From 6e380ade1768c8062a4e5da1ce8ce991bec1aa0f Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Sat, 16 Aug 2014 12:33:10 +0000
Subject: [PATCH] owncloud will only let users access it from the
 PRIMARY_HOSTNAME (due to its trusted_domains option being set statically), so
 only include /cloud in the nginx configuration for PRIMARY_HOSTNAME

---
 conf/nginx-primaryonly.conf | 41 ++++++++++++++++++++++++++++++++
 conf/nginx.conf             | 47 -------------------------------------
 management/web_update.py    | 21 ++++++++++-------
 3 files changed, 54 insertions(+), 55 deletions(-)
 create mode 100644 conf/nginx-primaryonly.conf

diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
new file mode 100644
index 0000000..d7457ed
--- /dev/null
+++ b/conf/nginx-primaryonly.conf
@@ -0,0 +1,41 @@
+	# ownCloud configuration.
+	rewrite ^/cloud$ /cloud/ redirect;
+	rewrite ^/cloud/$ /cloud/index.php;
+	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
+	location /cloud/ {
+		alias /usr/local/lib/owncloud/;
+		location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
+			deny all;
+	 	}
+	}
+	location ~ ^(/cloud)(/[^/]+\.php)(/.*)?$ {
+		# note: ~ has precendence over a regular location block
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
+		fastcgi_param SCRIPT_NAME $1$2;
+		fastcgi_param PATH_INFO $3;
+		fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
+		fastcgi_read_timeout 630;
+		fastcgi_pass php-fpm;
+		error_page 403 /cloud/core/templates/403.php;
+		error_page 404 /cloud/core/templates/404.php;
+		client_max_body_size 1G;
+		fastcgi_buffers 64 4K;
+	}
+	location ^~ /cloud/data {
+		# In order to support MOD_X_ACCEL_REDIRECT_ENABLED, we need to expose
+		# the data directory but only allow 'internal' redirects within nginx
+		# so that this is not exposed to the world.
+		internal;
+		alias $STORAGE_ROOT/owncloud;
+	}
+	location ~ ^/((caldav|carddav|webdav).*)$ {
+		# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
+		# Properly proxying like this seems to work fine.
+		proxy_pass https://$HOSTNAME/cloud/remote.php/$1;
+	}
+	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
+	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
+	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
+	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
+
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 3ed7556..4f343c5 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -31,12 +31,10 @@ server {
 		index index.php;
 		alias /usr/local/lib/roundcubemail/;
 	}
-
 	location ~ /mail/config/.* {
 		# A ~-style location is needed to give this precedence over the next block.
 		return 403;
 	}
-
 	location ~ /mail/.*\.php {
 		# note: ~ has precendence over a regular location block
 		include fastcgi_params;
@@ -47,51 +45,6 @@ server {
 		client_max_body_size 20M;
 	}
 
-	# ownCloud configuration.
-	rewrite ^/cloud$ /cloud/ redirect;
-	rewrite ^/cloud/$ /cloud/index.php;
-	rewrite ^(/cloud/core/doc/[^\/]+/)$ $1/index.html;
-	location /cloud/ {
-		alias /usr/local/lib/owncloud/;
-		location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
-			deny all;
-	 	}
-	}
-
-	location ~ ^(/cloud)(/[^/]+\.php)(/.*)?$ {
-		# note: ~ has precendence over a regular location block
-		include fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$2;
-		fastcgi_param SCRIPT_NAME $1$2;
-		fastcgi_param PATH_INFO $3;
-		fastcgi_param MOD_X_ACCEL_REDIRECT_ENABLED on;
-		fastcgi_read_timeout 630;
-		fastcgi_pass php-fpm;
-		error_page 403 /cloud/core/templates/403.php;
-		error_page 404 /cloud/core/templates/404.php;
-		client_max_body_size 1G;
-		fastcgi_buffers 64 4K;
-	}
-	location ^~ /cloud/data {
-		# In order to support MOD_X_ACCEL_REDIRECT_ENABLED, we need to expose
-		# the data directory but only allow 'internal' redirects within nginx
-		# so that this is not exposed to the world.
-		internal;
-		alias $STORAGE_ROOT/owncloud;
-	}
-
-
-	location ~ ^/((caldav|carddav|webdav).*)$ {
-		# Z-Push doesn't like getting a redirect, and a plain rewrite didn't work either.
-		# Properly proxying like this seems to work fine.
-		proxy_pass https://$HOSTNAME/cloud/remote.php/$1;
-	}
-
-	rewrite ^/.well-known/host-meta /cloud/public.php?service=host-meta last;
-	rewrite ^/.well-known/host-meta.json /cloud/public.php?service=host-meta-json last;
-	rewrite ^/.well-known/carddav /cloud/remote.php/carddav/ redirect;
-	rewrite ^/.well-known/caldav /cloud/remote.php/caldav/ redirect;
-
 	# Webfinger configuration.
 	location = /.well-known/webfinger {
 		include fastcgi_params;
diff --git a/management/web_update.py b/management/web_update.py
index 0665156..3ef2856 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -43,9 +43,10 @@ def do_web_update(env):
 	nginx_conf = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-top.conf")).read()
 
 	# Add configuration for each web domain.
-	template = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read()
+	template1 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx.conf")).read()
+	template2 = open(os.path.join(os.path.dirname(__file__), "../conf/nginx-primaryonly.conf")).read()
 	for domain in get_web_domains(env):
-		nginx_conf += make_domain_config(domain, template, env)
+		nginx_conf += make_domain_config(domain, template1, template2, env)
 
 	# Did the file change? If not, don't bother writing & restarting nginx.
 	nginx_conf_fn = "/etc/nginx/conf.d/local.conf"
@@ -63,7 +64,7 @@ def do_web_update(env):
 
 	return "web updated\n"
 
-def make_domain_config(domain, template, env):
+def make_domain_config(domain, template, template_for_primaryhost, env):
 	# How will we configure this domain.
 
 	# Where will its root directory be for static files?
@@ -77,8 +78,13 @@ def make_domain_config(domain, template, env):
 	# available. Make a self-signed one now if one doesn't exist.
 	ensure_ssl_certificate_exists(domain, ssl_key, ssl_certificate, csr_path, env)
 
+	# Put pieces together.
+	nginx_conf_parts = re.split("\s*# ADDITIONAL DIRECTIVES HERE\s*", template)
+	nginx_conf = nginx_conf_parts[0] + "\n"
+	if domain == env['PRIMARY_HOSTNAME']:
+		nginx_conf += template_for_primaryhost + "\n"
+
 	# Replace substitution strings in the template & return.
-	nginx_conf = template
 	nginx_conf = nginx_conf.replace("$STORAGE_ROOT", env['STORAGE_ROOT'])
 	nginx_conf = nginx_conf.replace("$HOSTNAME", domain)
 	nginx_conf = nginx_conf.replace("$ROOT", root)
@@ -86,17 +92,16 @@ def make_domain_config(domain, template, env):
 	nginx_conf = nginx_conf.replace("$SSL_CERTIFICATE", ssl_certificate)
 
 	# Add in any user customizations.
-	nginx_conf_parts = re.split("(# ADDITIONAL DIRECTIVES HERE\n)", nginx_conf)
 	nginx_conf_custom_fn = os.path.join(env["STORAGE_ROOT"], "www/custom.yaml")
 	if os.path.exists(nginx_conf_custom_fn):
 		yaml = rtyaml.load(open(nginx_conf_custom_fn))
 		if domain in yaml:
 			yaml = yaml[domain]
 			if "proxy" in yaml:
-				nginx_conf_parts[1] += "\tlocation / {\n\t\tproxy_pass %s;\n\t}\n" % yaml["proxy"]
+				nginx_conf += "\tlocation / {\n\t\tproxy_pass %s;\n\t}\n" % yaml["proxy"]
 
-	# Put it all together.	
-	nginx_conf = "".join(nginx_conf_parts)
+	# Ending.
+	nginx_conf += nginx_conf_parts[1]
 
 	return nginx_conf