Merge branch 'master' into akaunting
commit
44a9e5e7f4
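--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,54 @@
+{% extends "core.j2" %}
+
+{% block root %}
+root {{ nginx_www_dir }}{{ item.root }};
+index {{ item.index }};
+{% endblock %}
+
+{% block location %}
+location / {
+try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
+}
+{% endblock %}
+{% block app_root_location %}
+{% endblock %}
+
+{% block extra_locations %}
+{% endblock %}
+
+{% block custom_locations %}
+{% endblock %}
+
+{% block local_content %}
+{% if item.manage_local_content is not defined %}
+# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~ /\. {
+deny all;
+}
+
+{% if item.favicon is defined %}
+location /favicon.ico {
+alias {{ item.favicon }};
+expires 30d;
+access_log off;
+log_not_found off;
+}
+{% endif %}
+
+location ~* \.(txt|js|css|png|jpe?g|gif|ico|svg)$ {
+expires 30d;
+log_not_found off;
+}
+{% endif %}
+{% endblock %}
+{% block app_specific %}
+location ~ \.php$ {
+{% if item.upstream_params is defined and item.upstream_params is iterable %}
+{% for param in item.upstream_params %}
+{{ param }}
+{% endfor %}
+{% endif %}
+}
+{% endblock %}
+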
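Review bot: When `item.upstream_params` is undefined or not iterable, the `location ~ \.php$ { }` block in `app_specific` renders with no handler directive at all, and nginx would then fall back to serving matching `.php` files from `root` as static content, which discloses application source. Either wrap the whole location in the `{% if %}` or give the empty case an explicit deny, e.g. `{% else %}` followed by `return 404;` before the closing brace. The hidden-file guard `location ~ /\. { deny all; }` will also block `/.well-known/` (ACME challenges); if that path is served here, exclude it with `location ~ /\.(?!well-known)`.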
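--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -57,10 +57,10 @@ server {
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy {{ item.referrer | default('no-referrer') }};
+{% endif %}
 {% if item.header_sameorigin is defined %}
 add_header X-Frame-Options "SAMEORIGIN";
 {% endif %}
-{% endif %}
 {% if item.nginx_HSTS_policy is defined %}
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 {% endif %}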
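Review bot: The `{% if item.nginx_HSTS_policy is defined %}` guard only tests that the variable exists and then emits a fixed `max-age=63072000; includeSubDomains; preload` value, so the name suggests a configurable policy that the template does not honour; a comment such as `{# nginx_HSTS_policy is a switch only; the value is fixed and opts into preload, which is hard to revert for subdomains #}` would make that explicit. Moving the `{% endif %}` above the `header_sameorigin` block now makes X-Frame-Options independent of the outer guard, whose opening `{% if %}` lies outside this hunk. Note also that nginx drops all `server`-level `add_header` directives in any `location` that declares its own `add_header`, so the location blocks in the application templates must repeat these headers (or `include` them) to keep them effective.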
@ -24,13 +24,16 @@
|
||||||
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
|
|
||||||
set $coop '';
|
#set $coop '';
|
||||||
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
|
#if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
|
||||||
|
|
||||||
|
# Opt out of Google's FLoC Network
|
||||||
|
add_header Permissions-Policy interest-cohort=();
|
||||||
|
|
||||||
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
# Enable SharedArrayBuffer in Firefox (for .xlsx export)
|
||||||
add_header Cross-Origin-Resource-Policy cross-origin;
|
add_header Cross-Origin-Resource-Policy cross-origin;
|
||||||
add_header Cross-Origin-Opener-Policy $coop;
|
|
||||||
add_header Cross-Origin-Embedder-Policy require-corp;
|
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||||
|
|
||||||
# any static assets loaded with "ver=" in their URL will be cached for a year
|
# any static assets loaded with "ver=" in their URL will be cached for a year
|
||||||
if ($args ~ ver=) {
|
if ($args ~ ver=) {
|
||||||
set $cacheControl max-age=31536000;
|
set $cacheControl max-age=31536000;
|
||||||
|
@ -42,23 +45,24 @@
|
||||||
add_header Cache-Control $cacheControl;
|
add_header Cache-Control $cacheControl;
|
||||||
|
|
||||||
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
|
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
|
||||||
set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
|
set $styleSrc "'unsafe-inline' 'self' https://${main_domain}";
|
||||||
|
|
||||||
# connect-src restricts URLs which can be loaded using script interfaces
|
# connect-src restricts URLs which can be loaded using script interfaces
|
||||||
set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
|
set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
|
||||||
|
|
||||||
# fonts can be loaded from data-URLs or the main domain
|
# fonts can be loaded from data-URLs or the main domain
|
||||||
set $fontSrc "'self' data: ${main_domain}";
|
set $fontSrc "'self' data: https://${main_domain}";
|
||||||
|
|
||||||
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
|
# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
|
||||||
set $imgSrc "'self' data: * blob: ${main_domain}";
|
set $imgSrc "'self' data: blob: https://${main_domain}";
|
||||||
|
|
||||||
# frame-src specifies valid sources for nested browsing contexts.
|
# frame-src specifies valid sources for nested browsing contexts.
|
||||||
# this prevents loading any iframes from anywhere other than the sandbox domain
|
# this prevents loading any iframes from anywhere other than the sandbox domain
|
||||||
set $frameSrc "'self' ${sandbox_domain} blob:";
|
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
||||||
|
|
||||||
# specifies valid sources for loading media using video or audio
|
# specifies valid sources for loading media using video or audio
|
||||||
set $mediaSrc "'self' data: * blob: ${main_domain}";
|
#set $mediaSrc "'self' data: * blob: ${main_domain}";
|
||||||
|
set $mediaSrc "blob:";
|
||||||
|
|
||||||
# defines valid sources for webworkers and nested browser contexts
|
# defines valid sources for webworkers and nested browser contexts
|
||||||
# deprecated in favour of worker-src and frame-src
|
# deprecated in favour of worker-src and frame-src
|
||||||
|
@ -66,10 +70,10 @@
|
||||||
|
|
||||||
# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
|
# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
|
||||||
# supercedes child-src but is unfortunately not yet universally supported.
|
# supercedes child-src but is unfortunately not yet universally supported.
|
||||||
set $workerSrc "https://${main_domain}";
|
set $workerSrc "'self'";
|
||||||
|
|
||||||
# script-src specifies valid sources for javascript, including inline handlers
|
# script-src specifies valid sources for javascript, including inline handlers
|
||||||
set $scriptSrc "'self' resource: ${main_domain}";
|
set $scriptSrc "'self' resource: https://${main_domain}";
|
||||||
|
|
||||||
set $unsafe 0;
|
set $unsafe 0;
|
||||||
# the following assets are loaded via the sandbox domain
|
# the following assets are loaded via the sandbox domain
|
||||||
|
@ -87,7 +91,7 @@
|
||||||
|
|
||||||
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
|
||||||
if ($unsafe) {
|
if ($unsafe) {
|
||||||
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
|
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Finally, set all the rules you composed above.
|
# Finally, set all the rules you composed above.
|
||||||
|
|
|
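Review bot: The comment `# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking` no longer matches the new `set $imgSrc "'self' data: blob: https://${main_domain}";`, which drops the `*` wildcard; replace it with `# images may be inline (data:/blob:), same-origin, or from the main domain; the wildcard was removed to limit tracking images`. The same hunk leaves the old `set $mediaSrc` as a commented-out directive next to the new `set $mediaSrc "blob:";`, which reads as dead configuration and should be removed or explained. Separately, `connect-src` no longer lists `https://${api_domain}`, bare `${api_domain}` or `${files_domain}`; if the application still fetches from the API domain over https or from the files domain at all, those requests will now be blocked by the policy, which should be confirmed against the origin definitions outside these hunks.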
@ -2,7 +2,7 @@
|
||||||
{% block root %}
|
{% block root %}
|
||||||
root {{ nginx_www_dir }}{{ item.root }};
|
root {{ nginx_www_dir }}{{ item.root }};
|
||||||
index {{ item.index }};
|
index {{ item.index }};
|
||||||
try_files {{ item.override_try_files | default('$uri $uri/ /index.php') }};
|
try_files {{ item.override_try_files | default('try_files $uri $uri/ /index.php$is_args$args') }};
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% block location %}
|
{% block location %}
|
||||||
|
@ -28,22 +28,7 @@
|
||||||
|
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
{% block extra_upstreams %}
|
|
||||||
map $http_user_agent $pastebin_badagent {
|
|
||||||
~*bot 1;
|
|
||||||
~*spider 1;
|
|
||||||
~*crawl 1;
|
|
||||||
~https?:// 1;
|
|
||||||
WhatsApp 1;
|
|
||||||
SkypeUriPreview 1;
|
|
||||||
facebookexternalhit 1;
|
|
||||||
}
|
|
||||||
{% endblock %}
|
|
||||||
|
|
||||||
{% block app_specific %}
|
{% block app_specific %}
|
||||||
if ($pastebin_badagent) {
|
|
||||||
return 403;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /cfg {
|
location /cfg {
|
||||||
return 403;
|
return 403;
|
||||||
|
@ -52,4 +37,12 @@ map $http_user_agent $pastebin_badagent {
|
||||||
location /data {
|
location /data {
|
||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
|
{% if item.file_cache is defined and item.file_cache is iterable %}
|
||||||
|
{% for param in item.file_cache %}
|
||||||
|
open_file_cache {{ param.cache }};
|
||||||
|
open_file_cache_valid {{ param.valid }};
|
||||||
|
open_file_cache_min_uses {{ param.min_users }};
|
||||||
|
open_file_cache_errors {{ param.cache_errors }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
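Review bot: The new default in `try_files {{ item.override_try_files | default('try_files $uri $uri/ /index.php$is_args$args') }};` repeats the directive name inside the value, so without an override nginx receives `try_files try_files $uri $uri/ /index.php$is_args$args;` and probes a literal file named `try_files` before the intended candidates; the default should be `'$uri $uri/ /index.php$is_args$args'`, matching the `'$uri $uri/ =404'` form used in the new template in this commit. In the `file_cache` loop, `open_file_cache_min_uses {{ param.min_users }};` reads a key named `min_users` for a directive about uses; if that is not the inventory's established key it is a typo that, depending on the Jinja undefined setting, renders an invalid empty directive or fails the play. The blocks these hunks modify start outside the page.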