nimrod authored
The service replies with the message in the request. This can be used as an attack vector because the reply is determined by the request and is served from a shore.co.il domain. So the following precautions are taken:
- Limit the request length to limit the usefulness of the response.
- Set the response MIME type to plain text and set the `X-Content-Type-Options` header to `nosniff` so the browser won't guess the content type.
- Set CORS headers.
docker-compose.yml 1.86 KiB
---
# Compose stack for the shore.co.il edge: a reverse proxy built from this
# directory and a vouch-proxy instance that authenticates against Nextcloud.
# NOTE(review): the proxy is presumably nginx, going by the commented-out
# command below; the Dockerfile is not visible here - confirm.
version: '3.5'
services:
  proxy:
    build:
      context: ./
    # command: ["nginx", "-g", "daemon off;"]
    # NOTE(review): the &hostname anchor has no *hostname alias anywhere in
    # this file as shown; confirm whether it is still needed.
    hostname: &hostname nextcloud.shore.co.il
    networks:
      default:
        # Other containers on the default network resolve these names to
        # this proxy container.
        aliases:
          - nextcloud.shore.co.il
          - git.shore.co.il
          - lam.shore.co.il
          - mta-sts.shore.co.il
    # The only host-published ports in this file: HTTP and HTTPS.
    ports:
      - '80:80'
      - '443:443'
    restart: always
    # Every bind mount is read-only (:ro), so the container cannot alter
    # the static site directories, ACME challenge directories or TLS
    # material on the host.
    volumes:
      - '/var/www/www.shore.co.il/.well-known/acme-challenge:/var/www/www.shore.co.il/.well-known/acme-challenge:ro'
      - '/var/www/mail.shore.co.il/.well-known/acme-challenge:/var/www/mail.shore.co.il/.well-known/acme-challenge:ro'
      - '/var/www/www.shore.co.il/blog:/var/www/www.shore.co.il/blog:ro'
      - '/var/www/www.shore.co.il/resume:/var/www/www.shore.co.il/resume:ro'
      # TLS private keys: :ro stops modification, not reading. Anything
      # running in this container can read them, so the host file modes
      # and ownership of /var/ssl/*.key still matter.
      - '/var/ssl/site.key:/var/ssl/site.key:ro'
      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
      - '/var/ssl/mail.key:/var/ssl/mail.key:ro'
      - '/var/ssl/mail.crt:/var/ssl/mail.crt:ro'
      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
  # No `ports` entry: vouch is not published on the host and is reachable
  # only by containers attached to the `shore` network.
  vouch:
    environment:
      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
      # The "${...}" values in this mapping are substituted by Compose from
      # the invoking environment (or an .env file), which keeps them out of
      # version control. Compose substitutes an empty string for an unset
      # variable; the "${VAR:?message}" form makes it fail instead. The
      # resolved values stay readable through `docker inspect` on the host.
      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
      # yamllint disable-line rule:line-length
      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}" # pragma: allowlist secret
      OAUTH_PROVIDER: nextcloud
      # NOTE(review): 'email.profile' may be a typo for 'email,profile';
      # confirm the scope list vouch-proxy should request.
      OAUTH_SCOPES: 'openid,email.profile'
      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
      # yamllint disable-line rule:line-length
      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
      VOUCH_DOMAINS: shore.co.il
      # Secret vouch-proxy uses for the JWTs it issues; keep it long and
      # random. NOTE(review): verify how vouch-proxy behaves if this
      # expands to an empty string.
      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}" # pragma: allowlist secret
    # Pinned to a version tag. Tags are mutable on a registry; pinning by
    # digest (image: <repo>@sha256:<digest>) would make the pull immutable.
    image: registry.hub.docker.com/voucher/vouch-proxy:alpine-0.23.1
    restart: always
# Gives the default network the fixed name `shore` rather than a
# project-prefixed one - presumably so other Compose projects can attach
# to it; confirm.
networks:
  default:
    name: shore