From c7b2f828605ed4c9d5df1a10059773605409a865 Mon Sep 17 00:00:00 2001
From: Junxiang Huang
Date: Fri, 13 Dec 2024 16:36:50 +0800
Subject: [PATCH] opt: 12.0 docker caddy use https
---
 manual/docker/ce/seafile-server.yml | 23 +++++++++++++++++++++++
 manual/docker/pro/seafile-server.yml | 23 +++++++++++++++++++++++
 2 files changed, 46 insertions(+)
diff --git a/manual/docker/ce/seafile-server.yml b/manual/docker/ce/seafile-server.yml
index 22dcd2a0..04279521 100644
--- a/manual/docker/ce/seafile-server.yml
+++ b/manual/docker/ce/seafile-server.yml
@@ -59,6 +59,29 @@ services:
 labels:
 caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
 caddy.reverse_proxy: "{{upstreams 80}}"
+ caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
+ caddy.header.Referrer-Policy: "same-origin"
+ caddy.header.X-XSS-Protection: "`1; mode=block`"
+ caddy.header.X-Content-Type-Options: "nosniff"
+ caddy.header.X-Frame-Options: "SAMEORIGIN"
+ caddy.header.Content-Security-Policy: "`
+ block-all-mixed-content;
+ default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+ style-src 'unsafe-inline' 'self';
+ script-src 'unsafe-inline' 'unsafe-eval' 'self';
+ script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
+ font-src 'self' data: unpkg.com;
+ img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com;
+ media-src 'self';
+ form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
+ connect-src 'self' https:;
+ frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+ frame-ancestors 'self';
+ worker-src 'self' blob:;
+ manifest-src 'self';
+ object-src 'self';
+ base-uri 'self'
+ `"
 depends_on:
 - db
 - memcached
diff --git a/manual/docker/pro/seafile-server.yml b/manual/docker/pro/seafile-server.yml
index 08cd7539..80a74900 100644
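Review bot: In the manual/docker/ce/seafile-server.yml hunk, the added Content-Security-Policy keeps `script-src 'unsafe-inline' 'unsafe-eval' 'self'` and lists the public CDN `unpkg.com` in `script-src-elem`, so the policy restricts framing and form targets but does little against injected script; the identical label in the manual/docker/pro/seafile-server.yml hunk has the same gap. If the inline and eval allowances are required by the Seafile front end (not visible here), a comment above the label should say so, e.g. `# CSP: 'unsafe-inline'/'unsafe-eval' are needed by <component>; this policy does not mitigate XSS`. `object-src 'self'` could become `object-src 'none'` unless plugin content really is served from the same origin. The bare `https:` in `img-src` and `connect-src` permits requests to any HTTPS host, which is worth narrowing or at least documenting.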
--- a/manual/docker/pro/seafile-server.yml
+++ b/manual/docker/pro/seafile-server.yml
@@ -87,6 +87,29 @@ services:
 labels:
 caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
 caddy.reverse_proxy: "{{upstreams 80}}"
+ caddy.header.Strict-Transport-Security: "`max-age=31536000;`"
+ caddy.header.Referrer-Policy: "same-origin"
+ caddy.header.X-XSS-Protection: "`1; mode=block`"
+ caddy.header.X-Content-Type-Options: "nosniff"
+ caddy.header.X-Frame-Options: "SAMEORIGIN"
+ caddy.header.Content-Security-Policy: "`
+ block-all-mixed-content;
+ default-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+ style-src 'unsafe-inline' 'self';
+ script-src 'unsafe-inline' 'unsafe-eval' 'self';
+ script-src-elem 'unsafe-inline' 'self' ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
+ font-src 'self' data: unpkg.com;
+ img-src 'self' data: blob: https: mt0.google.com maps.googleapis.com maps.gstatic.com;
+ media-src 'self';
+ form-action 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
+ connect-src 'self' https:;
+ frame-src 'self' ${SEAFILE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEAFILE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+ frame-ancestors 'self';
+ worker-src 'self' blob:;
+ manifest-src 'self';
+ object-src 'self';
+ base-uri 'self'
+ `"
 depends_on:
 - db
 - memcached
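Review bot: `caddy.header.Strict-Transport-Security` in the manual/docker/pro/seafile-server.yml hunk is emitted whatever `SEAFILE_SERVER_PROTOCOL` is set to, while the `caddy:` site label above it still defaults to `http`. Browsers ignore the header over plain HTTP, but once the host has been served over HTTPS they will refuse HTTP for it for a year, which an operator who later reverts to `http` would not expect; the same applies to the manual/docker/ce/seafile-server.yml hunk. A comment above the label would document this: `# HSTS: only effective with SEAFILE_SERVER_PROTOCOL=https; browsers then pin HTTPS for max-age seconds`. Separately, `X-XSS-Protection: 1; mode=block` is deprecated in current browsers and is better set to `"0"` or dropped.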