[+] update nginx config
1. allow http only for servers with a flag set; 1.1. by default revert to redirecting to https;
parent
7f2f0cbda3
commit
a666658e0b
25
Makefile
25
Makefile
@ -135,3 +135,28 @@ mypy:
|
|||||||
. .venv/bin/activate && \
|
. .venv/bin/activate && \
|
||||||
mypy --strict --follow-imports silent \
|
mypy --strict --follow-imports silent \
|
||||||
$(MYPY_SOURCES)
|
$(MYPY_SOURCES)
|
||||||
|
|
||||||
|
COMPOSE ?= sudo docker-compose
|
||||||
|
|
||||||
|
nginx_config_http:
|
||||||
|
$(COMPOSE) exec app \
|
||||||
|
python3 \
|
||||||
|
d1/nginx_config.py \
|
||||||
|
tmp/cache/forward.nginx.json \
|
||||||
|
/etc/nginx/nginx.conf
|
||||||
|
|
||||||
|
nginx_config_https:
|
||||||
|
$(COMPOSE) exec ssl-app \
|
||||||
|
python3 \
|
||||||
|
d1/nginx_config.py ssl \
|
||||||
|
tmp/d1/ssl.nginx.json \
|
||||||
|
/etc/nginx/nginx.conf
|
||||||
|
|
||||||
|
nginx_config: nginx_config_https nginx_config_http
|
||||||
|
|
||||||
|
nginx_reload_common:
|
||||||
|
$(COMPOSE) exec $(NGINX_SERVICE) nginx -s reload
|
||||||
|
|
||||||
|
nginx_reload:
|
||||||
|
make nginx_reload_common NGINX_SERVICE=ssl-app
|
||||||
|
make nginx_reload_common NGINX_SERVICE=app
|
||||||
|
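Review bot: Both recipe lines of `nginx_reload` call a literal `make`, so `-n` (dry run) and the `-j` jobserver are not handed down to the sub-make; they should read `$(MAKE) nginx_reload_common NGINX_SERVICE=ssl-app` and `$(MAKE) nginx_reload_common NGINX_SERVICE=app`. None of the five new targets names a file, and no `.PHONY` line for them appears in this hunk (the rest of the Makefile is not visible here), so a stray file called `nginx_config` or `nginx_reload` would silently turn the target into a no-op; `.PHONY: nginx_config_http nginx_config_https nginx_config nginx_reload_common nginx_reload` covers that. Since `nginx_config_*` overwrite `/etc/nginx/nginx.conf` inside the running containers, a `$(COMPOSE) exec $(NGINX_SERVICE) nginx -t` line ahead of the reload in `nginx_reload_common` would report a bad generated config as its own step.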
@ -348,10 +348,34 @@ server {
|
|||||||
)
|
)
|
||||||
|
|
||||||
for server in ssl_nginx['servers']:
|
for server in ssl_nginx['servers']:
|
||||||
|
location_proxy_app = r'''
|
||||||
|
location ^~ / {
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
proxy_redirect off;
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_pass http://app:80;
|
||||||
|
}
|
||||||
|
'''
|
||||||
|
|
||||||
|
location_forward_ssl = r'''
|
||||||
|
location ~ {
|
||||||
|
#return 444;
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
'''
|
||||||
|
|
||||||
|
if server.get('allow_http') in [True]:
|
||||||
|
http_location = location_proxy_app
|
||||||
|
else:
|
||||||
|
http_location = location_forward_ssl
|
||||||
|
|
||||||
servers.append(
|
servers.append(
|
||||||
r'''
|
r'''
|
||||||
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
set $t1 $remote_addr;
|
set $t1 $remote_addr;
|
||||||
if ($http_x_forwarded_for)
|
if ($http_x_forwarded_for)
|
||||||
@ -368,10 +392,7 @@ server {
|
|||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ {
|
{http_location}
|
||||||
#return 444;
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
@ -411,6 +432,8 @@ server {
|
|||||||
'{domain_key}', server['domain_key'],
|
'{domain_key}', server['domain_key'],
|
||||||
).replace(
|
).replace(
|
||||||
'{ssl_port}', '%d' % ssl_port,
|
'{ssl_port}', '%d' % ssl_port,
|
||||||
|
).replace(
|
||||||
|
'{http_location}', http_location
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
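Review bot: The opt-in test `if server.get('allow_http') in [True]:` is looser than it looks, because `in` compares with `==` and so a JSON value of `1` or `1.0` also enables the plain-HTTP proxy; `if server.get('allow_http') is True:` accepts only a real boolean and keeps the default on the HTTPS redirect. `location_proxy_app` and `location_forward_ssl` do not depend on `server` and are rebuilt on every loop iteration, so they can be defined once above the `for`; the loop body continues outside these hunks. A comment next to the flag check would help operators, along the lines of `# allow_http: the whole site is proxied to app:80 in cleartext on port 80, no redirect; enable only for hosts that carry no credentials or session cookies`. It is also worth confirming that the `$connection_upgrade` map used by the new location is defined in the generated `http` block, which is not visible here.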