Merge from staging (#65)

Main changes:
  - Rewritten way of creating HTTPS hosts. Prevents creating HTTPS vhost without existing certificate.
  - Break out conditions into a list.

Co-authored-by: meaz <meaz@disroot.org>
Reviewed-on: #65
Reviewed-by: meaz <meaz@no-reply@disroot.org>

tasks/main.yml

@@ -7,10 +7,10 @@
   include_tasks: config.yml
 
 - name: "[NGINX] - Set SSL configuration"
-  include: ssl.yml
+  include_tasks: ssl.yml
 
 - name: '[NGINX] - Deploy TOR for onion hidden services'
-  include: tor.yml
+  include_tasks: tor.yml
   when: enable_tor == 'true'
 
 - name: '[NGINX] - Create onion addresses'

tasks/vhost.yml

@@ -3,19 +3,44 @@
   slurp:
     src: "/var/lib/tor/{{ item.name }}/hostname"
   register: "onion_address"
-  when:  item.onion is defined and item.onion == 'true'
+  when:  
+    - item.onion is defined
+    - item.onion == 'true'
 
 - name: "[NGINX] - Set fact"
   set_fact:
     enable_tor: 'false'
+    
+- name: "[NGINX] - Check if the certificate for the vhost exists"
+  stat:
+    path: '{{ nginx_ssl_dir }}/{{ item.name }}/privkey.pem'
+  register: cert_exists
+  when:
+    - item.ssl_name is defined
 
-- name: "[NGINX] - Create vhosts"
+- name: "[NGINX] - Create HTTPS vhosts"
   template:
     src: etc/nginx/sites-available/{{ item.template }}.j2
     dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
   notify:
       - reload nginx
-  when: item.state is defined and item.state != 'delete'
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists 
+    - item.state is defined 
+    - item.state != 'delete'
+
+- name: "[NGINX] - Create HTTP vhosts"
+  template:
+    src: etc/nginx/sites-available/{{ item.template }}.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined 
+    - item.state != 'delete'
 
 - name: "[NGINX] - Delete vhosts"
   file:
@@ -23,16 +48,35 @@
     state: absent
   notify:
       - reload nginx
-  when: item.state is defined and item.state == 'delete'
+  when: 
+    - item.state is defined
+    - item.state == 'delete'
 
-- name: "[NGINX] - Enable vhosts"
+- name: "[NGINX] - Enable HTTPS vhosts"
   file:
     src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
     dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
     state: link
   notify:
       - reload nginx
-  when: item.state is defined and item.state == 'enable'
+  when:
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state == 'enable'
+
+- name: "[NGINX] - Enable HTTP vhosts"
+  file:
+    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
+    state: link
+  notify:
+      - reload nginx
+  when:
+    - item.ssl_name is not defined 
+    - item.state is defined
+    - item.state == 'enable'
 
 - name: "[NGINX] - Disable vhosts"
   file:
@@ -40,7 +84,10 @@
     state: absent
   notify:
       - reload nginx
-  when: item.state is defined and (item.state == 'disable' or item.state == 'delete')
+  when: 
+    - item.state is defined
+    - item.state == 'disable' 
+    - item.state == 'delete'
 
 - name: "[NGINX] - Delete default vhost when explicitely defined"
   file:
@@ -50,10 +97,30 @@
     - reload nginx
   when: nginx_default_vhost is not none
 
-- name: "[NGINX] - Create maintenance vhosts"
+- name: "[NGINX] - Create HTTPS maintenance vhosts"
   template:
     src: etc/nginx/sites-available/maintenance.j2
     dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
   notify:
       - reload nginx
-  when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true') 
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 
+
+- name: "[NGINX] - Create HTTP maintenance vhosts"
+  template:
+    src: etc/nginx/sites-available/maintenance.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 

templates/etc/nginx/sites-available/basephp.j2

@@ -10,14 +10,6 @@
     try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
   }
 {% endblock %}
-{% block app_root_location %}
-{% endblock %}
-
-{% block extra_locations %}
-{% endblock %}
-
-{% block custom_locations %}
-{% endblock %}
 
 {% block local_content %}
 {% if item.manage_local_content is not defined %}

templates/etc/nginx/sites-available/core.j2

@@ -95,6 +95,9 @@ server {
   add_header X-Robots-Tag "{{ item.header_robots | default('none') }}";
 {% endif %}
 {% endif %}
+{% if item.header_frame_ancestors is defined and item.header_frame_ancestors == 'true' %}
+  add_header Content-Security-Policy "frame-ancestors 'self';";
+{% endif %}
 {% endblock %}
 
 {% block location %}

templates/etc/nginx/sites-available/cryptpad.j2

@@ -1,124 +1,135 @@
+# SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
 {% extends "core.j2" %}
 
 {% block app_specific %}
-  # CryptPad serves static assets over these two domains.
-  # `main_domain` is what users will enter in their address bar.
-  # Privileged computation such as key management is handled in this scope
-  # UI content is loaded via the `sandbox_domain`.
-  # "Content Security Policy" headers prevent content loaded via the sandbox
-  # from accessing privileged information.
-  # These variables must be different to take advantage of CryptPad's sandboxing techniques.
-  # In the event of an XSS vulnerability in CryptPad's front-end code
-  # this will limit the amount of information accessible to attackers.
-  set $main_domain "{{ item.ssl_name }}";
-  set $sandbox_domain "sandbox.{{ item.ssl_name }}";
 
-  # By default CryptPad allows remote domains to embed CryptPad documents in iframes.
-  # This behaviour can be blocked by changing $allowed_origins from "*" to the
-  # sandbox domain, which must be permitted to load content from the main domain
-  # in order for CryptPad to work as expected.
-  #
-  # An example is given below which can be uncommented if you want to block
-  # remote sites from including content from your server
-  set $allowed_origins "*";
-  # set $allowed_origins "https://${sandbox_domain}";
+    # Include mime.types to be able to support .mjs files (see "types" below)
+    include mime.types;
 
-  # CryptPad's dynamic content (websocket traffic and encrypted blobs)
-  # can be served over separate domains. Using dedicated domains (or subdomains)
-  # for these purposes allows you to move them to a separate machine at a later date
-  # if you find that a single machine cannot handle all of your users.
-  # If you don't use dedicated domains, this can be the same as $main_domain
-  # If you do, they can be added as exceptions to any rules which block connections to remote domains.
-  # You can find these variables referenced below in the relevant places.
-  set $api_domain "{{ item.ssl_name }}";
-  set $files_domain "{{ item.ssl_name }}";
+    # CryptPad serves static assets over these two domains.
+    # `main_domain` is what users will enter in their address bar.
+    # Privileged computation such as key management is handled in this scope
+    # UI content is loaded via the `sandbox_domain`.
+    # "Content Security Policy" headers prevent content loaded via the sandbox
+    # from accessing privileged information.
+    # These variables must be different to take advantage of CryptPad's sandboxing techniques.
+    # In the event of an XSS vulnerability in CryptPad's front-end code
+    # this will limit the amount of information accessible to attackers.
+    set $main_domain "{{ item.ssl_name }}";
+    set $sandbox_domain "sandbox.{{ item.ssl_name }}";
 
-  add_header Access-Control-Allow-Origin "${allowed_origins}";
+    # By default CryptPad forbids remote domains from embedding CryptPad documents in iframes.
+    # The sandbox domain must always be permitted in order for the platform to function.
+    # If you wish to enable remote embedding you may change the value below to "*"
+    # as per the commented value.
+    set $allowed_origins "https://${sandbox_domain}";
+    #set $allowed_origins "*";
 
-  #set $coop '';
- #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
+    # CryptPad's dynamic content (websocket traffic and encrypted blobs)
+    # can be served over separate domains. Using dedicated domains (or subdomains)
+    # for these purposes allows you to move them to a separate machine at a later date
+    # if you find that a single machine cannot handle all of your users.
+    # If you don't use dedicated domains, this can be the same as $main_domain
+    # If you do, they can be added as exceptions to any rules which block connections to remote domains.
+    # You can find these variables referenced below in the relevant places
+    set $api_domain "{{ item.ssl_name }}";
+    set $files_domain "{{ item.ssl_name }}";
 
-  # Opt out of Google's FLoC Network
-  add_header Permissions-Policy interest-cohort=();
+    add_header Access-Control-Allow-Origin "${allowed_origins}";
+    add_header Access-Control-Allow-Credentials true;
+    # add_header X-Frame-Options "SAMEORIGIN";
 
-  # Enable SharedArrayBuffer in Firefox (for .xlsx export)
-  add_header Cross-Origin-Resource-Policy cross-origin;
-  add_header Cross-Origin-Embedder-Policy require-corp;
+    # Opt out of Google's FLoC Network
+    add_header Permissions-Policy interest-cohort=();
 
-  # This rule overrides the above caching directive and makes things somewhat less efficient.
-  # We had inverted them as an optimization, but Safari 16 introduced a bug that interpreted
-  # some important headers incorrectly when loading these files from cache.
-  # This is why we can't have nice things :(
-  if ($uri ~ ^(\/|.*\/|.*\.html)$) {
-      set $cacheControl no-cache;
-  }
-  if ($args ~ ver=) {
-    set $cacheControl max-age=31536000;
-  }
+    # Enable SharedArrayBuffer in Firefox (for .xlsx export)
+    add_header Cross-Origin-Resource-Policy cross-origin;
+    add_header Cross-Origin-Embedder-Policy require-corp;
 
-  # Will not set any header if it is emptystring
-  add_header Cache-Control $cacheControl;
+    # any static assets loaded with "ver=" in their URL will be cached for a year
+    if ($args ~ ver=) {
+        set $cacheControl max-age=31536000;
+    }
+    # This rule overrides the above caching directive and makes things somewhat less efficient.
+    # We had inverted them as an optimization, but Safari 16 introduced a bug that interpreted
+    # some important headers incorrectly when loading these files from cache.
+    # This is why we can't have nice things :(
+    if ($uri ~ ^(\/|.*\/|.*\.html)$) {
+        set $cacheControl no-cache;
+    }
 
-  # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
-  set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";
+    # Will not set any header if it is emptystring
+    add_header Cache-Control $cacheControl;
 
-  # connect-src restricts URLs which can be loaded using script interfaces
-  # if you have configured your instance to use a dedicated $files_domain or $api_domain
-  # you will need to add them below as: https://${files_domain} and https://${api_domain}
-  set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
+    # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
+    set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";
 
-  # fonts can be loaded from data-URLs or the main domain
-  set $fontSrc    "'self' data: https://${main_domain}";
+    # connect-src restricts URLs which can be loaded using script interfaces
+    # if you have configured your instance to use a dedicated $files_domain or $api_domain
+    # you will need to add them below as: https://${files_domain} and https://${api_domain}
+    set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
 
-  # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
-  set $imgSrc     "'self' data: blob: https://${main_domain}";
+    # fonts can be loaded from data-URLs or the main domain
+    set $fontSrc    "'self' data: https://${main_domain}";
 
-  # frame-src specifies valid sources for nested browsing contexts.
-  # this prevents loading any iframes from anywhere other than the sandbox domain
-  set $frameSrc   "'self' https://${sandbox_domain} blob:";
+    # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
+    set $imgSrc     "'self' data: blob: https://${main_domain}";
 
-  # specifies valid sources for loading media using video or audio
-  set $mediaSrc   "blob:";
+    # frame-src specifies valid sources for nested browsing contexts.
+    # this prevents loading any iframes from anywhere other than the sandbox domain
+    set $frameSrc   "'self' https://${sandbox_domain} blob:";
 
-  # defines valid sources for webworkers and nested browser contexts
-  # deprecated in favour of worker-src and frame-src
-  set $childSrc   "https://${main_domain}";
+    # specifies valid sources for loading media using video or audio
+    set $mediaSrc   "blob:";
 
-  # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
-  # supercedes child-src but is unfortunately not yet universally supported.
-  set $workerSrc  "'self'";
+    # defines valid sources for webworkers and nested browser contexts
+    # deprecated in favour of worker-src and frame-src
+    set $childSrc   "https://${main_domain}";
 
-  # script-src specifies valid sources for javascript, including inline handlers
-  set $scriptSrc  "'self' resource: https://${main_domain}";
+    # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
+    # supercedes child-src but is unfortunately not yet universally supported.
+    set $workerSrc  "'self'";
 
-  # frame-ancestors specifies which origins can embed your CryptPad instance
-  # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
-  # if you have enabled remote embedding via the admin panel then this must be more permissive.
-  # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
-  set $frameAncestors "'self' {{ item.frameancestors | default('https://${main_domain}:') }}";
-  # set $frameAncestors "'self' https: vector:";
+    # script-src specifies valid sources for javascript, including inline handlers
+    set $scriptSrc  "'self' resource: https://${main_domain}";
 
-  set $unsafe 0;
-  # the following assets are loaded via the sandbox domain
-  # they unfortunately still require exceptions to the sandboxing to work correctly.
-  if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
-  if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
+    # frame-ancestors specifies which origins can embed your CryptPad instance
+    # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
+    # if you have enabled remote embedding via the admin panel then this must be more permissive.
+    # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
+    set $frameAncestors "'self' {{ item.frameancestors | default('https://${main_domain}:') }}";
+    # set $frameAncestors "'self' https: vector:";
 
-  # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
-  if ($host != $sandbox_domain) { set $unsafe 0; }
-  # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
-  # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
-  # the use of some modern APIs that we require when javascript is run in a cross-origin context.
-  # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
-  if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
+    set $unsafe 0;
+    # the following assets are loaded via the sandbox domain
+    # they unfortunately still require exceptions to the sandboxing to work correctly.
+    if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
+    if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
 
-  # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
-  if ($unsafe) {
-    set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
-  }
+    # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
+    if ($host != $sandbox_domain) { set $unsafe 0; }
+    # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
+    # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
+    # the use of some modern APIs that we require when javascript is run in a cross-origin context.
+    # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
+    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
+
+    # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
+    if ($unsafe) {
+        set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
+    }
+
+    # Finally, set all the rules you composed above.
+    add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+
+    # Add support for .mjs files used by pdfjs
+    types {
+        application/javascript mjs;
+    }
 
-  # Finally, set all the rules you composed above.
-  add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
 {% endblock %}
 
 {% block root %}
@@ -127,97 +138,90 @@
     index index.html;
     error_page 404 /customize.dist/404.html;
 
-    # Finally, serve anything the above exceptions don't govern.
-    try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
 {% endblock %}
 {% block location%}
     # The nodejs process can handle all traffic whether accessed over websocket or as static assets
     # We prefer to serve static content from nginx directly and to leave the API server to handle
     # the dynamic content that only it can manage. This is primarily an optimization
-  location ^~ /cryptpad_websocket {
-    proxy_pass http://{{ item.proxy_pass }}:3000;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    location ^~ /cryptpad_websocket {
+        # XXX
+        # static assets like blobs and blocks are served by clustered workers in the API server
+        # Websocket traffic still needs to be handled by the main process, which means it needs
+        # to be hosted on a different port. By default 3003 will be used, though this is configurable
+        # via config.websocketPort
+        proxy_pass http://{{ item.proxy_pass }}:3003;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-    # WebSocket support (nginx 1.4)
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection upgrade;
-  }
-
-  location ^~ /customize.dist/ {
-    # This is needed in order to prevent infinite recursion between /customize/ and the root
-  }
-
-  # try to load customizeable content via /customize/ and fall back to the default content
-  # located at /customize.dist/
-  # This is what allows you to override behaviour.
-  location ^~ /customize/ {
-    rewrite ^/customize/(.*)$ $1 break;
-    try_files /customize/$uri /customize.dist/$uri;
-  }
-
-  # /api/config is loaded once per page load and is used to retrieve
-  # the caching variable which is applied to every other resource
-  # which is loaded during that session.
-  location ~ ^/api/.*$ {
-    proxy_pass http://{{ item.proxy_pass }}:3000;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    # These settings prevent both NGINX and the API server
-    # from setting the same headers and creating duplicates
-    proxy_hide_header Cross-Origin-Resource-Policy;
-    add_header Cross-Origin-Resource-Policy cross-origin;
-    proxy_hide_header Cross-Origin-Embedder-Policy;
-    add_header Cross-Origin-Embedder-Policy require-corp;
-  }
-
-  # encrypted blobs are immutable and are thus cached for a year
-  location ^~ /blob/ {
-    if ($request_method = 'OPTIONS') {
-        add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-        add_header 'Access-Control-Max-Age' 1728000;
-        add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
-        add_header 'Content-Length' 0;
-        return 204;
+        # WebSocket support (nginx 1.4)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection upgrade;
     }
-    add_header X-Content-Type-Options nosniff;
-    add_header Cache-Control max-age=31536000;
-    add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
-    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
-    add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
-    try_files $uri =404;
-  }
 
-  # the "block-store" serves encrypted payloads containing users' drive keys
-  # these payloads are unlocked via login credentials. They are mutable
-  # and are thus never cached. They're small enough that it doesn't matter, in any case.
-  location ^~ /block/ {
-    add_header X-Content-Type-Options nosniff;
-    add_header Cache-Control max-age=0;
-    try_files $uri =404;
-  }
+    location ^~ /customize.dist/ {
+        # This is needed in order to prevent infinite recursion between /customize/ and the root
+    }
+    # try to load customizeable content via /customize/ and fall back to the default content
+    # located at /customize.dist/
+    # This is what allows you to override behaviour.
+    location ^~ /customize/ {
+        rewrite ^/customize/(.*)$ $1 break;
+        try_files /customize/$uri /customize.dist/$uri;
+    }
 
-{% if item.debug is defined and item.debug == 'true' %}
-  # This block provides an alternative means of loading content
-  # otherwise only served via websocket. This is solely for debugging purposes,
-  # and is thus not allowed by default.
-  location ^~ /datastore/ {
-    add_header Cache-Control max-age=0;
-    try_files $uri =404;
-  }
-{% endif %}
+    # /api/config is loaded once per page load and is used to retrieve
+    # the caching variable which is applied to every other resource
+    # which is loaded during that session.
+    location ~ ^/api/.*$ {
+        proxy_pass http://{{ item.proxy_pass }}:3000;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-  # The nodejs server has some built-in forwarding rules to prevent
-  # URLs like /pad from resulting in a 404. This simply adds a trailing slash
-  # to a variety of applications.
-  location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
-      rewrite ^(.*)$ $1/ redirect;
-  }
+        # These settings prevent both NGINX and the API server
+        # from setting the same headers and creating duplicates
+        proxy_hide_header Cross-Origin-Resource-Policy;
+        add_header Cross-Origin-Resource-Policy cross-origin;
+        proxy_hide_header Cross-Origin-Embedder-Policy;
+        add_header Cross-Origin-Embedder-Policy require-corp;
+    }
+
+    # Requests for blobs and blocks are now proxied to the API server
+    # This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
+    # or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
+    # enforce access control for them, though this is not yet implemented.
+    # Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
+    location ~ ^/(blob|block)/.*$ {
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
+            add_header 'Access-Control-Allow-Credentials' true;
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+        # Since we are proxying to the API server these headers can get duplicated
+        # so we hide them
+        proxy_hide_header 'X-Content-Type-Options';
+        proxy_hide_header 'Access-Control-Allow-Origin';
+        proxy_hide_header 'Permissions-Policy';
+        proxy_hide_header 'X-XSS-Protection';
+        proxy_hide_header 'Cross-Origin-Resource-Policy';
+        proxy_hide_header 'Cross-Origin-Embedder-Policy';
+        proxy_pass http://{{ item.proxy_pass }}:3000;
+    }
+
+    # The nodejs server has some built-in forwarding rules to prevent
+    # URLs like /pad from resulting in a 404. This simply adds a trailing slash
+    # to a variety of applications.
+    location ~ ^/(register|login|recovery|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup|diagram)$ {
+        rewrite ^(.*)$ $1/ redirect;
+    }
+
+    # Finally, serve anything the above exceptions don't govern.
+    try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
 {% endblock %}

templates/etc/nginx/sites-available/lemmy.j2

@@ -1,25 +1,42 @@
 limit_req_zone $binary_remote_addr zone={{ item.name }}_ratelimit:10m rate=1r/s;
 
 {% extends "core.j2" %}
+{% block extra_upstreams %}
+upstream lemmy {
+  server "{{ item.upstream_name }}:{{ item.lemmy_port }}";
+}
+upstream lemmy-ui {
+  server "{{ item.upstream_name }}:{{ item.lemmy_ui_port }}";
+}
+{% endblock %}
+{% block headers %}
+
+# Various content security headers
+  add_header Referrer-Policy "same-origin";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-Frame-Options "DENY";
+  add_header X-XSS-Protection "1; mode=block";
+
+{% endblock %}
 
 {% block location %}
+
 # frontend
 location / {
   # The default ports:
   # lemmy_ui_port: 1235
   # lemmy_port: 8536
 
-  set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_ui_port }};
-  if ($http_accept = "application/activity+json") {
-    set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
+  set $proxpass "{{ item.upstream_proto }}://lemmy-ui";
+
+  if ($http_accept ~ "application/activity+json") {
+    set $proxpass "{{ item.upstream_proto }}://lemmy";
   }
-  if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
-     set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
-  }
-  if ($request_method = POST) {
-    set $proxpass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
+  if ($request_method = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+    set $proxpass "{{ item.upstream_proto }}://lemmy";
   }
   proxy_pass $proxpass;
+
   rewrite ^(.+)/+$ $1 permanent;
 
   # Send actual client IP upstream
@@ -29,57 +46,20 @@ location / {
   }
 
 # backend
-location ~ ^/(api|feeds|nodeinfo|.well-known) {
-  proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
+location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
+  proxy_pass {{ item.upstream_proto }}://lemmy;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
 
   # Rate limit
-  limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
+  #limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
 
   # Add IP forwarding headers
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header Host $host;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
-{% if lemmy_pictrs_deploy == true %}
-  # pictrs only - for adding browser cache control.
-  location ~ ^/(pictrs) {
-      # allow browser cache, images never update, we can apply long term cache
-      expires 120d;
-      add_header Pragma "public";
-      add_header Cache-Control "public";
-
-      proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ lemmy_port }};
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-
-      # Rate limit
-      limit_req zone={{ item.name }}_ratelimit burst=30 nodelay;
-
-      # Add IP forwarding headers
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-  # Redirect pictshare images to pictrs
-  location ~ /pictshare/(.*)$ {
-    return 301 /pictrs/image/$1;
-  }
-{% endif %}
-
 {% endblock %}
 
-# Anonymize IP addresses
-# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
-map $remote_addr $remote_addr_anon {
-  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
-  ~(?P<ip>[^:]+:[^:]+):       $ip::;
-  127.0.0.1                   $remote_addr;
-  ::1                         $remote_addr;
-  default                     {{ item.upstream_name }};
-}
 

templates/etc/nginx/sites-available/movim.j2

@@ -0,0 +1,81 @@
+
+{% if item.pic_cache is defined and item.pic_cache == 'true' %}
+fastcgi_cache_path /tmp/nginx_cache levels=1:2 keys_zone=nginx_cache:100m inactive=60m;
+fastcgi_cache_key "$scheme$request_method$host$request_uri";
+{% endif %}
+{% extends "core.j2" %}
+
+{% block root %}
+  root {{ nginx_www_dir }}{{ item.root }};
+  index index.php;
+{% endblock %}
+
+
+{% block location %}
+## LOCATIONS
+
+{% if item.proxy == 'true' %}
+  location / {
+    proxy_pass  {{ item.proto }}://{{ item.upstream_name }}:{{ item.listen }};
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_redirect off;
+  }
+
+{% else %}
+  location / {
+    set $no_cache 1;
+    try_files $uri $uri/ /index.php$is_args$args;
+  }
+{% endif %}
+
+  location ~ /\. {
+    deny all;
+  }
+
+  location = /favicon.ico {
+	  expires 30d;
+	  access_log off;
+	  log_not_found off;
+  }
+
+  location ~ ^/(config|temp|log)/ {
+    deny all;
+  }
+
+  location ~ \.php$ {
+    fastcgi_pass {{ item.fastcgi_pass }};
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    include fastcgi_params;
+    add_header X-Cache $upstream_cache_status;
+    fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
+    fastcgi_cache nginx_cache;
+    fastcgi_cache_valid any 7d;
+    fastcgi_cache_bypass $no_cache;
+    fastcgi_no_cache $no_cache;
+  }
+
+{% if item.ws is defined and item.ws == 'true' %}
+  location /ws/ {
+    proxy_pass {{ item.upstream_schema }}://{{ item.upstream_name }}:{{ item.upstream_port }};
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_redirect off;
+    }
+{% endif %}
+{% if item.pic_cache is defined and item.pic_cache == 'true' %}
+  location /picture {
+    set $no_cache 0; 
+    try_files $uri $uri/ /index.php$is_args$args;
+  }
+{% endif %}
+
+{% endblock %}

templates/etc/nginx/sites-available/mumble-web.j2

@@ -15,7 +15,7 @@ map $http_upgrade $connection_upgrade {
   }
 
   location /server {
-    proxy_pass {{ item.proto }}://{{ item.server }}:{{ item.port }};
+    proxy_pass http://{{ item.server }}:{{ item.port }};
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";

templates/etc/nginx/sites-available/pleroma.j2

@@ -13,6 +13,11 @@ upstream phoenix {
 
   location / {
     proxy_pass http://phoenix;
+{% if item.mangane is defined and item.mangane == 'true' %}
+    proxy_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "upgrade-insecure-requests;script-src 'self';connect-src 'self' blob:     https://{{ item.name }} wss://{{ item.name }};media-src 'self' https:;img-src 'self' data: blob: https:;default-   src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src  'self';" always;
+{% endif %}
+
   }
 
   location ~ ^/(media|proxy) {

templates/etc/nginx/sites-available/searx.j2

@@ -2,6 +2,9 @@
 
 {%block root %}
   root {{ searx_app_dir }}/searx;
+{% if item.real_ip_from is defined %}
+set_real_ip_from {{ item.real_ip_from }};
+{% endif %}
 {% endblock %}
 
 {% block location %}

templates/etc/nginx/sites-available/zabbix_check.j2

@@ -1,10 +1,23 @@
 server {
-  listen 10061;
+  listen {{ item.port }};
   
-  location /nginx_status {
-    stub_status on;
+  location /basic_status {
+    stub_status;
     access_log off;
     allow 127.0.0.1;
     deny all;
   }
+{% if item.php_check is defined and item.php_check == 'true' %}
+   location ~ ^/(status|ping)$ {
+     access_log off;
+     allow 127.0.0.1;
+     deny all;
+ 
+     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+     fastcgi_index index.php;
+     include fastcgi_params;
+     fastcgi_pass unix:{{ pool_listen }};
+  }
+{% endif %}
+
 }