migrate to deb/rpm package
parent
e63c0f0493
commit
c0751f7be8
|
@ -1,49 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ ! -f /var/www/onlyoffice/Data/certs/dhparam.pem ]; then
|
||||
sudo openssl dhparam -out dhparam.pem 2048
|
||||
|
||||
mv dhparam.pem /var/www/onlyoffice/Data/certs/dhparam.pem;
|
||||
fi
|
||||
|
||||
DOCKER_ONLYOFFICE_SUBNET=$(ip -o -f inet addr show | awk '/scope global/ {print $4}');
|
||||
|
||||
cp /app/onlyoffice/config/nginx/onlyoffice-ssl default-onlyoffice-ssl.conf;
|
||||
|
||||
SSL_CERTIFICATE_PATH="/var/www/onlyoffice/Data/certs/onlyoffice.crt"
|
||||
SSL_KEY_PATH="/var/www/onlyoffice/Data/certs/onlyoffice.key"
|
||||
ONLYOFFICE_SERVICES_DIR="/var/www/onlyoffice/Services"
|
||||
|
||||
sed "s,{{SSL_CERTIFICATE_PATH}},${SSL_CERTIFICATE_PATH}," -i default-onlyoffice-ssl.conf;
|
||||
sed "s,{{SSL_KEY_PATH}},${SSL_KEY_PATH}," -i default-onlyoffice-ssl.conf;
|
||||
sed 's,{{SSL_DHPARAM_PATH}},/var/www/onlyoffice/Data/certs/dhparam.pem,' -i default-onlyoffice-ssl.conf;
|
||||
sed 's,{{SSL_VERIFY_CLIENT}},off,' -i default-onlyoffice-ssl.conf;
|
||||
sed '/{{CA_CERTIFICATES_PATH}}/d' -i default-onlyoffice-ssl.conf;
|
||||
sed 's/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/63072000/' -i default-onlyoffice-ssl.conf;
|
||||
sed 's,{{DOCKER_ONLYOFFICE_SUBNET}},'"${DOCKER_ONLYOFFICE_SUBNET}"',' -i default-onlyoffice-ssl.conf;
|
||||
sed 's/{{ONLYOFFICE_NIGNX_KEEPLIVE}}/64/g' -i default-onlyoffice-ssl.conf;
|
||||
|
||||
SSL_OCSP_CERTIFICATE_PATH="/var/www/onlyoffice/Data/certs/stapling.trusted.crt"
|
||||
|
||||
# if dhparam path is valid, add to the config, otherwise remove the option
|
||||
if [ -r "${SSL_OCSP_CERTIFICATE_PATH}" ]; then
|
||||
sed 's,{{SSL_OCSP_CERTIFICATE_PATH}},'"${SSL_OCSP_CERTIFICATE_PATH}"',' -i default-onlyoffice-ssl.conf;
|
||||
else
|
||||
sed '/ssl_stapling/d' -i default-onlyoffice-ssl.conf;
|
||||
sed '/ssl_stapling_verify/d' -i default-onlyoffice-ssl.conf;
|
||||
sed '/ssl_trusted_certificate/d' -i default-onlyoffice-ssl.conf;
|
||||
sed '/resolver/d' -i default-onlyoffice-ssl.conf;
|
||||
sed '/resolver_timeout/d' -i default-onlyoffice-ssl.conf;
|
||||
fi
|
||||
|
||||
# sed '/certificate/s/\(value\s*=\s*\"\).*\"/\1${SSL_CERTIFICATE_PATH}"\"/' -i ${ONLYOFFICE_SERVICES_DIR}/TeamLabSvc/TeamLabSvc.exe.Config
|
||||
# sed '/certificatePrivateKey/s/\(value\s*=\s*\"\).*\"/\1${SSL_KEY_PATH}"\"/' -i ${ONLYOFFICE_SERVICES_DIR}/TeamLabSvc/TeamLabSvc.exe.Config;
|
||||
# sed '/startTls/s/\(value\s*=\s*\"\).*\"/\1optional"\"/' -i ${ONLYOFFICE_SERVICES_DIR}/TeamLabSvc/TeamLabSvc.exe.Config;
|
||||
|
||||
sed '/mail\.default-api-scheme/s/\(value\s*=\s*\"\).*\"/\1https\"/' -i /var/www/onlyoffice/Services/MailAggregator/ASC.Mail.Aggregator.CollectionService.exe.config;
|
||||
|
||||
mv default-onlyoffice-ssl.conf /etc/nginx/sites-enabled/onlyoffice
|
||||
|
||||
service onlyofficeMailAggregator restart
|
||||
# service onlyofficeJabber restart
|
||||
service nginx reload
|
|
@ -1,12 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
cp /app/onlyoffice/config/nginx/onlyoffice default-onlyoffice.conf;
|
||||
|
||||
sed 's/{{ONLYOFFICE_NIGNX_KEEPLIVE}}/64/g' -i default-onlyoffice.conf;
|
||||
sed '/mail\.default-api-scheme/s/\(value\s*=\s*\"\).*\"/\1http\"/' -i /var/www/onlyoffice/Services/MailAggregator/ASC.Mail.Aggregator.CollectionService.exe.config;
|
||||
|
||||
mv default-onlyoffice.conf /etc/nginx/sites-enabled/onlyoffice
|
||||
|
||||
service onlyofficeMailAggregator restart
|
||||
service nginx reload
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
_domains="";
|
||||
|
||||
for arg; do
|
||||
_domains="$_domains -d $arg";
|
||||
done
|
||||
|
||||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
|
||||
certbot certonly --expand --webroot -w /var/www/onlyoffice/Data/certs --noninteractive --agree-tos --email support@$1 $_domains;
|
||||
|
||||
cp /etc/letsencrypt/live/$1/fullchain.pem /var/www/onlyoffice/Data/certs/onlyoffice.crt
|
||||
cp /etc/letsencrypt/live/$1/privkey.pem /var/www/onlyoffice/Data/certs/onlyoffice.key
|
||||
cp /etc/letsencrypt/live/$1/chain.pem /var/www/onlyoffice/Data/certs/stapling.trusted.crt
|
||||
|
||||
cat > /etc/cron.d/letsencrypt <<END
|
||||
@weekly root certbot renew >> /var/log/le-renew.log
|
||||
@weekly root cp /etc/letsencrypt/live/$1/fullchain.pem /var/www/onlyoffice/Data/certs/onlyoffice.crt
|
||||
@weekly root cp /etc/letsencrypt/live/$1/privkey.pem /var/www/onlyoffice/Data/certs/onlyoffice.key
|
||||
@weekly root cp /etc/letsencrypt/live/$1/chain.pem /var/www/onlyoffice/Data/certs/stapling.trusted.crt
|
||||
@weekly root nginx reload
|
||||
END
|
||||
|
||||
source $DIR/default-onlyoffice-ssl.sh
|
|
@ -1,32 +0,0 @@
|
|||
user nginx;
|
||||
worker_processes auto;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
upstream fastcgi_backend_apisystem {
|
||||
server unix:/var/run/onlyoffice/onlyofficeApiSystem.socket;
|
||||
keepalive 32;
|
||||
}
|
||||
|
||||
upstream fastcgi_backend {
|
||||
server unix:/var/run/onlyoffice/onlyoffice.socket;
|
||||
keepalive {{ONLYOFFICE_NIGNX_KEEPLIVE}};
|
||||
}
|
||||
|
||||
fastcgi_cache_path /var/cache/nginx/onlyoffice
|
||||
levels=1:2
|
||||
keys_zone=onlyoffice:16m
|
||||
max_size=256m
|
||||
inactive=1d;
|
||||
|
||||
map $http_host $this_host {
|
||||
"" $host;
|
||||
default $http_host;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_proto $the_scheme {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_host $the_host {
|
||||
default $http_x_forwarded_host;
|
||||
"" $this_host;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
|
||||
include /etc/nginx/includes/onlyoffice-communityserver-*.conf;
|
||||
}
|
|
@ -1,43 +0,0 @@
|
|||
upstream fastcgi_backend {
|
||||
server unix:/var/run/onlyoffice/onlyoffice.socket;
|
||||
keepalive 32;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
||||
fastcgi_keep_conn on;
|
||||
fastcgi_index Default.aspx;
|
||||
fastcgi_intercept_errors on;
|
||||
|
||||
|
||||
include fastcgi_params;
|
||||
|
||||
fastcgi_param HTTP_X_REWRITER_URL $http_x_rewriter_url;
|
||||
fastcgi_param SERVER_NAME $host;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO "";
|
||||
|
||||
fastcgi_read_timeout 600;
|
||||
fastcgi_send_timeout 600;
|
||||
|
||||
|
||||
location / {
|
||||
root /var/www/onlyoffice/WebStudio/;
|
||||
expires 0;
|
||||
add_header Cache-Control no-cache;
|
||||
rewrite ^(.*)$ /StartConfigure.htm break;
|
||||
}
|
||||
|
||||
location /api {
|
||||
fastcgi_pass fastcgi_backend;
|
||||
break;
|
||||
}
|
||||
|
||||
location ~* ^/(warmup[2-9]?)/ {
|
||||
rewrite /warmup([^/]*)/(.*) /$2 break;
|
||||
fastcgi_pass unix:/var/run/onlyoffice/onlyoffice$1.socket;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1,120 +0,0 @@
|
|||
upstream fastcgi_backend_apisystem {
|
||||
server unix:/var/run/onlyoffice/onlyofficeApiSystem.socket;
|
||||
keepalive 32;
|
||||
}
|
||||
|
||||
upstream fastcgi_backend {
|
||||
server unix:/var/run/onlyoffice/onlyoffice.socket;
|
||||
keepalive {{ONLYOFFICE_NIGNX_KEEPLIVE}};
|
||||
}
|
||||
|
||||
fastcgi_cache_path /var/cache/nginx/onlyoffice
|
||||
levels=1:2
|
||||
keys_zone=onlyoffice:16m
|
||||
max_size=256m
|
||||
inactive=1d;
|
||||
|
||||
geo $ip_external {
|
||||
default 1;
|
||||
{{DOCKER_ONLYOFFICE_SUBNET}} 0;
|
||||
127.0.0.1 0;
|
||||
}
|
||||
|
||||
map $http_host $this_host {
|
||||
"" $host;
|
||||
default $http_host;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_proto $the_scheme {
|
||||
default $http_x_forwarded_proto;
|
||||
"" $scheme;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_host $the_host {
|
||||
default $http_x_forwarded_host;
|
||||
"" $this_host;
|
||||
}
|
||||
|
||||
## Normal HTTP host
|
||||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80 default_server;
|
||||
server_name _;
|
||||
server_tokens off;
|
||||
|
||||
root /nowhere; ## root doesn't have to be a valid path since we are redirecting
|
||||
|
||||
location / {
|
||||
if ($ip_external) {
|
||||
## Redirects all traffic to the HTTPS host
|
||||
rewrite ^ https://$host$request_uri? permanent;
|
||||
}
|
||||
|
||||
|
||||
client_max_body_size 100m;
|
||||
|
||||
proxy_pass https://127.0.0.1;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Host $server_name;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_ssl_verify off;
|
||||
}
|
||||
}
|
||||
|
||||
## HTTPS host
|
||||
server {
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
server_tokens off;
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
## Increase this if you want to upload large attachments
|
||||
client_max_body_size 100m;
|
||||
|
||||
## Strong SSL Security
|
||||
## https://cipherli.st/
|
||||
ssl on;
|
||||
ssl_certificate {{SSL_CERTIFICATE_PATH}};
|
||||
ssl_certificate_key {{SSL_KEY_PATH}};
|
||||
ssl_verify_client {{SSL_VERIFY_CLIENT}};
|
||||
ssl_client_certificate {{CA_CERTIFICATES_PATH}};
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off; # Requires nginx >= 1.5.9
|
||||
|
||||
add_header Strict-Transport-Security "max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}; includeSubDomains; preload" always;
|
||||
# add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
|
||||
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
||||
## Replace with your ssl_trusted_certificate. For more info see:
|
||||
## - https://medium.com/devops-programming/4445f4862461
|
||||
## - https://www.ruby-forum.com/topic/4419319
|
||||
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_trusted_certificate {{SSL_OCSP_CERTIFICATE_PATH}};
|
||||
resolver 8.8.8.8 8.8.4.4 127.0.0.11 valid=300s; # Can change to your DNS resolver if desired
|
||||
resolver_timeout 10s;
|
||||
|
||||
## [Optional] Generate a stronger DHE parameter:
|
||||
## cd /etc/ssl/certs
|
||||
## sudo openssl dhparam -out dhparam.pem 4096
|
||||
##
|
||||
ssl_dhparam {{SSL_DHPARAM_PATH}};
|
||||
|
||||
include /etc/nginx/includes/onlyoffice-communityserver-*.conf;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -150,13 +150,13 @@ fi
|
|||
# fi
|
||||
# fi
|
||||
|
||||
cp ${SYSCONF_TEMPLATES_DIR}/nginx/nginx.conf ${NGINX_ROOT_DIR}/nginx.conf
|
||||
cp ${NGINX_ROOT_DIR}/includes/onlyoffice-communityserver-nginx.conf.template ${NGINX_ROOT_DIR}/nginx.conf
|
||||
|
||||
sed 's/^worker_processes.*/'"worker_processes ${NGINX_WORKER_PROCESSES};"'/' -i ${NGINX_ROOT_DIR}/nginx.conf
|
||||
sed 's/worker_connections.*/'"worker_connections ${NGINX_WORKER_CONNECTIONS};"'/' -i ${NGINX_ROOT_DIR}/nginx.conf
|
||||
|
||||
|
||||
cp ${SYSCONF_TEMPLATES_DIR}/nginx/onlyoffice-init ${NGINX_CONF_DIR}/onlyoffice
|
||||
cp ${NGINX_ROOT_DIR}/includes/onlyoffice-communityserver-common-init.conf.template ${NGINX_CONF_DIR}/onlyoffice
|
||||
rm -f ${NGINX_ROOT_DIR}/conf.d/*.conf
|
||||
|
||||
rsyslogd
|
||||
|
@ -435,7 +435,7 @@ done
|
|||
|
||||
# setup HTTPS
|
||||
if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then
|
||||
cp ${SYSCONF_TEMPLATES_DIR}/nginx/onlyoffice-ssl ${SYSCONF_TEMPLATES_DIR}/nginx/prepare-onlyoffice
|
||||
cp ${NGINX_ROOT_DIR}/includes/onlyoffice-communityserver-common-ssl.conf.template ${SYSCONF_TEMPLATES_DIR}/nginx/prepare-onlyoffice
|
||||
|
||||
mkdir -p ${LOG_DIR}/nginx
|
||||
|
||||
|
@ -484,7 +484,7 @@ if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then
|
|||
sed '/mail\.default-api-scheme/s/\(value\s*=\s*\"\).*\"/\1https\"/' -i ${ONLYOFFICE_SERVICES_DIR}/MailAggregator/ASC.Mail.Aggregator.CollectionService.exe.config;
|
||||
|
||||
else
|
||||
cp ${SYSCONF_TEMPLATES_DIR}/nginx/onlyoffice ${SYSCONF_TEMPLATES_DIR}/nginx/prepare-onlyoffice;
|
||||
cp ${NGINX_ROOT_DIR}/includes/onlyoffice-communityserver-common.conf.template ${SYSCONF_TEMPLATES_DIR}/nginx/prepare-onlyoffice;
|
||||
fi
|
||||
|
||||
|
||||
|
|
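Review bot: The new `cp` lines in the HTTPS and plain-HTTP branches still stage the config at `${SYSCONF_TEMPLATES_DIR}/nginx/prepare-onlyoffice`, but this commit deletes the nginx templates that appear to have lived in that directory (the removed helper copied from `/app/onlyoffice/config/nginx/`). If those were its last files, the directory may no longer exist in the image and both copies would fail. None of the four new `cp` calls is checked, and the variables are unquoted, so a missing or renamed package template would presumably go unnoticed until nginx loads a stale or absent config, and the TLS settings now come from that template. I would create the staging directory and fail loudly, e.g. `mkdir -p "${SYSCONF_TEMPLATES_DIR}/nginx"` followed by `cp "${NGINX_ROOT_DIR}/includes/onlyoffice-communityserver-common-ssl.conf.template" "${SYSCONF_TEMPLATES_DIR}/nginx/prepare-onlyoffice" || exit 1`, and do the same for the other three copies. The `if`/`else` body and the placeholder substitutions between these hunks are outside the lines shown, so it is worth confirming that the packaged templates carry the same `{{...}}` placeholders the script rewrites.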