updated nginx config for new API server features

This commit is contained in:
ansuz 2023-05-11 17:06:46 +05:30
parent bd19288869
commit bf548c1022
1 changed files with 18 additions and 10 deletions


@ -174,7 +174,12 @@ server {
# We prefer to serve static content from nginx directly and to leave the API server to handle # We prefer to serve static content from nginx directly and to leave the API server to handle
# the dynamic content that only it can manage. This is primarily an optimization # the dynamic content that only it can manage. This is primarily an optimization
location ^~ /cryptpad_websocket { location ^~ /cryptpad_websocket {
proxy_pass http://localhost:3000; # XXX
# static assets like blobs and blocks are served by clustered workers in the API server
# Websocket traffic still needs to be handled by the main process, which means it needs
# to be hosted on a different port. By default 3003 will be used, though this is configurable
# via config.websocketPort
proxy_pass http://localhost:3003;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -213,7 +218,11 @@ server {
add_header Cross-Origin-Embedder-Policy require-corp; add_header Cross-Origin-Embedder-Policy require-corp;
} }
# encrypted blobs are immutable and are thus cached for a year # Requests for blobs and blocks are now proxied to the API server
# This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
# or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
# enforce access control for them, though this is not yet implemented.
# Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
location ~ ^/(blob|block)/.*$ { location ~ ^/(blob|block)/.*$ {
if ($request_method = 'OPTIONS') { if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "${allowed_origins}"; add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
@ -225,14 +234,13 @@ server {
add_header 'Content-Length' 0; add_header 'Content-Length' 0;
return 204; return 204;
} }
add_header X-Content-Type-Options nosniff; # Since we are proxying to the API server these headers can get duplicated
add_header Cache-Control max-age=31536000; # so we hide them
add_header 'Access-Control-Allow-Origin' "${allowed_origins}"; proxy_hide_header 'X-Content-Type-Options';
add_header 'Access-Control-Allow-Credentials' true; proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; proxy_hide_header 'Permissions-Policy';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; proxy_hide_header 'X-XSS-Protection';^
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'; proxy_pass http://localhost:3000;
try_files $uri =404;
} }
# The nodejs server has some built-in forwarding rules to prevent # The nodejs server has some built-in forwarding rules to prevent
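Review bot: In the third hunk the new `proxy_hide_header` lines drop X-Content-Type-Options, Access-Control-Allow-Origin, Permissions-Policy and X-XSS-Protection from the upstream response, and the old `add_header X-Content-Type-Options nosniff;` and `add_header Cache-Control max-age=31536000;` are removed, but no replacement `add_header` for the normal (non-OPTIONS) path is visible in the hunk; the rendered line counts suggest a few lines are not shown, so if nothing re-adds them further down this location, blob and block responses lose nosniff and the one-year immutable caching policy unless the API server now emits them itself. Note that nginx only inherits server-level `add_header` into a location that declares none of its own, and the headers inside `if ($request_method = 'OPTIONS')` belong to that nested block, so they do not cover GET responses. I'd replace the two-line comment with one that says where each hidden header is re-issued, e.g. `# the API server sets these; hide the upstream copies so the add_header lines below (or the server-level ones) are the only source`. The first hunk's websocket location shows `proxy_pass http://localhost:3003;` but no `proxy_http_version 1.1` or Upgrade/Connection headers within the hunk; if they sit outside it that is fine, otherwise websocket upgrades will not pass through the new port.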