Update ingress.conf

2026-06-04 14:54:07 +02:00 · 2022-06-30 15:48:17 +02:00
parent 624b6b3ed4
commit f36063aab9
1 changed files with 56 additions and 26 deletions
--- a/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
+++ b/tandoor_recipes/rootfs/etc/nginx/servers/ingress.conf
@@ -5,34 +5,64 @@ server {
    client_max_body_size 0;
    location / {
-       proxy_pass http://127.0.0.1:8080;
+    # Security
-       proxy_buffering off;
+    ######################
-       proxy_read_timeout 30;
+    allow 172.30.32.2;
-       proxy_set_header Connection "Upgrade";
+    deny all;
-       proxy_set_header Upgrade $http_upgrade;
+    
-       proxy_set_header Host $http_host;                   # try $host instead if this doesn't work
+    # Base
-       proxy_set_header X-Forwarded-Proto $scheme;         # http or https
+    ######################
-        
+    #proxy_bind $server_addr;
-       # Allow ingress subpath
+    proxy_pass http://127.0.0.1:8080;
-       proxy_set_header X-Script-Name %%ingress_entry%%;
+    proxy_set_header Connection "Upgrade";
-       proxy_cookie_path / %%ingress_entry%%;
+    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
    proxy_read_timeout 30;
-       # Rewrite url
+    # Avoid mixed contents
-       sub_filter_once off;
+    ######################
-       sub_filter_types *;
+    if ($http_referer ~* "^(http[s]?)://([^:]+):(\d*)(/.*)$")
-       sub_filter "/static" "%%ingress_entry%%/static";
+    {
-       sub_filter "/media" "%%ingress_entry%%/media";
+      set $x_scheme $1;
-       sub_filter "/view" "%%ingress_entry%%/view";
+      set $x_host $2;
-       sub_filter "/search" "%%ingress_entry%%/search";
+      set $x_port ":$3";
-       sub_filter "/edit" "%%ingress_entry%%/edit";
+    }
-       sub_filter "/api" "%%ingress_entry%%/api";
+    if ($http_referer ~* "^(http[s]?)://([^:]+)(/.*)$")
-       sub_filter "%%ingress_entry%%/api/hassio" "/api/hassio";
+    {
      set $x_scheme $1;
      set $x_host $2;
      set $x_port "";
    }
    proxy_set_header X-Scheme $x_scheme;
    proxy_redirect http://$host/ $x_scheme://$x_host$x_port/;
    proxy_redirect $x_scheme://$host/ $x_scheme://$x_host$x_port/;
-       # Allow frames
+    # Allow subpath
-       proxy_hide_header "Content-Security-Policy";
+    ######################
-       add_header X-Frame-Options SAMEORIGIN;
+    proxy_set_header X-Script-Name %%ingress_entry%%;
-       add_header Access-Control-Allow-Origin *;
+    proxy_cookie_path / %%ingress_entry%%;
-       proxy_set_header Accept-Encoding "";
+
    # Allow iframe
    ######################
    proxy_hide_header "Content-Security-Policy";
    proxy_hide_header X-Frame-Options;
    add_header Access-Control-Allow-Origin *;
    proxy_set_header Accept-Encoding "";
    # Rewrite url
    ######################
    sub_filter_once off;
    sub_filter_types *;
    sub_filter "/static" "%%ingress_entry%%/static";
    sub_filter "/media" "%%ingress_entry%%/media";
    sub_filter "/view" "%%ingress_entry%%/view";
    sub_filter "/search" "%%ingress_entry%%/search";
    #sub_filter "/edit" "%%ingress_entry%%/edit";
    #sub_filter "/api" "%%ingress_entry%%/api";
    #sub_filter "%%ingress_entry%%/api/hassio" "/api/hassio";
    }
 }