Merge branch 'master' into akaunting

templates/etc/nginx/sites-available/cryptpad.j2

@@ -25,7 +25,7 @@
   add_header Access-Control-Allow-Origin "*";
 
   set $coop '';
- if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
+ #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
 
   # Enable SharedArrayBuffer in Firefox (for .xlsx export)
   add_header Cross-Origin-Resource-Policy cross-origin;
@@ -45,7 +45,7 @@
   set $styleSrc   "'unsafe-inline' 'self' ${main_domain}";
 
   # connect-src restricts URLs which can be loaded using script interfaces
-  set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
+  set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
 
   # fonts can be loaded from data-URLs or the main domain
   set $fontSrc    "'self' data: ${main_domain}";
@@ -75,10 +75,15 @@
   # the following assets are loaded via the sandbox domain
   # they unfortunately still require exceptions to the sandboxing to work correctly.
   if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
-  if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
+  if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
 
   # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
   if ($host != $sandbox_domain) { set $unsafe 0; }
+  # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
+  # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
+  # the use of some modern APIs that we require when javascript is run in a cross-origin context.
+  # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
+  if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
 
   # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
   if ($unsafe) {

templates/etc/nginx/sites-available/framadate.j2

@@ -1,5 +1,11 @@
 {% extends "core.j2" %}
 
+{% block root %}
+  root {{ nginx_www_dir }}{{ item.root }};
+  index {{ item.index }};
+  try_files {{ item.override_try_files | default('$uri $uri/ /index.php') }};
+{% endblock %}
+
 {% block  location %}
 
 ## LOCATIONS
@@ -29,8 +35,8 @@
 
   location /admin/ {
     auth_basic           "closed site";
-    auth_basic_user_file {{ nginx_www_dir }}/{{ item.root }}/admin/.htpasswd;
-  	
+    auth_basic_user_file {{ nginx_www_dir }}{{ item.root }}/admin/.htpasswd;
+
     location ~ \.php$ {
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 		  include /etc/nginx/fastcgi_params;
@@ -41,11 +47,11 @@
   }
 
   location ~ \.php$ {
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_index index.php;
-    include /etc/nginx/fastcgi_params;
-    fastcgi_pass unix:{{ pool_listen }};
+  {% if item.upstream_params is defined and item.upstream_params is iterable %}
+  {% for param in item.upstream_params %}
+      {{ param }}
+  {% endfor %}
+  {% endif %}
   }
 
 {% endblock %}
-

templates/etc/nginx/sites-available/pleroma.j2

@@ -0,0 +1,31 @@
+{% extends "core.j2" %}
+
+{% block extra_upstreams %}
+
+proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
+  inactive=720m use_temp_path=off;
+
+upstream phoenix {
+  server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
+}
+{% endblock %}
+
+{% block location %}
+
+  location / {
+    proxy_pass http://phoenix;
+  }
+
+  location ~ ^/(media|proxy) {
+    proxy_cache        pleroma_media_cache;
+    slice              1m;
+    proxy_cache_key    $host$uri$is_args$args$slice_range;
+    proxy_set_header   Range $slice_range;
+    proxy_cache_valid  200 206 301 304 1h;
+    proxy_cache_lock   on;
+    proxy_ignore_client_abort on;
+    proxy_buffering    on;
+    chunked_transfer_encoding on;
+    proxy_pass         http://phoenix;
+  }
+  {% endblock %}