Merge branch 'master' into vhost_headers_update
commit
9e5bbabf68
|
@ -46,12 +46,13 @@
|
|||
add_header Cross-Origin-Embedder-Policy require-corp;
|
||||
|
||||
# any static assets loaded with "ver=" in their URL will be cached for a year
|
||||
if ($uri ~ ^(\/|.*\/|.*\.html)$) {
|
||||
set $cacheControl no-cache;
|
||||
}
|
||||
if ($args ~ ver=) {
|
||||
set $cacheControl max-age=31536000;
|
||||
}
|
||||
if ($uri ~ ^/.*(\/|\.html)$) {
|
||||
set $cacheControl no-cache;
|
||||
}
|
||||
|
||||
# Will not set any header if it is emptystring
|
||||
add_header Cache-Control $cacheControl;
|
||||
|
||||
|
@ -74,7 +75,6 @@
|
|||
set $frameSrc "'self' https://${sandbox_domain} blob:";
|
||||
|
||||
# specifies valid sources for loading media using video or audio
|
||||
#set $mediaSrc "'self' data: * blob: ${main_domain}";
|
||||
set $mediaSrc "blob:";
|
||||
|
||||
# defines valid sources for webworkers and nested browser contexts
|
||||
|
@ -92,7 +92,7 @@
|
|||
# this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
|
||||
# if you have enabled remote embedding via the admin panel then this must be more permissive.
|
||||
# note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
|
||||
set $frameAncestors "'self' https://${main_domain}";
|
||||
set $frameAncestors "'self' {{ item.frameancestors | default('https://${main_domain}:') }}";
|
||||
# set $frameAncestors "'self' https: vector:";
|
||||
|
||||
set $unsafe 0;
|
||||
|
@ -125,9 +125,12 @@
|
|||
error_page 404 /customize.dist/404.html;
|
||||
|
||||
# Finally, serve anything the above exceptions don't govern.
|
||||
try_files /www/$uri /www/$uri/index.html /customize/$uri;
|
||||
try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
|
||||
{% endblock %}
|
||||
{% block location%}
|
||||
# The nodejs process can handle all traffic whether accessed over websocket or as static assets
|
||||
# We prefer to serve static content from nginx directly and to leave the API server to handle
|
||||
# the dynamic content that only it can manage. This is primarily an optimization
|
||||
location ^~ /cryptpad_websocket {
|
||||
proxy_pass http://{{ item.proxy_pass }}:3000;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
@ -211,7 +214,7 @@
|
|||
# The nodejs server has some built-in forwarding rules to prevent
|
||||
# URLs like /pad from resulting in a 404. This simply adds a trailing slash
|
||||
# to a variety of applications.
|
||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert)$ {
|
||||
location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
|
||||
rewrite ^(.*)$ $1/ redirect;
|
||||
}
|
||||
{% endblock %}
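Review bot: The templated default for `$frameAncestors` in the `@ -92,7 +92,7 @@` hunk ends in a stray colon: `default('https://${main_domain}:')` renders a host-source with an empty port, which browsers are likely to discard as an invalid CSP source expression. That would leave only `'self'` in effect, while the comment just above says the main domain over HTTPS must be listed for CryptPad to work. I would drop the colon, `set $frameAncestors "'self' {{ item.frameancestors | default('https://${main_domain}') }}";`, and add a comment that `item.frameancestors` is pasted verbatim into a quoted nginx string, so it must be a space-separated list of CSP sources without double quotes or semicolons. The `add_header` that emits this variable lies outside the visible hunks.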
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
{% extends "core.j2" %}
|
||||
|
||||
{% block root %}
|
||||
root {{ item.root }};
|
||||
index {{ item.index }};
|
||||
{% endblock %}
|
||||
|
||||
{% block location %}
|
||||
|
||||
## LOCATIONS
|
||||
location / {
|
||||
# Add cache for static files
|
||||
if ($request_uri ~* ^/(img|css|font|js)/) {
|
||||
add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
|
||||
add_header Cache-Control "public, max-age=315360000";
|
||||
}
|
||||
|
||||
# HTTPS only header, improves security
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
}
|
||||
{% endblock %}
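Review bot: The `add_header` pair inside `if ($request_uri ~* ^/(img|css|font|js)/)` suppresses the Strict-Transport-Security header for exactly those requests, because nginx inherits `add_header` from the enclosing level only when the current level defines none. The same rule means the `add_header` in `location /` replaces any headers set at server level in `core.j2`, which is not visible here and should be checked. I would set HSTS once at server level and express the asset caching as its own `location ~* ^/(img|css|font|js)/` that carries every header it needs, or at minimum repeat the HSTS line inside the `if` block. Adding `always`, as in `add_header Strict-Transport-Security "max-age=15768000" always;`, also covers error responses, which the current form skips.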
|
|
@ -6,14 +6,23 @@
|
|||
|
||||
{% block location %}
|
||||
location / {
|
||||
{% if item.filtron == 'true' %}
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_pass http://127.0.0.1:4004/;
|
||||
{% if item.upstream_name is defined %}
|
||||
proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ item.upstream_port }};
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Script-Name {{ searx_app_dir }};
|
||||
{% else %}
|
||||
include uwsgi_params;
|
||||
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
|
||||
uwsgi_pass unix://{{ searx_socket }};
|
||||
uwsgi_param HTTP_HOST $host;
|
||||
uwsgi_param HTTP_CONNECTION $http_connection;
|
||||
uwsgi_param HTTP_X_SCHEME $scheme;
|
||||
uwsgi_param HTTP_X_SCRIPT_NAME {{ searx_app_dir }};
|
||||
uwsgi_param HTTP_X_REAL_IP $remote_addr;
|
||||
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
|
||||
{% endif %}
|
||||
}
|
||||
{% endblock %}
|
||||
{% endblock %}
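Review bot: In the `item.upstream_name` branch, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the peer address to whatever X-Forwarded-For the client sent, so the upstream receives a list whose leading entries are client-controlled. If the searx upstream or a rate limiter in front of it keys on that header, the value cannot be trusted for throttling or logging; whether it does is not visible in this diff. When this nginx is the first hop I would overwrite rather than append, `proxy_set_header X-Forwarded-For $remote_addr;`, and do the same for `uwsgi_param HTTP_X_FORWARDED_FOR` in the `else` branch. A short comment above `proxy_pass` noting that `item.upstream_proto`, `item.upstream_name` and `item.upstream_port` come from the inventory and are rendered unvalidated would also help.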
|
||||
|
|