jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
6,163 Commits 33 Branches 583 Tags
687ba0e2488db45147a2b7ea78bed3f7f4e57695
Commit Graph

44 Commits

Author SHA1 Message Date
Girish Ramakrishnan
014b77b7aa Fix LE cert renewal failures 
LE contacts the server by hostname and not by IP. This means that
when installing and reconfiguring the app it hits the default_server
route since nginx configs for the app are not generated at.

When doing in the daily cert renew, the nginx configs exist and we
are unable to renew the certs.
 2017-11-02 11:43:43 -07:00
Girish Ramakrishnan
6dd70c0ef2 acme challenges must be answered by default_server 
The challenge must be answered even before app nginx config
is available.
 2017-10-28 23:39:03 -07:00
Girish Ramakrishnan
3dedda32d4 Configure http server to only listen on known vhosts/IP 
For the rest it returns 404

Fixes #446
 2017-10-27 00:10:50 -07:00
Johannes Zellner
8b341e2bf8 Only make nginx listen on ipv6 connections if it is supported by the system 
Could not decide on the ejs formatting, never nice for me
 2017-09-29 19:43:37 +02:00
Johannes Zellner
e50e0f730b Make nginx listen on :: for ipv6 2017-09-20 16:33:25 +02:00
Girish Ramakrishnan
3aebf51360 Fix upload of large files to apps 
6a0ef7a1c1 broke the upload for apps

e2e test is being added
 2017-08-23 10:22:54 -07:00
Girish Ramakrishnan
6a0ef7a1c1 Allow larger files to be uploaded 
Note that other upload APIs like avatar are still limited to 1m by
the nginx config
 2017-08-20 19:15:54 -07:00
Girish Ramakrishnan
eb99f8b844 escape and quote the robotsTxt when templating 
for now, we restrict the string length to 4096 since that is what
nginx allows
 2017-07-23 19:56:28 -07:00
Dick Tang
67486b8177 add X-Forwarded-Port in nginx reverse proxy for jetpack 
jetpack require X-Forward for the port, or "requested method jetpack.jsonAPI does not exist"
ref: https://github.com/ViBiOh/docker-wordpress/issues/1
 2017-07-18 15:58:46 +00:00
Girish Ramakrishnan
acd00222e5 Allow per-app configuration of robots.txt 
https://developers.google.com/search/reference/robots_txt has
the specification

Part of #344
 2017-07-14 15:25:05 -05:00
Ian Fijolek
788004245a Add HTTP/2 support to NGINX configs 
This easy fix should improve performance with newer browsers especially
for applications that require many files to be sent over the wire
*cough*Nextcloud11*cough*

NGINX blog post about HTTP/2 support: https://www.nginx.com/blog/nginx-1-9-5/
 2017-05-02 22:00:55 +00:00
mehdi
fce2cdce7f Adding proxy_max_temp_file_size 0 to nginx config. 
Explanation:
When proxying an HTTP request, nginx first fills up the memory buffers (set by proxy_buffer_size and proxy_buffers).
When these are full, it then writes them to a temporary file in batches of proxy_temp_file_write_size until it reaches proxy_max_temp_file_size.
When proxy_max_temp_file_size is not set, and a very large file is being served, it reaches the maximum of 1GB, and nginx begins to behave weirdly.
 2017-04-10 22:47:19 +02:00
Girish Ramakrishnan
8f912d8a1b add note on how to view graphite browser 2017-04-04 12:35:29 -07:00
Girish Ramakrishnan
2c871705c7 Add a referrer policy 2017-03-31 16:11:54 -07:00
Girish Ramakrishnan
18e59c4754 Rate limit nginx routes that verify the password 
Also remove rate-limit middleware

Test using something like:

    ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login

Part of #187
 2017-03-27 00:06:42 -07:00
Johannes Zellner
103cb10cad Ignore upstream headers for security headers we set in nginx 
Apps like nextcloud set their own security headers ending up with having
them set twice. I am not 100% sure if our headers should win or if we
should not inject headers with nginx if the upstream app sets them already.
This looks like the more permissive case where we simply enforce our
values, regardless what the apps sets.

This also fixes the nextcloud/owncloud security checks which were
failing because the header values were duplicated, which results in
string concatenation of values from same headers.
 2017-03-21 14:18:39 +01:00
Girish Ramakrishnan
6a523606ca Revert "Bump version to Nginx IPv6 support." 
This reverts commit 5555321cf5.
This reverts commit f087ebbee0.
This reverts commit d04f64d3d4.

Part of #264
 2017-03-19 14:25:30 -07:00
Jonah Aragon
d04f64d3d4 Add IPv6 listen directives 2017-03-17 19:12:25 +00:00
Girish Ramakrishnan
4b3ef33989 Add some basic secure headers 
Part of #249
 2017-03-08 22:14:44 -08:00
Girish Ramakrishnan
7f4f525551 dhparams.pem must be part of backup 2017-02-14 14:12:03 -08:00
Johannes Zellner
1d5465f21e Update the ssl ciphers and add dhparams.pem 
Fixes #218
 2017-02-13 00:28:22 +01:00
Girish Ramakrishnan
cd31e12bec Do not includeSubdomains in HSTS 
This prevents one from redirecting to some http-only subdomain.
For example, surfer in naked domain redirects to www subdomain
(which is on github pages...)
 2017-02-02 00:05:56 -08:00
Johannes Zellner
fd479d04a0 Fix nginx config to make non vhost configs default_server 
Nginx does not match on the ip as a vhost. This no basically replaces
the commented out section in the nginx.conf
 2017-01-06 22:09:10 +01:00
Johannes
d39a84ea53 Do not redirect on app upstream error but show static error page 
Fixes #4
 2016-11-21 16:25:23 +01:00
Girish Ramakrishnan
94037e5266 remove oauth proxy backend logic 2016-11-19 17:13:08 +05:30
Girish Ramakrishnan
b932a9be10 Set X-Forwarded-Ssl to on 
https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/nginx.md#supporting-proxied-ssl
http://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used
 2016-08-17 17:46:36 -07:00
Johannes Zellner
867e875707 Revert "Add basic 404 page" 
This reverts commit 3793220dd48356d5fe421312915a8392fcccca0e.
 2016-07-27 19:09:43 +02:00
Johannes Zellner
dcdca52dbd Add basic 404 page 2016-07-27 17:52:54 +02:00
Johannes Zellner
3331d1aa13 Ensure the X-Frame-Options header has a single string argument 2016-07-15 11:26:05 +02:00
Johannes Zellner
66049a9e2d Support x-frame-options in appconfig.ejs template 2016-07-14 16:28:59 +02:00
Johannes Zellner
ce116e56bf Remove webdav specific headers 
This is not actually doing anything in that directive
 2016-06-22 16:06:11 +02:00
Johannes Zellner
a37f87511b Prevent clickjacking by sending X-Frame-Options 2016-06-15 13:10:26 +02:00
Girish Ramakrishnan
dc31946e50 move webdav block outside location 
when inside location, nginx is redirecting to 127.0.0.1 (no clue why)
 2016-06-11 12:05:16 -07:00
Johannes Zellner
d06398dbfd Move webdav nginx fixes into app endpoint 
Not sure if this will now still work with oauth proxy though.
 2016-06-02 09:49:01 +02:00
Johannes Zellner
47978436c2 Set Destination header for webdav in nginx proxy 2016-06-01 18:49:50 +02:00
Girish Ramakrishnan
27d2daae93 leave a note in nginx config 2016-05-19 12:27:54 -07:00
Girish Ramakrishnan
4a04e0b52f use recommendation from raymii.org 2016-04-28 09:59:03 -07:00
girish@cloudron.io
ce0a24a95d comment out public graphite paths 2016-01-25 12:51:37 -08:00
girish@cloudron.io
6dc11edafe make exec route more debugging friedly 
allow upto 30 minutes of idle connection
 2016-01-18 12:49:06 -08:00
Johannes Zellner
8bd9a6c109 Do not serve up the status page for 500 upstream errors 2015-11-13 09:39:33 +01:00
Johannes Zellner
e81db9728a Set the cert and key dynamically when rendering nginx appconfig 2015-10-28 12:42:04 +01:00
Girish Ramakrishnan
2719c4240f Get oauth proxy port from the configs 2015-09-16 10:06:34 -07:00
Johannes Zellner
3d8b90f5c8 Redirect on app error to webadmin appstatus page 
Part of #436
 2015-07-28 13:46:58 +02:00
Girish Ramakrishnan
df9d321ac3 app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:10:36 -07:00