Merge branch 'develop' into openidc

2025-06-18 10:06:26 +00:00 · 2024-08-22 23:19:50 +01:00
parent a91dcb144d 63d06da8a8
commit 694d8a0f21
230 changed files with 8881 additions and 18148 deletions
--- a/backend/templates/_access.conf
+++ b/backend/templates/_access.conf
@ -0,0 +1,25 @@
+{% if access_list_id > 0 %}
+    {% if access_list.items.length > 0 %}
+    # Authorization
+    auth_basic            "Authorization required";
+    auth_basic_user_file  /data/access/{{ access_list_id }};
+
+    {% if access_list.pass_auth == 0 %}
+    proxy_set_header Authorization "";
+    {% endif %}
+
+    {% endif %}
+
+    # Access Rules: {{ access_list.clients | size }} total
+    {% for client in access_list.clients %}
+    {{client | nginxAccessRule}}
+    {% endfor %}
+    deny all;
+
+    # Access checks must...
+    {% if access_list.satisfy_any == 1 %}
+    satisfy any;
+    {% else %}
+    satisfy all;
+    {% endif %}
+{% endif %}
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@ -2,7 +2,7 @@
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
-  add_header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
+  add_header Strict-Transport-Security $hsts_header always;
 {% endif %}
 {% endif %}
 {% endif %}
--- a/backend/templates/_hsts_map.conf
+++ b/backend/templates/_hsts_map.conf
@ -0,0 +1,3 @@
+map $scheme $hsts_header {
+    https   "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload";
+}
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@ -5,9 +5,9 @@
  #listen [::]:80;
 {% endif %}
 {% if certificate -%}
-  listen 443 ssl{% if http2_support %} http2{% endif %};
+  listen 443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
 {% if ipv6 -%}
-  listen [::]:443 ssl{% if http2_support %} http2{% endif %};
+  listen [::]:443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
 {% else -%}
  #listen [::]:443;
 {% endif %}
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@ -1,36 +1,16 @@
  location {{ path }} {
-    set              $upstream {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
+    {{ advanced_config }}
+
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP		$remote_addr;
-    proxy_pass       $upstream;
-
-    {% if access_list_id > 0 %}
-    {% if access_list.items.length > 0 %}
-    # Authorization
-    auth_basic            "Authorization required";
-    auth_basic_user_file  /data/access/{{ access_list_id }};
- 
-    {{ access_list.passauth }}
-    {% endif %}
- 
-    # Access Rules
-    {% for client in access_list.clients %}
-    {{- client.rule -}};
-    {% endfor %}deny all;
- 
-    # Access checks must...
-    {% if access_list.satisfy %}
-    {{ access_list.satisfy }};
-    {% endif %}
- 
-    {% endif %}
+    proxy_pass       {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};

+    {% include "_access.conf" %}
    {% include "_assets.conf" %}
    {% include "_exploits.conf" %}
-
    {% include "_forced_ssl.conf" %}
    {% include "_hsts.conf" %}

@ -39,8 +19,5 @@
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    {% endif %}
-
-
-    {{ advanced_config }}
  }

--- a/backend/templates/dead_host.conf
+++ b/backend/templates/dead_host.conf
@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}

 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}
--- a/backend/templates/default.conf
+++ b/backend/templates/default.conf
@ -7,9 +7,9 @@
 server {
  listen 80 default;
 {% if ipv6 -%}
-  listen [::]:80;
+  listen [::]:80 default;
 {% else -%}
-  #listen [::]:80;
+  #listen [::]:80 default;
 {% endif %}
  server_name default-host.localhost;
  access_log /data/logs/default-host_access.log combined;
@ -24,6 +24,12 @@ server {
  }
 {% endif %}

+{%- if value == "444" %}
+  location / {
+    return 444;
+  }
+{% endif %}
+
 {%- if value == "redirect" %}
  location / {
    return 301 {{ meta.redirect }};
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}

 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
  set $forward_scheme {{ forward_scheme }};
  set $server         "{{ forward_host }}";
@ -52,6 +55,7 @@ proxy_http_version 1.1;
    {% endif %}

    {% include "_openid_connect.conf" %}
+    {% include "_access.conf" %}
    {% include "_hsts.conf" %}

    {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
--- a/backend/templates/redirection_host.conf
+++ b/backend/templates/redirection_host.conf
@ -1,6 +1,9 @@
 {% include "_header_comment.conf" %}

 {% if enabled %}
+
+{% include "_hsts_map.conf" %}
+
 server {
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}