systemd service for https://github.com/sigoden/dufs behind nginx reverse proxy
# systemd unit for one dufs instance per user. %i is the instance name and is used
# below as the service user name, the served directory (/srv/%i) and the socket name.
# NOTE(review): presumably installed as a template unit (e.g. dufs@.service); the
# file name is not shown on this page.
[Unit]
Description=Dufs daemon (%i instance)
Wants=network-online.target
After=network-online.target
# The unit refuses to start (assertion failure) when the served directory is missing.
AssertPathExists=/srv/%i
# At most 2 starts within 30 seconds; together with Restart=always below this
# stops a crash loop instead of restarting forever.
StartLimitIntervalSec=30
StartLimitBurst=2
[Service]
# If an account named %i already exists it is used; otherwise systemd allocates
# a transient user with that name for the lifetime of the service.
# NOTE(review): with a transient UID, files written to /srv/%i (see ReadWritePaths=
# below) persist after the UID is released. Confirm that a static account per
# instance is intended, or that ownership of /srv/%i is managed some other way.
User=%i
DynamicUser=true
# NOTE(review): presumably the nginx worker user is a member of this group so
# that it can connect to the socket. Membership in this group is what grants
# access to every instance's socket, so keep it minimal.
Group=dufs
Type=simple
# dufs is configured entirely through DUFS_* environment variables:
# a config file, a Unix socket to bind instead of a TCP port, and the directory to serve.
Environment="DUFS_CONFIG=/tmp/config.yaml"
Environment="DUFS_BIND=/var/lib/dufs/%i.sock"
Environment="DUFS_SERVE_PATH=/srv/%i"
# Build the effective config inside the service's private /tmp (PrivateTmp=true below).
# touch guarantees the file exists; both cp lines carry the "-" prefix so a missing
# source file is ignored. The copies overwrite each other in order, so a per-instance
# /etc/dufs/%i.yaml replaces the global config rather than being merged with it.
# These commands run with the service's User=/Group=, so the files under /etc/dufs
# must be readable by that account.
ExecStartPre=/usr/bin/touch /tmp/config.yaml
ExecStartPre=-/usr/bin/cp /etc/dufs/config.yaml /tmp/config.yaml
ExecStartPre=-/usr/bin/cp /etc/dufs/%i.yaml /tmp/config.yaml
ExecStart=/usr/local/bin/dufs
# Files and the socket are created group-writable but not world-writable, so
# members of Group= can write to (and connect to) the socket and others cannot.
UMask=0002
# Sandboxing: no privilege gain through setuid/setgid binaries, no memory mappings
# that are both writable and executable, read-only /usr and boot directories, and
# a private /tmp.
# NOTE(review): systemd documents DynamicUser= as already implying a stricter
# ProtectSystem= level plus NoNewPrivileges= and PrivateTmp=; check the effective
# settings with "systemd-analyze security" rather than relying on these lines alone.
NoNewPrivileges=true
MemoryDenyWriteExecute=true
ProtectSystem=true
PrivateTmp=true
# Remove the socket after the service stops so that the next start can bind again.
# NOTE(review): no "-" prefix and no -f, so this command fails when the socket
# was never created (for example when dufs exited before binding).
ExecStopPost=/usr/bin/rm /var/lib/dufs/%i.sock
# The only locations the sandboxed service may write to: the socket directory
# and this instance's served directory.
ReadWritePaths=/var/lib/dufs
ReadWritePaths=/srv/%i
Restart=always
[Install]
WantedBy=multi-user.target
# Decide per request whether dufs or nginx itself answers. The key is
# "METHOD:URI", where $request_uri is the original request URI including any
# query string. A value of 1 sends the request to dufs; the default 0 leaves it
# to nginx, which then serves the file straight from disk (plain GET of a path
# that does not end in "/" and has no query string).
# Entries are regular expressions ("~" prefix) and are tested in the order listed.
map "$request_method:$request_uri" $pass_to_dufs {
default 0;
~^GET:.*/$ 1; # GET directories (ends with /)
~^GET:.*\? 1; # GET with query string (has ? in uri)
~^GET:/__dufs 1; # GET dufs resources (begins with /__dufs)
~^(?!GET) 1; # all non-GET requests
}
# Front end for the per-user dufs instances. nginx authenticates the client with
# HTTP basic auth and uses the authenticated name ($remote_user) to select both
# the backend socket and the document root.
# NOTE(review): no listen/ssl/server_name directives are shown in this snippet.
# Basic auth credentials are only base64-encoded, so this server block should be
# reachable over TLS only. Confirm against the full configuration.
server {
location / {
# Every request must authenticate; unauthenticated requests get 401 from nginx.
# NOTE(review): user names from this file are interpolated into filesystem paths
# below, so they should be restricted to plain names (no "/" or "..").
auth_basic "Restricted Area";
auth_basic_user_file "/etc/nginx/htpasswd";
# https://github.com/miquels/webdav-server-rs/blob/master/examples/nginx-proxy.conf
# +https://www.dimoulis.net/posts/webdav-behind-reverse-proxy/
proxy_http_version 1.1;
# Stream responses to the client instead of buffering them in nginx.
proxy_buffering off;
# 0 disables the request body size check, so upload size is unbounded here.
# Any limit on disk usage has to be enforced elsewhere (quota, separate filesystem).
client_max_body_size 0;
proxy_read_timeout 120s;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): sent as "on" unconditionally, unlike X-Forwarded-Proto above,
# which follows $scheme. Correct only if this server never serves plain HTTP.
proxy_set_header X-Forwarded-Ssl on;
# Empty Connection header together with HTTP/1.1 above, as in the referenced examples.
proxy_set_header Connection "";
proxy_pass_header Date;
proxy_pass_header Server;
# MOVE and COPY methods use a Destination header that must match the scheme of Host (e.g. https for https and not http)
# The backend is reached over plain http, so an https:// Destination is rewritten
# to http://. set and if run in the rewrite phase, before the proxy_set_header
# value is evaluated, so the rewritten $dest is what the backend receives.
# Only the scheme is changed; host and path are passed through unchecked, so
# validating the destination is left to dufs.
set $dest $http_destination;
proxy_set_header Destination $dest;
if ($http_destination ~ "^https://(?<myvar>(.+))") {
set $dest http://$myvar;
}
#end
# Trust boundary: with Authorization stripped, dufs does no authentication of
# its own in this setup. Whatever can connect to a user's socket acts as that
# user, so the permissions on /var/lib/dufs and its sockets are the only control
# behind nginx.
proxy_set_header Authorization ""; # remove auth header to avoid configuring dufs with matching user:pass list
# Requests selected by the $pass_to_dufs map go to the authenticated user's own socket.
if ($pass_to_dufs) {
proxy_pass http://unix:/var/lib/dufs/$remote_user.sock;
}
# Everything else is served by nginx directly from the user's directory.
# The nginx worker therefore needs read access to /srv/<user>, and any access
# rules configured in dufs are not applied to these plain file GETs.
root /srv/$remote_user;
}
}