diff --git a/.gitignore b/.gitignore index 7a6353d..f1d97b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .envrc +.idea diff --git a/abra.sh b/abra.sh index a9a8715..17960dc 100644 --- a/abra.sh +++ b/abra.sh @@ -1 +1,3 @@ export CONFIG_VERSION=v2 +export CONFIG_JS_VERSION=v1 +export NGINX_CONF_VERSION=v1 diff --git a/compose.yml b/compose.yml index 4617c01..0665e3a 100644 --- a/compose.yml +++ b/compose.yml @@ -3,9 +3,9 @@ version: "3.8" services: app: - image: cryptpad/cryptpad:version-2024.3.0 + image: cryptpad/cryptpad:version-2025.9.0 networks: - - proxy + - backend environment: - "CPAD_MAIN_DOMAIN=${DOMAIN}" - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}" @@ -14,7 +14,8 @@ services: - "CPAD_HTTP2_DISABLE=true" - "CPAD_REALIP_RECURSIVE=on" - "CPAD_REALIP_HEADER=X-Real-Ip" - - CPAD_CONF=/cryptpad/config/config.js + - "CPAD_TRUST_PROXY=1" + - "CPAD_CONF=/cryptpad/config/config.js" volumes: - cryptpad_blob:/cryptpad/blob 
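Review bot: `CONFIG_JS_VERSION` is exported in abra.sh, but nothing in the visible hunks reads it. The `configs:` context in compose.yml still names the config `${STACK_NAME}_config_${CONFIG_VERSION}`, and `CONFIG_VERSION` stays at `v2` although config.js.tmpl changes in this commit. Swarm configs are immutable, so redeploying an existing stack with changed content under the same config name is normally rejected. Either bump the existing variable, `export CONFIG_VERSION=v3`, and drop `CONFIG_JS_VERSION`, or point the config name in compose.yml at the new variable.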
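Review bot: `CPAD_TRUST_PROXY=1` is added to the `app` environment without saying what consumes it or what the `1` counts, while this commit puts two proxies (Traefik, then the new `web` nginx) in front of `app`. If the value is a trusted-hop count in the usual reverse-proxy sense, one hop resolves the client address to the entry nginx appends to `X-Forwarded-For`. That entry is the Traefik container rather than the browser, so IP-based logging or limits would be skewed. Please confirm which setting this maps to in the CryptPad image and match the value to the chain. A comment above the line would help, for example `# proxies in front of app: traefik -> web (nginx)`.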
@@ -31,13 +32,16 @@ services: restart_policy: condition: on-failure labels: - - "traefik.enable=true" - - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})" - - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}" - - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}" + - "traefik.enable=false" + - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" + - "coop-cloud.${STACK_NAME}.version=0.4.0+version-2025.9.0" +# - "traefik.enable=true" +# - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" +# - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})" +# - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" +# - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" +# - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}" +# - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}" ## Redirect from EXTRA_DOMAINS to DOMAIN #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" 
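Review bot: The seven previous Traefik labels are kept as commented-out lines under the new `traefik.enable=false`, next to the redirect block that was already commented. This makes it hard to see which routing definition is live now that the `web` service carries the router. Delete them rather than commenting them out, since git history keeps the old values. If a pointer is wanted, one line such as `# routing lives on the web service; app is only reachable on the backend network` is enough. It also avoids leaving a second router definition that could later be re-enabled and bypass nginx.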
@@ -50,9 +54,32 @@ services: # retries: 10 # start_period: 1m + web: + image: nginx:1.25 + configs: + - source: nginx_conf + target: /etc/nginx/conf.d/default.conf + networks: + proxy: + backend: + depends_on: + - app + environment: + - STACK_NAME + deploy: + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.${STACK_NAME}.tls=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8083" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}` `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + networks: proxy: external: true + backend: volumes: cryptpad_blob: @@ -67,3 +94,7 @@ configs: name: ${STACK_NAME}_config_${CONFIG_VERSION} file: config.js.tmpl template_driver: golang + nginx_conf: + name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION} + file: nginx.conf.tmpl + template_driver: golang diff --git a/config.js.tmpl b/config.js.tmpl index 3dda44d..706470e 100644 --- a/config.js.tmpl +++ b/config.js.tmpl @@ -46,7 +46,8 @@ module.exports = { * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * */ - httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}', + //httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}', + httpUnsafeOrigin: 'http://localhost:3000', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then @@ -67,7 +68,8 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}', + //httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}', + //httpSafeOrigin: 'http://localhost:3001', /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 
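Review bot: The router rule on the new `web` service, ``Host(`${DOMAIN}` `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})``, has lost the comma that the removed rule had between the two hosts. Traefik will most likely fail to parse it, which leaves the stack without a router. Restore the separator as in the old label, ``Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})``. If the proxy runs a Traefik version where `Host` takes a single value, use ``Host(`${DOMAIN}`) || Host(`${SANDBOX_DOMAIN}`)`` instead. Separately, `image: nginx:1.25` pins a release line that, as far as I know, no longer receives fixes, so a currently maintained tag would be safer for an internet-facing proxy.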
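Review bot: `httpUnsafeOrigin` is now the hard-coded development value `'http://localhost:3000'`, and in the following hunk `httpSafeOrigin` is commented out entirely. The template therefore no longer uses the `CPAD_MAIN_DOMAIN` and `CPAD_SANDBOX_DOMAIN` values that compose.yml still passes. The comment directly above `httpSafeOrigin` says to customize and uncomment it for production installations, and these two origins are what separate the main UI from the sandbox. Shipping localhost here will likely break loading for real clients and weaken that separation. If this is a leftover from local testing, restore `httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}',` and `httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}',` and drop the commented variants.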
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl
new file mode 100644
index 0000000..b4017c0
--- /dev/null
+++ b/nginx.conf.tmpl
@@ -0,0 +1,48 @@
+upstream cryptpad_app {
+ server {{ env "STACK_NAME" }}_app:3000;
+}
+
+upstream cryptpad_ws {
+ #server {{ env "STACK_NAME" }}_app:3003;
+ server {{ env "STACK_NAME" }}_app:3000;
+}
+
+server {
+ listen 8083;
+ server_name localhost;
+
+ access_log /var/log/cpad.log;
+ error_log /var/log/cpad-error.log;
+ #access_log /dev/null;
+ #error_log /dev/null emerg;
+
+ # Main CryptPad app
+ location / {
+ proxy_pass http://cryptpad_app;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ client_max_body_size 150m;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+
+ # WebSocket endpoint
+ location ^~ /cryptpad_websocket {
+ proxy_pass http://cryptpad_ws;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+}
\ No newline at end of file
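Review bot: Both `location` blocks overwrite the forwarding headers with values that describe the Traefik hop rather than the client. nginx listens on plain HTTP port 8083 behind Traefik, so `$scheme` is always `http` and `$remote_addr` is the Traefik container's address. With `CPAD_REALIP_HEADER=X-Real-Ip` set in compose.yml, the app would then attribute every request to the same internal address, which removes the client IP from logs and from any per-IP handling. Pass the upstream value through with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, and restore the client address in the `server` block with `set_real_ip_from <PROXY_NETWORK_CIDR>;` plus `real_ip_header X-Forwarded-For;`. Separately, `access_log /var/log/cpad.log;` writes into the container's writable layer, where it grows unbounded and is invisible to `docker logs`; `/dev/stdout` and `/dev/stderr` are the usual targets.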