optimization
|
||||
location ^~ /cryptpad_websocket {
|
||||
proxy_pass http://localhost:3000;
|
||||
# XXX
|
||||
# static assets like blobs and blocks are served by clustered workers in the API server
|
||||
# Websocket traffic still needs to be handled by the main process, which means it needs
|
||||
# to be hosted on a different port. By default 3003 will be used, though this is configurable
|
||||
# via config.websocketPort
|
||||
proxy_pass http://localhost:3003;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
@ -213,7 +218,11 @@ server {
|
|||
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||
}
|
||||
|
||||
# encrypted blobs are immutable and are thus cached for a year
|
||||
# Requests for blobs and blocks are now proxied to the API server
|
||||
# This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
|
||||
# or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
|
||||
# enforce access control for them, though this is not yet implemented.
|
||||
# Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
|
||||
location ~ ^/(blob|block)/.*$ {
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
||||
|
@ -225,14 +234,13 @@ server {
|
|||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Cache-Control max-age=31536000;
|
||||
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
||||
add_header 'Access-Control-Allow-Credentials' true;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
||||
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
||||
try_files $uri =404;
|
||||
# Since we are proxying to the API server these headers can get duplicated
|
||||
# so we hide them
|
||||
proxy_hide_header 'X-Content-Type-Options';
|
||||
proxy_hide_header 'Access-Control-Allow-Origin';
|
||||
proxy_hide_header 'Permissions-Policy';
|
||||
proxy_hide_header 'X-XSS-Protection';^
|
||||
proxy_pass http://localhost:3000;
|
||||
}
|
||||
|
||||
# The nodejs server has some built-in forwarding rules to prevent
|
||||
|
|
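Review bot: The rewritten `location ~ ^/(blob|block)/.*$` block proxies to `http://localhost:3000` without the `proxy_set_header` lines that the websocket location carries, so unless they are inherited from the server level (not visible in these hunks) the API server sees every blob and block request as coming from loopback with nginx's default `Host` value. That matters now that block access control (TOTP 2FA) is enforced by the API server, because any per-client logging or throttling there would lose the real client address; adding `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` before the `proxy_pass` would match the websocket block. The line `proxy_hide_header 'X-XSS-Protection';^` also appears to end in a stray `^`, which `nginx -t` would reject if the character is really in the file rather than a rendering artifact. The bare `# XXX` marker in the websocket location should either state what remains to be done or be dropped.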