diff --git a/backend/templates/_location.conf b/backend/templates/_location.conf
index 302bb50d..5ff7f054 100644
--- a/backend/templates/_location.conf
+++ b/backend/templates/_location.conf
@@ -1,17 +1,17 @@
 location {{ path }} {
- proxy_set_header Accept-Encoding "";
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Scheme $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_http_version 1.1;
- proxy_pass {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
-
+ set $forward_path "{{ forward_path }}";
+
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
 {% endif %}
+ include conf.d/include/proxy-location.conf;
+ proxy_set_header X-Forwarded-Host $host{{ path }};
+ if ($forward_path = "") {
+ rewrite ^{{ path }}(/.*)$ $1 break;
+ }
+ proxy_pass {{ forward_scheme }}://{{ forward_host }}:{{ forward_port }}{{ forward_path }};
+
 {{ advanced_config }}
 }
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index ddb35630..de13e7c1 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -25,18 +25,18 @@ server {
 include conf.d/include/acme-challenge.conf;
 include conf.d/include/block-exploits.conf;
+ {% if access_list_id > 0 %}
+ {% if access_list.items.length > 0 %}
+ {{ access_list.passauth }}
+ {% endif %}
+ {% endif %}
+
 {{ advanced_config }}
 {% if use_default_location %}
 location / {
 include conf.d/include/acme-challenge.conf;
- {% if access_list_id > 0 %}
- {% if access_list.items.length > 0 %}
- {{ access_list.passauth }}
- {% endif %}
- {% endif %}
-
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
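Review bot: In backend/templates/_location.conf, `{{ path }}` is rendered unescaped into the regex on the new `rewrite ^{{ path }}(/.*)$ $1 break;` line and into the `X-Forwarded-Host` value. A location path that carries regex metacharacters or a location modifier (a `~` regex location, for instance) would make the rewrite pattern differ from what the location matched, or fail `nginx -t`; whether the backend restricts `path` to a plain prefix is not visible in this hunk. `X-Forwarded-Host` is normally a bare host name, so upstreams that validate it or build URLs from it may mishandle `$host{{ path }}`; consider `proxy_set_header X-Forwarded-Host $host;` with the prefix sent separately, e.g. `proxy_set_header X-Forwarded-Prefix {{ path }};`. The `if ($forward_path = "")` test compares a render-time constant on every request and could be a template conditional instead.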
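Review bot: In backend/templates/proxy_host.conf, moving `{{ access_list.passauth }}` from `location /` to server scope makes its effect depend on nginx inheritance rules, and what it renders to is not visible in this hunk. `proxy_set_header` and `allow`/`deny` lists are inherited by a location only when that location declares none of its own; the custom locations and the websocket branch of `location /` do declare `proxy_set_header`, so a header directive emitted here would silently stop applying there. If it renders authentication directives, they now also cover the server-level `include conf.d/include/acme-challenge.conf`, which is fine only if that include switches them off for the challenge path. I would add a comment above the block such as `# access-list output is server-scoped: locations that set their own proxy_set_header or allow/deny do not inherit it`, and confirm against a rendered config that every location still enforces the list. The server block starts and ends outside the hunk.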
@@ -44,6 +44,9 @@ server {
 # Proxy!
 include conf.d/include/proxy.conf;
+
+ # custom locations
+ {{ locations }}
 }
 {% endif %}
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf b/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf
new file mode 100644
index 00000000..94a39d65
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy-location.conf
@@ -0,0 +1,12 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Accept-Encoding "";
+proxy_set_header Host $host;
+
+proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+
+proxy_http_version 1.1;
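Review bot: In the second proxy_host.conf hunk, `{{ locations }}` is rendered inside `location / { … }` and inside `{% if use_default_location %}`, so as far as this hunk shows custom locations are emitted only when the default location is enabled, and then as nested locations. If a host with `use_default_location` false is expected to keep its custom locations, the placeholder needs to sit outside the conditional, for example directly after `{% endif %}`. The rest of the template lies outside the hunk, so another render site may exist. If the nesting is intentional, say so in the comment, e.g. `# custom locations (nested in / on purpose; only rendered with the default location)`.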
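Review bot: The new proxy-location.conf enables `TLSv1` and `TLSv1.1` towards upstreams, and its cipher list ends in `DES-CBC3-SHA` after a run of static-RSA CBC suites, all of which are deprecated. Unless a legacy backend needs them, `proxy_ssl_protocols TLSv1.2 TLSv1.3;` with the list cut down to the ECDHE/DHE AEAD suites is a safer default, and an exception can be left to `advanced_config`. The file does not set `proxy_ssl_verify`, which nginx leaves off by default, so protocol and cipher choice alone does not authenticate the upstream; whether verification is configured elsewhere is not visible here. `X-Forwarded-For` is built with `$proxy_add_x_forwarded_for`, which appends to a client-supplied value, so backends should trust only the entry added by this proxy.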