diff --git a/test/collabora/1.0.0/ix_values.yaml b/test/collabora/1.0.0/ix_values.yaml
index 5120e01acf..4e07fa58fc 100644
--- a/test/collabora/1.0.0/ix_values.yaml
+++ b/test/collabora/1.0.0/ix_values.yaml
@@ -2,4 +2,9 @@ image:
 pullPolicy: IfNotPresent
 repository: collabora/code
 tag: 6.4.10.10
+nginx:
+ image:
+ pullPolicy: IfNotPresent
+ repository: nginx
+ tag: 1.21.3
 updateStrategy: Recreate
diff --git a/test/collabora/1.0.0/templates/nginx-conf.yaml b/test/collabora/1.0.0/templates/nginx-conf.yaml
new file mode 100644
index 0000000000..d57c885386
--- /dev/null
+++ b/test/collabora/1.0.0/templates/nginx-conf.yaml
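Review bot: The stock `nginx` image selected in the ix_values.yaml hunk (`repository: nginx`, `tag: 1.21.3`) probably cannot start with the config this commit ships. The nginx-conf.yaml template opens with `load_module modules/ngx_http_uploadprogress_module.so;` and uses `upload_progress proxied 1m;`, and as far as I know that third-party module is not part of the stock image; nginx refuses to start when a `load_module` target is missing. Either pick an image that bundles the module or drop those two directives. The tag is also a mutable reference, and with `pullPolicy: IfNotPresent` each node keeps whatever content it first pulled for it; if the chart's image helper allows it, pinning by digest (`nginx@sha256:<digest>`) makes the deployed proxy reproducible.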
@@ -0,0 +1,136 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "nginx-config"
+ annotations:
+ rollme: {{ randAlphaNum 5 | quote }}
+data:
+ config: |-
+ load_module modules/ngx_http_uploadprogress_module.so;
+ user www-data www-data;
+ worker_processes 1;
+
+ events {
+ worker_connections 1024;
+ }
+
+ http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ # Types to enable gzip compression on
+ gzip_types
+ text/plain
+ text/css
+ text/js
+ text/xml
+ text/javascript
+ application/javascript
+ application/x-javascript
+ application/json
+ application/xml
+ application/rss+xml
+ image/svg+xml;
+
+ # reserve 1MB under the name 'proxied' to track uploads
+ upload_progress proxied 1m;
+
+ sendfile on;
+ #tcp_nopush on;
+ client_max_body_size 1000m;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ # Disable tokens for security (#23684)
+ server_tokens off;
+
+ gzip on;
+ #upload_store /var/tmp/firmware;
+ client_body_temp_path /var/tmp/firmware;
+
+ error_log syslog:server=unix:/var/run/log,nohostname;
+ access_log syslog:server=unix:/var/run/log,nohostname;
+
+ server {
+ server_name localhost;
+ listen 0.0.0.0:443 default_server ssl http2;
+ listen [::]:443 default_server ssl http2;
+
+ ssl_certificate "/nginx.crt";
+ ssl_certificate_key "/nginx.key";
+
+ ssl_session_timeout 120m;
+ ssl_session_cache shared:ssl:16m;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
+ add_header Strict-Transport-Security max-age=31536000;
+
+ # Security Headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1";
+
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /loleaflet/*\n";
+ }
+
+ # static files
+ location ^~ /loleaflet {
+ set $upstream_collabora collabora;
+ proxy_pass http://$upstream_collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ set $upstream_collabora collabora;
+ proxy_pass http://$upstream_collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # Capabilities
+ location ^~ /hosting/capabilities {
+ set $upstream_collabora collabora;
+ proxy_pass http://$upstream_collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # main websocket
+ location ~ ^/lool/(.*)/ws$ {
+ set $upstream_collabora collabora;
+ proxy_pass http://$upstream_collabora:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/lool {
+ set $upstream_collabora collabora;
+ proxy_pass http://$upstream_collabora:9980;
+ proxy_set_header Host $http_host;
+ }
+
+ # Admin Console websocket
+ location ^~ /lool/adminws {
+ set $upstream_collabora collabora;
+ proxy_pass http://$upstream_collabora:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $http_host;
+ proxy_read_timeout 36000s;
+ }
+
+ }
+ server {
+ listen 0.0.0.0:80;
+ listen [::]:80;
+ server_name localhost;
+ return 307 https://$host:443$request_uri;
+ }
+
+ }
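Review bot: The `location = /robots.txt` block declares its own `add_header`, and nginx inherits `add_header` from the enclosing level only when the current level has none. That response is therefore served without the `Strict-Transport-Security`, `X-Content-Type-Options` and `X-XSS-Protection` headers set in the server block; `default_type text/plain;` inside the location sets the type without dropping them. The server-level headers also omit `always`, so they are skipped on 4xx/5xx responses; for HSTS that would be `add_header Strict-Transport-Security max-age=31536000 always;`. Separately, every `proxy_pass http://$upstream_collabora:9980;` uses a variable, which makes nginx resolve `collabora` at request time through a `resolver`, and this config defines none, so these locations would likely answer 502. Either add `resolver <cluster-dns-ip>;` in the `http` block or write the upstream name literally in `proxy_pass`.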