From cb2846d1b2f92eac90d82ff5472973d90ade4484 Mon Sep 17 00:00:00 2001
From: Stavros kois
Date: Wed, 3 Jul 2024 18:48:50 +0300
Subject: [PATCH] fixes
---
 .../collabora/templates/docker-compose.yaml | 171 +++++++++---------
 1 file changed, 86 insertions(+), 85 deletions(-)
diff --git a/ix-dev/charts/collabora/templates/docker-compose.yaml b/ix-dev/charts/collabora/templates/docker-compose.yaml
index 069443da22..626bd38daa 100644
--- a/ix-dev/charts/collabora/templates/docker-compose.yaml
+++ b/ix-dev/charts/collabora/templates/docker-compose.yaml
@@ -46,91 +46,91 @@ configs:
 nginx-conf:
 content: |
 events {
- worker_connections 1024;
+ worker_connections 1024;
 }
 http {
- include mime.types;
- default_type application/octet-stream;
- # Types to enable gzip compression on
- gzip_types
- text/plain
- text/css
- text/js
- text/xml
- text/javascript
- application/javascript
- application/x-javascript
- application/json
- application/xml
- application/rss+xml
- image/svg+xml;
- sendfile on;
- client_max_body_size 1000m;
- keepalive_timeout 65;
- # Disable tokens for security (#23684)
- server_tokens off;
- gzip on;
- client_body_temp_path /var/tmp/firmware;
- server {
- server_name "{{ nginx_host }}";
- listen 0.0.0.0:{{ values.network.web_port }} default_server ssl http2;
- ssl_certificate "{{ nginx_ssl_cert_path }}";
- ssl_certificate_key "{{ nginx_ssl_key_path }}";
- ssl_session_timeout 120m;
- ssl_session_cache shared:ssl:16m;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
- add_header Strict-Transport-Security max-age=31536000;
- location = /robots.txt {
- add_header Content-Type text/plain;
- proxy_set_header Referer "{{ nginx_url }}";
- return 200 "User-agent: *\nDisallow: /loleaflet/*\n";
- }
- # static files
- location ^~ /browser {
- proxy_pass http://{{ collabora_container_name }}:9980;
- proxy_set_header Host $$host;
- # proxy_set_header Referer "{{ nginx_url }}";
- }
- # WOPI discovery URL
- location ^~ /hosting/discovery {
- set $$upstream_collabora {{ collabora_container_name }};
- proxy_pass http://$$upstream_collabora:9980;
- proxy_set_header Host $$http_host;
- # proxy_set_header Referer "{{ nginx_url }}";
- }
- # Capabilities
- location ^~ /hosting/capabilities {
- proxy_pass http://{{ collabora_container_name }}:9980;
- proxy_set_header Host $$host;
- # proxy_set_header Referer "{{ nginx_url }}";
- }
- # main websocket
- 
location ~ ^/cool/(.*)/ws$$ {
- proxy_pass http://{{ collabora_container_name }}:9980;
- proxy_set_header Host $$host;
- proxy_set_header Upgrade $$http_upgrade;
- proxy_set_header Connection "Upgrade";
- # proxy_set_header Referer "{{ nginx_url }}";
- proxy_read_timeout 36000s;
- }
- # download, presentation and image upload
- location ~ ^/(c|l)ool {
- proxy_pass http://{{ collabora_container_name }}:9980;
- proxy_set_header Host $$host;
- proxy_set_header Referer "{{ nginx_url }}";
- }
- # Admin Console websocket
- location ^~ /cool/adminws {
- proxy_pass http://{{ collabora_container_name }}:9980;
- proxy_set_header Host $$host;
- proxy_set_header Upgrade $$http_upgrade;
- proxy_set_header Connection "Upgrade";
- # proxy_set_header Referer "{{ nginx_url }}";
- proxy_read_timeout 36000s;
- }
+ include mime.types;
+ default_type application/octet-stream;
+ # Types to enable gzip compression on
+ gzip_types
+ text/plain
+ text/css
+ text/js
+ text/xml
+ text/javascript
+ application/javascript
+ application/x-javascript
+ application/json
+ application/xml
+ application/rss+xml
+ image/svg+xml;
+ sendfile on;
+ client_max_body_size 1000m;
+ keepalive_timeout 65;
+ # Disable tokens for security (#23684)
+ server_tokens off;
+ gzip on;
+ client_body_temp_path /var/tmp/firmware;
+ server {
+ server_name "{{ nginx_host }}";
+ listen 0.0.0.0:{{ values.network.web_port }} default_server ssl http2;
+ ssl_certificate "{{ nginx_ssl_cert_path }}";
+ ssl_certificate_key "{{ nginx_ssl_key_path }}";
+ ssl_session_timeout 120m;
+ ssl_session_cache shared:ssl:16m;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
+ add_header Strict-Transport-Security max-age=31536000;
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ proxy_set_header Referer "{{ nginx_url }}";
+ return 200 "User-agent: 
*\nDisallow: /loleaflet/*\n"; }
+ # static files
+ location ^~ /browser {
+ proxy_pass http://{{ collabora_container_name }}:9980;
+ proxy_set_header Host $$host;
+ # proxy_set_header Referer "{{ nginx_url }}";
+ }
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ set $$upstream_collabora {{ collabora_container_name }};
+ proxy_pass http://$$upstream_collabora:9980;
+ proxy_set_header Host $$http_host;
+ # proxy_set_header Referer "{{ nginx_url }}";
+ }
+ # Capabilities
+ location ^~ /hosting/capabilities {
+ proxy_pass http://{{ collabora_container_name }}:9980;
+ proxy_set_header Host $$host;
+ # proxy_set_header Referer "{{ nginx_url }}";
+ }
+ # main websocket
+ location ~ ^/cool/(.*)/ws$$ {
+ proxy_pass http://{{ collabora_container_name }}:9980;
+ proxy_set_header Host $$host;
+ proxy_set_header Upgrade $$http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ # proxy_set_header Referer "{{ nginx_url }}";
+ proxy_read_timeout 36000s;
+ }
+ # download, presentation and image upload
+ location ~ ^/(c|l)ool {
+ proxy_pass http://{{ collabora_container_name }}:9980;
+ proxy_set_header Host $$host;
+ proxy_set_header Referer "{{ nginx_url }}";
+ }
+ # Admin Console websocket
+ location ^~ /cool/adminws {
+ proxy_pass http://{{ collabora_container_name }}:9980;
+ proxy_set_header Host $$host;
+ proxy_set_header Upgrade $$http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ # proxy_set_header Referer "{{ nginx_url }}";
+ proxy_read_timeout 36000s;
+ }
+ }
 }
 {% endif %}
@@ -174,7 +174,8 @@ services:
 restart: unless-stopped
 deploy:
 resources: {{ ix_lib.base.resources.resources(values.resources) | tojson }}
- network_mode: service:{{ collabora_container_name }}
+ links:
+ - {{ collabora_container_name }}
 configs:
 - source: private
 target: {{ nginx_ssl_key_path }}
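Review bot: The `/hosting/discovery` location proxies to a variable (`set $$upstream_collabora {{ collabora_container_name }};` then `proxy_pass http://$$upstream_collabora:9980;`), and nginx resolves a variable upstream at request time through a `resolver` directive, which does not appear anywhere in this `http {}` block; unless one is set elsewhere in the template, that location will fail with "no resolver defined" while the neighbouring locations, which use the literal container name, keep working. Either add `resolver 127.0.0.11 valid=30s;` (Docker's embedded DNS on a compose network) beside the `set`, or use the literal `proxy_pass http://{{ collabora_container_name }}:9980;` as the other locations do. Separately, `add_header Strict-Transport-Security max-age=31536000;` is not sent on error responses and is lost inside `location = /robots.txt`, whose own `add_header Content-Type text/plain;` replaces the inherited header set; `add_header Strict-Transport-Security "max-age=31536000" always;` at server level, repeated in that location, closes both gaps. The hunk only re-indents this config (the `-` and `+` lines are textually identical), so these points pre-date the commit.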
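Review bot: Replacing `network_mode: service:{{ collabora_container_name }}` with `links:` gives the nginx service its own network namespace, so the TLS terminator and the backend are no longer one network identity: the `ports:` entry for `values.network.web_port` in the `@@ -197,8 +198,8` hunk now publishes nginx on the host, and Collabora's port 9980 stays private only if the collabora service itself does not publish it; that service's definition is outside this hunk and is worth checking in the same change. `links` is also a legacy Compose field kept for backward compatibility; on the project network the service name already resolves by DNS, so what the line effectively provides here is start ordering, which `depends_on:` expresses directly. Suggested: `depends_on:` / `  - {{ collabora_container_name }}` in place of the two added lines, assuming the rest of the template does not rely on the alias `links` creates.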
@@ -188,7 +189,7 @@ services:
 {% set caps = ix_lib.base.security.get_caps(add=["CHOWN", "FOWNER", "DAC_OVERRIDE", "SETGID", "SETUID"]) %}
 cap_add: {{ caps.add | tojson }}
 cap_drop: {{ caps.drop | tojson }}
- security_opt: {{ ix_lib.base.security.get_sec_opts(remove=["no-new-privileges"], add=["apparmor=unconfined"]) | tojson }}
+ security_opt: {{ ix_lib.base.security.get_sec_opts() | tojson }}
 {% if values.network.dns_opts %}
 dns_opt: {{ ix_lib.base.network.dns_opts(values.network.dns_opts) | tojson }}
 {% endif %}
@@ -197,8 +198,8 @@ services:
 ports:
 - {{ ix_lib.base.ports.get_port(port={"target": values.network.web_port, "published": values.network.web_port}) | tojson }}
 volumes: {{ nginx_volume_mounts.items | tojson }}
- {% endif %}
+ {% if volumes.items %}
 volumes: {{ volumes.items | tojson }}
 {% endif %}
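Review bot: Returning to the default `security_opt` set (no more `remove=["no-new-privileges"]` and no more `apparmor=unconfined`) is the right direction, but neither the template nor the commit message "fixes" records why the earlier relaxations were needed or why they are safe to drop now, and the `cap_add` list two lines above still grants CHOWN, FOWNER, DAC_OVERRIDE, SETGID and SETUID. Each of those five should be justified against what the nginx image's entrypoint actually does on this setup; a comment above the `{% set caps` line, e.g. `{# caps: needed by the image entrypoint to chown config/cert files and drop to its service user; re-check when the image changes #}`, would keep the next reviewer from re-adding the overrides. If any of the five turns out to be unused, remove it from `add=[...]` in a follow-up.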