From 1c2764dbb86abc92466c93ba82149f680f08b769 Mon Sep 17 00:00:00 2001
From: yflory
Date: Tue, 5 Sep 2023 13:02:27 +0200
Subject: [PATCH] Revert revert "have 2 distinctives Nginx examples, default & advanced"

This reverts commit 9fa981cfd8925176844daae9029ec5dc2e05fab8.
---
 docs/example.nginx.conf | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index c3eea6066..256fe28bd 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -12,14 +12,35 @@ server {
 include letsencrypt-webroot;
 # CryptPad serves static assets over these two domains.
- # `your-main-domain` is what users will enter in their address bar.
+ # `main_domain` is what users will enter in their address bar.
 # Privileged computation such as key management is handled in this scope
- # UI content is loaded via the `your-sandbox-domain`.
+ # UI content is loaded via the `sandbox_domain`.
 # "Content Security Policy" headers prevent content loaded via the sandbox
 # from accessing privileged information.
- # This setup allows to take advantage of CryptPad's sandboxing techniques.
+ # These variables must be different to take advantage of CryptPad's sandboxing techniques.
 # In the event of an XSS vulnerability in CryptPad's front-end code
 # this will limit the amount of information accessible to attackers.
+ set $main_domain "your-main-domain.com";
+ set $sandbox_domain "your-sandbox-domain.com";
+
+ # By default CryptPad forbids remote domains from embedding CryptPad documents in iframes.
+ # The sandbox domain must always be permitted in order for the platform to function.
+ # If you wish to enable remote embedding you may change the value below to "*"
+ # as per the commented value.
+ set $allowed_origins "https://${sandbox_domain}";
+ #set $allowed_origins "*";
+
+ # CryptPad's dynamic content (websocket traffic and encrypted blobs)
+ # can be served over separate domains. Using dedicated domains (or subdomains)
+ # for these purposes allows you to move them to a separate machine at a later date
+ # if you find that a single machine cannot handle all of your users.
+ # If you don't use dedicated domains, this can be the same as $main_domain
+ # If you do, they can be added as exceptions to any rules which block connections to remote domains.
+ # You can find these variables referenced below in the relevant places
+ set $api_domain "api.your-main-domain.com";
+ set $files_domain "files.your-main-domain.com";
+
+ # nginx doesn't let you set server_name via variables, so you need to hardcode your domains here
 server_name your-main-domain.com your-sandbox-domain.com;
 # You'll need to Set the path to your certificates and keys here
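Review bot: The comment above `#set $allowed_origins "*";` offers `*` as the way to enable remote embedding without saying what it gives up: with it any website, not only `https://${sandbox_domain}`, may embed CryptPad documents, and no narrower option than "everything" is mentioned. Which header consumes `$allowed_origins` is decided later in the file, outside this hunk; if it feeds a CSP `frame-ancestors` directive a space-separated list of specific origins is a narrower alternative, whereas an `Access-Control-Allow-Origin` header takes a single value, so the comment should name the consuming header and the accepted format. I would add `# "*" lets any website embed your instance; if the header below accepts a list, name the specific origins you trust instead.` Separately, the new `$api_domain`/`$files_domain` defaults are literal `api.your-main-domain.com` placeholders rather than being derived from `$main_domain`, so an admin who takes the "can be the same as $main_domain" route has to edit four places (three `set` lines plus the hard-coded `server_name`); `set $api_domain "${main_domain}";` and `set $files_domain "${main_domain}";` would make that route the one-edit default, with the subdomain form kept as the commented alternative. The enclosing `server {` block begins before and ends after this hunk.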