Merge branch 'mr_nginx_http_only' into 'master'

Nginx support for http local reverse proxy (i.e. TLS reverse higher up the chain)

See merge request !10

defaults/main.yml

@@ -26,20 +26,27 @@ funkwhale_database_port: 5432
 #funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
 
 funkwhale_nginx_managed: true
+# If you have an hTTPS reverse proxy higher up, set this to true
+funkwhale_nginx_tls_termination: true
 funkwhale_nginx_max_body_size: 100M
+funkwhale_nginx_use_compression: true
+funkwhale_ssl_cert_path:
+funkwhale_ssl_key_path:
+funkwhale_protocol: https
+
+funkwhale_letsencrypt_certbot_flags:
+funkwhale_letsencrypt_enabled: true
+funkwhale_letsencrypt_skip_cert: false
+
 funkwhale_redis_managed: true
 funkwhale_api_ip: 127.0.0.1
 funkwhale_api_port: 5000
 funkwhale_web_workers: 1
-funkwhale_protocol: https
 funkwhale_settings_module: config.settings.production
 funkwhale_env_vars: []
 funkwhale_systemd_managed: true
 funkwhale_systemd_after: redis.service postgresql.service
 funkwhale_systemd_service_name: funkwhale
-funkwhale_letsencrypt_certbot_flags:
-funkwhale_letsencrypt_enabled: true
-funkwhale_letsencrypt_skip_cert: false
 funkwhale_ssl_cert_path:
 funkwhale_ssl_key_path:
 funkwhale_custom_settings:

templates/funkwhale_proxy.conf.j2

@@ -2,12 +2,14 @@
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+{% if not funkwhale_nginx_tls_termination -%}
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-Port $server_port;
 proxy_redirect off;
+{% endif -%}
 
 # websocket support
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $connection_upgrade;
+proxy_set_header Connection "upgrade";

templates/nginx.conf.j2

 # {{ ansible_managed }}
-{% if funkwhale_protocol == 'https' -%}
+{% if funkwhale_nginx_tls_termination -%}
 server {
     listen 80;
     listen [::]:80;
@@ -8,17 +8,11 @@ server {
 }
 {% endif -%}
 
-# required for websocket support
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      close;
-}
-
 server {
-    listen {% if funkwhale_protocol == 'https' %}443 ssl http2{% else %}80{% endif %};
-    listen [::]:{% if funkwhale_protocol == 'https' %}443 ssl http2{% else -%}80{% endif %};
+    listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
+    listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
     server_name {{ funkwhale_hostname }};
-    {% if funkwhale_protocol == 'https' -%}
+    {% if funkwhale_nginx_tls_termination -%}
     {% if funkwhale_ssl_key_path -%}
     ssl_certificate {{ funkwhale_ssl_cert_path }};
     ssl_certificate_key {{ funkwhale_ssl_key_path }};
@@ -36,12 +30,12 @@ server {
     ssl_stapling on;
     ssl_stapling_verify on;
     add_header Strict-Transport-Security "max-age=63072000; preload";
-    {% endif -%}
-
+    {% endif %}
 
     root {{ funkwhale_frontend_path }};
 
     # compression settings
+    {% if funkwhale_nginx_use_compression -%}
     gzip on;
     gzip_comp_level    5;
     gzip_min_length    256;
@@ -66,6 +60,9 @@ server {
         text/vtt
         text/x-component
         text/x-cross-domain-policy;
+    {% else -%}
+    gzip off;
+    {% endif %}
 
     # end of compression settings
     location / {
@@ -118,7 +115,7 @@ server {
         internal;
         alias   {{ funkwhale_media_path }};
     }
-    {% endif -%}
+    {% endif %}
 
     location /_protected/music {
         # this is an internal location that is used to serve
@@ -133,8 +130,8 @@ server {
         # django static files
         alias {{ funkwhale_static_path }}/;
     }
-
 {% if funkwhale_disable_django_admin -%}
+
     location /api/admin/ {
         # disable access to API admin dashboard
         return 403;