initial commit of file from CVS for smeserver-onlyoffice on Sat Sep 7 20:48:46 AEST 2024

2024-09-07 20:48:46 +10:00
parent d22c871bff
commit fde7aef164
32 changed files with 1286 additions and 2 deletions
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/00Setup
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/00Setup
@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $virtualHostContent = $domain->prop('Content');
+    $OUT = "";
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/80VirtualHostOnlyoffice
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/80VirtualHostOnlyoffice
@@ -0,0 +1,66 @@
+{
+
+#return "# onlyoffice proxy disabled, no domain set" unless  $onlyoffice{'VirtualHost'};
+if (($port eq "80") ){
+    $OUT = <<"_EOL";
+        # PORT FORWARD FROM 80 TO: 443
+        ServerName  $onlyoffice{'VirtualHost'}
+_EOL
+
+    $OUT .= <<_EOL;
+        ServerAlias
+        SSLProxyEngine On
+        RewriteEngine on
+        RewriteCond %\{REQUEST_URI\} !^/.well-known/acme-challenge [NC]
+        RewriteCond %\{HTTPS\} off
+        RewriteRule ^/(.*) https://%\{HTTP_HOST\}/$1 [NC,R,L]
+_EOL
+
+}
+else {
+
+    use esmith::DomainsDB;
+    my $domains = esmith::DomainsDB->open_ro;
+    my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || "disabled";
+    my $ssl_file_key = $domains->get_prop($virtualHost, "DomainSSLCertificateKeyFile") || "disabled";
+    my $ssl_file_chain = $domains->get_prop($virtualHost, "DomainSSLCertificateChainFile") || "disabled";
+
+
+    $OUT = <<"_EOL"; 
+    ServerName $onlyoffice{'VirtualHost'} 
+    SSLEngine On
+    SSLCompression off
+_EOL
+
+    $OUT .= "    SSLCertificateFile $ssl_file_crt\n" unless $ssl_file_crt eq 'disabled';
+    $OUT .= "    SSLCertificateChainFile $ssl_file_chain\n" unless $ssl_file_chain eq 'disabled';
+    $OUT .= "    SSLCertificateKeyFile $ssl_file_key\n" unless ( $ssl_file_key eq 'disabled' || ! -e $ssl_file_chain );
+
+    $OUT .= <<_EOL;
+    RewriteEngine on
+    RewriteRule ^(/)?\$ /welcome/ [NC,R,L]
+
+    SetEnvIf Host "^(.*)\$" THE_HOST=\$1
+    #needs apache 2.4.7
+    #RequestHeader setifempty X-Forwarded-Proto https
+    #RequestHeader setifempty X-Forwarded-Host \%{THE_HOST}e
+    RequestHeader set X-Forwarded-Proto https
+    RequestHeader set X-Forwarded-Host \%{THE_HOST}e
+    ProxyAddHeaders Off
+
+    ProxyPass /.well-known/acme-challenge !
+_EOL
+
+    my $OOport = 48000; 
+    $OUT .= <<"_EOL";
+    #ProxyPassMatch (.*)(\/websocket)\$ "ws://localhost:$OOport/\$1\$2"
+    RewriteCond %\{HTTP:Upgrade\} websocket [NC]
+    RewriteCond %\{HTTP:Connection\} upgrade [NC]
+    RewriteRule ^/?(.*) "ws://localhost:$OOport/\$1" [P,L]
+    ProxyPass / "http://localhost:$OOport/"
+    ProxyPassReverse / "http://localhost:$OOport/"
+_EOL
+
+}
+
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/template-begin
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/template-begin
@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/template-end
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/Onlyoffice/template-end
@@ -0,0 +1,2 @@
+</VirtualHost>
+
--- a/root/etc/e-smith/templates/etc/nginx/conf.d/ds.conf/10base
+++ b/root/etc/e-smith/templates/etc/nginx/conf.d/ds.conf/10base
@@ -0,0 +1,49 @@
+include /etc/nginx/includes/http-common.conf;
+
+## HTTPS host
+server \{
+{
+$OUT .= "  listen 127.0.0.1:8083;\n";
+$OUT .= "  listen 0.0.0.0:$onlyoffice{'TCPPort'} ssl;\n";
+$OUT .= "  listen [::]:$onlyoffice{'TCPPort'} ssl default_server;\n";
+}
+  server_tokens off;
+  root /usr/share/nginx/html;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  ssl_certificate /etc/nginx/certificate.crt;
+  ssl_certificate_key /etc/nginx/certificate.crt;
+  ssl_verify_client off;
+
+  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+  ssl_session_cache  builtin:1000  shared:SSL:10m;
+
+  ssl_prefer_server_ciphers   on;
+
+  add_header Strict-Transport-Security max-age=31536000;
+  # add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
+
+  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+  ## Replace with your ssl_trusted_certificate. For more info see:
+  ## - https://medium.com/devops-programming/4445f4862461
+  ## - https://www.ruby-forum.com/topic/4419319
+  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+  # resolver_timeout 10s;
+
+  ## [Optional] Generate a stronger DHE parameter:
+  ##   cd /etc/ssl/certs
+  ##   sudo openssl dhparam -out dhparam.pem 4096
+  ##
+  # ssl_dhparam /etc/ssl/certs/dhparam.pem;
+  set $secure_link_secret  { $onlyoffice{'secretString'} || "how-to-configure-ocsp-stapling-on-apache"   };
+  include /etc/nginx/includes/ds-*.conf;
+
+\}
--- a/root/etc/e-smith/templates/etc/nginx/includes/http-common.conf/10base
+++ b/root/etc/e-smith/templates/etc/nginx/includes/http-common.conf/10base
@@ -0,0 +1,38 @@
+upstream docservice \{
+  server localhost:48000;
+\}
+
+upstream spellchecker \{
+  server localhost:48080;
+\}
+
+upstream example \{
+  server localhost:3000;
+\}
+
+map $http_host $this_host \{
+    "" $host;
+    default $http_host;
+\}
+
+map $http_x_forwarded_proto $the_scheme \{
+     default $http_x_forwarded_proto;
+     "" $scheme;
+\}
+
+map $http_x_forwarded_host $the_host \{
+    default $http_x_forwarded_host;
+    "" $this_host;
+\}
+
+map $http_upgrade $proxy_connection \{
+  default upgrade;
+  "" close;
+\}
+
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Forwarded-Host $the_host;
+proxy_set_header X-Forwarded-Proto $the_scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/root/etc/e-smith/templates/var/lib/pgsql/data/pg_hba.conf/15onlyoffice
+++ b/root/etc/e-smith/templates/var/lib/pgsql/data/pg_hba.conf/15onlyoffice
@@ -0,0 +1,2 @@
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust