Commit da016e43 authored by Jean's avatar Jean Committed by Agate

Nginx support for http local reverse proxy (i.e. TLS reverse higher up the chain)

parent 52311bfb
...@@ -26,20 +26,27 @@ funkwhale_database_port: 5432 ...@@ -26,20 +26,27 @@ funkwhale_database_port: 5432
#funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }} #funkwhale_database_url: postgresql://{{ funkwhale_database_user }}[:{{ funkwhale_database_password }}]@[{{ funkwhale_database_host_app }}]:{{ funkwhale_database_port | default(5432) }}/{{ funkwhale_database_name }}
funkwhale_nginx_managed: true funkwhale_nginx_managed: true
# If you have an hTTPS reverse proxy higher up, set this to true
funkwhale_nginx_tls_termination: true
funkwhale_nginx_max_body_size: 100M funkwhale_nginx_max_body_size: 100M
funkwhale_nginx_use_compression: true
funkwhale_ssl_cert_path:
funkwhale_ssl_key_path:
funkwhale_protocol: https
funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_redis_managed: true funkwhale_redis_managed: true
funkwhale_api_ip: 127.0.0.1 funkwhale_api_ip: 127.0.0.1
funkwhale_api_port: 5000 funkwhale_api_port: 5000
funkwhale_web_workers: 1 funkwhale_web_workers: 1
funkwhale_protocol: https
funkwhale_settings_module: config.settings.production funkwhale_settings_module: config.settings.production
funkwhale_env_vars: [] funkwhale_env_vars: []
funkwhale_systemd_managed: true funkwhale_systemd_managed: true
funkwhale_systemd_after: redis.service postgresql.service funkwhale_systemd_after: redis.service postgresql.service
funkwhale_systemd_service_name: funkwhale funkwhale_systemd_service_name: funkwhale
funkwhale_letsencrypt_certbot_flags:
funkwhale_letsencrypt_enabled: true
funkwhale_letsencrypt_skip_cert: false
funkwhale_ssl_cert_path: funkwhale_ssl_cert_path:
funkwhale_ssl_key_path: funkwhale_ssl_key_path:
funkwhale_custom_settings: funkwhale_custom_settings:
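Review bot: The comment above `funkwhale_nginx_tls_termination` contradicts what the templates in this commit do with the variable: the nginx template only listens on 443 with `ssl_certificate`, and the proxy snippet only sets `X-Forwarded-Proto`, when the flag is true, so an operator with an HTTPS proxy higher up must set it to `false`, not `true`. I would change the comment to `# Set to false when TLS is terminated by a reverse proxy higher up; this nginx then listens on plain HTTP only and leaves X-Forwarded-* to the front proxy`. The new `funkwhale_nginx_use_compression` default has no comment at all; one line naming what it toggles (`# gzip for text responses in the nginx vhost`) would help. The rendered view also shows `funkwhale_ssl_cert_path`/`funkwhale_ssl_key_path` both near the top and again further down; if both copies survive on the new side, that is a duplicate key in YAML that most parsers resolve silently as last-wins, so it is worth confirming only one pair remains.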
......
...@@ -2,12 +2,14 @@ ...@@ -2,12 +2,14 @@
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% if not funkwhale_nginx_tls_termination -%}
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port; proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off; proxy_redirect off;
{% endif -%}
# websocket support # websocket support
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection "upgrade";
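Review bot: `proxy_set_header Connection "upgrade";` now sends `Connection: upgrade` on every proxied request, including ones with no `Upgrade` header, which is exactly the case the `$connection_upgrade` map handled by emitting `close`; some upstreams reject or mishandle an `upgrade` token without a matching `Upgrade` header. I would keep `proxy_set_header Connection $connection_upgrade;` here and keep the corresponding `map` block in the vhost template that this commit removes. Separately, when `funkwhale_nginx_tls_termination` is false, `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` are no longer set by this nginx and whatever the front proxy (or, if it does not overwrite them, the client) sent is forwarded unchanged; a comment above the `{% if not funkwhale_nginx_tls_termination -%}` line should state that the upstream proxy must set and overwrite these headers, since the application trusts them for scheme detection. Note also that `proxy_redirect off;` moved inside the conditional, so the non-terminating path now gets nginx's default `proxy_redirect` rewriting, which may or may not be intended.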
# {{ ansible_managed }} # {{ ansible_managed }}
{% if funkwhale_protocol == 'https' -%} {% if funkwhale_nginx_tls_termination -%}
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
...@@ -8,17 +8,11 @@ server { ...@@ -8,17 +8,11 @@ server {
} }
{% endif -%} {% endif -%}
# required for websocket support
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server { server {
listen {% if funkwhale_protocol == 'https' %}443 ssl http2{% else %}80{% endif %}; listen {% if funkwhale_nginx_tls_termination %}443 ssl http2{% else %}80{% endif %};
listen [::]:{% if funkwhale_protocol == 'https' %}443 ssl http2{% else -%}80{% endif %}; listen [::]:{% if funkwhale_nginx_tls_termination %}443 ssl http2{% else -%}80{% endif %};
server_name {{ funkwhale_hostname }}; server_name {{ funkwhale_hostname }};
{% if funkwhale_protocol == 'https' -%} {% if funkwhale_nginx_tls_termination -%}
{% if funkwhale_ssl_key_path -%} {% if funkwhale_ssl_key_path -%}
ssl_certificate {{ funkwhale_ssl_cert_path }}; ssl_certificate {{ funkwhale_ssl_cert_path }};
ssl_certificate_key {{ funkwhale_ssl_key_path }}; ssl_certificate_key {{ funkwhale_ssl_key_path }};
...@@ -36,12 +30,12 @@ server { ...@@ -36,12 +30,12 @@ server {
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; preload"; add_header Strict-Transport-Security "max-age=63072000; preload";
{% endif -%} {% endif %}
root {{ funkwhale_frontend_path }}; root {{ funkwhale_frontend_path }};
# compression settings # compression settings
{% if funkwhale_nginx_use_compression -%}
gzip on; gzip on;
gzip_comp_level 5; gzip_comp_level 5;
gzip_min_length 256; gzip_min_length 256;
...@@ -66,6 +60,9 @@ server { ...@@ -66,6 +60,9 @@ server {
text/vtt text/vtt
text/x-component text/x-component
text/x-cross-domain-policy; text/x-cross-domain-policy;
{% else -%}
gzip off;
{% endif %}
# end of compression settings # end of compression settings
location / { location / {
...@@ -118,7 +115,7 @@ server { ...@@ -118,7 +115,7 @@ server {
internal; internal;
alias {{ funkwhale_media_path }}; alias {{ funkwhale_media_path }};
} }
{% endif -%} {% endif %}
location /_protected/music { location /_protected/music {
# this is an internal location that is used to serve # this is an internal location that is used to serve
...@@ -133,11 +130,11 @@ server { ...@@ -133,11 +130,11 @@ server {
# django static files # django static files
alias {{ funkwhale_static_path }}/; alias {{ funkwhale_static_path }}/;
} }
{% if funkwhale_disable_django_admin -%}
{% if funkwhale_disable_django_admin -%}
location /api/admin/ { location /api/admin/ {
# disable access to API admin dashboard # disable access to API admin dashboard
return 403; return 403;
} }
{% endif -%} {% endif -%}
} }
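Review bot: The `add_header Strict-Transport-Security` line sits inside the `{% if funkwhale_nginx_tls_termination -%}` branch, so the new "TLS terminated higher up" mode emits no HSTS header from this host and nothing in the role tells the operator the front proxy has to add it. I would put a comment at that `{% if %}` line: `# TLS-only settings; when TLS is terminated upstream, HSTS and the ssl_* directives must be configured on the front proxy`. The `map $http_upgrade $connection_upgrade` block is dropped from this template in the `@@ -8,17 +8,11 @@` hunk because the proxy snippet switched to a constant `Connection "upgrade"`; if that snippet is reverted to the map-based value, this block has to stay. The `-%}` to `%}` changes on the `{% endif %}` lines only alter whitespace in the rendered config and look intentional, but the `{% if funkwhale_disable_django_admin -%}` line appearing twice at the end suggests an indentation-only change worth confirming in the rendered output.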