mirror of https://github.com/xwiki-labs/cryptpad
updated nginx config for new API server features
parent
bd19288869
commit
bf548c1022
|
@ -174,7 +174,12 @@ server {
|
||||||
# We prefer to serve static content from nginx directly and to leave the API server to handle
|
# We prefer to serve static content from nginx directly and to leave the API server to handle
|
||||||
# the dynamic content that only it can manage. This is primarily an optimization
|
# the dynamic content that only it can manage. This is primarily an optimization
|
||||||
location ^~ /cryptpad_websocket {
|
location ^~ /cryptpad_websocket {
|
||||||
proxy_pass http://localhost:3000;
|
# XXX
|
||||||
|
# static assets like blobs and blocks are served by clustered workers in the API server
|
||||||
|
# Websocket traffic still needs to be handled by the main process, which means it needs
|
||||||
|
# to be hosted on a different port. By default 3003 will be used, though this is configurable
|
||||||
|
# via config.websocketPort
|
||||||
|
proxy_pass http://localhost:3003;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
@ -213,7 +218,11 @@ server {
|
||||||
add_header Cross-Origin-Embedder-Policy require-corp;
|
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||||
}
|
}
|
||||||
|
|
||||||
# encrypted blobs are immutable and are thus cached for a year
|
# Requests for blobs and blocks are now proxied to the API server
|
||||||
|
# This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
|
||||||
|
# or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
|
||||||
|
# enforce access control for them, though this is not yet implemented.
|
||||||
|
# Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
|
||||||
location ~ ^/(blob|block)/.*$ {
|
location ~ ^/(blob|block)/.*$ {
|
||||||
if ($request_method = 'OPTIONS') {
|
if ($request_method = 'OPTIONS') {
|
||||||
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
||||||
|
@ -225,14 +234,13 @@ server {
|
||||||
add_header 'Content-Length' 0;
|
add_header 'Content-Length' 0;
|
||||||
return 204;
|
return 204;
|
||||||
}
|
}
|
||||||
add_header X-Content-Type-Options nosniff;
|
# Since we are proxying to the API server these headers can get duplicated
|
||||||
add_header Cache-Control max-age=31536000;
|
# so we hide them
|
||||||
add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
|
proxy_hide_header 'X-Content-Type-Options';
|
||||||
add_header 'Access-Control-Allow-Credentials' true;
|
proxy_hide_header 'Access-Control-Allow-Origin';
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
proxy_hide_header 'Permissions-Policy';
|
||||||
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
proxy_hide_header 'X-XSS-Protection';^
|
||||||
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
|
proxy_pass http://localhost:3000;
|
||||||
try_files $uri =404;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# The nodejs server has some built-in forwarding rules to prevent
|
# The nodejs server has some built-in forwarding rules to prevent
|
||||||
|
|
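Review bot: In the `location ~ ^/(blob|block)/.*$` block the new `proxy_hide_header` lines strip `X-Content-Type-Options` and `Access-Control-Allow-Origin` from the API server's responses, so those headers reach the client only if `add_header` directives at an enclosing level (not visible in this section) supply them. nginx inherits `add_header` from the outer level only while the current level defines none, and without the `always` parameter it skips error statuses, so a denied or missing block would presumably leave with neither the upstream header nor the nginx one. I would record that dependency above the directives, e.g. `# relies on add_header from the enclosing level; any add_header added in this location drops them`, and confirm whether the outer directives need `always`. The line `proxy_hide_header 'X-XSS-Protection';^` also appears to end in a stray `^`, which nginx would read as the start of the next directive unless it is a rendering artifact; it should read `proxy_hide_header 'X-XSS-Protection';`.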