Commit 2019c988 authored by Eliot Berriot's avatar Eliot Berriot

Merge branch 'mr_nginx_http_only' into 'master'

Nginx support for http local reverse proxy (i.e. TLS reverse higher up the chain)

See merge request !10
parents 52311bfb da016e43
Pipeline #9733 passed
......@@ -26,20 +26,27 @@ funkwhale_database_port: 5432
#funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
funkwhale_nginx_managed: true
# If you have an hTTPS reverse proxy higher up, set this to true
funkwhale_nginx_tls_termination: true
funkwhale_nginx_max_body_size: 100M
funkwhale_nginx_use_compression: true
funkwhale_ssl_cert_path:
funkwhale_ssl_key_path:
funkwhale_protocol: https
funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000
funkwhale_web_workers: 1
funkwhale_protocol: https
funkwhale_settings_module: config.settings.production
funkwhale_env_vars: []
funkwhale_systemd_managed: true
funkwhale_systemd_after: redis.service postgresql.service
funkwhale_systemd_service_name: funkwhale
funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_ssl_cert_path:
funkwhale_ssl_key_path:
funkwhale_custom_settings:
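Review bot: The comment above `funkwhale_nginx_tls_termination` says the opposite of what the templates do: the nginx template listens on `443 ssl http2` when the variable is true, so an operator with an HTTPS reverse proxy higher up has to set it to false. Following the comment as written keeps the default, and nginx goes on terminating TLS itself. I would reword it to `# Set to false when a TLS-terminating reverse proxy sits in front of this nginx; nginx then listens on plain HTTP (port 80)`. It would also help to state there that `funkwhale_protocol` presumably stays `https` in that setup, since the relation between the two variables is not obvious from the defaults.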
......
......@@ -2,12 +2,14 @@
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% if not funkwhale_nginx_tls_termination -%}
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
{% endif -%}
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Connection "upgrade";
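Review bot: The `{% if not funkwhale_nginx_tls_termination -%}` guard around `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` looks inverted. With the default (nginx terminates TLS) these headers are no longer set, so whatever the client sent under those names is passed to the API unchanged. With an upstream TLS proxy, `$scheme` is `http` at this hop, so the API is told the request was not secure. If the backend trusts these headers for redirects, secure cookies or URL building, both cases give it the wrong answer. I would set the scheme unconditionally from the role variable, `proxy_set_header X-Forwarded-Proto {{ funkwhale_protocol }};`, and always overwrite `X-Forwarded-Host` and `X-Forwarded-Port` rather than making them conditional.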
# {{ ansible_managed }}
{% if funkwhale_protocol == 'https' -%}
{% if funkwhale_nginx_tls_termination -%}
server {
listen 80;
listen [::]:80;
......@@ -8,17 +8,11 @@ server {
}
{% endif -%}
# required for websocket support
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen {% if funkwhale_protocol == 'https' %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_protocol == 'https' %}443 ssl http2{% else -%}80{% endif %};
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
server_name {{ funkwhale_hostname }};
{% if funkwhale_protocol == 'https' -%}
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%}
ssl_certificate {{ funkwhale_ssl_cert_path }};
ssl_certificate_key {{ funkwhale_ssl_key_path }};
......@@ -36,12 +30,12 @@ server {
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%}
{% endif %}
root {{ funkwhale_frontend_path }};
# compression settings
{% if funkwhale_nginx_use_compression -%}
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
......@@ -66,6 +60,9 @@ server {
text/vtt
text/x-component
text/x-cross-domain-policy;
{% else -%}
gzip off;
{% endif %}
# end of compression settings
location / {
......@@ -118,7 +115,7 @@ server {
internal;
alias {{ funkwhale_media_path }};
}
{% endif -%}
{% endif %}
location /_protected/music {
# this is an internal location that is used to serve
......@@ -133,8 +130,8 @@ server {
# django static files
alias {{ funkwhale_static_path }}/;
}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
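Review bot: When `funkwhale_nginx_tls_termination` is false, the two `listen` lines bind plain HTTP on port 80 on every IPv4 and IPv6 address, and the same branch drops the `Strict-Transport-Security` header. Nothing in the visible hunks limits that listener to the upstream proxy, so a client that can reach the host directly gets the application without TLS and can supply its own `X-Forwarded-For`. I would document next to the variable that port 80 must be reachable only from the proxy and that HSTS has to be added upstream. An alternative is an optional bind address, e.g. `listen {{ <bind-address variable, name to be chosen> }}:80;`. The server block continues outside the hunks shown.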
......