tMerge branch 'main' into 5.6-rc

2023-12-18 14:07:13 +01:00 · 2023-12-18 14:07:13 +01:00 · f9e6c8d142
parent 315adc59d7 006e6b602a
commit f9e6c8d142
3 changed files with 58 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+Considering the amount of resources necessary to backport security or bug fixes to previous, unsupported CryptPad versions, it's not something we do.
+However, we quickly release new minor versions in case of need.
+
+Please keep up with the latest release published here: https://github.com/cryptpad/cryptpad/releases
+
+Note that every GitHub release page has an RSS compatible feed that you can subscribe on to be informed of every new release.
+
+We do also communicate about this topic on:
+- [Our blog](https://blog.cryptpad.org)
+- [Our Matrix public space](https://matrix.to/#/#cryptpad:matrix.xwiki.com)
+- [Our Mastodon account](https://fosstodon.org/@cryptpad)
+
+## Reporting a Vulnerability
+
+Vulnerabilities can be reported using the GitHub Security interface. You can also send us an email at security@cryptpad.org
--- a/docs/cryptpad.service
+++ b/docs/cryptpad.service
@ -14,6 +14,10 @@ Restart=always
 # Restart service after 10 seconds if node service crashes
 RestartSec=2

+# Proper logging to journald
+StandardOutput=journal
+StandardError=journal+console
+
 User=cryptpad
 Group=cryptpad
 # modify to match your working directory
--- a/docs/example.httpd.conf
+++ b/docs/example.httpd.conf
@ -0,0 +1,35 @@
+#   This file is included strictly as an example of how Apache httpd can be
+#   configured to work with CryptPad. If you are using CryptPad in production
+#   and require professional support please contact sales@cryptpad.fr
+
+#   This configuration requires mod_ssl, mod_socache_shmcb, mod_proxy,
+#   mod_proxy_http and mod_headers
+
+Listen 443
+
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLSessionCache "shmcb:logs/ssl_scache(512000)"
+SSLSessionCacheTimeout 86400
+SSLSessionTickets off
+SSLUseStapling on
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
+<VirtualHost *:443>
+  ServerName cryptpad.your-domain.com
+  ServerAlias sandbox.your-domain.com
+  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+  SSLEngine on
+  SSLCertificateFile /etc/letsencrypt/live/your-domain.com/cert.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
+  BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+  Protocols h2 http/1.1
+  LimitRequestBody 157286400
+  ProxyPass / http://localhost:3000/ upgrade=websocket
+  ProxyPassReverse / http://localhost:3000/
+</VirtualHost>