fixes
stavros-k committed Jul 3, 2024
1 parent e13ea63 commit cb2846d
Showing 1 changed file with 86 additions and 85 deletions.
171 changes: 86 additions & 85 deletions ix-dev/charts/collabora/templates/docker-compose.yaml
@@ -46,91 +46,91 @@ configs:
nginx-conf:
content: |
events {
worker_connections 1024;
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
# Types to enable gzip compression on
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
sendfile on;
client_max_body_size 1000m;
keepalive_timeout 65;
# Disable tokens for security (#23684)
server_tokens off;
gzip on;
client_body_temp_path /var/tmp/firmware;
server {
server_name "{{ nginx_host }}";
listen 0.0.0.0:{{ values.network.web_port }} default_server ssl http2;
ssl_certificate "{{ nginx_ssl_cert_path }}";
ssl_certificate_key "{{ nginx_ssl_key_path }}";
ssl_session_timeout 120m;
ssl_session_cache shared:ssl:16m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
add_header Strict-Transport-Security max-age=31536000;
location = /robots.txt {
add_header Content-Type text/plain;
proxy_set_header Referer "{{ nginx_url }}";
return 200 "User-agent: *\nDisallow: /loleaflet/*\n";
}
# static files
location ^~ /browser {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
# proxy_set_header Referer "{{ nginx_url }}";
}
# WOPI discovery URL
location ^~ /hosting/discovery {
set $$upstream_collabora {{ collabora_container_name }};
proxy_pass http://$$upstream_collabora:9980;
proxy_set_header Host $$http_host;
# proxy_set_header Referer "{{ nginx_url }}";
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
# proxy_set_header Referer "{{ nginx_url }}";
}
# main websocket
location ~ ^/cool/(.*)/ws$$ {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
proxy_set_header Upgrade $$http_upgrade;
proxy_set_header Connection "Upgrade";
# proxy_set_header Referer "{{ nginx_url }}";
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
proxy_set_header Referer "{{ nginx_url }}";
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
proxy_set_header Upgrade $$http_upgrade;
proxy_set_header Connection "Upgrade";
# proxy_set_header Referer "{{ nginx_url }}";
proxy_read_timeout 36000s;
}
include mime.types;
default_type application/octet-stream;
# Types to enable gzip compression on
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
sendfile on;
client_max_body_size 1000m;
keepalive_timeout 65;
# Disable tokens for security (#23684)
server_tokens off;
gzip on;
client_body_temp_path /var/tmp/firmware;
server {
server_name "{{ nginx_host }}";
listen 0.0.0.0:{{ values.network.web_port }} default_server ssl http2;
ssl_certificate "{{ nginx_ssl_cert_path }}";
ssl_certificate_key "{{ nginx_ssl_key_path }}";
ssl_session_timeout 120m;
ssl_session_cache shared:ssl:16m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
add_header Strict-Transport-Security max-age=31536000;
location = /robots.txt {
add_header Content-Type text/plain;
proxy_set_header Referer "{{ nginx_url }}";
return 200 "User-agent: *\nDisallow: /loleaflet/*\n";
}
# static files
location ^~ /browser {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
# proxy_set_header Referer "{{ nginx_url }}";
}
# WOPI discovery URL
location ^~ /hosting/discovery {
set $$upstream_collabora {{ collabora_container_name }};
proxy_pass http://$$upstream_collabora:9980;
proxy_set_header Host $$http_host;
# proxy_set_header Referer "{{ nginx_url }}";
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
# proxy_set_header Referer "{{ nginx_url }}";
}
# main websocket
location ~ ^/cool/(.*)/ws$$ {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
proxy_set_header Upgrade $$http_upgrade;
proxy_set_header Connection "Upgrade";
# proxy_set_header Referer "{{ nginx_url }}";
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
proxy_set_header Referer "{{ nginx_url }}";
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://{{ collabora_container_name }}:9980;
proxy_set_header Host $$host;
proxy_set_header Upgrade $$http_upgrade;
proxy_set_header Connection "Upgrade";
# proxy_set_header Referer "{{ nginx_url }}";
proxy_read_timeout 36000s;
}
}
}
{% endif %}

@@ -174,7 +174,8 @@ services:
restart: unless-stopped
deploy:
resources: {{ ix_lib.base.resources.resources(values.resources) | tojson }}
network_mode: service:{{ collabora_container_name }}
links:
- {{ collabora_container_name }}
configs:
- source: private
target: {{ nginx_ssl_key_path }}
@@ -188,7 +189,7 @@ services:
{% set caps = ix_lib.base.security.get_caps(add=["CHOWN", "FOWNER", "DAC_OVERRIDE", "SETGID", "SETUID"]) %}
cap_add: {{ caps.add | tojson }}
cap_drop: {{ caps.drop | tojson }}
security_opt: {{ ix_lib.base.security.get_sec_opts(remove=["no-new-privileges"], add=["apparmor=unconfined"]) | tojson }}
security_opt: {{ ix_lib.base.security.get_sec_opts() | tojson }}
{% if values.network.dns_opts %}
dns_opt: {{ ix_lib.base.network.dns_opts(values.network.dns_opts) | tojson }}
{% endif %}
@@ -197,8 +198,8 @@ services:
ports:
- {{ ix_lib.base.ports.get_port(port={"target": values.network.web_port, "published": values.network.web_port}) | tojson }}
volumes: {{ nginx_volume_mounts.items | tojson }}

{% endif %}

{% if volumes.items %}
volumes: {{ volumes.items | tojson }}
{% endif %}
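Review bot: With `network_mode: service:{{ collabora_container_name }}` replaced by `links:`, nginx gets its own network namespace, so each `proxy_pass http://{{ collabora_container_name }}:9980` in nginx-conf now sends the proxied requests as plain HTTP across the Compose network rather than inside a shared namespace. The collabora service definition is outside the visible hunks; confirm it does not publish 9980 on the host, since that would let clients reach the backend without the TLS listener and HSTS header set here. `links` is not required for name resolution between services on a Compose network, and `depends_on: ["{{ collabora_container_name }}"]` would state the start-up ordering more directly if that is the intent. The `/hosting/discovery` location builds its upstream from `$$upstream_collabora`, which makes nginx resolve the name at request time, yet no `resolver` directive is visible in the http block; assuming the services sit on a Compose-managed network, `resolver 127.0.0.11 valid=30s;` (Docker's embedded DNS) is the usual addition.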
