From 6e380ade1768c8062a4e5da1ce8ce991bec1aa0f Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Sat, 16 Aug 2014 12:33:10 +0000 Subject: [PATCH] owncloud will only let users access it from the PRIMARY_HOSTNAME (due to its trusted_domains option being set statically), so only include /cloud in the nginx configuration for PRIMARY_HOSTNAME --- conf/nginx-primaryonly.conf | 41 ++++++++++++++++++++++++++++++++ conf/nginx.conf | 47 ------------------------------------- management/web_update.py | 21 ++++++++++------- 3 files changed, 54 insertions(+), 55 deletions(-) create mode 100644 conf/nginx-primaryonly.conf diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf new file mode 100644 index 00000000..d7457ed6 --- /dev/null +++ b/conf/nginx-primaryonly.conf @@ -0,0 +1,41 @@ + # ownCloud configuration. + rewrite ^/cloud$ /cloud/ redirect; + rewrite ^/cloud/$ /cloud/index.php; + rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; + location /cloud/ { + alias /usr/local/lib/owncloud/; + location ~ ^/(data|config|\.ht|db_structure\.xml|README) { + deny all; + } + } + location ~ ^(/cloud)(/[^/]+\.php)(/.*)?$ { + # note: ~ has precendence over a regular location block + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2; + fastcgi_param SCRIPT_NAME $1$2; + fastcgi_param PATH_INFO $3; + fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on; + fastcgi_read_timeout 630; + fastcgi_pass php-fpm; + error_page 403 /cloud/core/templates/403.php; + error_page 404 /cloud/core/templates/404.php; + client_max_body_size 1G; + fastcgi_buffers 64 4K; + } + location ^~ /cloud/data { + # In order to support MOD_X_ACCEL_REDIRECT_ENABLED, we need to expose + # the data directory but only allow 'internal' redirects within nginx + # so that this is not exposed to the world. + internal; + alias $STORAGE_ROOT/owncloud; + } + location ~ ^/((caldav|carddav|webdav).*)$ { + # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either. + # Properly proxying like this seems to work fine. + proxy_pass https://$HOSTNAME/cloud/remote.php/$1; + } + rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last; + rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect; + diff --git a/conf/nginx.conf b/conf/nginx.conf index 3ed75560..4f343c5a 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -31,12 +31,10 @@ server { index index.php; alias /usr/local/lib/roundcubemail/; } - location ~ /mail/config/.* { # A ~-style location is needed to give this precedence over the next block. return 403; } - location ~ /mail/.*\.php { # note: ~ has precendence over a regular location block include fastcgi_params; @@ -47,51 +45,6 @@ server { client_max_body_size 20M; } - # ownCloud configuration. - rewrite ^/cloud$ /cloud/ redirect; - rewrite ^/cloud/$ /cloud/index.php; - rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; - location /cloud/ { - alias /usr/local/lib/owncloud/; - location ~ ^/(data|config|\.ht|db_structure\.xml|README) { - deny all; - } - } - - location ~ ^(/cloud)(/[^/]+\.php)(/.*)?$ { - # note: ~ has precendence over a regular location block - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2; - fastcgi_param SCRIPT_NAME $1$2; - fastcgi_param PATH_INFO $3; - fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on; - fastcgi_read_timeout 630; - fastcgi_pass php-fpm; - error_page 403 /cloud/core/templates/403.php; - error_page 404 /cloud/core/templates/404.php; - client_max_body_size 1G; - fastcgi_buffers 64 4K; - } - location ^~ /cloud/data { - # In order to support MOD_X_ACCEL_REDIRECT_ENABLED, we need to expose - # the data directory but only allow 'internal' redirects within nginx - # so that this is not exposed to the world. - internal; - alias $STORAGE_ROOT/owncloud; - } - - - location ~ ^/((caldav|carddav|webdav).*)$ { - # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either. - # Properly proxying like this seems to work fine. - proxy_pass https://$HOSTNAME/cloud/remote.php/$1; - } - - rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last; - rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect; - # Webfinger configuration. location = /.well-known/webfinger { include fastcgi_params; diff --git a/management/web_update.py b/management/web_update.py index 0665156b..3ef28560 100644 --- a/management/web_update.py +++ b/management/web_update.py @@ -43,9 +43,10 @@ def do_web_update(env): nginx_conf = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-top.conf")).read() # Add configuration for each web domain. - template = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read() + template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read() + template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() for domain in get_web_domains(env): - nginx_conf += make_domain_config(domain, template, env) + nginx_conf += make_domain_config(domain, template1, template2, env) # Did the file change? If not, don't bother writing & restarting nginx. nginx_conf_fn = "/etc/nginx/conf.d/local.conf" @@ -63,7 +64,7 @@ def do_web_update(env): return "web updated\n" -def make_domain_config(domain, template, env): +def make_domain_config(domain, template, template_for_primaryhost, env): # How will we configure this domain. # Where will its root directory be for static files? @@ -77,8 +78,13 @@ def make_domain_config(domain, template, env): # available. Make a self-signed one now if one doesn't exist. ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, env) + # Put pieces together. + nginx_conf_parts = re.split("\s*# ADDITIONAL DIRECTIVES HERE\s*", template) + nginx_conf = nginx_conf_parts[0] + "\n" + if domain == env['PRIMARY_HOSTNAME']: + nginx_conf += template_for_primaryhost + "\n" + # Replace substitution strings in the template & return. - nginx_conf = template nginx_conf = nginx_conf.replace("$STORAGE_ROOT", env['STORAGE_ROOT']) nginx_conf = nginx_conf.replace("$HOSTNAME", domain) nginx_conf = nginx_conf.replace("$ROOT", root) @@ -86,17 +92,16 @@ def make_domain_config(domain, template, env): nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE", ssl_certificate) # Add in any user customizations. - nginx_conf_parts = re.split("(# ADDITIONAL DIRECTIVES HERE\n)", nginx_conf) nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml") if os.path.exists(nginx_conf_custom_fn): yaml = rtyaml.load(open(nginx_conf_custom_fn)) if domain in yaml: yaml = yaml[domain] if "proxy" in yaml: - nginx_conf_parts[1] += "\tlocation / {\n\t\tproxy_pass %s;\n\t}\n" % yaml["proxy"] + nginx_conf += "\tlocation / {\n\t\tproxy_pass %s;\n\t}\n" % yaml["proxy"] - # Put it all together. - nginx_conf = "".join(nginx_conf_parts) + # Ending. + nginx_conf += nginx_conf_parts[1] return nginx_conf