Cryptpad



Dependencies

Installation with Docker

Essential scripts and templates are included in the repository. Clone the stable branch and build a Docker image:

docker build -t cryptpad/cryptpad:version-2024.3.0 .

Edit the following values in docker-compose.yml:

Make sure to copy the file in /config/exampleconfig.js and, at a minimum, add your proper domains. Make sure the listen address (the "HTTPS" setting) is 0.0.0.0, otherwise NGINX cannot reach the backend and will return a 502 error.

Set appropriate permissions on the data directories:

mkdir -p data customize onlyoffice-dist onlyoffice-conf
sudo chown -R 4001:4001 data customize onlyoffice-dist onlyoffice-conf

Now run `docker compose up -d`, then check `docker compose logs cryptpad` for the URL you will use to generate your admin key.

Customization

LetsEncrypt TLS certificates

Make sure NGINX is stopped before issuing the certificate (acme.sh in standalone mode needs to bind port 80 itself) and start it again afterwards. Note that the NGINX section below expects a single certificate covering both the main domain and the sandbox domain, so issue it for both names rather than for one domain only:

systemctl stop nginx

systemctl start nginx
acme.sh --issue --standalone -d example.com -k 4096

Generate the DH parameter file as instructed in the docs (the path must match the ssl_dhparam directive in the NGINX config below):

sudo openssl dhparam -out /etc/ssl/dhparam.pem 4096
sudo systemctl restart nginx

NGINX setup

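server {
    listen       80;
    listen       [::]:80;
    server_name main.domain.com sandbox.domain.com;

    location / {
        access_log off;
        # Redirect every plain-HTTP request to HTTPS on the host that was
        # actually requested. $server_name always expands to the FIRST name in
        # the server_name list (main.domain.com), which silently sends
        # http://sandbox.domain.com/... to the main origin instead; $host keeps
        # the requested name.
        # NOTE(review): $host echoes the client's Host header. If this block is
        # also the default server for port 80, add a separate catch-all block
        # that rejects unknown hosts instead of redirecting to them.
        return 301 https://$host$request_uri;
    }
}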

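server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Let's Encrypt webroot
    # CHRIS: Deactivated (certificates are issued with acme.sh --standalone
    # instead, so no ACME webroot location is served here)
    # include letsencrypt-webroot;

    # Include mime.types to be able to support .mjs files.
    # NOTE(review): the original comment refers to a "types" block "below";
    # no such block exists in this copy of the config — confirm .mjs is served
    # with a JavaScript MIME type or add the types block from the upstream example.
    include mime.types;

    # CryptPad serves static assets over these two domains.
    # `your-main-domain` is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope
    # UI content is loaded via the `your-sandbox-domain`.
    # "Content Security Policy" headers prevent content loaded via the sandbox
    # from accessing privileged information.
    # This setup allows to take advantage of CryptPad's sandboxing techniques.
    # In the event of an XSS vulnerability in CryptPad's front-end code
    # this will limit the amount of information accessible to attackers.
    # NOTE(review): this server block only proxies to the backend and sets HSTS;
    # no Content-Security-Policy header is added here, so the isolation
    # described above depends on headers emitted by the CryptPad backend —
    # confirm against the upstream example nginx config.
    server_name main.domain.com sandbox.domain.com;

    # You'll need to set the path to your certificates and keys here.
    # IMPORTANT: this config is intended to serve assets for at least two domains
    # (your main domain and your sandbox domain). As such, you'll need to generate
    # a single SSL certificate that includes both domains in order for things to
    # work as expected.
    # The certificate and the key MUST come from the same Let's Encrypt lineage
    # directory: the original config pointed fullchain.pem at one domain's
    # directory and privkey.pem at another, which NGINX rejects at startup as a
    # key/certificate mismatch. Both lines below use the same placeholder
    # directory; replace it with the lineage you actually issued.
    ssl_certificate         /etc/letsencrypt/live/main.domain.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/main.domain.com/privkey.pem;

    # Diffie-Hellman parameters are used to negotiate keys for your session.
    # Generate strong parameters using the following command (the path must
    # match the ssl_dhparam directive):
    # sudo openssl dhparam -out /etc/ssl/dhparam.pem 4096
    ssl_dhparam /etc/ssl/dhparam.pem;

    # Speeds things up a little bit when resuming a session
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    # Session tickets are disabled so resumption uses the server-side cache only.
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): the cipher list was cut off in the wiki copy after
    # "DHE-RSA-AES256-GCM-S" and the next directive was fused onto the same
    # line; the truncated suite is completed here as DHE-RSA-AES256-GCM-SHA384.
    # Verify the full list against the generator output you originally used.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # Let the client pick from the list above (all suites are AEAD + forward secret).
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years).
    # includeSubDomains also pins the sandbox domain; "always" adds the header
    # on error responses too. Note that add_header is NOT inherited into a
    # location block that declares its own add_header, so keep all headers here.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Resolver used for the OCSP responder lookups above (plain DNS).
    # Replace with the IP address of your own resolver.
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 208.67.222.222 208.67.220.220;

    # Everything (main and sandbox domain alike) is handed to the CryptPad
    # backend published on localhost:3000 by docker compose.
    location / {
        proxy_pass            http://localhost:3000;
        # Forward the client address and original Host so the backend can
        # tell the two domains apart and log the real client.
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        # Upper bound on request bodies (uploads) accepted by NGINX.
        client_max_body_size  150m;

        # HTTP/1.1 plus the Upgrade/Connection headers are required for the
        # WebSocket upgrade to reach the backend.
        proxy_http_version    1.1;
        proxy_set_header      Upgrade $http_upgrade;
        proxy_set_header      Connection upgrade;
    }
}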

References