|
|
|
@ -12,104 +12,53 @@ var _domain = 'http://localhost:3000/'; |
|
|
|
// to enable this feature, uncomment the line below:
|
|
|
|
// require('heapdump');
|
|
|
|
|
|
|
|
|
|
|
|
// we prepend a space because every usage expects it
|
|
|
|
// requiring admins to preserve it is unnecessarily confusing
|
|
|
|
var domain = ' ' + _domain; |
|
|
|
module.exports = { |
|
|
|
|
|
|
|
// the address you want to bind to, :: means all ipv4 and ipv6 addresses
|
|
|
|
// this may not work on all operating systems
|
|
|
|
httpAddress: '::', |
|
|
|
// Content-Security-Policy
|
|
|
|
var baseCSP = [ |
|
|
|
"default-src 'none'", |
|
|
|
"style-src 'unsafe-inline' 'self' " + domain, |
|
|
|
"script-src 'self'" + domain, |
|
|
|
"font-src 'self' data:" + domain, |
|
|
|
|
|
|
|
// the port on which your httpd will listen
|
|
|
|
/* child-src is used to restrict iframes to a set of allowed domains. |
|
|
|
* connect-src is used to restrict what domains can connect to the websocket. |
|
|
|
* |
|
|
|
* it is recommended that you configure these fields to match the |
|
|
|
* domain which will serve your CryptPad instance. |
|
|
|
*/ |
|
|
|
"child-src blob: *", |
|
|
|
// IE/Edge
|
|
|
|
"frame-src blob: *", |
|
|
|
|
|
|
|
/* CryptPad can be configured to send customized HTTP Headers |
|
|
|
* These settings may vary widely depending on your needs |
|
|
|
* Examples are provided below |
|
|
|
/* this allows connections over secure or insecure websockets |
|
|
|
if you are deploying to production, you'll probably want to remove |
|
|
|
the ws://* directive, and change '*' to your domain
|
|
|
|
*/ |
|
|
|
"connect-src 'self' ws: wss: blob:" + domain, |
|
|
|
|
|
|
|
httpHeaders: { |
|
|
|
"X-XSS-Protection": "1; mode=block", |
|
|
|
"X-Content-Type-Options": "nosniff", |
|
|
|
"Access-Control-Allow-Origin": "*" |
|
|
|
}, |
|
|
|
// data: is used by codemirror
|
|
|
|
"img-src 'self' data: blob:" + domain, |
|
|
|
"media-src * blob:", |
|
|
|
|
|
|
|
contentSecurity: [ |
|
|
|
"default-src 'none'", |
|
|
|
"style-src 'unsafe-inline' 'self' " + domain, |
|
|
|
"script-src 'self'" + domain, |
|
|
|
"font-src 'self' data:" + domain, |
|
|
|
|
|
|
|
/* child-src is used to restrict iframes to a set of allowed domains. |
|
|
|
* connect-src is used to restrict what domains can connect to the websocket. |
|
|
|
* |
|
|
|
* it is recommended that you configure these fields to match the |
|
|
|
* domain which will serve your CryptPad instance. |
|
|
|
*/ |
|
|
|
"child-src blob: *", |
|
|
|
// IE/Edge
|
|
|
|
"frame-src blob: *", |
|
|
|
|
|
|
|
"media-src * blob:", |
|
|
|
|
|
|
|
/* this allows connections over secure or insecure websockets |
|
|
|
if you are deploying to production, you'll probably want to remove |
|
|
|
the ws://* directive, and change '*' to your domain
|
|
|
|
*/ |
|
|
|
"connect-src 'self' ws: wss: blob:" + domain, |
|
|
|
|
|
|
|
// data: is used by codemirror
|
|
|
|
"img-src 'self' data: blob:" + domain, |
|
|
|
|
|
|
|
// for accounts.cryptpad.fr authentication and pad2 cross-domain iframe sandbox
|
|
|
|
"frame-ancestors *", |
|
|
|
].join('; '), |
|
|
|
|
|
|
|
// CKEditor requires significantly more lax content security policy in order to function.
|
|
|
|
padContentSecurity: [ |
|
|
|
"default-src 'none'", |
|
|
|
"style-src 'unsafe-inline' 'self'" + domain, |
|
|
|
// Unsafe inline, unsafe-eval are needed for ckeditor :(
|
|
|
|
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain, |
|
|
|
"font-src 'self'" + domain, |
|
|
|
|
|
|
|
/* See above under 'contentSecurity' as to how these values should be |
|
|
|
* configured for best effect. |
|
|
|
*/ |
|
|
|
"child-src *", |
|
|
|
// IE/Edge
|
|
|
|
"frame-src *", |
|
|
|
|
|
|
|
// see the comment above in the 'contentSecurity' section
|
|
|
|
"connect-src 'self' ws: wss:" + domain, |
|
|
|
|
|
|
|
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
|
|
|
|
"img-src * blob:", |
|
|
|
].join('; '), |
|
|
|
|
|
|
|
// OnlyOffice requires even more lax content security policy in order to function.
|
|
|
|
ooContentSecurity: [ |
|
|
|
"default-src 'none'", |
|
|
|
"style-src 'unsafe-inline' 'self'" + domain, |
|
|
|
// Unsafe inline, unsafe-eval are needed for ckeditor :(
|
|
|
|
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain, |
|
|
|
"font-src 'self'" + domain, |
|
|
|
// for accounts.cryptpad.fr authentication and cross-domain iframe sandbox
|
|
|
|
"frame-ancestors *", |
|
|
|
]; |
|
|
|
|
|
|
|
/* See above under 'contentSecurity' as to how these values should be |
|
|
|
* configured for best effect. |
|
|
|
*/ |
|
|
|
"child-src *", |
|
|
|
// IE/Edge
|
|
|
|
"frame-src *", |
|
|
|
|
|
|
|
// see the comment above in the 'contentSecurity' section
|
|
|
|
"connect-src 'self' blob: ws: wss:" + domain, |
|
|
|
module.exports = { |
|
|
|
|
|
|
|
// (insecure remote) images are included by users of the wysiwyg who embed photos in their pads
|
|
|
|
"img-src * blob: data:", |
|
|
|
].join('; '), |
|
|
|
/* ===================== |
|
|
|
* Infra setup |
|
|
|
* ===================== */ |
|
|
|
|
|
|
|
// the address you want to bind to, :: means all ipv4 and ipv6 addresses
|
|
|
|
// this may not work on all operating systems
|
|
|
|
httpAddress: '::', |
|
|
|
|
|
|
|
// the port on which your httpd will listen
|
|
|
|
httpPort: 3000, |
|
|
|
|
|
|
|
// This is for allowing the cross-domain iframe to function when developing
|
|
|
|
@ -131,15 +80,31 @@ module.exports = { |
|
|
|
*/ |
|
|
|
websocketPath: '/cryptpad_websocket', |
|
|
|
|
|
|
|
/* CryptPad can log activity to stdout |
|
|
|
* This may be useful for debugging |
|
|
|
/* CryptPad can be configured to send customized HTTP Headers |
|
|
|
* These settings may vary widely depending on your needs |
|
|
|
* Examples are provided below |
|
|
|
*/ |
|
|
|
logToStdout: false, |
|
|
|
httpHeaders: { |
|
|
|
"X-XSS-Protection": "1; mode=block", |
|
|
|
"X-Content-Type-Options": "nosniff", |
|
|
|
"Access-Control-Allow-Origin": "*" |
|
|
|
}, |
|
|
|
|
|
|
|
/* CryptPad supports verbose logging |
|
|
|
* (false by default) |
|
|
|
contentSecurity: baseCSP.join('; ') + |
|
|
|
"script-src 'self'" + domain, |
|
|
|
|
|
|
|
// CKEditor and OnlyOffice require significantly more lax content security policy in order to function.
|
|
|
|
padContentSecurity: baseCSP.join('; ') + |
|
|
|
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" + domain, |
|
|
|
|
|
|
|
/* it is recommended that you serve CryptPad over https |
|
|
|
* the filepaths below are used to configure your certificates |
|
|
|
*/ |
|
|
|
verbose: false, |
|
|
|
//privKeyAndCertFiles: [
|
|
|
|
// '/etc/apache2/ssl/my_secret.key',
|
|
|
|
// '/etc/apache2/ssl/my_public_cert.crt',
|
|
|
|
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
|
|
|
|
//],
|
|
|
|
|
|
|
|
/* Main pages |
|
|
|
* add exceptions to the router so that we can access /privacy.html |
|
|
|
@ -156,6 +121,10 @@ module.exports = { |
|
|
|
'faq' |
|
|
|
], |
|
|
|
|
|
|
|
/* ===================== |
|
|
|
* Subscriptions |
|
|
|
* ===================== */ |
|
|
|
|
|
|
|
/* Limits, Donations, Subscriptions and Contact |
|
|
|
* |
|
|
|
* By default, CryptPad limits every registered user to 50MB of storage. It also shows a |
|
|
|
@ -174,6 +143,15 @@ module.exports = { |
|
|
|
allowSubscriptions: true, |
|
|
|
removeDonateButton: false, |
|
|
|
|
|
|
|
/* |
|
|
|
* By default, CryptPad also contacts our accounts server once a day to check for changes in |
|
|
|
* the people who have accounts. This check-in will also send the version of your CryptPad |
|
|
|
* instance and your email so we can reach you if we are aware of a serious problem. We will |
|
|
|
* never sell it or send you marketing mail. If you want to block this check-in and remain |
|
|
|
* completely invisible, set this and allowSubscriptions both to false. |
|
|
|
*/ |
|
|
|
adminEmail: 'i.did.not.read.my.config@cryptpad.fr', |
|
|
|
|
|
|
|
/* Sales coming from your server will be identified by your domain |
|
|
|
* |
|
|
|
* If you are using CryptPad in a business context, please consider taking a support contract |
|
|
|
@ -214,6 +192,18 @@ module.exports = { |
|
|
|
*/ |
|
|
|
}, |
|
|
|
|
|
|
|
/* ===================== |
|
|
|
* STORAGE |
|
|
|
* ===================== */ |
|
|
|
|
|
|
|
/* Pads that are not 'pinned' by any registered user can be set to expire |
|
|
|
* after a configurable number of days of inactivity (default 90 days). |
|
|
|
* The value can be changed or set to false to remove expiration. |
|
|
|
* Expired pads can then be removed using a cron job calling the |
|
|
|
* `delete-inactive.js` script with node |
|
|
|
*/ |
|
|
|
inactiveTime: 90, // days
|
|
|
|
|
|
|
|
/* some features may require that the server be able to schedule tasks |
|
|
|
far into the future, such as: |
|
|
|
> "three months from now, this channel should expire" |
|
|
|
@ -221,43 +211,47 @@ module.exports = { |
|
|
|
*/ |
|
|
|
enableTaskScheduling: true, |
|
|
|
|
|
|
|
/* if you would like the list of scheduled tasks to be stored in |
|
|
|
a custom location, change the path below: |
|
|
|
*/ |
|
|
|
taskPath: './tasks', |
|
|
|
/* Setting this value to anything other than true will cause file upload |
|
|
|
* attempts to be rejected outright. |
|
|
|
*/ |
|
|
|
enableUploads: true, |
|
|
|
|
|
|
|
/* if you would like users' authenticated blocks to be stored in |
|
|
|
a custom location, change the path below: |
|
|
|
*/ |
|
|
|
blockPath: './block', |
|
|
|
/* If you have enabled file upload, you have the option of restricting it |
|
|
|
* to a list of users identified by their public keys. If this value is set |
|
|
|
* to true, your server will query a file (cryptpad/privileged.conf) when |
|
|
|
* users connect via RPC. Only users whose public keys can be found within |
|
|
|
* the file will be allowed to upload. |
|
|
|
* |
|
|
|
* privileged.conf uses '#' for line comments, and splits keys by newline. |
|
|
|
* This is a temporary measure until a better quota system is in place. |
|
|
|
* registered users' public keys can be found on the settings page. |
|
|
|
*/ |
|
|
|
restrictUploads: false, |
|
|
|
|
|
|
|
/* |
|
|
|
* By default, CryptPad also contacts our accounts server once a day to check for changes in |
|
|
|
* the people who have accounts. This check-in will also send the version of your CryptPad |
|
|
|
* instance and your email so we can reach you if we are aware of a serious problem. We will |
|
|
|
* never sell it or send you marketing mail. If you want to block this check-in and remain |
|
|
|
* completely invisible, set this and allowSubscriptions both to false. |
|
|
|
/* Max Upload Size (bytes) |
|
|
|
* this sets the maximum size of any one file uploaded to the server. |
|
|
|
* anything larger than this size will be rejected |
|
|
|
*/ |
|
|
|
adminEmail: 'i.did.not.read.my.config@cryptpad.fr', |
|
|
|
maxUploadSize: 20 * 1024 * 1024, |
|
|
|
|
|
|
|
/* ===================== |
|
|
|
* HARDWARE RELATED |
|
|
|
* ===================== */ |
|
|
|
|
|
|
|
/* |
|
|
|
You have the option of specifying an alternative storage adaptor. |
|
|
|
These status of these alternatives are specified in their READMEs, |
|
|
|
which are available at the following URLs: |
|
|
|
/* CryptPad's file storage adaptor closes unused files after a configurable |
|
|
|
* number of milliseconds (default 30000 (30 seconds)) |
|
|
|
*/ |
|
|
|
channelExpirationMs: 30000, |
|
|
|
|
|
|
|
mongodb: a noSQL database |
|
|
|
https://github.com/xwiki-labs/cryptpad-mongo-store
|
|
|
|
amnesiadb: in memory storage |
|
|
|
https://github.com/xwiki-labs/cryptpad-amnesia-store
|
|
|
|
leveldb: a simple, fast, key-value store |
|
|
|
https://github.com/xwiki-labs/cryptpad-level-store
|
|
|
|
sql: an adaptor for a variety of sql databases via knexjs |
|
|
|
https://github.com/xwiki-labs/cryptpad-sql-store
|
|
|
|
/* CryptPad's file storage adaptor is limited by the number of open files. |
|
|
|
* When the adaptor reaches openFileLimit, it will clean up older files |
|
|
|
*/ |
|
|
|
openFileLimit: 2048, |
|
|
|
|
|
|
|
For the most up to date solution, use the default storage adaptor. |
|
|
|
*/ |
|
|
|
storage: './storage/file', |
|
|
|
|
|
|
|
/* ===================== |
|
|
|
* DATABASE VOLUMES |
|
|
|
* ===================== */ |
|
|
|
|
|
|
|
/* |
|
|
|
CryptPad stores each document in an individual file on your hard drive. |
|
|
|
@ -273,13 +267,15 @@ module.exports = { |
|
|
|
*/ |
|
|
|
pinPath: './pins', |
|
|
|
|
|
|
|
/* Pads that are not 'pinned' by any registered user can be set to expire |
|
|
|
* after a configurable number of days of inactivity (default 90 days). |
|
|
|
* The value can be changed or set to false to remove expiration. |
|
|
|
* Expired pads can then be removed using a cron job calling the |
|
|
|
* `delete-inactive.js` script with node |
|
|
|
*/ |
|
|
|
inactiveTime: 90, // days
|
|
|
|
/* if you would like the list of scheduled tasks to be stored in |
|
|
|
a custom location, change the path below: |
|
|
|
*/ |
|
|
|
taskPath: './tasks', |
|
|
|
|
|
|
|
/* if you would like users' authenticated blocks to be stored in |
|
|
|
a custom location, change the path below: |
|
|
|
*/ |
|
|
|
blockPath: './block', |
|
|
|
|
|
|
|
/* CryptPad allows logged in users to upload encrypted files. Files/blobs |
|
|
|
* are stored in a 'blob-store'. Set its location here. |
|
|
|
@ -291,51 +287,25 @@ module.exports = { |
|
|
|
*/ |
|
|
|
blobStagingPath: './blobstage', |
|
|
|
|
|
|
|
/* CryptPad's file storage adaptor closes unused files after a configurable |
|
|
|
* number of milliseconds (default 30000 (30 seconds)) |
|
|
|
*/ |
|
|
|
channelExpirationMs: 30000, |
|
|
|
/* ===================== |
|
|
|
* Debugging |
|
|
|
* ===================== */ |
|
|
|
|
|
|
|
/* CryptPad's file storage adaptor is limited by the number of open files. |
|
|
|
* When the adaptor reaches openFileLimit, it will clean up older files |
|
|
|
/* CryptPad can log activity to stdout |
|
|
|
* This may be useful for debugging |
|
|
|
*/ |
|
|
|
openFileLimit: 2048, |
|
|
|
logToStdout: false, |
|
|
|
|
|
|
|
/* CryptPad's socket server can be extended to respond to RPC calls |
|
|
|
* you can configure it to respond to custom RPC calls if you like. |
|
|
|
* provide the path to your RPC module here, or `false` if you would |
|
|
|
* like to disable the RPC interface completely |
|
|
|
/* CryptPad supports verbose logging |
|
|
|
* (false by default) |
|
|
|
*/ |
|
|
|
rpc: './rpc.js', |
|
|
|
verbose: false, |
|
|
|
|
|
|
|
/* RPC errors are shown by default, but if you really don't care, |
|
|
|
* you can suppress them |
|
|
|
*/ |
|
|
|
suppressRPCErrors: false, |
|
|
|
|
|
|
|
/* Setting this value to anything other than true will cause file upload |
|
|
|
* attempts to be rejected outright. |
|
|
|
*/ |
|
|
|
enableUploads: true, |
|
|
|
|
|
|
|
/* If you have enabled file upload, you have the option of restricting it |
|
|
|
* to a list of users identified by their public keys. If this value is set |
|
|
|
* to true, your server will query a file (cryptpad/privileged.conf) when |
|
|
|
* users connect via RPC. Only users whose public keys can be found within |
|
|
|
* the file will be allowed to upload. |
|
|
|
* |
|
|
|
* privileged.conf uses '#' for line comments, and splits keys by newline. |
|
|
|
* This is a temporary measure until a better quota system is in place. |
|
|
|
* registered users' public keys can be found on the settings page. |
|
|
|
*/ |
|
|
|
//restrictUploads: false,
|
|
|
|
|
|
|
|
/* Max Upload Size (bytes) |
|
|
|
* this sets the maximum size of any one file uploaded to the server. |
|
|
|
* anything larger than this size will be rejected |
|
|
|
*/ |
|
|
|
maxUploadSize: 20 * 1024 * 1024, |
|
|
|
|
|
|
|
/* clients can use the /settings/ app to opt out of usage feedback |
|
|
|
* which informs the server of things like how much each app is being |
|
|
|
* used, and whether certain clientside features are supported by |
|
|
|
@ -343,21 +313,12 @@ module.exports = { |
|
|
|
* such that the service can be improved. Enable this with `true` |
|
|
|
* and ignore feedback with `false` or by commenting the attribute |
|
|
|
*/ |
|
|
|
//logFeedback: true,
|
|
|
|
logFeedback: false, |
|
|
|
|
|
|
|
/* If you wish to see which remote procedure calls clients request, |
|
|
|
* set this to true |
|
|
|
*/ |
|
|
|
//logRPC: true,
|
|
|
|
|
|
|
|
/* it is recommended that you serve CryptPad over https |
|
|
|
* the filepaths below are used to configure your certificates |
|
|
|
*/ |
|
|
|
//privKeyAndCertFiles: [
|
|
|
|
// '/etc/apache2/ssl/my_secret.key',
|
|
|
|
// '/etc/apache2/ssl/my_public_cert.crt',
|
|
|
|
// '/etc/apache2/ssl/my_certificate_authorities_cert_chain.ca'
|
|
|
|
//],
|
|
|
|
logRPC: false, |
|
|
|
|
|
|
|
/* You can get a repl for debugging the server if you want it. |
|
|
|
* to enable this, specify the debugReplName and then you can |
|
|
|
@ -366,4 +327,33 @@ module.exports = { |
|
|
|
* repl names. |
|
|
|
*/ |
|
|
|
//debugReplName: "cryptpad"
|
|
|
|
|
|
|
|
/* ===================== |
|
|
|
* DEPRECATED |
|
|
|
* ===================== */ |
|
|
|
/* |
|
|
|
You have the option of specifying an alternative storage adaptor. |
|
|
|
These status of these alternatives are specified in their READMEs, |
|
|
|
which are available at the following URLs: |
|
|
|
|
|
|
|
mongodb: a noSQL database |
|
|
|
https://github.com/xwiki-labs/cryptpad-mongo-store
|
|
|
|
amnesiadb: in memory storage |
|
|
|
https://github.com/xwiki-labs/cryptpad-amnesia-store
|
|
|
|
leveldb: a simple, fast, key-value store |
|
|
|
https://github.com/xwiki-labs/cryptpad-level-store
|
|
|
|
sql: an adaptor for a variety of sql databases via knexjs |
|
|
|
https://github.com/xwiki-labs/cryptpad-sql-store
|
|
|
|
|
|
|
|
For the most up to date solution, use the default storage adaptor. |
|
|
|
*/ |
|
|
|
storage: './storage/file', |
|
|
|
|
|
|
|
/* CryptPad's socket server can be extended to respond to RPC calls |
|
|
|
* you can configure it to respond to custom RPC calls if you like. |
|
|
|
* provide the path to your RPC module here, or `false` if you would |
|
|
|
* like to disable the RPC interface completely |
|
|
|
*/ |
|
|
|
rpc: './rpc.js', |
|
|
|
|
|
|
|
}; |