opt: 12.0 docker caddy use https

2025-12-26 02:32:50 +00:00 · 2024-12-13 16:36:50 +08:00 · 2024-12-13 16:36:50 +08:00 · c7b2f82860
parent 3d5cf1a713
commit c7b2f82860
2 changed files with 46 additions and 0 deletions
--- a/manual/docker/ce/seafile-server.yml
+++ b/manual/docker/ce/seafile-server.yml
@ -59,6 +59,29 @@ services:
    labels:
      caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
      caddy.reverse_proxy: "{{upstreams 80}}"
+      caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
+      caddy.header.Referrer-Policy: "same-origin"
+      caddy.header.X-XSS-Protection: "`1; mode=block`"
+      caddy.header.X-Content-Type-Options: "nosniff"
+      caddy.header.X-Frame-Options: "SAMEORIGIN"
+      caddy.header.Content-Security-Policy: "`
+        block-all-mixed-content;
+        default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+        style-src 'unsafe-inline' 'self';
+        script-src 'unsafe-inline' 'unsafe-eval' 'self';
+        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
+        font-src 'self' data: unpkg.com;
+        img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com;
+        media-src 'self';
+        form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
+        connect-src 'self' https:;
+        frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+        frame-ancestors 'self';
+        worker-src 'self' blob:;
+        manifest-src 'self';
+        object-src 'self';
+        base-uri 'self'
+        `"
    depends_on:
      - db
      - memcached
--- a/manual/docker/pro/seafile-server.yml
+++ b/manual/docker/pro/seafile-server.yml
@ -87,6 +87,29 @@ services:
    labels:
      caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
      caddy.reverse_proxy: "{{upstreams 80}}"
+      caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
+      caddy.header.Referrer-Policy: "same-origin"
+      caddy.header.X-XSS-Protection: "`1; mode=block`"
+      caddy.header.X-Content-Type-Options: "nosniff"
+      caddy.header.X-Frame-Options: "SAMEORIGIN"
+      caddy.header.Content-Security-Policy: "`
+        block-all-mixed-content;
+        default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+        style-src 'unsafe-inline' 'self';
+        script-src 'unsafe-inline' 'unsafe-eval' 'self';
+        script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
+        font-src 'self' data: unpkg.com;
+        img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com;
+        media-src 'self';
+        form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
+        connect-src 'self' https:;
+        frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+        frame-ancestors 'self';
+        worker-src 'self' blob:;
+        manifest-src 'self';
+        object-src 'self';
+        base-uri 'self'
+        `"
    depends_on:
      - db
      - memcached