From 3d5cf1a713ca832a56f0cdd0735e78e8915af4f7 Mon Sep 17 00:00:00 2001
From: Junxiang Huang
Date: Fri, 13 Dec 2024 16:15:15 +0800
Subject: [PATCH 1/4] opt: 12.0 libreoffice & use other reverse proxy

---
 manual/extension/libreoffice_online.md  | 2 +-
 manual/setup/use_other_reverse_proxy.md | 24 +++++++++++++++++++-----
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/manual/extension/libreoffice_online.md b/manual/extension/libreoffice_online.md
index 8afbd5c6..f3d9ef6a 100644
--- a/manual/extension/libreoffice_online.md
+++ b/manual/extension/libreoffice_online.md
@@ -53,7 +53,7 @@ Add following config option to seahub_settings.py:
 ``` python
 OFFICE_SERVER_TYPE = 'CollaboraOffice'
 ENABLE_OFFICE_WEB_APP = True
-OFFICE_WEB_APP_BASE_URL = 'https://seafile.example.com:6232/hosting/discovery'
+OFFICE_WEB_APP_BASE_URL = 'http://collabora:9980/hosting/discovery'
 # Expiration of WOPI access token
 # WOPI access token is a string used by Seafile to determine the file's
diff --git a/manual/setup/use_other_reverse_proxy.md b/manual/setup/use_other_reverse_proxy.md
index 091cb83c..7e369d44 100644
--- a/manual/setup/use_other_reverse_proxy.md
+++ b/manual/setup/use_other_reverse_proxy.md
@@ -11,7 +11,8 @@ Before making changes to the configuration files, you **have to** know the servi If these services are **deployed in standalone mode** (such as *seadoc* and *notification-server*), or **deployed in the official documentation** of third-party plugins (such as *onlyoffice* and *collabora*), **you can skip modifying the configuration files of these services** (because Caddy is not used as a reverse proxy for such deployment approaches). - If you have not integrated some services, please choose ***Standalone*** or ***Refer to the official documentation of third-party plugins*** to install them when you need these services + If you have not integrated the services in the *Table 1*, please choose ***Standalone*** or ***Refer to the official documentation of third-party plugins*** to install them when you need these services + | YML | Service | Suggest exposed port | Service listen port | Require WebSocket | | --- | --- | --- | --- | --- | @@ -36,7 +37,7 @@ Before making changes to the configuration files, you **have to** know the servi 2. Delete all fields related to Caddy reverse proxy (in `label` section) !!! tip - Some `.yml` files (e.g., `onlyoffice.yml`) also have port-exposing information with Caddy in the top of the file, which also needs to be removed. + Some `.yml` files (e.g., `collabora.yml`) also have port-exposing information with Caddy in the top of the file, which also needs to be removed. We take `seafile-server.yml` for example (Pro edition): @@ -103,10 +104,8 @@ Modify `nginx.conf` and add reverse proxy for services ***seafile*** and ***sead proxy_pass http://127.0.0.1:80; proxy_read_timeout 310s; proxy_set_header Host $host; - proxy_set_header Forwarded "for=$remote_addr;proto=$scheme"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ""; proxy_http_version 1.1; 
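Review bot: Dropping `proxy_set_header X-Forwarded-Proto $scheme;` (together with the `Forwarded` header) from the ***seafile*** location leaves the upstream with no signal that the client connection was TLS, so when TLS terminates at this nginx, anything in Seafile that derives the scheme from proxy headers (secure cookie flags, redirect and share-link URLs, CSRF origin checks) can fall back to http. The hunk does not say why the lines go; if the reason is that the inner Caddy on 127.0.0.1:80 rewrites `X-Forwarded-Proto` from its own plain-http hop anyway, the doc should state that and point at the `.env` setting that fixes the public protocol, otherwise keep `proxy_set_header X-Forwarded-Proto $scheme;` here and in the seadoc block that the next hunk strips in the same way. The `location` block this hunk edits opens before the hunk.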
@@ -123,7 +122,6 @@ Modify `nginx.conf` and add reverse proxy for services ***seafile*** and ***sead
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Host $server_name;
-    proxy_set_header X-Forwarded-Proto $scheme;
     client_max_body_size 100m;
 }
@@ -144,6 +142,22 @@ Modify `nginx.conf` and add reverse proxy for services ***seafile*** and ***sead
     proxy_set_header X-NginX-Proxy true;
 }
 ```
+=== "notification-server"
+    ```conf
+    location /notification/ping {
+        proxy_pass http://127.0.0.1:8083/ping;
+        access_log /var/log/nginx/notification.access.log seafileformat;
+        error_log /var/log/nginx/notification.error.log;
+    }
+    location /notification {
+        proxy_pass http://127.0.0.1:8083/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        access_log /var/log/nginx/notification.access.log seafileformat;
+        error_log /var/log/nginx/notification.error.log;
+    }
+    ```
 ## Modify .env

From c7b2f828605ed4c9d5df1a10059773605409a865 Mon Sep 17 00:00:00 2001
From: Junxiang Huang
Date: Fri, 13 Dec 2024 16:36:50 +0800
Subject: [PATCH 2/4] opt: 12.0 docker caddy use https

---
 manual/docker/ce/seafile-server.yml  | 23 +++++++++++++++++++++++
 manual/docker/pro/seafile-server.yml | 23 +++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/manual/docker/ce/seafile-server.yml b/manual/docker/ce/seafile-server.yml
index 22dcd2a0..04279521 100644
--- a/manual/docker/ce/seafile-server.yml
+++ b/manual/docker/ce/seafile-server.yml
@@ -59,6 +59,29 @@ services:
     labels:
       caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
       caddy.reverse_proxy: "{{upstreams 80}}"
+      caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
+      caddy.header.Referrer-Policy: "same-origin"
+      caddy.header.X-XSS-Protection: "`1; mode=block`"
+      caddy.header.X-Content-Type-Options: "nosniff"
+      caddy.header.X-Frame-Options: "SAMEORIGIN"
+      caddy.header.Content-Security-Policy: "` block-all-mixed-content; default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233}; style-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com; font-src 'self' data: unpkg.com; img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com; media-src 'self'; form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232}; connect-src 'self' https:; frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233}; frame-ancestors 'self'; worker-src 'self' blob:; manifest-src 'self'; object-src 'self'; base-uri 'self' `"
     depends_on:
       - db
       - memcached
diff --git a/manual/docker/pro/seafile-server.yml b/manual/docker/pro/seafile-server.yml
index 08cd7539..80a74900 100644
--- a/manual/docker/pro/seafile-server.yml
+++ b/manual/docker/pro/seafile-server.yml
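Review bot: This header block is cut back in patch 3 and removed again in patch 4 (the file index returns to 22dcd2a0), so the series as a whole ships no `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options` or CSP; if that is the intent, the patch 2/3 messages should say why, and if not, the non-CSP headers carry little breakage risk and are worth keeping. Should the policy be reintroduced, `script-src 'unsafe-inline' 'unsafe-eval' 'self'` removes most of what script-src protects against and should be labelled as a first step toward nonces or hashes rather than a finished policy. `caddy.header.X-XSS-Protection: "`1; mode=block`"` is a deprecated header that modern guidance sets to `0` or omits, since the auditor it enables has been used as an XS-leak primitive. HSTS is also emitted regardless of `SEAFILE_SERVER_PROTOCOL`; browsers ignore it over plain http, so it is harmless, but a comment noting it only takes effect with `https` would save a support question.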
@@ -87,6 +87,29 @@ services:
     labels:
       caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
       caddy.reverse_proxy: "{{upstreams 80}}"
+      caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
+      caddy.header.Referrer-Policy: "same-origin"
+      caddy.header.X-XSS-Protection: "`1; mode=block`"
+      caddy.header.X-Content-Type-Options: "nosniff"
+      caddy.header.X-Frame-Options: "SAMEORIGIN"
+      caddy.header.Content-Security-Policy: "` block-all-mixed-content; default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233}; style-src 'unsafe-inline' 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com; font-src 'self' data: unpkg.com; img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com; media-src 'self'; form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232}; connect-src 'self' https:; frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233}; frame-ancestors 'self'; worker-src 'self' blob:; manifest-src 'self'; object-src 'self'; base-uri 'self' `"
     depends_on:
       - db
       - memcached

From 2f6e6af334f5db8395e4d0b8a65579c71dc98acd Mon Sep 17 00:00:00 2001
From: Junxiang Huang
Date: Fri, 13 Dec 2024 17:30:40 +0800
Subject: [PATCH 3/4] opt: 12.0 docker caddy use https

---
 manual/docker/ce/seafile-server.yml  | 11 +----------
 manual/docker/pro/seafile-server.yml | 11 +----------
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/manual/docker/ce/seafile-server.yml b/manual/docker/ce/seafile-server.yml
index 04279521..72dba543 100644
--- a/manual/docker/ce/seafile-server.yml
+++ b/manual/docker/ce/seafile-server.yml
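Review bot: `connect-src 'self' https:` and `img-src 'self' data: blob: https: ...` permit fetch/XHR and image loads to any TLS origin, so even with the rest of the policy in place an injected script could still move data off-site; if the policy comes back (patch 4 deletes it), these two should list the handful of origins actually needed rather than the `https:` scheme wildcard. This label set is byte-identical to the one added to the CE file in the previous hunk; a note in both files that they must be edited in step would help the next person who changes only one.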
@@ -69,18 +69,9 @@ services:
         default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
         style-src 'unsafe-inline' 'self';
         script-src 'unsafe-inline' 'unsafe-eval' 'self';
-        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
-        font-src 'self' data: unpkg.com;
-        img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com;
-        media-src 'self';
+        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
         form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
-        connect-src 'self' https:;
         frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        frame-ancestors 'self';
-        worker-src 'self' blob:;
-        manifest-src 'self';
-        object-src 'self';
-        base-uri 'self'
         `"
     depends_on:
       - db
diff --git a/manual/docker/pro/seafile-server.yml b/manual/docker/pro/seafile-server.yml
index 80a74900..279f59a7 100644
--- a/manual/docker/pro/seafile-server.yml
+++ b/manual/docker/pro/seafile-server.yml
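Review bot: The deletions take out `frame-ancestors 'self'`, `base-uri 'self'` and `object-src 'self'` along with the Google/unpkg hosts, yet those three name no external origin and are the low-breakage parts of the policy (clickjacking, `<base>` injection, plugin content); `X-Frame-Options: SAMEORIGIN` survives, but `frame-ancestors` is the directive current browsers honour in preference to it. If the aim was only to drop third-party hosts, keep `frame-ancestors 'self'; base-uri 'self'; object-src 'self'` (or `object-src 'none'`). The same applies to the pro file in the next hunk, and patch 4 then removes the whole block, so this matters only if the policy is reinstated.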
@@ -97,18 +97,9 @@ services:
         default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
         style-src 'unsafe-inline' 'self';
         script-src 'unsafe-inline' 'unsafe-eval' 'self';
-        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
-        font-src 'self' data: unpkg.com;
-        img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com;
-        media-src 'self';
+        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
         form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
-        connect-src 'self' https:;
         frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        frame-ancestors 'self';
-        worker-src 'self' blob:;
-        manifest-src 'self';
-        object-src 'self';
-        base-uri 'self'
         `"
     depends_on:
       - db

From 179cfff05f71220a48e6c3289968e4dcf1f51a04 Mon Sep 17 00:00:00 2001
From: Junxiang Huang
Date: Fri, 13 Dec 2024 17:36:29 +0800
Subject: [PATCH 4/4] opt: 12.0 resotre preffer prox

---
 manual/docker/ce/seafile-server.yml  | 14 --------------
 manual/docker/pro/seafile-server.yml | 14 --------------
 2 files changed, 28 deletions(-)

diff --git a/manual/docker/ce/seafile-server.yml b/manual/docker/ce/seafile-server.yml
index 72dba543..22dcd2a0 100644
--- a/manual/docker/ce/seafile-server.yml
+++ b/manual/docker/ce/seafile-server.yml
@@ -59,20 +59,6 @@ services:
     labels:
       caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
       caddy.reverse_proxy: "{{upstreams 80}}"
-      caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
-      caddy.header.Referrer-Policy: "same-origin"
-      caddy.header.X-XSS-Protection: "`1; mode=block`"
-      caddy.header.X-Content-Type-Options: "nosniff"
-      caddy.header.X-Frame-Options: "SAMEORIGIN"
-      caddy.header.Content-Security-Policy: "`
-        block-all-mixed-content;
-        default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        style-src 'unsafe-inline' 'self';
-        script-src 'unsafe-inline' 'unsafe-eval' 'self';
-        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
-        frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        `"
     depends_on:
       - db
       - memcached
diff --git a/manual/docker/pro/seafile-server.yml b/manual/docker/pro/seafile-server.yml
index 279f59a7..08cd7539 100644
--- a/manual/docker/pro/seafile-server.yml
+++ b/manual/docker/pro/seafile-server.yml
@@ -87,20 +87,6 @@ services:
     labels:
       caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
       caddy.reverse_proxy: "{{upstreams 80}}"
-      caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
-      caddy.header.Referrer-Policy: "same-origin"
-      caddy.header.X-XSS-Protection: "`1; mode=block`"
-      caddy.header.X-Content-Type-Options: "nosniff"
-      caddy.header.X-Frame-Options: "SAMEORIGIN"
-      caddy.header.Content-Security-Policy: "`
-        block-all-mixed-content;
-        default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        style-src 'unsafe-inline' 'self';
-        script-src 'unsafe-inline' 'unsafe-eval' 'self';
-        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
-        frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
-        `"
     depends_on:
       - db
       - memcached