web/cryptpad
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'newconfig' of github.com:xwiki-labs/cryptpad into staging

Browse Source
This commit is contained in:
ansuz 2019-03-19 14:11:52 +01:00
commit d0df398b42
2 changed files with 195 additions and 210 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

392
config.example.js
View File

@ -12,104 +12,53 @@ var _domain = 'http://localhost:3000/';
// to enable this feature, uncomment the line below: // to enable this feature, uncomment the line below:
// require('heapdump'); // require('heapdump');
// we prepend a space because every usage expects it // we prepend a space because every usage expects it
// requiring admins to preserve it is unnecessarily confusing // requiring admins to preserve it is unnecessarily confusing
var domain = ' ' + _domain; var domain = ' ' + _domain;
// Content-Security-Policy
var baseCSP = [
"default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain,
"font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket.
*
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src blob: *",
// IE/Edge
"frame-src blob: *",
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob:" + domain,
// data: is used by codemirror
"img-src 'self' data: blob:" + domain,
"media-src * blob:",
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
"frame-ancestors *",
];
module.exports = { module.exports = {
/* =====================
* Infra setup
* ===================== */
// the address you want to bind to, :: means all ipv4 and ipv6 addresses // the address you want to bind to, :: means all ipv4 and ipv6 addresses
// this may not work on all operating systems // this may not work on all operating systems
httpAddress: '::', httpAddress: '::',
// the port on which your httpd will listen // the port on which your httpd will listen
/* CryptPad can be configured to send customized HTTP Headers
* These settings may vary widely depending on your needs
* Examples are provided below
*/
httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
contentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self' " + domain,
"script-src 'self'" + domain,
"font-src 'self' data:" + domain,
/* child-src is used to restrict iframes to a set of allowed domains.
* connect-src is used to restrict what domains can connect to the websocket.
*
* it is recommended that you configure these fields to match the
* domain which will serve your CryptPad instance.
*/
"child-src blob: *",
// IE/Edge
"frame-src blob: *",
"media-src * blob:",
/* this allows connections over secure or insecure websockets
if you are deploying to production, you'll probably want to remove
the ws://* directive, and change '*' to your domain
*/
"connect-src 'self' ws: wss: blob:" + domain,
// data: is used by codemirror
"img-src 'self' data: blob:" + domain,
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
"frame-ancestors *",
].join('; '),
// CKEditor requires significantly more lax content security policy in order to function.
padContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob:",
].join('; '),
// OnlyOffice requires even more lax content security policy in order to function.
ooContentSecurity: [
"default-src 'none'",
"style-src 'unsafe-inline' 'self'" + domain,
// Unsafe inline, unsafe-eval are needed for ckeditor :(
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
"font-src 'self'" + domain,
/* See above under 'contentSecurity' as to how these values should be
* configured for best effect.
*/
"child-src *",
// IE/Edge
"frame-src *",
// see the comment above in the 'contentSecurity' section
"connect-src 'self' blob: ws: wss:" + domain,
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
"img-src * blob: data:",
].join('; '),
httpPort: 3000, httpPort: 3000,
// This is for allowing the cross-domain iframe to function when developing // This is for allowing the cross-domain iframe to function when developing
@ -131,15 +80,31 @@ module.exports = {
*/ */
websocketPath: '/cryptpad_websocket', websocketPath: '/cryptpad_websocket',
/* CryptPad can log activity to stdout /* CryptPad can be configured to send customized HTTP Headers
* This may be useful for debugging * These settings may vary widely depending on your needs
* Examples are provided below
*/ */
logToStdout: false, httpHeaders: {
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": "*"
},
/* CryptPad supports verbose logging contentSecurity: baseCSP.join('; ') +
* (false by default) "script-src 'self'" + domain,
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
padContentSecurity: baseCSP.join('; ') +
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/ */
verbose: false, //privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* Main pages /* Main pages
* add exceptions to the router so that we can access /privacy.html * add exceptions to the router so that we can access /privacy.html
@ -156,6 +121,10 @@ module.exports = {
'faq' 'faq'
], ],
/* =====================
* Subscriptions
* ===================== */
/* Limits, Donations, Subscriptions and Contact /* Limits, Donations, Subscriptions and Contact
* *
* By default, CryptPad limits every registered user to 50MB of storage. It also shows a * By default, CryptPad limits every registered user to 50MB of storage. It also shows a
@ -174,6 +143,15 @@ module.exports = {
allowSubscriptions: true, allowSubscriptions: true,
removeDonateButton: false, removeDonateButton: false,
/*
* By default, CryptPad also contacts our accounts server once a day to check for changes in
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/
adminEmail: 'i.did.not.read.my.config@cryptpad.fr',
/* Sales coming from your server will be identified by your domain /* Sales coming from your server will be identified by your domain
* *
* If you are using CryptPad in a business context, please consider taking a support contract * If you are using CryptPad in a business context, please consider taking a support contract
@ -214,6 +192,18 @@ module.exports = {
*/ */
}, },
/* =====================
* STORAGE
* ===================== */
/* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days).
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `delete-inactive.js` script with node
*/
inactiveTime: 90, // days
/* some features may require that the server be able to schedule tasks /* some features may require that the server be able to schedule tasks
far into the future, such as: far into the future, such as:
> "three months from now, this channel should expire" > "three months from now, this channel should expire"
@ -221,6 +211,62 @@ module.exports = {
*/ */
enableTaskScheduling: true, enableTaskScheduling: true,
/* Setting this value to anything other than true will cause file upload
* attempts to be rejected outright.
*/
enableUploads: true,
/* If you have enabled file upload, you have the option of restricting it
* to a list of users identified by their public keys. If this value is set
* to true, your server will query a file (cryptpad/privileged.conf) when
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
*
* privileged.conf uses '#' for line comments, and splits keys by newline.
* This is a temporary measure until a better quota system is in place.
* registered users' public keys can be found on the settings page.
*/
restrictUploads: false,
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
*/
maxUploadSize: 20 * 1024 * 1024,
/* =====================
* HARDWARE RELATED
* ===================== */
/* CryptPad's file storage adaptor closes unused files after a configurable
* number of milliseconds (default 30000 (30 seconds))
*/
channelExpirationMs: 30000,
/* CryptPad's file storage adaptor is limited by the number of open files.
* When the adaptor reaches openFileLimit, it will clean up older files
*/
openFileLimit: 2048,
/* =====================
* DATABASE VOLUMES
* ===================== */
/*
CryptPad stores each document in an individual file on your hard drive.
Specify a directory where files should be stored.
It will be created automatically if it does not already exist.
*/
filePath: './datastore/',
/* CryptPad allows logged in users to request that particular documents be
* stored by the server indefinitely. This is called 'pinning'.
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
pinPath: './pins',
/* if you would like the list of scheduled tasks to be stored in /* if you would like the list of scheduled tasks to be stored in
a custom location, change the path below: a custom location, change the path below:
*/ */
@ -231,16 +277,60 @@ module.exports = {
*/ */
blockPath: './block', blockPath: './block',
/* /* CryptPad allows logged in users to upload encrypted files. Files/blobs
* By default, CryptPad also contacts our accounts server once a day to check for changes in * are stored in a 'blob-store'. Set its location here.
* the people who have accounts. This check-in will also send the version of your CryptPad
* instance and your email so we can reach you if we are aware of a serious problem. We will
* never sell it or send you marketing mail. If you want to block this check-in and remain
* completely invisible, set this and allowSubscriptions both to false.
*/ */
adminEmail: 'i.did.not.read.my.config@cryptpad.fr', blobPath: './blob',
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
blobStagingPath: './blobstage',
/* =====================
* Debugging
* ===================== */
/* CryptPad can log activity to stdout
* This may be useful for debugging
*/
logToStdout: false,
/* CryptPad supports verbose logging
* (false by default)
*/
verbose: false,
/* RPC errors are shown by default, but if you really don't care,
* you can suppress them
*/
suppressRPCErrors: false,
/* clients can use the /settings/ app to opt out of usage feedback
* which informs the server of things like how much each app is being
* used, and whether certain clientside features are supported by
* the client's browser. The intent is to provide feedback to the admin
* such that the service can be improved. Enable this with `true`
* and ignore feedback with `false` or by commenting the attribute
*/
logFeedback: false,
/* If you wish to see which remote procedure calls clients request,
* set this to true
*/
logRPC: false,
/* You can get a repl for debugging the server if you want it.
* to enable this, specify the debugReplName and then you can
* connect to it with `nc -U /tmp/repl/<your name>.sock`
* If you run multiple cryptpad servers, you need to use different
* repl names.
*/
//debugReplName: "cryptpad"
/* =====================
* DEPRECATED
* ===================== */
/* /*
You have the option of specifying an alternative storage adaptor. You have the option of specifying an alternative storage adaptor.
These status of these alternatives are specified in their READMEs, These status of these alternatives are specified in their READMEs,
@ -259,48 +349,6 @@ module.exports = {
*/ */
storage: './storage/file', storage: './storage/file',
/*
CryptPad stores each document in an individual file on your hard drive.
Specify a directory where files should be stored.
It will be created automatically if it does not already exist.
*/
filePath: './datastore/',
/* CryptPad allows logged in users to request that particular documents be
* stored by the server indefinitely. This is called 'pinning'.
* Pin requests are stored in a pin-store. The location of this store is
* defined here.
*/
pinPath: './pins',
/* Pads that are not 'pinned' by any registered user can be set to expire
* after a configurable number of days of inactivity (default 90 days).
* The value can be changed or set to false to remove expiration.
* Expired pads can then be removed using a cron job calling the
* `delete-inactive.js` script with node
*/
inactiveTime: 90, // days
/* CryptPad allows logged in users to upload encrypted files. Files/blobs
* are stored in a 'blob-store'. Set its location here.
*/
blobPath: './blob',
/* CryptPad stores incomplete blobs in a 'staging' area until they are
* fully uploaded. Set its location here.
*/
blobStagingPath: './blobstage',
/* CryptPad's file storage adaptor closes unused files after a configurable
* number of milliseconds (default 30000 (30 seconds))
*/
channelExpirationMs: 30000,
/* CryptPad's file storage adaptor is limited by the number of open files.
* When the adaptor reaches openFileLimit, it will clean up older files
*/
openFileLimit: 2048,
/* CryptPad's socket server can be extended to respond to RPC calls /* CryptPad's socket server can be extended to respond to RPC calls
* you can configure it to respond to custom RPC calls if you like. * you can configure it to respond to custom RPC calls if you like.
* provide the path to your RPC module here, or `false` if you would * provide the path to your RPC module here, or `false` if you would
@ -308,62 +356,4 @@ module.exports = {
*/ */
rpc: './rpc.js', rpc: './rpc.js',
/* RPC errors are shown by default, but if you really don't care,
* you can suppress them
*/
suppressRPCErrors: false,
/* Setting this value to anything other than true will cause file upload
* attempts to be rejected outright.
*/
enableUploads: true,
/* If you have enabled file upload, you have the option of restricting it
* to a list of users identified by their public keys. If this value is set
* to true, your server will query a file (cryptpad/privileged.conf) when
* users connect via RPC. Only users whose public keys can be found within
* the file will be allowed to upload.
*
* privileged.conf uses '#' for line comments, and splits keys by newline.
* This is a temporary measure until a better quota system is in place.
* registered users' public keys can be found on the settings page.
*/
//restrictUploads: false,
/* Max Upload Size (bytes)
* this sets the maximum size of any one file uploaded to the server.
* anything larger than this size will be rejected
*/
maxUploadSize: 20 * 1024 * 1024,
/* clients can use the /settings/ app to opt out of usage feedback
* which informs the server of things like how much each app is being
* used, and whether certain clientside features are supported by
* the client's browser. The intent is to provide feedback to the admin
* such that the service can be improved. Enable this with `true`
* and ignore feedback with `false` or by commenting the attribute
*/
//logFeedback: true,
/* If you wish to see which remote procedure calls clients request,
* set this to true
*/
//logRPC: true,
/* it is recommended that you serve CryptPad over https
* the filepaths below are used to configure your certificates
*/
//privKeyAndCertFiles: [
// '/etc/apache2/ssl/my_secret.key',
// '/etc/apache2/ssl/my_public_cert.crt',
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
//],
/* You can get a repl for debugging the server if you want it.
* to enable this, specify the debugReplName and then you can
* connect to it with `nc -U /tmp/repl/<your name>.sock`
* If you run multiple cryptpad servers, you need to use different
* repl names.
*/
//debugReplName: "cryptpad"
}; };

13
server.js
View File

@ -75,20 +75,15 @@ var setHeaders = (function () {
if (config.padContentSecurity) { if (config.padContentSecurity) {
padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity); padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
} }
const ooHeaders = clone(headers);
if (config.ooContentSecurity) {
ooHeaders['Content-Security-Policy'] = clone(config.ooContentSecurity);
}
if (Object.keys(headers).length) { if (Object.keys(headers).length) {
return function (req, res) { return function (req, res) {
const h = [/^\/pad(2)?\/inner\.html.*/].some((regex) => { const h = [
return regex.test(req.url) /^\/pad(2)?\/inner\.html.*/,
}) ? padHeaders : ([
/^\/sheet\/inner\.html.*/, /^\/sheet\/inner\.html.*/,
/^\/common\/onlyoffice\/.*\/index\.html.*/ /^\/common\/onlyoffice\/.*\/index\.html.*/
].some((regex) => { ].some((regex) => {
return regex.test(req.url) return regex.test(req.url)
}) ? ooHeaders : headers); }) ? padHeaders : headers;
for (let header in h) { res.setHeader(header, h[header]); } for (let header in h) { res.setHeader(header, h[header]); }
}; };
} }