diff --git a/conf/nextclound-conf.conf b/conf/nextclound-conf.conf
new file mode 100644
index 00000000..dd7457bf
--- /dev/null
+++ b/conf/nextclound-conf.conf
@@ -0,0 +1,60 @@
+
+ # Nextcloud configuration.
+ rewrite ^/cloud$ /cloud/ redirect;
+ rewrite ^/cloud/$ /cloud/index.php;
+ rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect;
+ rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
+ rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect;
+ location /cloud/ {
+ alias /usr/local/lib/owncloud/;
+ location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
+ deny all;
+ }
+ location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+ # Enable paths for service and cloud federation discovery
+ # Resolves warning in Nextcloud Settings panel
+ location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
+ index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
+ fastcgi_pass php-fpm;
+ }
+ }
+ location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
+ # note: ~ has precendence over a regular location block
+ # Accept URLs like:
+ # /cloud/index.php/apps/files/
+ # /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d)
+ # /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240)
+ # /cloud/remote.php/webdav/yourfilehere...
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
+ fastcgi_param SCRIPT_NAME $1$2;
+ fastcgi_param PATH_INFO $3;
+ fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
+ fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel;
+ fastcgi_read_timeout 630;
+ fastcgi_pass php-fpm;
+ client_max_body_size 1G;
+ fastcgi_buffers 64 4K;
+ }
+ location ^~ /owncloud-xaccel/ {
+ # This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file
+ # path on disk as a subdirectory under this virtual path.
+ # We must only allow 'internal' redirects within nginx so that the filesystem
+ # is not exposed to the world.
+ internal;
+ alias /;
+ }
+ location ~ ^/((caldav|carddav|webdav).*)$ {
+ # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
+ # Properly proxying like this seems to work fine.
+ proxy_pass https://127.0.0.1/cloud/remote.php/$1;
+ }
+ rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
+ rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
+ rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
+
diff --git a/conf/nginx-primaryonly-no-nextcloud.conf b/conf/nginx-primaryonly-no-nextcloud.conf
deleted file mode 100644
index 09e1f34a..00000000
--- a/conf/nginx-primaryonly-no-nextcloud.conf
+++ /dev/null
@@ -1,17 +0,0 @@
- # Control Panel
- # Proxy /admin to our Python based control panel daemon. It is
- # listening on IPv4 only so use an IP address and not 'localhost'.
- location /admin/assets {
- alias /usr/local/lib/mailinabox/vendor/assets;
- }
- rewrite ^/admin$ /admin/;
- rewrite ^/admin/munin$ /admin/munin/ redirect;
- location /admin/ {
- proxy_pass http://127.0.0.1:10222/;
- proxy_set_header X-Forwarded-For $remote_addr;
- add_header X-Frame-Options "DENY";
- add_header X-Content-Type-Options nosniff;
- add_header Content-Security-Policy "frame-ancestors 'none';";
- }
-
- # ADDITIONAL DIRECTIVES HERE
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 288fce40..9a7576b1 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
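Review bot: In the new `conf/nextclound-conf.conf`, the `/owncloud-xaccel/` location pairs `internal;` with `alias /;`, so any X-Accel-Redirect header coming back from the PHP backend can make nginx serve any file its worker can read, not only Nextcloud data. `internal` does stop direct client requests, but a path-handling bug in the application would then become a read of the whole filesystem; scoping the location to the data directory would bound that, e.g. `location ^~ /owncloud-xaccel/<NEXTCLOUD_DATA_DIR>/ { internal; alias /<NEXTCLOUD_DATA_DIR>/; }` (placeholder; the real path is not in this diff). Separately, the `proxy_pass https://127.0.0.1/cloud/remote.php/$1;` block forwards no client address, so Nextcloud presumably sees 127.0.0.1 for every caldav/carddav/webdav request, which would blunt per-IP throttling and make its logs less useful. Adding `proxy_set_header X-Forwarded-For $remote_addr;`, as the `/admin/` block does, would carry it through, provided Nextcloud is configured to trust that proxy.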
@@ -14,63 +14,3 @@ add_header Content-Security-Policy "frame-ancestors 'none';"; } - # Nextcloud configuration. - rewrite ^/cloud$ /cloud/ redirect; - rewrite ^/cloud/$ /cloud/index.php; - rewrite ^/cloud/(contacts|calendar|files)$ /cloud/index.php/apps/$1/ redirect; - rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html; - rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect; - location /cloud/ { - alias /usr/local/lib/owncloud/; - location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ { - deny all; - } - location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) { - deny all; - } - # Enable paths for service and cloud federation discovery - # Resolves warning in Nextcloud Settings panel - location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ { - index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2; - fastcgi_pass php-fpm; - } - } - location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ { - # note: ~ has precendence over a regular location block - # Accept URLs like: - # /cloud/index.php/apps/files/ - # /cloud/index.php/apps/files/ajax/scan.php (it's really index.php; see 6fdef379adfdeac86cc2220209bdf4eb9562268d) - # /cloud/ocs/v1.php/apps/files_sharing/api/v1 (see #240) - # /cloud/remote.php/webdav/yourfilehere... - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2; - fastcgi_param SCRIPT_NAME $1$2; - fastcgi_param PATH_INFO $3; - fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on; - fastcgi_param MOD_X_ACCEL_REDIRECT_PREFIX /owncloud-xaccel; - fastcgi_read_timeout 630; - fastcgi_pass php-fpm; - client_max_body_size 1G; - fastcgi_buffers 64 4K; - } - location ^~ /owncloud-xaccel/ { - # This directory is for MOD_X_ACCEL_REDIRECT_ENABLED. Nextcloud sends the full file - # path on disk as a subdirectory under this virtual path. - # We must only allow 'internal' redirects within nginx so that the filesystem - # is not exposed to the world. 
- internal; - alias /; - } - location ~ ^/((caldav|carddav|webdav).*)$ { - # Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either. - # Properly proxying like this seems to work fine. - proxy_pass https://127.0.0.1/cloud/remote.php/$1; - } - rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last; - rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect; - - # ADDITIONAL DIRECTIVES HERE diff --git a/management/web_update.py b/management/web_update.py index 43bedff3..78be0dac 100644 --- a/management/web_update.py +++ b/management/web_update.py 
@@ -76,17 +76,17 @@ def do_web_update(env): nginx_conf = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-top.conf")).read() # Load the templates. + template2_nextcloud = "" template0 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read() template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-alldomains.conf")).read() + template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() # Check if the user doesn't want Nextcloud. - if environ.get('DISABLE_NEXTCLOUD') == '0': - template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly-no-nextcloud.conf")).read() - else: - template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read() + if environ.get('DISABLE_NEXTCLOUD') != '0': + template2_nextcloud = open(os.path.join(os.path.dirname(__file__), "../conf/nextcloud-conf.conf")).read() template3 = "\trewrite ^(.*) https://$REDIRECT_DOMAIN$1 permanent;\n" # Add the PRIMARY_HOST configuration first so it becomes nginx's default server. - nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2], ssl_certificates, env) + nginx_conf += make_domain_config(env['PRIMARY_HOSTNAME'], [template0, template1, template2_nextcloud, template2], ssl_certificates, env) # Add configuration all other web domains. has_root_proxy_or_redirect = get_web_domains_with_root_overrides(env)
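Review bot: The added `open(os.path.join(os.path.dirname(__file__), "../conf/nextcloud-conf.conf"))` does not match the file this commit creates, `conf/nextclound-conf.conf`, so whenever `DISABLE_NEXTCLOUD` is anything other than `'0'` (including unset) `do_web_update` would raise FileNotFoundError before any nginx configuration is produced; renaming the new file to `conf/nextcloud-conf.conf` fixes it. The `nginx-primaryonly.conf` hunk also appears to remove the `# ADDITIONAL DIRECTIVES HERE` line, and the new template carries none. `make_domain_config` is outside this diff, but if it splices each template in at that marker, an empty or marker-less `template2_nextcloud` would drop `template2` and with it the `/admin/` block and its `X-Frame-Options` and CSP headers, so the rendered config should be checked in both modes. The condition keeps the inverted meaning of the variable, which deserves a comment such as `# DISABLE_NEXTCLOUD=0 omits the Nextcloud locations; any other value, or unset, includes them`. The body of `do_web_update` starts and continues outside this hunk.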