Merge branch 'master' into akaunting
This commit is contained in:
commit
1a32e33734
|
@ -25,7 +25,7 @@
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
|
|
||||||
set $coop '';
|
set $coop '';
|
||||||
if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
|
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
|
||||||
|
|
||||||
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
||||||
add_header Cross-Origin-Resource-Policy cross-origin;
|
add_header Cross-Origin-Resource-Policy cross-origin;
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
|
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
|
||||||
|
|
||||||
# connect-src restricts URLs which can be loaded using script interfaces
|
# connect-src restricts URLs which can be loaded using script interfaces
|
||||||
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
|
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
|
||||||
|
|
||||||
# fonts can be loaded from data-URLs or the main domain
|
# fonts can be loaded from data-URLs or the main domain
|
||||||
set $fontSrc "'self' data: ${main_domain}";
|
set $fontSrc "'self' data: ${main_domain}";
|
||||||
|
@ -75,10 +75,15 @@
|
||||||
# the following assets are loaded via the sandbox domain
|
# the following assets are loaded via the sandbox domain
|
||||||
# they unfortunately still require exceptions to the sandboxing to work correctly.
|
# they unfortunately still require exceptions to the sandboxing to work correctly.
|
||||||
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
|
||||||
if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
|
if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
|
||||||
|
|
||||||
# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
|
# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
|
||||||
if ($host != $sandbox_domain) { set $unsafe 0; }
|
if ($host != $sandbox_domain) { set $unsafe 0; }
|
||||||
|
# this iframe is an exception. Office file formats are converted outside of the sandboxed scope
|
||||||
|
# because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
|
||||||
|
# the use of some modern APIs that we require when javascript is run in a cross-origin context.
|
||||||
|
# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
|
||||||
|
if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
|
||||||
|
|
||||||
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
||||||
if ($unsafe) {
|
if ($unsafe) {
|
||||||
|
|
|
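Review bot: The rewritten pattern in the third hunk, `^\/common\/onlyoffice\/.*\/.*\.html.*$`, widens the `$unsafe 1` exception from the OnlyOffice `index.html` to every `.html` file below `/common/onlyoffice/`, so any HTML page shipped in that vendored tree now runs under the relaxed policy; an alternation of the entry points that actually need it instead of `.*`, or at least a comment such as `# OnlyOffice editors load several *.html entry points, not only index.html`, would keep the privilege grant reviewable. The new `/unsafeiframe/inner.html` rule sits after the `$host != $sandbox_domain` reset, so it grants `$unsafe` on the main domain as well; the surrounding comment says this is deliberate, but an explicit `# must stay below the $host check` on that line would stop a future reorder from silently changing it. In the first hunk, if the commented-out `$coop 'same-origin'` line is the new side as the print order suggests, sheet/doc/presentation responses lose the Cross-Origin-Opener-Policy value while the SharedArrayBuffer comments remain, which deserves a one-line note on why. The `if ($unsafe) {` block continues beyond the hunk.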
@ -1,5 +1,11 @@
|
||||||
{% extends "core.j2" %}
|
{% extends "core.j2" %}
|
||||||
|
|
||||||
|
{% block root %}
|
||||||
|
root {{ nginx_www_dir }}{{ item.root }};
|
||||||
|
index {{ item.index }};
|
||||||
|
try_files {{ item.override_try_files | default('$uri $uri/ /index.php') }};
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
{% block location %}
|
{% block location %}
|
||||||
|
|
||||||
## LOCATIONS
|
## LOCATIONS
|
||||||
|
@ -29,8 +35,8 @@
|
||||||
|
|
||||||
location /admin/ {
|
location /admin/ {
|
||||||
auth_basic "closed site";
|
auth_basic "closed site";
|
||||||
auth_basic_user_file {{ nginx_www_dir }}/{{ item.root }}/admin/.htpasswd;
|
auth_basic_user_file {{ nginx_www_dir }}{{ item.root }}/admin/.htpasswd;
|
||||||
|
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
include /etc/nginx/fastcgi_params;
|
include /etc/nginx/fastcgi_params;
|
||||||
|
@ -41,11 +47,11 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
{% if item.upstream_params is defined and item.upstream_params is iterable %}
|
||||||
fastcgi_index index.php;
|
{% for param in item.upstream_params %}
|
||||||
include /etc/nginx/fastcgi_params;
|
{{ param }}
|
||||||
fastcgi_pass unix:{{ pool_listen }};
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
}
|
}
|
||||||
|
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
|
|
|
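Review bot: With the `location ~ \.php$` body now generated solely from `{% for param in item.upstream_params %}`, an item that omits `upstream_params` (or passes a non-iterable) renders an empty location, and nginx then serves `*.php` files from `root` as static content, exposing PHP source. The guard should fail closed, e.g. `{% else %}` followed by `return 404;` before `{% endif %}`, or fall back to the previous `fastcgi_pass unix:{{ pool_listen }};` directive set. The nested `\.php$` location under `/admin/` in the earlier hunk still carries its own hard-coded `fastcgi_param`/`include`, so only the top-level one is affected as far as this page shows. The enclosing server block starts outside the hunk.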
@ -0,0 +1,31 @@
|
||||||
|
{% extends "core.j2" %}
|
||||||
|
|
||||||
|
{% block extra_upstreams %}
|
||||||
|
|
||||||
|
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g
|
||||||
|
inactive=720m use_temp_path=off;
|
||||||
|
|
||||||
|
upstream phoenix {
|
||||||
|
server 127.0.0.1:4000 max_fails=5 fail_timeout=60s;
|
||||||
|
}
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
|
{% block location %}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://phoenix;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^/(media|proxy) {
|
||||||
|
proxy_cache pleroma_media_cache;
|
||||||
|
slice 1m;
|
||||||
|
proxy_cache_key $host$uri$is_args$args$slice_range;
|
||||||
|
proxy_set_header Range $slice_range;
|
||||||
|
proxy_cache_valid 200 206 301 304 1h;
|
||||||
|
proxy_cache_lock on;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
proxy_buffering on;
|
||||||
|
chunked_transfer_encoding on;
|
||||||
|
proxy_pass http://phoenix;
|
||||||
|
}
|
||||||
|
{% endblock %}
|
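Review bot: `proxy_cache_path /tmp/pleroma-media-cache ...` places a `max_size=10g` cache in a world-writable, tmp-cleaner-managed directory; a dedicated path owned by the nginx user, e.g. `proxy_cache_path /var/cache/nginx/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g`, keeps the cache from being pruned or shared with other local users. Both `proxy_pass http://phoenix;` locations forward without `proxy_set_header Host`, `X-Forwarded-For` or `X-Forwarded-Proto`; if `core.j2` does not supply those, the upstream cannot see the client address or scheme. The key `$host$uri$is_args$args$slice_range` ignores cookies and authorization, which is fine for the public `/media` and `/proxy` routes, so a comment like `# cache is keyed without credentials: only public routes belong here` would record that assumption for the next maintainer.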