From a666658e0b537ede4348c52fc7c4e77944d5900c Mon Sep 17 00:00:00 2001
From: Siarhei Siniak
Date: Wed, 3 Sep 2025 13:44:24 +0300
Subject: [PATCH] [+] update nginx config 1. allow http only for servers with a flag set; 1.1. by default revert to redirecting to https;
---
 Makefile | 25 +++++++++++++++++++++++++
 d1/nginx_config.py | 35 +++++++++++++++++++++++++++++------
 2 files changed, 54 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index 5cc8827..e34a7fb 100644
--- a/Makefile
+++ b/Makefile
@@ -135,3 +135,28 @@ mypy:
 . .venv/bin/activate && \
 mypy --strict --follow-imports silent \
 $(MYPY_SOURCES)
+
+COMPOSE ?= sudo docker-compose
+
+nginx_config_http:
+ $(COMPOSE) exec app \
+ python3 \
+ d1/nginx_config.py \
+ tmp/cache/forward.nginx.json \
+ /etc/nginx/nginx.conf
+
+nginx_config_https:
+ $(COMPOSE) exec ssl-app \
+ python3 \
+ d1/nginx_config.py ssl \
+ tmp/d1/ssl.nginx.json \
+ /etc/nginx/nginx.conf
+
+nginx_config: nginx_config_https nginx_config_http
+
+nginx_reload_common:
+ $(COMPOSE) exec $(NGINX_SERVICE) nginx -s reload
+
+nginx_reload:
+ make nginx_reload_common NGINX_SERVICE=ssl-app
+ make nginx_reload_common NGINX_SERVICE=app
diff --git a/d1/nginx_config.py b/d1/nginx_config.py
index f722554..3c44990 100644
--- a/d1/nginx_config.py
+++ b/d1/nginx_config.py
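Review bot: In the Makefile hunk, the `nginx_reload` recipe calls `make` by name, so flags such as `-n` and any command-line variable overrides are not reliably passed to the sub-make. The two recipe lines should read `$(MAKE) nginx_reload_common NGINX_SERVICE=ssl-app` and `$(MAKE) nginx_reload_common NGINX_SERVICE=app`. A one-line comment above `nginx_config_http` and `nginx_config_https`, such as `# regenerate /etc/nginx/nginx.conf inside the running container; run nginx_reload afterwards`, would also make clear that `nginx_config` alone does not apply the new configuration.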
@@ -348,10 +348,34 @@ server { ) for server in ssl_nginx['servers']: + location_proxy_app = r''' + location ^~ / { + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_redirect off; + proxy_buffering off; + proxy_http_version 1.1; + proxy_pass http://app:80; + } + ''' + + location_forward_ssl = r''' + location ~ { + #return 444; + return 301 https://$host$request_uri; + } + ''' + + if server.get('allow_http') in [True]: + http_location = location_proxy_app + else: + http_location = location_forward_ssl + servers.append( r''' - - server { set $t1 $remote_addr; if ($http_x_forwarded_for) @@ -368,10 +392,7 @@ server { try_files $uri =404; } - location ~ { - #return 444; - return 301 https://$host$request_uri; - } + {http_location} } server { @@ -411,6 +432,8 @@ server { '{domain_key}', server['domain_key'], ).replace( '{ssl_port}', '%d' % ssl_port, + ).replace( + '{http_location}', http_location ) )
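Review bot: In the first d1/nginx_config.py hunk (`@@ -348,10 +348,34 @@`), `server.get('allow_http') in [True]` compares by equality, so a JSON value of `1` or `1.0` also switches the server from the HTTPS redirect to the plaintext proxy. `if server.get('allow_http') is True:` accepts only an explicit `true`. Because this flag decides whether everything under `/` is served over plain HTTP, a comment above the check would help, for example `# opt-in per server: proxy / to app over plain HTTP instead of redirecting to HTTPS`. `location_proxy_app` and `location_forward_ssl` do not depend on `server` and could be defined once before the loop, whose body continues outside the hunk.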
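Review bot: In the second hunk (`@@ -368,10 +392,7 @@`), substituting `location ^~ / {` for the removed `location ~ {` changes location precedence, because a matching `^~` prefix stops nginx from evaluating regex locations, whereas the old catch-all was itself a regex tried in file order. If the preceding block ending in `try_files $uri =404;` is a regex location (its header is outside the hunk, so this is not confirmed), it would no longer be reached on servers with `allow_http` set. Writing `location / {` in `location_proxy_app` keeps regex locations ahead of the proxy fallback.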