From b9086690dc3254cf728316e611181430c1ef661a Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Thu, 12 Apr 2018 18:30:30 +0200
Subject: [PATCH] hackmd: LDAP and vhost

---
 roles/hackmd/templates/config.json.j2 | 11 ++++++-----
 roles/hackmd/templates/vhost.j2 | 5 ++++-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
index b7d7430..521d002 100644
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@@ -1,6 +1,6 @@
 {
 "production": {
- "_domain": "{{ hackmd_domain }}",
+ "domain": "{{ hackmd_domain }}",
 "_hsts": {
 "enable": true,
 "maxAgeSeconds": "31536000",
@@ -10,6 +10,7 @@
 "csp": {
 "enable": true,
 "directives": {
+ "imgSrc": ["self", "unsafe-inline"]
 },
 "upgradeInsecureRequests": "auto",
 "addDefaults": true,
@@ -30,12 +31,12 @@
 "bindCredentials": "{{ ldap_bindpw }}",
 "searchBase": "{{ ldap_base }}",
 "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
- "searchAttributes": ["cn"],
+ "searchAttributes": ["cn", "uid"],
 "usernameField": "cn",
 "useridField": "uid",
- "tlsOptions": {
- "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+ "tlsca": "/etc/ldap/ssl/BKCA.crt"
 }
- }
+ },
+ "email": false
 }
 }
diff --git a/roles/hackmd/templates/vhost.j2 b/roles/hackmd/templates/vhost.j2
index 9718af8..c1f92fb 100644
--- a/roles/hackmd/templates/vhost.j2
+++ b/roles/hackmd/templates/vhost.j2
@@ -23,10 +23,13 @@ server {
 ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
 ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;
-
 location / {
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://localhost:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
 }
 }
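Review bot: The keyword sources in the added `imgSrc` directive are unquoted; in a Content-Security-Policy header `self` and `unsafe-inline` are only recognised as keywords when written with single quotes, so unless the layer that emits the header adds the quotes itself (nothing in the hunk shows that) `self` is treated as a host name and images from the site's own origin are blocked. `unsafe-inline` is also a script-src/style-src keyword with no meaning in img-src, so it adds nothing here either way. I would write `"imgSrc": ["'self'"]` and list whatever additional scheme or host the images actually need instead of `unsafe-inline`. The `csp` object continues outside the hunk.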
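Review bot: The closing braces on the new side of this hunk no longer balance: the context `}` that previously closed `tlsOptions` now closes the `ldap` object, the added `},` then closes `production`, `"email": false` lands at the top level rather than inside `production`, and the two remaining context `}` lines leave one brace unmatched — going by the brace count of the old side (indentation is lost in this copy), the rendered config.json is not valid JSON. The intended layout is presumably `"tlsca": "/etc/ldap/ssl/BKCA.crt"` followed directly by `},` closing `ldap` and then `"email": false` still inside `production`, i.e. one closing brace fewer. Rendering the template and feeding it through a JSON parser in CI would catch this before the deploy, since otherwise the application only fails at start-up.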
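Review bot: `proxy_set_header Connection "Upgrade"` is sent on every proxied request, not only on WebSocket handshakes, so plain HTTP requests reach the backend with `Connection: Upgrade` and no `Upgrade` header; the usual nginx pattern is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` context and `proxy_set_header Connection $connection_upgrade;` here. Separately, `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client already sent, so the application must be told to trust only this proxy (or read the last entry) before using that header for logging or rate limiting; `X-Real-IP` stays the value that cannot be supplied from outside. Since TLS terminates in this server block and the upstream is plain `http://localhost:3000`, forwarding the original scheme with `proxy_set_header X-Forwarded-Proto $scheme;` may also be needed for correct absolute URLs, depending on the application's proxy settings. The enclosing `server` block starts before this hunk.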