Fix and improve nginx redirects, akkounts headers

2024-10-16 12:39:34 +02:00 · 2024-10-16 12:39:34 +02:00 · d1097c7688
commit d1097c7688
parent 7949fd067c
4 changed files with 14 additions and 16 deletions
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@ -14,6 +14,10 @@ server {
  listen [::]:443 ssl http2;
  server_name <%= @domain %>;

+  if ($host != $server_name) {
+    return 301 $scheme://$server_name$request_uri;
+  }
+
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

@ -39,6 +43,9 @@ server {

  location @proxy {
    proxy_set_header Host $http_host;
+    set $x_forwarded_host $http_x_forwarded_host;
+    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
+    proxy_set_header X-Forwarded-Host $x_forwarded_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;

-server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
-  listen [::]:80;
-  server_name <%= @server_name %>;
-  # Redirect to https
-  location / {
-    return 301 https://<%= @server_name %>$request_uri;
-  }
-}
-
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
@ -14,7 +14,5 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

-  location / {
-    return <%= @http_status || 301 %> <%= @target %>;
-  }
+  return <%= @http_status || 307 %> <%= @target %>;
 }
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@ -2,7 +2,7 @@

 server {
  server_name _;
-  listen 80 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;

  location / {
    return 301 https://<%= @domain %>;
@ -14,6 +14,10 @@ server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;

+  if ($host != $server_name) {
+    return 307 $scheme://$server_name;
+  }
+
  root /var/www/<%= @domain %>/public;

  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@ -22,14 +26,13 @@ server {
  gzip_static on;
  gzip_comp_level 5;

-  add_header 'Access-Control-Allow-Origin' '*';
-
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

 <% if @accounts_url %>
  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
    proxy_ssl_server_name on;
+    proxy_set_header X-Forwarded-Host $host;
    proxy_pass https://accounts.kosmos.org;
  }
 <% end %>