From 624b6b3ed4feeee16242df282168d8c5e8932aeb Mon Sep 17 00:00:00 2001
From: Alexandre <44178713+alexbelgium@users.noreply.github.com>
Date: Thu, 30 Jun 2022 15:32:14 +0200
Subject: [PATCH] Update ingress.conf
---
.../rootfs/etc/nginx/servers/ingress.conf | 100 ++++++------------
1 file changed, 33 insertions(+), 67 deletions(-)
diff --git a/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf b/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
index 4c2d8a017..8e15351fd 100644
--- a/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
+++ b/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
@@ -1,72 +1,38 @@
-server
-{
- listen %%interface%%:%%port%% default_server;
- include /etc/nginx/includes/server_params.conf;
- include /etc/nginx/includes/proxy_params.conf;
- client_max_body_size 0;
- proxy_buffering off;
+server {
+ listen %%interface%%:%%port%% default_server;
+ include /etc/nginx/includes/server_params.conf;
+ include /etc/nginx/includes/proxy_params.conf;
+ client_max_body_size 0;
- location /
- {
- # Security
- ######################
- allow 172.30.32.2;
- deny all;
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_buffering off;
+ proxy_read_timeout 30;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $http_host; # try $host instead if this doesn't work
+ proxy_set_header X-Forwarded-Proto $scheme; # http or https
+
+ # Allow ingress subpath
+ proxy_set_header X-Script-Name %%ingress_entry%%;
+ proxy_cookie_path / %%ingress_entry%%;
- # Base
- ######################
- proxy_bind $server_addr;
- proxy_pass http://127.0.0.1:8080;
- proxy_set_header Connection "Upgrade";
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # Rewrite url
+ sub_filter_once off;
+ sub_filter_types *;
+ sub_filter "/static" "%%ingress_entry%%/static";
+ sub_filter "/media" "%%ingress_entry%%/media";
+ sub_filter "/view" "%%ingress_entry%%/view";
+ sub_filter "/search" "%%ingress_entry%%/search";
+ sub_filter "/edit" "%%ingress_entry%%/edit";
+ sub_filter "/api" "%%ingress_entry%%/api";
+ sub_filter "%%ingress_entry%%/api/hassio" "/api/hassio";
- # Allow subpath
- ######################
- proxy_set_header X-Script-Name %%ingress_entry%%/;
- proxy_cookie_path / %%ingress_entry%%/;
-
- # Allow iframe
- ######################
- proxy_hide_header X-Frame-Options;
- add_header Access-Control-Allow-Origin *;
- proxy_set_header Accept-Encoding "";
-
- # Avoid mixed contents
- ######################
- if ($http_referer ~* "^(http[s]?)://([^:]+):(\d*)(/.*)$")
- {
- set $x_scheme $1;
- set $x_host $2;
- set $x_port ":$3";
+ # Allow frames
+ proxy_hide_header "Content-Security-Policy";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header Access-Control-Allow-Origin *;
+ proxy_set_header Accept-Encoding "";
 }
- if ($http_referer ~* "^(http[s]?)://([^:]+)(/.*)$")
- {
- set $x_scheme $1;
- set $x_host $2;
- set $x_port "";
- }
- proxy_set_header X-Scheme $x_scheme;
- proxy_redirect http://$host/ $x_scheme://$x_host$x_port/;
- proxy_redirect $x_scheme://$host/ $x_scheme://$x_host$x_port/;
-
- # Rewrite url
- ######################
- sub_filter_once off;
- sub_filter_types *;
- sub_filter "%%ingress_entry%%//" "%%ingress_entry%%/";
- sub_filter "/static" "%%ingress_entry%%/static";
- sub_filter "/media" "%%ingress_entry%%/media";
- #sub_filter "/view" "%%ingress_entry%%/view";
- #sub_filter "/search" "%%ingress_entry%%/search";
- #sub_filter "/edit/" "%%ingress_entry%%/edit/";
-
- # Tests
- ######################
- #proxy_set_header X-Real-IP $remote_addr;
- #proxy_set_header X-Forwarded-Host $server_name;
- #proxy_set_header X-Forwarded-Proto $scheme;
- }
-
+ }
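Review bot: The rewritten `location /` block has no source restriction: the `allow 172.30.32.2;` / `deny all;` pair is dropped and nothing in the visible lines replaces it. Unless `server_params.conf` enforces it (not shown here), any client that can reach `%%interface%%:%%port%%` is proxied straight to `127.0.0.1:8080` without going through the ingress front end. I would keep `allow 172.30.32.2;` and `deny all;` as the first two directives of the location. In the "Allow frames" group, `proxy_hide_header "Content-Security-Policy";` discards whatever CSP the application sets while `add_header Access-Control-Allow-Origin *;` stays wildcard, so the response is left with weaker browser-side protection than the upstream intended. A comment such as `# CSP stripped so the UI renders inside the ingress iframe; CORS wildcard still needed? confirm` would record why. The upstream `X-Frame-Options` is also no longer hidden, so the added `add_header X-Frame-Options SAMEORIGIN;` may be sent alongside the application's own value.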