chore: Update Collabora config, add static IP, CSP scoped to /cloud, update remote URLs

2026-02-27 09:16:37 +01:00 · 2026-02-27 09:16:37 +01:00 · 0d0c05b91f
parent a6b5c74873
commit 0d0c05b91f
6 changed files with 81 additions and 34 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +1,3 @@
 [submodule "portfolio"]
 	path = portfolio
-	url = https://localdev.unboundedpress.org/code/mwinter/portfolio.git
+	url = https://unboundedpress.org/code/mwinter/portfolio.git
--- a/README.md
+++ b/README.md
@ -63,10 +63,17 @@ DOMAIN=unboundedpress.org
 # Comment out or remove: HTTPS_METHOD=noredirect
 ```

-### Step 2: Update Nextcloud Collabora URL
+### Step 2: Update Nextcloud Collabora URLs

 ```bash
-docker exec nextcloud occ config:app:set richdocuments public_wopi_url --value="https://unboundedpress.org/collab"
+# Internal URL (Nextcloud uses to talk to Collabora)
+docker exec nextcloud php occ config:app:set richdocuments wopi_url --value="http://collabora:9980"
+
+# External URL (browser uses to open Collabora)
+docker exec nextcloud php occ config:app:set richdocuments public_wopi_url --value="https://unboundedpress.org/collab"
+
+# Callback URL (Collabora uses to connect back to Nextcloud)
+docker exec nextcloud php occ config:app:set richdocuments wopi_callback_url --value="https://unboundedpress.org/cloud"
 ```

 ### Step 3: Restart Services
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -3,6 +3,9 @@ services:
  nginx-proxy:
    build: ./nginx
    container_name: nginx-proxy
+    networks:
+      default:
+        ipv4_address: 172.18.0.5
    ports:
      - "80:80"
      - "443:443"
@ -132,6 +135,8 @@ services:
      - VIRTUAL_HOST=${DOMAIN},www.${DOMAIN}
      - VIRTUAL_PATH=/cloud/
      - VIRTUAL_DEST=/
+    extra_hosts:
+      - "${DOMAIN}:172.18.0.5"
    depends_on:
      mysql-nextcloud:
        condition: service_healthy
@ -148,10 +153,14 @@ services:
        condition: service_started
    cap_add:
     - MKNOD
+    extra_hosts:
+     - "${DOMAIN}:172.18.0.5"
    environment:
      - username=${USER}
      - password=${PASSWORD}
      - domain=${DOMAIN}
+      - server_name=${DOMAIN}
+      - aliasgroup1=https://${DOMAIN}:443
      - VIRTUAL_HOST=${DOMAIN},www.${DOMAIN}
      - VIRTUAL_PATH=/collab/
      - VIRTUAL_DEST=/
@ -211,3 +220,10 @@ volumes:
  nginx:
  acme:
  portfolio:
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.18.0.0/16
--- a/nginx/vhost.d/localdev.unboundedpress.org
+++ b/nginx/vhost.d/localdev.unboundedpress.org
@ -1,26 +1,41 @@
+# CSP headers for Nextcloud - scoped to /cloud/ only
+location ^~ /cloud {
+    proxy_pass http://nextcloud:80;
+    proxy_hide_header Content-Security-Policy;
+    proxy_hide_header X-Content-Security-Policy;
+    proxy_hide_header X-WebKit-CSP;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://localdev.unboundedpress.org https://localdev.unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://localdev.unboundedpress.org wss://localdev.unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always;
+}
+
 # Collabora routing for localdev.unboundedpress.org

+# Redirect /collab to Collabora
+location ^~ /collab {
+    proxy_pass http://collabora:9980;
+    proxy_set_header Host $http_host;
+}
+
 # static files
 location ^~ /browser {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
 }

 # WOPI discovery URL
 location ^~ /hosting/discovery {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
 }

 # Capabilities
 location ^~ /hosting/capabilities {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
 }

 # main websocket
 location ~ ^/cool/(.*)/ws$ {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
@ -29,13 +44,13 @@ location ~ ^/cool/(.*)/ws$ {

 # download, presentation and image upload
 location ~ ^/(c|l)ool {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
 }

 # Admin Console websocket
 location ^~ /cool/adminws {
-  proxy_pass http://localdev.unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+    proxy_pass http://collabora:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
--- a/nginx/vhost.d/unboundedpress.org
+++ b/nginx/vhost.d/unboundedpress.org
@ -1,32 +1,41 @@
+# CSP headers for Nextcloud - scoped to /cloud/ only
+location ^~ /cloud {
+    proxy_pass http://nextcloud:80;
+    proxy_hide_header Content-Security-Policy;
+    proxy_hide_header X-Content-Security-Policy;
+    proxy_hide_header X-WebKit-CSP;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://unboundedpress.org https://unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://unboundedpress.org wss://unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always;
+}

-# Allow HTTP for local development (DISABLED - now using HTTPS)
-#if ($host = 'localdev.unboundedpress.org') {
-#    set $do_not_redirect 1;
-#}
+# Collabora routing for unboundedpress.org

-# The following are all for collabora routing
+# Redirect /collab to Collabora
+location ^~ /collab {
+    proxy_pass http://collabora:9980;
+    proxy_set_header Host $http_host;
+}

 # static files
 location ^~ /browser {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
  proxy_set_header Host $http_host;
 }

 # WOPI discovery URL
 location ^~ /hosting/discovery {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
  proxy_set_header Host $http_host;
 }

 # Capabilities
 location ^~ /hosting/capabilities {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
  proxy_set_header Host $http_host;
 }

 # main websocket
 location ~ ^/cool/(.*)/ws$ {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
  proxy_set_header Host $http_host;
@ -35,13 +44,13 @@ location ~ ^/cool/(.*)/ws$ {

 # download, presentation and image upload
 location ~ ^/(c|l)ool {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
  proxy_set_header Host $http_host;
 }

 # Admin Console websocket
 location ^~ /cool/adminws {
-  proxy_pass http://unboundedpress.org-cd15914db06db1d6722abd3bcfd0beaa541bbc60;
+  proxy_pass http://collabora:9980;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
  proxy_set_header Host $http_host;
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 524fb74df5874bc519c67f4f2dc27c19bb258a1f
+Subproject commit 2268f0c38c7b056024f33fc60bea119d8c659565