Merge branch 'master' into akaunting
This commit is contained in:
commit
1a32e33734
|
@ -25,7 +25,7 @@
|
|||
add_header Access-Control-Allow-Origin "*";
|
||||
|
||||
set $coop '';
|
||||
if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
|
||||
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
|
||||
|
||||
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
||||
add_header Cross-Origin-Resource-Policy cross-origin;
|
||||
|
@ -45,7 +45,7 @@
|
|||
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
|
||||
|
||||
# connect-src restricts URLs which can be loaded using script interfaces
|
||||
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
|
||||
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
|
||||
|
||||
# fonts can be loaded from data-URLs or the main domain
|
||||
set $fontSrc "'self' data: ${main_domain}";
|
||||
|
@ -75,10 +75,15 @@
|
|||
# the following assets are loaded via the sandbox domain
|
||||
# they unfortunately still require exceptions to the sandboxing to work correctly.
|
||||
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
||||
if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
|
||||
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
||||
|
||||
# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
|
||||
if ($host != $sandbox_domain) { set $unsafe 0; }
|
||||
# this iframe is an exception. Office file formats are converted outside of the sandboxed scope
|
||||
# because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
|
||||
# the use of some modern APIs that we require when javascript is run in a cross-origin context.
|
||||
# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
|
||||
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
||||
|
||||
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
||||
if ($unsafe) {
|
||||
|
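Review bot: The `/unsafeiframe/inner.html` exception is evaluated after the `$host != $sandbox_domain` reset, so it grants the relaxed `$unsafe` policy on the privileged main domain, and its pattern `^\/unsafeiframe\/inner\.html.*$` ends in `.*`, which also matches any longer path such as `/unsafeiframe/inner.html.bak` or `/unsafeiframe/inner.html/x`; since `$uri` carries no query string there is no reason for the trailing wildcard, so anchor it exactly: `if ($uri ~ ^/unsafeiframe/inner\.html$) { set $unsafe 1; }`. The same trailing `.*` widening appears in the new `^\/common\/onlyoffice\/.*\/.*\.html.*$` rule, although that one only takes effect on the sandbox domain because of the host reset above it. The comment block justifies the exception with "other sandboxing techniques", but nothing visible in this hunk enforces them; naming them (or the file that does) in that comment would let a later reader verify the exception is still safe. The `if ($unsafe) {` block opened on the last line continues outside the hunk.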
|
|
@ -1,5 +1,11 @@
|
|||
{% extends "core.j2" %}
|
||||
|
||||
{% block root %}
|
||||
root {{ nginx_www_dir }}{{ item.root }};
|
||||
index {{ item.index }};
|
||||
try_files {{ item.override_try_files | default('$uri $uri/ /index.php') }};
|
||||
{% endblock %}
|
||||
|
||||
{% block location %}
|
||||
|
||||
## LOCATIONS
|
||||
|
@ -29,8 +35,8 @@
|
|||
|
||||
location /admin/ {
|
||||
auth_basic "closed site";
|
||||
auth_basic_user_file {{ nginx_www_dir }}/{{ item.root }}/admin/.htpasswd;
|
||||
|
||||
auth_basic_user_file {{ nginx_www_dir }}{{ item.root }}/admin/.htpasswd;
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
|
@ -41,11 +47,11 @@
|
|||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_index index.php;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_pass unix:{{ pool_listen }};
|
||||
{% if item.upstream_params is defined and item.upstream_params is iterable %}
|
||||
{% for param in item.upstream_params %}
|
||||
{{ param }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endblock %}
|
||||
|
||||
|
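Review bot: `auth_basic_user_file {{ nginx_www_dir }}{{ item.root }}/admin/.htpasswd;` keeps the credential file inside the document root (the same `{{ nginx_www_dir }}{{ item.root }}` that `root` points at in the first hunk), so `/admin/.htpasswd` is a servable static file whose only protection is the `auth_basic` of the `location /admin/` prefix it happens to sit in — a more specific location matching it, or the absence of a dotfile deny in core.j2 (not visible here), would expose the password hashes. Prefer a path outside the web root, or at minimum add `location ~ /\.ht { deny all; }` to this template so the file can never be served. The `location /admin/ {` block opened at the top of this hunk closes outside it; the `location ~ \.php$` that follows the auth lines presumably is nested inside it, which is what makes `auth_basic` apply to PHP under `/admin/` — if it is in fact at server level, the regex location wins over the prefix and `/admin/*.php` bypasses auth entirely, so this is worth confirming against the full template.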
|
|
@ -0,0 +1,31 @@
|
|||
{% extends "core.j2" %}
|
||||
|
||||
{% block extra_upstreams %}
|
||||
|
||||
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
|
||||
inactive=720m use_temp_path=off;
|
||||
|
||||
upstream phoenix {
|
||||
server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
|
||||
}
|
||||
{% endblock %}
|
||||
|
||||
{% block location %}
|
||||
|
||||
location / {
|
||||
proxy_pass http://phoenix;
|
||||
}
|
||||
|
||||
location ~ ^/(media|proxy) {
|
||||
proxy_cache pleroma_media_cache;
|
||||
slice 1m;
|
||||
proxy_cache_key $host$uri$is_args$args$slice_range;
|
||||
proxy_set_header Range $slice_range;
|
||||
proxy_cache_valid 200 206 301 304 1h;
|
||||
proxy_cache_lock on;
|
||||
proxy_ignore_client_abort on;
|
||||
proxy_buffering on;
|
||||
chunked_transfer_encoding on;
|
||||
proxy_pass http://phoenix;
|
||||
}
|
||||
{% endblock %}
|
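Review bot: The media cache is placed under `/tmp` (`proxy_cache_path /tmp/pleroma-media-cache ...`), a world-writable directory shared with every local account and commonly emptied by tmp cleaners, so another local user could pre-create that path (making nginx fail or write into a directory they control) and the cache can disappear under a running server; a dedicated directory owned by the nginx worker user, e.g. `proxy_cache_path /var/cache/nginx/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;`, is the usual choice. Separately, `proxy_set_header Range $slice_range;` in the media/proxy location switches off inheritance of every `proxy_set_header` from the enclosing scope, so any Host or X-Forwarded-* headers core.j2 may set at server level (not visible here) are not sent for those requests and would need to be repeated in that block. The regex `^/(media|proxy)` also lacks a trailing slash and therefore matches paths like `/mediaX`; `location ~ ^/(media|proxy)/` is the tighter form.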