From d1097c76883de0755fbccada60578d04432fc27d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 16 Oct 2024 12:39:34 +0200
Subject: [PATCH] Fix and improve nginx redirects, akkounts headers
---
 .../kosmos-akkounts/templates/nginx_conf_akkounts.erb | 7 +++++++
 .../templates/nginx_conf_liquor-cabinet.erb | 10 ----------
 .../kosmos_website/templates/nginx_conf_redirect.erb | 4 +---
 .../kosmos_website/templates/nginx_conf_website.erb | 9 ++++++---
 4 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
index 36870a1..671c8f9 100644
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@@ -14,6 +14,10 @@ server {
 listen [::]:443 ssl http2;
 server_name <%= @domain %>;
+ if ($host != $server_name) {
+ return 301 $scheme://$server_name$request_uri;
+ }
+
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
@@ -39,6 +43,9 @@ server {
 location @proxy {
 proxy_set_header Host $http_host;
+ set $x_forwarded_host $http_x_forwarded_host;
+ if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
+ proxy_set_header X-Forwarded-Host $x_forwarded_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
diff --git a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
index fb4602e..48e6e96 100644
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
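Review bot: The host guard added to the 443 server block of nginx_conf_akkounts.erb (hunk -14,6 +14,10) answers with a 301, which browsers cache indefinitely, while the matching guard this commit adds to nginx_conf_website.erb uses 307; a wrongly rendered `<%= @domain %>` would therefore stick in clients here but not there. As far as the visible `listen … ssl` lines show, `$scheme` can only be `https` in this block, so the target reads more clearly as `return 307 https://$server_name$request_uri;`. The comparison also assumes `<%= @domain %>` renders to a single lower-case hostname, because `$host` is lower-cased by nginx and `$server_name` is the first name on the `server_name` line as written; a one-line comment above the `if` stating that would help. The server block starts and ends outside the hunk.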
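Review bot: In `location @proxy` of nginx_conf_akkounts.erb (hunk -39,6 +43,9) the new `$x_forwarded_host` is copied from the client's `X-Forwarded-Host` header whenever one is present, so any client that reaches this server block directly decides what the backend sees as the forwarded host. The Host guard added earlier in this file constrains `$host` but not this header, and if the application builds absolute URLs or redirects from it that is a host-header poisoning risk. Accept the incoming value only from the proxy that is expected to set it (this commit adds `proxy_set_header X-Forwarded-Host $host;` in nginx_conf_website.erb) and fall back to `$host` for everyone else; a `geo`/`map` pair at `http` level does this and also removes the `if` inside the location. The address in the sketch is a placeholder, and the location body continues outside the hunk.

```nginx
# http level, outside server {}; TRUSTED_PROXY_ADDR is a placeholder for the website proxy's address
geo $xfh_from_proxy {
    default             0;
    TRUSTED_PROXY_ADDR  1;
}

# Use the incoming header only when the peer is the trusted proxy and the header is non-empty
map "$xfh_from_proxy:$http_x_forwarded_host" $x_forwarded_host {
    default                 $host;
    ~^1:(?<forwarded>.+)$   $forwarded;
}

  location @proxy {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $x_forwarded_host;
    # … unchanged: X-Real-IP, X-Forwarded-For, X-Forwarded-Proto …
```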
@@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;
-server {
- listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
- listen [::]:80;
- server_name <%= @server_name %>;
- # Redirect to https
- location / {
- return 301 https://<%= @server_name %>$request_uri;
- }
-}
-
 server {
 listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
 listen [::]:443 ssl http2;
diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
index d657d62..4fe42cc 100644
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
@@ -14,7 +14,5 @@ server {
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
- location / {
- return <%= @http_status || 301 %> <%= @target %>;
- }
+ return <%= @http_status || 307 %> <%= @target %>;
 }
diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
index 47d8a24..2de554a 100644
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@@ -2,7 +2,7 @@ server {
 server_name _;
- listen 80 default_server;
+ listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;
 location / {
 return 301 https://<%= @domain %>;
@@ -14,6 +14,10 @@ server {
 listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
 listen [::]:443 ssl http2 default_server;
+ if ($host != $server_name) {
+ return 307 $scheme://$server_name;
+ }
+
 root /var/www/<%= @domain %>/public;
 access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
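Review bot: The default status in nginx_conf_redirect.erb changes from 301 to 307 for every caller that does not pass `@http_status`, and nothing in the template documents that a 307 makes clients repeat the original method and body against `<%= @target %>`. For a target on another host that means form posts, including any credentials in them, are replayed to that host rather than usually being turned into a GET. I would add a template comment above the directive, for example `# 307 keeps method and body; pass http_status (301/302) when the target must not receive replayed POST data`. The `return` now sits at server level, so it is evaluated before any `location` is matched; the server block starts outside the hunk.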
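Review bot: The port-80 `default_server` in nginx_conf_website.erb (hunk -2,7 +2,7) is now bound to `listen_ip` when that attribute is set, but the visible lines of this block contain no `listen [::]:80`, unlike the 443 block below, which listens on both address families. This commit also deletes the liquor-cabinet port-80 server, which did have `listen [::]:80;`, so plain-HTTP requests arriving over IPv6 may no longer receive the HTTPS redirect on hosts that relied on it. If no other template covers it, add `listen [::]:80 default_server;` next to the changed line. The block ends outside the hunk, so a listener declared there cannot be ruled out.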
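Review bot: The host guard added to the 443 `default_server` block of nginx_conf_website.erb (hunk -14,6 +14,10) redirects to `$scheme://$server_name` without `$request_uri`, so a request for any page on a non-canonical host lands on the front page, unlike the akkounts guard in this commit, which keeps the path. It also depends on a `server_name` directive that is not visible in the hunk; if the block had none, `$server_name` would be empty and every request would be redirected to a URL with no host. Rendering the domain the template already uses makes both explicit: `if ($host != "<%= @domain %>") { return 307 https://<%= @domain %>$request_uri; }`. The server block starts before the hunk, so `server_name` may well be set there.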
@@ -22,14 +26,13 @@ server {
 gzip_static on;
 gzip_comp_level 5;
- add_header 'Access-Control-Allow-Origin' '*';
-
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
 <% if @accounts_url %>
 location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
 proxy_ssl_server_name on;
+ proxy_set_header X-Forwarded-Host $host;
 proxy_pass https://accounts.kosmos.org;
 }
 <% end %>
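Review bot: The added `proxy_set_header X-Forwarded-Host $host;` in the `.well-known` location of nginx_conf_website.erb sends a value the accounts backend is meant to rely on, yet the visible lines enable only `proxy_ssl_server_name`; nginx does not verify the upstream certificate unless `proxy_ssl_verify on;` and a `proxy_ssl_trusted_certificate` bundle are configured. Unless that is set at `http` level outside this hunk, add both directives to this location so the forwarded request only ever goes to the genuine accounts host. Separately, the hunk removes `add_header 'Access-Control-Allow-Origin' '*';` from the whole server, which tightens the static site; it is worth confirming that the proxied webfinger/nostr/lnurlp responses still carry a CORS header from the upstream if browser clients need one. The server block starts outside the hunk.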