From c788582950fe2adbee00edc7663e02bac559e79a Mon Sep 17 00:00:00 2001 From: Ivan Reshetnikov Date: Sat, 2 Nov 2024 14:03:24 +0500 Subject: [PATCH] Fix small issues with nextcloud - HSTS header was not working - Disable log files - Specify trusted proxies
---
 roles/haproxy/files/haproxy.cfg | 40 +++++++++++++++++--------
 roles/nextcloud/templates/config.php.j2 | 4 +++
 2 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/files/haproxy.cfg
index 03ad930..7d26b11 100644
--- a/roles/haproxy/files/haproxy.cfg
+++ b/roles/haproxy/files/haproxy.cfg
@@ -25,24 +25,39 @@ defaults
 errorfile 503 /usr/local/etc/haproxy/errors/503.http
 errorfile 504 /usr/local/etc/haproxy/errors/504.http
-frontend www
+
+frontend http
 mode http
 bind :80
- bind :443 ssl crt /usr/local/etc/haproxy/certs
 acl has_domain hdr_sub(host) -i comfycamp.space
- http-request redirect scheme https if !{ ssl_fc } has_domain
- http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
- http-request set-header X-Forwarded-Proto https if { ssl_fc }
- http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if { ssl_fc } has_domain
- acl host_mastodon hdr(host) -i m.comfycamp.space
+ http-request set-header X-Forwarded-Proto http
+
 acl host_mastodon_tor hdr(host) -i mcomfyzeyibt2unmkttoxa2li2dzpsljcp3sasrioqsks4ayrl5kk2ad.onion
 acl path_streaming_api path_beg /api/v1/streaming
- use_backend mastodon_streaming if host_mastodon path_streaming_api
 use_backend mastodon_streaming if host_mastodon_tor path_streaming_api
- use_backend mastodon if host_mastodon || host_mastodon_tor
+ use_backend mastodon if host_mastodon_tor
+
+ acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion
+ use_backend peertube if host_peertube_tor
+
+ acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion
+ use_backend comfycamp if host_comfycamp_tor
+
+
+frontend https
+ mode http
+ bind :443 ssl crt /usr/local/etc/haproxy/certs
+
+ http-request set-header X-Forwarded-Proto https
+ http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+
+ acl host_mastodon hdr(host) -i m.comfycamp.space
+ acl path_streaming_api path_beg /api/v1/streaming
+ use_backend mastodon_streaming if host_mastodon path_streaming_api
+ use_backend mastodon if host_mastodon
 acl host_xmpp hdr(host) -i xmpp.comfycamp.space
 acl host_xmpp_uploads hdr(host) -i upload.comfycamp.space
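Review bot: The new `frontend http` carries no HTTP-to-HTTPS redirect: the removed `http-request redirect scheme https if !{ ssl_fc } has_domain` is not re-added, so a plaintext request for a clearnet comfycamp.space host on :80 now matches none of the `use_backend` rules in this frontend (unless a default_backend is set outside the hunk) instead of being upgraded, and `acl has_domain` is left defined but unused. HSTS only protects clients that already hold the header or the preload entry, so first visits and non-browser clients lose the upgrade. Re-adding `http-request redirect scheme https if has_domain` directly after the `acl has_domain` line restores it; the `!{ ssl_fc }` guard is redundant on a plaintext-only frontend, and the .onion hosts keep working over plain HTTP because they do not match `hdr_sub(host) comfycamp.space`. `frontend https` continues past the end of the hunk.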
@@ -57,8 +72,7 @@ frontend www
 use_backend minio if host_s3
 acl host_peertube hdr(host) -i v.comfycamp.space
- acl host_peertube_tor hdr(host) -i vcomfyooxdbibyusen75qbzaunrjykw2cxkc6txm6qykkdv4z2danpid.onion
- use_backend peertube if host_peertube || host_peertube_tor
+ use_backend peertube if host_peertube
 acl host_authentik hdr(host) -i auth.comfycamp.space
 use_backend authentik if host_authentik
@@ -74,8 +88,7 @@ frontend www
 use_backend immich if host_immich
 acl host_comfycamp hdr(host) -i comfycamp.space
- acl host_comfycamp_tor hdr(host) -i comfycgmgfvowbbw2ckkobuvk4cejo2e56uxrhznravxnrl7itftpkad.onion
- use_backend comfycamp if host_comfycamp || host_comfycamp_tor
+ use_backend comfycamp if host_comfycamp
 acl host_vaultwarden hdr(host) -i vault.comfycamp.space
 use_backend vaultwarden if host_vaultwarden
@@ -95,6 +108,7 @@ frontend www
 acl host_mta_sts hdr(host) -i mta-sts.comfycamp.space
 use_backend mta_sts if host_mta_sts
+
 frontend matrix-federation
 bind :8448 ssl crt /usr/local/etc/haproxy/certs
 http-request set-header X-Forwarded-Proto https if { ssl_fc }
diff --git a/roles/nextcloud/templates/config.php.j2 b/roles/nextcloud/templates/config.php.j2
index 71182e3..7e6d0a0 100644
--- a/roles/nextcloud/templates/config.php.j2
+++ b/roles/nextcloud/templates/config.php.j2
@@ -24,6 +24,7 @@ $CONFIG = array (
 'mail_smtppassword' => '{{ smtp_password }}',
 'maintenance' => false,
 'loglevel' => 2,
+ 'log_type' => 'errorlog',
 'memcache.local' => '\\OC\\Memcache\\APCu',
 'memcache.distributed' => '\\OC\\Memcache\\Redis',
 'memcache.locking' => '\\OC\\Memcache\\Redis',
@@ -39,6 +40,9 @@ $CONFIG = array (
 '{{ domain }}',
 {% endfor %}
 ],
+ 'trusted_proxies' => [
+ '172.24.0.0/16',
+ ],
 'config_is_read_only' => true,
 'ldapUserCleanupInterval' => 0,
 'auth.storeCryptedPassword' => false,
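Review bot: `'trusted_proxies' => ['172.24.0.0/16']` in the last hunk trusts a whole /16, so any container or host in that range that can reach Nextcloud — not only HAProxy — can supply an `X-Forwarded-For` header and have Nextcloud accept a spoofed client address, which weakens brute-force protection, rate limiting and the client IP recorded in audit logs. Narrow the entry to the HAProxy container's address or a dedicated proxy subnet, e.g. `'<haproxy-container-ip>/32',` (placeholder), and pin that address if the container network assigns it dynamically. Since both HAProxy frontends now set `X-Forwarded-Proto` unconditionally, also check that the protocol Nextcloud uses for generated URLs matches (`overwriteprotocol`, if set, lives outside this hunk). The `$CONFIG` array continues beyond the hunk.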