chore: Update Collabora config, add static IP, CSP scoped to /cloud, update remote URLs

.gitmodules

@@ -1,3 +1,3 @@
 [submodule "portfolio"]
 	path = portfolio
-	url = https://localdev.unboundedpress.org/code/mwinter/portfolio.git
+	url = https://unboundedpress.org/code/mwinter/portfolio.git

README.md

@@ -63,10 +63,17 @@ DOMAIN=unboundedpress.org
 # Comment out or remove: HTTPS_METHOD=noredirect
 ```
 
-### Step 2: Update Nextcloud Collabora URL
+### Step 2: Update Nextcloud Collabora URLs
 
 ```bash
-docker exec nextcloud occ config:app:set richdocuments public_wopi_url --value="https://unboundedpress.org/collab"
+# Internal URL (Nextcloud uses to talk to Collabora)
+docker exec nextcloud php occ config:app:set richdocuments wopi_url --value="http://collabora:9980"
+
+# External URL (browser uses to open Collabora)
+docker exec nextcloud php occ config:app:set richdocuments public_wopi_url --value="https://unboundedpress.org/collab"
+
+# Callback URL (Collabora uses to connect back to Nextcloud)
+docker exec nextcloud php occ config:app:set richdocuments wopi_callback_url --value="https://unboundedpress.org/cloud"
 ```
 
 ### Step 3: Restart Services

docker-compose.yml

@@ -3,6 +3,9 @@ services:
   nginx-proxy:
     build: ./nginx
     container_name: nginx-proxy
+    networks:
+      default:
+        ipv4_address: 172.18.0.5
     ports:
       - "80:80"
       - "443:443"
@@ -132,6 +135,8 @@ services:
       - VIRTUAL_HOST=${DOMAIN},www.${DOMAIN}
       - VIRTUAL_PATH=/cloud/
       - VIRTUAL_DEST=/
+    extra_hosts:
+      - "${DOMAIN}:172.18.0.5"
     depends_on:
       mysql-nextcloud:
         condition: service_healthy
@@ -148,10 +153,14 @@ services:
         condition: service_started
     cap_add:
      - MKNOD
+    extra_hosts:
+     - "${DOMAIN}:172.18.0.5"
     environment:
       - username=${USER}
       - password=${PASSWORD}
       - domain=${DOMAIN}
+      - server_name=${DOMAIN}
+      - aliasgroup1=https://${DOMAIN}:443
       - VIRTUAL_HOST=${DOMAIN},www.${DOMAIN}
       - VIRTUAL_PATH=/collab/
       - VIRTUAL_DEST=/
@@ -211,3 +220,10 @@ volumes:
   nginx:
   acme:
   portfolio:
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.18.0.0/16

nginx/vhost.d/localdev.unboundedpress.org

@@ -1,43 +1,58 @@
+# CSP headers for Nextcloud - scoped to /cloud/ only
+location ^~ /cloud {
+    proxy_pass http://nextcloud:80;
+    proxy_hide_header Content-Security-Policy;
+    proxy_hide_header X-Content-Security-Policy;
+    proxy_hide_header X-WebKit-CSP;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://localdev.unboundedpress.org https://localdev.unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://localdev.unboundedpress.org wss://localdev.unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always;
+}
+
 # Collabora routing for localdev.unboundedpress.org
 
+# Redirect /collab to Collabora
+location ^~ /collab {
+    proxy_pass http://collabora:9980;
+    proxy_set_header Host $http_host;
+}
+
 # static files
 location ^~ /browser {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
-  proxy_set_header Host $http_host;
+    proxy_set_header Host $http_host;
 }
 
 # WOPI discovery URL
 location ^~ /hosting/discovery {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
-  proxy_set_header Host $http_host;
+    proxy_set_header Host $http_host;
 }
 
 # Capabilities
 location ^~ /hosting/capabilities {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
-  proxy_set_header Host $http_host;
+    proxy_set_header Host $http_host;
 }
 
 # main websocket
 location ~ ^/cool/(.*)/ws$ {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
-  proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "Upgrade";
+    proxy_set_header Connection "Upgrade";
-  proxy_set_header Host $http_host;  
+    proxy_set_header Host $http_host;
-  proxy_read_timeout 36000s;
+    proxy_read_timeout 36000s;
 }
 
 # download, presentation and image upload
 location ~ ^/(c|l)ool {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
-  proxy_set_header Host $http_host;
+    proxy_set_header Host $http_host;
 }
 
 # Admin Console websocket
 location ^~ /cool/adminws {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
-  proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "Upgrade";
+    proxy_set_header Connection "Upgrade";
-  proxy_set_header Host $http_host;
+    proxy_set_header Host $http_host;
-  proxy_read_timeout 36000s;
+    proxy_read_timeout 36000s;
 }

nginx/vhost.d/unboundedpress.org

@@ -1,32 +1,41 @@
+# CSP headers for Nextcloud - scoped to /cloud/ only
+location ^~ /cloud {
+    proxy_pass http://nextcloud:80;
+    proxy_hide_header Content-Security-Policy;
+    proxy_hide_header X-Content-Security-Policy;
+    proxy_hide_header X-WebKit-CSP;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://unboundedpress.org https://unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://unboundedpress.org wss://unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always;
+}
 
-# Allow HTTP for local development (DISABLED - now using HTTPS)
+# Collabora routing for unboundedpress.org
-#if ($host = 'localdev.unboundedpress.org') {
-#    set $do_not_redirect 1;
-#}
 
-# The following are all for collabora routing
+# Redirect /collab to Collabora
+location ^~ /collab {
+    proxy_pass http://collabora:9980;
+    proxy_set_header Host $http_host;
+}
 
 # static files
 location ^~ /browser {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
   proxy_set_header Host $http_host;
 }
 
 # WOPI discovery URL
 location ^~ /hosting/discovery {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
   proxy_set_header Host $http_host;
 }
 
 # Capabilities
 location ^~ /hosting/capabilities {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
   proxy_set_header Host $http_host;
 }
 
 # main websocket
 location ~ ^/cool/(.*)/ws$ {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
@@ -35,13 +44,13 @@ location ~ ^/cool/(.*)/ws$ {
 
 # download, presentation and image upload
 location ~ ^/(c|l)ool {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
   proxy_set_header Host $http_host;
 }
 
 # Admin Console websocket
 location ^~ /cool/adminws {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;

portfolio

@@ -1 +1 @@
-Subproject commit 524fb74df5874bc519c67f4f2dc27c19bb258a1f
+Subproject commit 2268f0c38c7b056024f33fc60bea119d8c659565