hackmd: LDAP and vhost

2018-04-12 18:30:30 +02:00 · 2018-04-12 18:30:30 +02:00 · b9086690dc
commit b9086690dc
parent 344139e75c
2 changed files with 10 additions and 6 deletions
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@ -1,6 +1,6 @@
 {
    "production": {
-        "_domain": "{{ hackmd_domain }}",
+        "domain": "{{ hackmd_domain }}",
        "_hsts": {
            "enable": true,
            "maxAgeSeconds": "31536000",
@ -10,6 +10,7 @@
        "csp": {
            "enable": true,
            "directives": {
+                "imgSrc": ["self", "unsafe-inline"]
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true,
@ -30,12 +31,12 @@
            "bindCredentials": "{{ ldap_bindpw }}",
            "searchBase": "{{ ldap_base }}",
            "searchFilter": "(uid={{ '{{' }}username{{ '}}' }})",
-            "searchAttributes": ["cn"],
+            "searchAttributes": ["cn", "uid"],
            "usernameField": "cn",
            "useridField": "uid",
-            "tlsOptions": {
-                "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
-            }
+            "tlsca": "/etc/ldap/ssl/BKCA.crt"
            }
+        },
+        "email": false
    }
 }
--- a/roles/hackmd/templates/vhost.j2
+++ b/roles/hackmd/templates/vhost.j2
@ -23,10 +23,13 @@ server {
 	ssl_certificate_key /etc/nginx/ssl/{{ hackmd_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ hackmd_domain }}.crt;

-
 	location / {
 		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_pass http://localhost:3000;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
 	}

 }