394 lines
10 KiB
Plaintext
394 lines
10 KiB
Plaintext
map $http_host $this_host {
|
|
"" $host;
|
|
default $http_host;
|
|
}
|
|
|
|
map $http_cloudfront_forwarded_proto $cloudfront_forwarded_proto {
|
|
default $http_cloudfront_forwarded_proto;
|
|
"" $scheme;
|
|
}
|
|
|
|
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
default $http_x_forwarded_proto;
|
|
"" $cloudfront_forwarded_proto;
|
|
}
|
|
|
|
map $http_x_forwarded_port $proxy_x_forwarded_port {
|
|
default $http_x_forwarded_port;
|
|
'' $server_port;
|
|
}
|
|
|
|
map $http_x_forwarded_host $proxy_x_forwarded_host {
|
|
default $http_x_forwarded_host;
|
|
"" $this_host;
|
|
}
|
|
|
|
map $scheme $proxy_x_forwarded_ssl {
|
|
default off;
|
|
https on;
|
|
}
|
|
|
|
map $http_upgrade $proxy_connection {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
map $uri $basename {
|
|
~/(?<captured_basename>[^/]*)$ $captured_basename;
|
|
}
|
|
|
|
map $request_uri $header_x_frame_options {
|
|
~*^/(favicon\.ico|products\/files\/share|products\/files\/saveas|products\/files\/filechoice|products\/files\/doceditor|thirdparty\/plugin) "";
|
|
default "SAMEORIGIN";
|
|
}
|
|
|
|
map $request_uri $cache_control {
|
|
default "no-cache, no-store, no-transform";
|
|
~*\/(filehandler\.ashx\?action=(thumb|preview))|\/(storage\/room_logos\/root\/|storage\/userPhotos\/root\/) "must-revalidate, no-transform, immutable, max-age=31536000";
|
|
~*\/(api\/2\.0.*|storage|login\.ashx|filehandler\.ashx|ChunkedUploader.ashx|ThirdPartyAppHandler|apisystem|sh|remoteEntry\.js|debuginfo\.md|static\/scripts\/api\.js|static\/scripts\/api\.poly\.js) "no-cache, no-store, no-transform";
|
|
~*\/(images|favicon.ico.*)|\.(js|woff|woff2|css)|(locales.*\.json) "must-revalidate, no-transform, immutable, max-age=31536000";
|
|
}
|
|
|
|
map $request_uri $content_security_policy {
|
|
"" "";
|
|
~*\/(ds-vpath)\/ "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; script-src-elem * 'unsafe-inline'; img-src * data:; style-src * 'unsafe-inline' data:; font-src * data:; frame-src * ascdesktop:; object-src; connect-src * ascdesktop:;";
|
|
}
|
|
|
|
include /etc/nginx/includes/onlyoffice-*.conf;
|
|
|
|
server_names_hash_bucket_size 128;
|
|
|
|
server {
|
|
listen 8092;
|
|
|
|
add_header Referrer-Policy "same-origin";
|
|
add_header X-Content-Type-Options "nosniff";
|
|
add_header X-Frame-Options $header_x_frame_options;
|
|
add_header Cache-Control $cache_control;
|
|
add_header Permissions-Policy "autoplay=(), geolocation=(), camera=(), microphone=(), interest-cohort=()";
|
|
|
|
root $public_root;
|
|
etag on;
|
|
|
|
large_client_header_buffers 4 16k;
|
|
client_max_body_size 4G;
|
|
|
|
gzip on;
|
|
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
|
|
gzip_min_length 1000;
|
|
gzip_proxied any;
|
|
|
|
fastcgi_read_timeout 600;
|
|
fastcgi_send_timeout 600;
|
|
fastcgi_keep_conn on;
|
|
fastcgi_intercept_errors on;
|
|
|
|
include fastcgi_params;
|
|
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param PATH_INFO "";
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $this_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
|
|
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $proxy_connection;
|
|
proxy_set_header Proxy "";
|
|
|
|
set $csp "";
|
|
access_by_lua '
|
|
local accept_header = ngx.req.get_headers()["Accept"]
|
|
if ngx.req.get_method() == "GET" and accept_header ~= nil and string.find(accept_header, "html") and not ngx.re.match(ngx.var.request_uri, "ds-vpath") then
|
|
local key = string.format("csp:%s",ngx.var.host)
|
|
local redis = require "resty.redis"
|
|
local red = redis:new()
|
|
local redis_host = "127.0.0.1"
|
|
local redis_port = 6379
|
|
local redis_pass = ""
|
|
|
|
red:set_timeout(1000) -- 1 second
|
|
|
|
local ok, err = red:connect(redis_host, redis_port)
|
|
if not ok then
|
|
ngx.log(ngx.ERR, "failed to connect to redis: ", err)
|
|
return
|
|
end
|
|
|
|
if redis_pass ~= "" then
|
|
local res, err = red:auth(redis_pass)
|
|
if not res then
|
|
ngx.log(ngx.ERR, "failed to authenticate: ", err)
|
|
return
|
|
end
|
|
end
|
|
|
|
local csp, err = red:hget(key, "data")
|
|
|
|
if csp == ngx.null or not csp then
|
|
ngx.log(ngx.INFO, "failed to get redis key: ", err)
|
|
else
|
|
ngx.header.Content_Security_Policy = csp
|
|
end
|
|
end
|
|
';
|
|
|
|
location ~* ^/ds-vpath/ {
|
|
rewrite /ds-vpath/(.*) /$1 break;
|
|
|
|
proxy_pass http://172.18.0.4:80;
|
|
proxy_redirect off;
|
|
|
|
client_max_body_size 100m;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $proxy_connection;
|
|
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host/ds-vpath;
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
add_header Content-Security-Policy $content_security_policy;
|
|
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:5001;
|
|
proxy_redirect off;
|
|
location ~* /(manifest.json|sw.js|appIcon(.)*\.png|icon.svg|bg-error.png|favicon.ico|debuginfo.md) {
|
|
try_files /$basename /index.html =404;
|
|
}
|
|
|
|
|
|
location ~* /static/css/ {
|
|
try_files /css/$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/fonts/(?<content>[^/]+) {
|
|
try_files /fonts/$content/$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/offline/ {
|
|
try_files /offline/$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /thirdparty/ {
|
|
try_files /thirdparty/third-party.html /index.html =404;
|
|
}
|
|
|
|
location ~* /static/locales/(?<content>[^/]+) {
|
|
try_files /locales/$content/$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/scripts/ {
|
|
try_files /scripts/$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/plugins/ {
|
|
try_files /plugins/$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/images/(.*)$ {
|
|
try_files /images/$1 /index.html =404;
|
|
}
|
|
}
|
|
|
|
location /doceditor {
|
|
proxy_pass http://127.0.0.1:5013;
|
|
proxy_redirect off;
|
|
|
|
location ~* /_next/public/images/(.*)$ {
|
|
try_files /images/$1 /index.html =404;
|
|
}
|
|
}
|
|
|
|
location /login {
|
|
proxy_pass http://127.0.0.1:5011;
|
|
proxy_redirect off;
|
|
|
|
location ~* /static/favicon.ico {
|
|
try_files /$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/images/(.*)$ {
|
|
try_files /images/$1 /index.html =404;
|
|
}
|
|
|
|
location ~* /static/css/ {
|
|
try_files /css/$basename /index.html =404;
|
|
}
|
|
}
|
|
|
|
location /management {
|
|
proxy_pass http://127.0.0.1:5015;
|
|
proxy_redirect off;
|
|
|
|
location ~* /static/favicon.ico {
|
|
try_files /$basename /index.html =404;
|
|
}
|
|
|
|
location ~* /static/images/(.*)$ {
|
|
try_files /images/$1 /index.html =404;
|
|
}
|
|
|
|
location ~* /static/fonts/(?<content>[^/]+) {
|
|
try_files /fonts/$content/$basename /index.html =404;
|
|
}
|
|
|
|
rewrite management/(.*) /$1 break;
|
|
}
|
|
|
|
location ~* /static/fonts/(?<content>[^/]+) {
|
|
try_files /fonts/$content/$basename /index.html =404;
|
|
}
|
|
|
|
location /sockjs-node {
|
|
proxy_pass http://127.0.0.1:5001;
|
|
proxy_redirect off;
|
|
}
|
|
|
|
location ~* /s/(.*) {
|
|
proxy_pass http://127.0.0.1:5000;
|
|
}
|
|
|
|
location /openapi {
|
|
proxy_pass http://127.0.0.1:5003;
|
|
|
|
location ~*/asc.web.api {
|
|
proxy_pass http://127.0.0.1:5000;
|
|
}
|
|
|
|
location ~*/asc.people {
|
|
proxy_pass http://127.0.0.1:5004;
|
|
}
|
|
|
|
location ~*/asc.files {
|
|
proxy_pass http://127.0.0.1:5007;
|
|
}
|
|
|
|
location ~*/asc.data.backup {
|
|
proxy_pass http://127.0.0.1:5012;
|
|
}
|
|
}
|
|
|
|
location /api/2.0 {
|
|
location ~* /(files|privacyroom) {
|
|
proxy_pass http://127.0.0.1:5007;
|
|
}
|
|
|
|
location ~* /(people|group|accounts) {
|
|
proxy_pass http://127.0.0.1:5004;
|
|
}
|
|
|
|
location ~* /(authentication|modules|portal|security|settings|smtpsettings|capabilities|thirdparty|encryption|feed) {
|
|
proxy_pass http://127.0.0.1:5000;
|
|
|
|
location ~* portal/(.*)(backup|restore)(.*) {
|
|
rewrite (.*)/portal/(.*) $1/backup/$2 break;
|
|
proxy_redirect off;
|
|
proxy_pass http://127.0.0.1:5012;
|
|
}
|
|
|
|
location ~* authentication/register(.*) {
|
|
rewrite (.*)/authentication/register(.*) $1/people/register$2 break;
|
|
proxy_redirect off;
|
|
proxy_pass http://127.0.0.1:5004;
|
|
}
|
|
}
|
|
|
|
location ~* /backup {
|
|
proxy_pass http://127.0.0.1:5012;
|
|
}
|
|
|
|
location ~* /migration {
|
|
proxy_pass http://127.0.0.1:5034;
|
|
}
|
|
}
|
|
|
|
location /sso {
|
|
rewrite sso/(.*) /$1 break;
|
|
proxy_pass http://127.0.0.1:9834;
|
|
}
|
|
|
|
location ~* /storage/files_template/ {
|
|
proxy_pass http://127.0.0.1:5007;
|
|
}
|
|
|
|
location ~* /(ssologin.ashx|login.ashx|storage) {
|
|
proxy_pass http://127.0.0.1:5003;
|
|
}
|
|
|
|
location /socket.io/ {
|
|
proxy_pass http://127.0.0.1:9899;
|
|
proxy_redirect off;
|
|
}
|
|
|
|
location /backupFileUpload.ashx {
|
|
proxy_pass http://127.0.0.1:5012;
|
|
}
|
|
|
|
location /logoUploader.ashx {
|
|
proxy_pass http://127.0.0.1:5000;
|
|
}
|
|
|
|
location /payment.ashx {
|
|
proxy_pass http://127.0.0.1:5000;
|
|
}
|
|
|
|
location /ThirdPartyApp {
|
|
proxy_pass http://127.0.0.1:5007;
|
|
}
|
|
|
|
location ~* /filehandler.ashx {
|
|
proxy_pass http://127.0.0.1:5007;
|
|
}
|
|
|
|
location /ChunkedUploader.ashx {
|
|
proxy_pass http://127.0.0.1:5007;
|
|
}
|
|
|
|
location /apisystem {
|
|
rewrite apisystem/(.*) /$1 break;
|
|
proxy_pass http://127.0.0.1:5010;
|
|
}
|
|
|
|
location /apicache {
|
|
rewrite apicache/(.*) /$1 break;
|
|
proxy_pass http://127.0.0.1:5100;
|
|
}
|
|
|
|
location /healthchecks {
|
|
rewrite /healthchecks/(.*)$ /$1 break;
|
|
proxy_pass http://127.0.0.1:5033;
|
|
}
|
|
|
|
error_page 401 /custom_401.html;
|
|
location = /custom_401.html {
|
|
root /etc/nginx/html;
|
|
internal;
|
|
}
|
|
|
|
error_page 403 /custom_403.html;
|
|
location = /custom_403.html {
|
|
root /etc/nginx/html;
|
|
internal;
|
|
}
|
|
|
|
error_page 404 /custom_404.html;
|
|
location = /custom_404.html {
|
|
root /etc/nginx/html;
|
|
internal;
|
|
}
|
|
|
|
error_page 500 502 503 504 /custom_50x.html;
|
|
location = /custom_50x.html {
|
|
root /etc/nginx/html;
|
|
internal;
|
|
}
|
|
}
|