Commit da016e43 authored by Jean's avatar Jean Committed by Agate

Nginx support for http local reverse proxy (i.e. TLS reverse higher up the chain)

parent 52311bfb
......@@ -26,20 +26,27 @@ funkwhale_database_port: 5432
#funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
funkwhale_nginx_managed: true
# If you have an hTTPS reverse proxy higher up, set this to true
funkwhale_nginx_tls_termination: true
funkwhale_nginx_max_body_size: 100M
funkwhale_nginx_use_compression: true
funkwhale_ssl_cert_path:
funkwhale_ssl_key_path:
funkwhale_protocol: https
funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000
funkwhale_web_workers: 1
funkwhale_protocol: https
funkwhale_settings_module: config.settings.production
funkwhale_env_vars: []
funkwhale_systemd_managed: true
funkwhale_systemd_after: redis.service postgresql.service
funkwhale_systemd_service_name: funkwhale
funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_ssl_cert_path:
funkwhale_ssl_key_path:
funkwhale_custom_settings:
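Review bot: The comment added above `funkwhale_nginx_tls_termination` says the opposite of what the templates do: the nginx template only emits the `443 ssl` listener, the `ssl_certificate` directives and the 80→443 redirect when the variable is true, so an operator with a TLS-terminating proxy higher up must set it to `false`, not `true` as the comment instructs. Suggested wording: `# Set to false when TLS is terminated by a reverse proxy higher up the chain; nginx then listens on plain HTTP (port 80) and skips certificate handling. Leave true to have nginx terminate TLS itself.` (this also fixes the "hTTPS" typo). Separately, judging from the hunk counts the new file appears to carry `funkwhale_letsencrypt_*` and `funkwhale_ssl_cert_path`/`funkwhale_ssl_key_path` twice (once near `funkwhale_nginx_*`, once after the systemd keys); YAML loaders take the last occurrence silently, so whichever copy an operator edits first may be ignored — keep a single copy.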
......
......@@ -2,12 +2,14 @@
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% if not funkwhale_nginx_tls_termination -%}
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
{% endif -%}
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Connection "upgrade";
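Review bot: When `funkwhale_nginx_tls_termination` is false nginx stops setting `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port`, so the application receives whatever the client-facing proxy sends — or whatever a client sends if it can reach this port-80 listener directly — and if the app uses `X-Forwarded-Proto` to decide that a request was secure, that becomes spoofable. The template should say so, e.g. `# TLS terminated upstream: X-Forwarded-* are passed through from the upstream proxy, so this listener must only be reachable from that proxy (bind to a private interface or firewall port 80).` In the same mode `X-Real-IP $remote_addr` is the upstream proxy's address rather than the client's; if the app relies on it, `set_real_ip_from`/`real_ip_header X-Forwarded-For` for the proxy's address would restore it. Also, the hunk now shows both `Connection $connection_upgrade` and `Connection "upgrade"`; if the first is meant to be replaced rather than kept, it must go, since the `map $http_upgrade $connection_upgrade` block is removed from the server template and nginx would reject the config with an unknown-variable error.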
# {{ ansible_managed }}
{% if funkwhale_protocol == 'https' -%}
{% if funkwhale_nginx_tls_termination -%}
server {
listen 80;
listen [::]:80;
......@@ -8,17 +8,11 @@ server {
}
{% endif -%}
# required for websocket support
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen {% if funkwhale_protocol == 'https' %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_protocol == 'https' %}443 ssl http2{% else -%}80{% endif %};
listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
server_name {{ funkwhale_hostname }};
{% if funkwhale_protocol == 'https' -%}
{% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%}
ssl_certificate {{ funkwhale_ssl_cert_path }};
ssl_certificate_key {{ funkwhale_ssl_key_path }};
......@@ -36,12 +30,12 @@ server {
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%}
{% endif %}
root {{ funkwhale_frontend_path }};
# compression settings
{% if funkwhale_nginx_use_compression -%}
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
......@@ -66,6 +60,9 @@ server {
text/vtt
text/x-component
text/x-cross-domain-policy;
{% else -%}
gzip off;
{% endif %}
# end of compression settings
location / {
......@@ -118,7 +115,7 @@ server {
internal;
alias {{ funkwhale_media_path }};
}
{% endif -%}
{% endif %}
location /_protected/music {
# this is an internal location that is used to serve
......@@ -133,11 +130,11 @@ server {
# django static files
alias {{ funkwhale_static_path }}/;
}
{% if funkwhale_disable_django_admin -%}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ {
# disable access to API admin dashboard
return 403;
}
{% endif -%}
{% endif -%}
}
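Review bot: With `funkwhale_nginx_tls_termination` false the server block becomes a plain `listen 80` with no `Strict-Transport-Security` header (the `add_header` stays inside the TLS-only branch) and no 80→443 redirect, while `funkwhale_protocol` still defaults to `https`, so the HSTS policy and the HTTP→HTTPS redirect now silently depend on the upstream proxy doing them. Document that at the `listen` line, e.g. `# Plain HTTP when TLS is terminated upstream: the HTTPS redirect and HSTS header must be applied by the upstream proxy, and this listener should not be exposed directly.` The removed `map $http_upgrade $connection_upgrade` block was the conditional form of the websocket `Connection` header; any remaining `$connection_upgrade` reference in the proxy snippet would fail config validation once this hunk lands, so it is worth checking the rendered output with `nginx -t` on both settings of the variable.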