From 2e7f9a374b0b5f088e0fc013941a7646dc4e7005 Mon Sep 17 00:00:00 2001
From: Cassowary <cassowary@aldercone.studio>
Date: Mon, 15 Dec 2025 10:45:40 -0800
Subject: [PATCH] Switch the sandbox domain to an explicit choice on the users
 part

This allows subdomains or separate domains - a convenience for setups that have a wildcard pointing at the CC server.
---
 .env.sample | 4 ++++
 compose.yml | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.env.sample b/.env.sample
index 857df8f..3ed4f3b 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,7 +1,11 @@
 TYPE=cryptpad
 
+
 DOMAIN=cryptpad.example.com
 
+# This is a separate domain for the secure side of Cryptpad. It can be any other domain (subdomain or separate domain)
+SANDBOX_DOMAIN=sandbox.cryptpad.example.com
+
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
diff --git a/compose.yml b/compose.yml
index bc2515f..f27d01c 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,7 +8,7 @@ services:
       - proxy
     environment:
       - "CPAD_MAIN_DOMAIN=${DOMAIN}"
-      - "CPAD_SANDBOX_DOMAIN=sandbox.${DOMAIN}"
+      - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}"
       # Traefik can't use HTTP2 to communicate with cryptpat_websocket
       # A workaroung is disabling HTTP2 in Nginx
       - "CPAD_HTTP2_DISABLE=true"
@@ -32,11 +32,11 @@ services:
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `sandbox.${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-          #        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}"
-          #        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=sandbox.${DOMAIN}"
+        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}"
+        - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}"
         ## Redirect from EXTRA_DOMAINS to DOMAIN
         #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"