collabora:debian:installation [2019/04/16 07:11] – madko | collabora:debian:installation [2019/04/16 07:15] (Version actuelle) – madko |
---|
<code> | <code> |
openssl genrsa -out /etc/loolwsd/key.pem 2048 | openssl genrsa -out /etc/loolwsd/key.pem 2048 |
| openssl req -x509 -new -nodes -key /etc/loolwsd/root.key.pem -days 9131 -out /etc/loolwsd/ca-chain.cert.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority" |
openssl req -key /etc/loolwsd/key.pem -new -sha256 -out /etc/loolwsd/localhost.csr.pem -subj "/C=FR/ST=Ile de France/L=Noisy Le Grand/O=DGFiP Authority/CN=localhost" | openssl req -key /etc/loolwsd/key.pem -new -sha256 -out /etc/loolwsd/localhost.csr.pem -subj "/C=FR/ST=Ile de France/L=Noisy Le Grand/O=DGFiP Authority/CN=localhost" |
openssl x509 -req -in /etc/loolwsd/localhost.csr.pem -CA /etc/loolwsd/ca-chain.cert.pem -CAkey /etc/loolwsd/root.key.pem -CAcreateserial -out /etc/loolwsd/cert.pem -days 9131 | openssl x509 -req -in /etc/loolwsd/localhost.csr.pem -CA /etc/loolwsd/ca-chain.cert.pem -CAkey /etc/loolwsd/root.key.pem -CAcreateserial -out /etc/loolwsd/cert.pem -days 9131 |
<property name="rotateOnOpen" desc="Enable/disable log file rotation on opening.">true</property> | <property name="rotateOnOpen" desc="Enable/disable log file rotation on opening.">true</property> |
<property name="flush" desc="Enable/disable flushing after logging each line. May harm performance. Note that without flushing after each line, the log lines from the different processes will not appear in chronological order.">false</property> | <property name="flush" desc="Enable/disable flushing after logging each line. May harm performance. Note that without flushing after each line, the log lines from the different processes will not appear in chronological order.">false</property> |
</file> | |
<anonymize> | <anonymize> |
<filenames type="bool" desc="Enable to anonymize/obfuscate filenames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="false">false</filenames> | false</filenames> |
<usernames type="bool" desc="Enable to anonymize/obfuscate usernames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="false">false</usernames> | <usernames type="bool" desc="Enable to anonymize/obfuscate usernames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="false">false</usernames> |
</anonymize> | </anonymize> |
</logging> | </logging> |
| |
<loleaflet_logging desc="Logging in the browser console" default="false">false</loleaflet_logging> | <loleaflet_logging desc="Logging in the browser console" default="false">false</loleaflet_logging> |
| |
<trace desc="Dump commands and notifications for replay. When 'snapshot' is true, the source file is copied to the path first." enable="false"> | <trace desc="Dump commands and notifications for replay. When 'snapshot' is true, the source file is copied to the path first." enable="false"> |
<path desc="Output path to hold trace file and docs. Use '%' for timestamp to avoid overwriting. For example: /some/path/to/looltrace-%.gz" compress="true" snapshot="false"></path> | <path desc="Output path to hold trace file and docs. Use '%' for timestamp to avoid overwriting. For example: /some/path/to/looltrace-%.gz" compress="true" snapshot="false"></path> |
<filter> | <filter> |
<message desc="Regex pattern of messages to exclude"></message> | <message desc="Regex pattern of messages to exclude"></message> |
</filter> | </filter> |
<outgoing> | <outgoing> |
<record desc="Whether or not to record outgoing messages" default="false">false</record> | <record desc="Whether or not to record outgoing messages" default="false">false</record> |
</outgoing> | </outgoing> |
</trace> | </trace> |
| |
<net desc="Network settings"> | <net desc="Network settings"> |
<proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto> | <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto> |
<listen type="string" default="any" desc="Listen address that loolwsd binds to. Can be 'any' or 'loopback'.">any</listen> | <listen type="string" default="any" desc="Listen address that loolwsd binds to. Can be 'any' or 'loopback'.">any</listen> |
<service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path."></service_root> | <service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path."></service_root> |
<post_allow desc="Allow/deny client IP address for POST(REST)." allow="true"> | <post_allow desc="Allow/deny client IP address for POST(REST)." allow="true"> |
<host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host> | <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host> |
<host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host> | <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host> |
<host desc="The IPv6 loopback (localhost) address.">::1</host> | <host desc="The IPv6 loopback (localhost) address.">::1</host> |
</post_allow> | </post_allow> |
<frame_ancestors desc="Specify who is allowed to embed the LO Online iframe (loolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors> | <frame_ancestors desc="Specify who is allowed to embed the LO Online iframe (loolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors> |
</net> | </net> |
| |
<ssl desc="SSL settings"> | <ssl desc="SSL settings"> |
<enable type="bool" desc="Controls whether SSL encryption is enable (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable> | <enable type="bool" desc="Controls whether SSL encryption is enable (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable> |
<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination> | <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination> |
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path> | <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path> |
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path> | <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path> |
<ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path> | <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path> |
<cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list> | <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list> |
<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false"> | <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false"> |
<max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age> | <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age> |
<report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri> | <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri> |
<pins desc="Base64 encoded SPKI fingerprints of keys to be pinned"> | <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned"> |
<pin></pin> | <pin></pin> |
</pins> | </pins> |
</hpkp> | </hpkp> |
</ssl> | </ssl> |
| |
<security desc="Altering these defaults potentially opens you to significant risk"> | <security desc="Altering these defaults potentially opens you to significant risk"> |
<seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp> | <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp> |
<capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities> | <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities> |
</security> | </security> |
| |
<storage desc="Backend storage"> | <storage desc="Backend storage"> |
<filesystem allow="false" /> | <filesystem allow="false" /> |
<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true"> | <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true"> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">cloud\.nextcloud\.lan</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">cloud\.nextcloud\.lan</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">office2\.nextcloud\.lan</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">office2\.nextcloud\.lan</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host> | <host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host> |
<host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host> | <host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host> |
<max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size> | <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size> |
</wopi> | </wopi> |
<webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false"> | <webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false"> |
<host desc="Hostname to allow" allow="false">localhost</host> | <host desc="Hostname to allow" allow="false">localhost</host> |
</webdav> | </webdav> |
</storage> | </storage> |
| |
<tile_cache_persistent desc="Should the tiles persist between two editing sessions of the given document?" type="bool" default="true">true</tile_cache_persistent> | <tile_cache_persistent desc="Should the tiles persist between two editing sessions of the given document?" type="bool" default="true">true</tile_cache_persistent> |
| |
<admin_console desc="Web admin console settings."> | <admin_console desc="Web admin console settings."> |
<enable desc="Enable the admin console functionality" type="bool" default="true">true</enable> | <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable> |
<enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam> | <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam> |
<username desc="The username of the admin console. Ignored if PAM is enabled."></username> | <username desc="The username of the admin console. Ignored if PAM is enabled."></username> |
<password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or loolconfig to set up a secure password."></password> | <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or loolconfig to set up a secure password."></password> |
</admin_console> | </admin_console> |
| |
<monitors desc="Addresses of servers we connect to on start for monitoring"> | <monitors desc="Addresses of servers we connect to on start for monitoring"> |
</monitors> | </monitors> |
| |
</config> | </config> |
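Review bot: The CA private key `/etc/loolwsd/root.key.pem` used by the added `openssl req -x509` line stays on the Collabora server next to a CA certificate valid for 9131 days, so anyone who can read that file can sign certificates that every client trusting `ca-chain.cert.pem` will accept. After the `openssl x509 -req` step the key should be moved off the host, or at least restricted with `chmod 600 /etc/loolwsd/root.key.pem`, and `key.pem` should be readable only by the account that runs loolwsd. No visible line creates `root.key.pem`; unless that step sits just above this excerpt, the added command fails and the page needs `openssl genrsa -out /etc/loolwsd/root.key.pem 2048` before it. The signed certificate also carries only `CN=localhost` and no subjectAltName, so clients reaching the server under another host name will presumably fail verification, which is worth stating next to the commands so readers do not respond by turning verification off.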