1.0 - Improved vhost creation and headers (#68)

Ton of changes. Mainly:
  - Improved vhost creation - vhosts are not created for https when no certificate present
  - Updated nextcloud template
  - Updated akkoma template
  - Improved header section for core and proxy templates

Co-authored-by: meaz <meaz@disroot.org>
Reviewed-on: #68
Reviewed-by: meaz <meaz@no-reply@disroot.org>
Co-authored-by: muppeth <muppeth@disroot.org>
Co-committed-by: muppeth <muppeth@disroot.org>

tasks/onion_vhost.yml

@@ -1,12 +1,12 @@
 ---
 
-- name: '[ONION] - register onion address'
+- name: '[ONION] - register onion address for {{ item.name }}'
   slurp:
     src: "/var/lib/tor/{{ item.name }}/hostname"
   register: "onion_address"
   when: item.state is defined and item.onion is defined and item.onion == 'true'
 
-- name: "[ONION] - Create vhosts"
+- name: "[ONION] - Create vhosts for {{ item.name }}"
   template:
     src: etc/nginx/sites-available/{{ item.template }}.j2
     dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}.onion"
@@ -14,7 +14,7 @@
       - reload nginx
   when: item.state is defined and item.onion is defined and item.onion == 'true'
 
-- name: "[ONION] - Delete vhosts"
+- name: "[ONION] - Delete vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}.onion"
     state: absent
@@ -23,7 +23,7 @@
   when: item.state is defined and item.state == 'delete' and item.onion is defined and item.onion == 'true'
 
 
-- name: "[ONION] - Enable vhosts"
+- name: "[ONION] - Enable vhosts for {{ item.name }}"
   file:
     src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}.onion"
     dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}.onion"
@@ -33,7 +33,7 @@
   when: item.state is defined and item.state == 'enable' and item.onion is defined and item.onion == 'true'
 
 
-- name: "[ONION] - Disable vhosts"
+- name: "[ONION] - Disable vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir}}/sites-enabled/{{ item.name }}.onion"
     state: absent

tasks/ssl.yml

@@ -22,7 +22,7 @@
   notify:
     - reload nginx
 
-- name: "[NGINX] - Create SSL keys subfolder"
+- name: "[NGINX] - Create SSL keys subfolder for {{ item.name }}"
   file:
     path: "{{ nginx_ssl_dir }}/{{ item.ssl_name }}"
     state: directory
@@ -31,7 +31,7 @@
   when: item.copy_ssl is defined
   notify: reload nginx
 
-- name: "[NGINX] - Deploy SSL keys"
+- name: "[NGINX] - Deploy SSL keys for {{ item.name }}"
   copy:
     src: "{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem"
     dest: "{{ nginx_ssl_dir}}/{{ item.ssl_name }}/privkey.pem"
@@ -40,7 +40,7 @@
   when: item.copy_ssl is defined
   notify: reload nginx
 
-- name: "[NGINX] - Deploy SSL certs"
+- name: "[NGINX] - Deploy SSL certs for {{ item.name }}"
   copy:
     src: "{{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem"
     dest: "{{ nginx_ssl_dir}}/{{ item.ssl_name }}/fullchain.pem"
@@ -70,7 +70,7 @@
   with_items: "{{ nginx_vhosts }}"
   when: item.selfsigned is defined and item.selfsigned == 'true' and ansible_python.executable == '/usr/bin/python3'
 
-- name: "[SELFSIGNED] - Create Key folder"
+- name: "[SELFSIGNED] - Create Key folder for {{ item.name }}"
   file:
     path: "{{ nginx_ssl_dir }}/{{ item.ssl_name }}"
     state: directory
@@ -79,7 +79,7 @@
   when: item.selfsigned is defined and item.selfsigned == 'true'
   notify: reload nginx
 
-- name: '[SELFSIGNED] - Create a self-signed key'
+- name: '[SELFSIGNED] - Create a self-signed key for {{ item.name }}'
   openssl_privatekey:
     path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
     size: 2048
@@ -88,7 +88,7 @@
   when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
   notify: reload nginx
 
-- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
+- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for {{ item.name }}'
   openssl_csr:
     path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
     privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
@@ -96,7 +96,7 @@
   when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
   notify: reload nginx
 
-- name: '[SELFSIGNED] - Create a self-signed certificate'
+- name: '[SELFSIGNED] - Create a self-signed certificate for {{ item.name }}'
   openssl_certificate:
     path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/fullchain.pem'
     privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'

tasks/vhost.yml

@@ -1,46 +1,92 @@
 ---
-- name: '[ONION] - register onion address'
+- name: '[ONION] - register onion address for {{ item.name }}'
   slurp:
     src: "/var/lib/tor/{{ item.name }}/hostname"
   register: "onion_address"
-  when:  item.onion is defined and item.onion == 'true'
+  when:  
+    - item.onion is defined 
+    - item.onion == 'true'
 
 - name: "[NGINX] - Set fact"
   set_fact:
     enable_tor: 'false'
+    
+- name: "[NGINX] - Check if the certificate for the vhost exists for {{ item.name }}"
+  stat:
+    path: '{{ nginx_ssl_dir }}/{{ item.ssl_name }}/privkey.pem'
+  register: cert_exists
+  when:
+    - item.ssl_name is defined
 
-- name: "[NGINX] - Create vhosts"
+- name: "[NGINX] - Create HTTPS vhosts for {{ item.name }}"
   template:
     src: etc/nginx/sites-available/{{ item.template }}.j2
     dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
   notify:
       - reload nginx
-  when: item.state is defined and item.state != 'delete'
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists 
+    - item.state is defined 
+    - item.state != 'delete'
 
-- name: "[NGINX] - Delete vhosts"
+- name: "[NGINX] - Create HTTP vhosts for {{ item.name }}"
+  template:
+    src: etc/nginx/sites-available/{{ item.template }}.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined 
+    - item.state != 'delete'
+
+- name: "[NGINX] - Delete vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
     state: absent
   notify:
       - reload nginx
-  when: item.state is defined and item.state == 'delete'
+  when: 
+    - item.state is defined
+    - item.state == 'delete'
 
-- name: "[NGINX] - Enable vhosts"
+- name: "[NGINX] - Enable HTTPS vhosts for {{ item.name }}"
   file:
     src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
     dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
     state: link
   notify:
       - reload nginx
-  when: item.state is defined and item.state == 'enable'
+  when:
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state == 'enable'
 
-- name: "[NGINX] - Disable vhosts"
+- name: "[NGINX] - Enable HTTP vhosts for {{ item.name }}"
+  file:
+    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
+    state: link
+  notify:
+      - reload nginx
+  when:
+    - item.ssl_name is not defined 
+    - item.state is defined
+    - item.state == 'enable'
+
+- name: "[NGINX] - Disable vhosts for {{ item.name }}"
   file:
     path: "{{ nginx_etc_dir}}/sites-enabled/{{ item.name }}"
     state: absent
   notify:
       - reload nginx
-  when: item.state is defined and (item.state == 'disable' or item.state == 'delete')
+  when: 
+    - item.state is defined
+    - item.state == 'disable' or item.state == 'delete'
 
 - name: "[NGINX] - Delete default vhost when explicitely defined"
   file:
@@ -50,10 +96,30 @@
     - reload nginx
   when: nginx_default_vhost is not none
 
-- name: "[NGINX] - Create maintenance vhosts"
+- name: "[NGINX] - Create HTTPS maintenance vhosts for {{ item.name }}"
   template:
     src: etc/nginx/sites-available/maintenance.j2
     dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
   notify:
       - reload nginx
-  when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true') 
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 
+
+- name: "[NGINX] - Create HTTP maintenance vhosts for {{ item.name }}"
+  template:
+    src: etc/nginx/sites-available/maintenance.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 

templates/etc/nginx/sites-available/core.j2

@@ -94,10 +94,10 @@ server {
 {% else %}
   add_header X-Robots-Tag "{{ item.header_robots | default('none') }}";
 {% endif %}
-{% endif %}
 {% if item.header_frame_ancestors is defined and item.header_frame_ancestors == 'true' %}
   add_header Content-Security-Policy "frame-ancestors 'self';";
 {% endif %}
+{% endif %}
 {% endblock %}
 
 {% block location %}

templates/etc/nginx/sites-available/cryptpad.j2

@@ -5,6 +5,10 @@
 {% extends "core.j2" %}
 
 {% block app_specific %}
+
+    # Include mime.types to be able to support .mjs files (see "types" below)
+    include mime.types;
+
     # CryptPad serves static assets over these two domains.
     # `main_domain` is what users will enter in their address bar.
     # Privileged computation such as key management is handled in this scope
@@ -113,11 +117,6 @@
     # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
     if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
 
-    # draw.io uses inline script tags in it's index.html. The hashes are added here.
-    if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index.html.*$) {
-        set $scriptSrc "'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: https://${main_domain}";
-    }
-
     # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
     if ($unsafe) {
         set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
@@ -126,6 +125,11 @@
     # Finally, set all the rules you composed above.
     add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
 
+    # Add support for .mjs files used by pdfjs
+    types {
+        application/javascript mjs;
+    }
+
 {% endblock %}
 
 {% block root %}

templates/etc/nginx/sites-available/nextcloud.j2

@@ -2,131 +2,127 @@
 
 {% block extra_upstreams %}
 upstream php-handler {
-  server {{ item.fastcgi_pass }};
+  server {{ item.php_handler }};
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+  "" "";
+  default ", immutable";
 }
 {% endblock %}
 
 {% block root %}
   root {{ nginx_www_dir }}{{ item.root }};
-  index {{ item.index | default('index.html index.htm') }};
 
-  error_page 403 /core/templates/403.php;
-  error_page 404 /core/templates/404.php;
 {% endblock %}
 
 {% block headers %}
-
-## HEADERS 
-  add_header Permissions-Policy "geolocation=(),interest-cohort=()";
-  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-  add_header Referrer-Policy                      "no-referrer"   always;
-  add_header X-Content-Type-Options               "nosniff"       always;
-  add_header X-Download-Options                   "noopen"        always;
-  add_header X-Frame-Options                      "SAMEORIGIN"    always;
-  add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-  add_header X-Robots-Tag                         "none"          always;
-  add_header X-XSS-Protection                     "1; mode=block" always;
-
-  # Remove X-Powered-By, which is an information leak
-  fastcgi_hide_header X-Powered-By;
+  # HTTP response headers borrowed from Nextcloud `.htaccess`
+  add_header Referrer-Policy                   "no-referrer"       always;
+  add_header X-Content-Type-Options            "nosniff"           always;
+  add_header X-Frame-Options                   "SAMEORIGIN"        always;
+  add_header X-Permitted-Cross-Domain-Policies "none"              always;
+  add_header X-Robots-Tag                      "noindex, nofollow" always;
+  add_header X-XSS-Protection                  "1; mode=block"     always;
 {% endblock %}
 
 {% block location %}
-  # Path to the root of your installation
+  # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+  location = / {
+    if ( $http_user_agent ~ ^DavClnt ) {
+      return 302 /remote.php/webdav/$is_args$args;
+    }
+  }
+
   location = /robots.txt {
-  {% if item.robot_txt is defined %}  
     allow all;
     log_not_found off;
     access_log off;
-  {% else %}
-    deny all;
-    log_not_found off;
-    access_log off;
-  {% endif %}
-  }
-{% for app in nc_apps %}
-{% if app.name == 'user_webfinger' and app.state == 'enabled' %}
-  # The following 2 rules are only needed for the user_webfinger app.
-  rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-  rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-{% endif %}
-{% if app.name == 'social' and app.state == 'enabled'%}
-  # The following rule is only needed for the Social app.
-  rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
-{% endif %}
-{% endfor %}
-
-  location = /.well-known/carddav {
-    return 301 $scheme://$host:$server_port/remote.php/dav;
-  }
-  location = /.well-known/caldav {
-    return 301 $scheme://$host:$server_port/remote.php/dav;
   }
 
-  location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-    deny all;
-  }
-  location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-    deny all;
+  # Make a regex exception for `/.well-known` so that clients can still
+  # access it despite the existence of the regex rule
+  # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+  # for `/.well-known`.
+  location ^~ /.well-known {
+    # The rules in this block are an adaptation of the rules
+    # in `.htaccess` that concern `/.well-known`.
+    location = /.well-known/carddav { return 301 /remote.php/dav/; }
+    location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+    # Let Nextcloud's API for `/.well-known` URIs handle all other
+    # requests by passing them to the front-end controller.
+    return 301 /index.php$request_uri;
   }
 
-  location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
-    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+  # Rules borrowed from `.htaccess` to hide certain paths from clients
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+  # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+  # which handle static assets (as seen below). If this block is not declared first,
+  # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+  # to the URI, resulting in a HTTP 500 error response.
+  location ~ \.php(?:$|/) {
+    # Required for legacy support
+    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    set $path_info $fastcgi_path_info;
+
     try_files $fastcgi_script_name =404;
+
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param PATH_INFO $path_info;
     fastcgi_param HTTPS on;
-    # Avoid sending the security headers twice
-    fastcgi_param modHeadersAvailable true;
-    # Enable pretty urls
-    fastcgi_param front_controller_active true;
+
+    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+    fastcgi_param front_controller_active true;     # Enable pretty urls
     fastcgi_pass php-handler;
+
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
+    fastcgi_max_temp_file_size 0;
   }
 
-  location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
-    try_files $uri/ =404;
-    index index.php;
-  }
-
-  # Adding the cache control header for js, css and map files
-  # Make sure it is BELOW the PHP block
-  location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+  # Serve static files
+  location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
     try_files $uri /index.php$request_uri;
-    add_header Cache-Control "public, max-age=15778463";
-    # Add headers to serve security related headers (It is intended to
-    # have those duplicated to the ones above)
-    # Before enabling Strict-Transport-Security headers please read into
-    # this topic first.
-    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-    #
-    # WARNING: Only add the preload option once you read about
-    # the consequences in https://hstspreload.org/. This option
-    # will add the domain to a hardcoded list that is shipped
-    # in all major browsers and getting removed from this list
-    # could take several months.
-    add_header Referrer-Policy "no-referrer" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Download-Options "noopen" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Permitted-Cross-Domain-Policies "none" always;
-    add_header X-Robots-Tag "none" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-
-    # Optional: Don't log access to assets
-    access_log off;
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+    access_log off;     # Optional: Don't log access to assets
   }
 
-  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+  location ~ \.woff2?$ {
     try_files $uri /index.php$request_uri;
-    # Optional: Don't log access to other assets
-    access_log off;
+    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+    access_log off;     # Optional: Don't log access to assets
+  }
+
+  # Rule borrowed from `.htaccess`
+  location /remote {
+    return 301 /remote.php$request_uri;
+  }
+
+  location / {
+    try_files $uri $uri/ /index.php$request_uri;
   }
 {% endblock %}
 
 {% block app_specific %}
+  # set max upload size and increase upload timeout:
+  client_body_timeout 300s;
   fastcgi_buffers 64 4K;
 
   # Enable gzip but do not remove ETag headers
@@ -135,6 +131,40 @@ upstream php-handler {
   gzip_comp_level 4;
   gzip_min_length 256;
   gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+  # Pagespeed is not supported by Nextcloud, so if your server is built
+  # with the `ngx_pagespeed` module, uncomment this line to disable it.
+  #pagespeed off;
+
+  # The settings allows you to optimize the HTTP2 bandwidth.
+  # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+  # for tuning hints
+  client_body_buffer_size 512k;
+
+  # Remove X-Powered-By, which is an information leak
+  fastcgi_hide_header X-Powered-By;
+
+  # Set .mjs and .wasm MIME types
+  # Either include it in the default mime.types list
+  # and include that list explicitly or add the file extension
+  # only for Nextcloud like below:
+  include mime.types;
+  types {
+    text/javascript js mjs;
+    application/wasm wasm;
+  }
+
+  # Specify how to handle directories -- specifying `/index.php$request_uri`
+  # here as the fallback means that Nginx always exhibits the desired behaviour
+  # when a client requests a path that corresponds to a directory that exists
+  # on the server. In particular, if that directory contains an index.php file,
+  # that file is correctly served; if it doesn't, then the request is passed to
+  # the front-end controller. This consistent behaviour means that we don't need
+  # to specify custom rules for certain paths (e.g. images and other assets,
+  # `/updater`, `/ocs-provider`), and thus
+  # `try_files $uri $uri/ /index.php$request_uri`
+  # always provides the desired behaviour.
+  index index.php index.html /index.php$request_uri;
 
 {% endblock %}

templates/etc/nginx/sites-available/pleroma.j2

@@ -2,24 +2,28 @@
 
 {% block extra_upstreams %}
 
+{% if item.mainsite is defined and item.mainsite == 'true' %}
 proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
 
 upstream phoenix {
   server {{ item.upstream_name }}:4000 max_fails=5 fail_timeout=60s;
 }
+{% endif %}
 {% endblock %}
 
 {% block location %}
 
+{% if item.mainsite is defined and item.mainsite == 'true' %}
   location / {
     proxy_pass http://phoenix;
 {% if item.mangane is defined and item.mangane == 'true' %}
     proxy_hide_header Content-Security-Policy;
     add_header Content-Security-Policy "upgrade-insecure-requests;script-src 'self';connect-src 'self' blob:     https://{{ item.name }} wss://{{ item.name }};media-src 'self' https:;img-src 'self' data: blob: https:;default-   src 'none';base-uri 'self';frame-ancestors 'none';style-src 'self' 'unsafe-inline';font-src 'self';manifest-src  'self';" always;
 {% endif %}
-
   }
+{% endif %}
 
+{% if item.mediasite == 'true' %}
   location ~ ^/(media|proxy) {
     proxy_cache        pleroma_media_cache;
     slice              1m;
@@ -32,7 +36,12 @@ upstream phoenix {
     chunked_transfer_encoding on;
     proxy_pass         http://phoenix;
   }
-
+{% endif %}
+{% if item.mediasite is defined and item.mediasite == 'false' %}
+  location ~ ^/(media) {
+    rewrite ^/(.*)$ https://{{ item.mediasiteurl }}$1 permanent;
+  }
+{% endif %}
 {% endblock %}
 {% block app_specific %}
 

templates/etc/nginx/sites-available/proxy.j2

@@ -9,11 +9,17 @@
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_redirect off;
 {% if item.secure_cookie is defined %}
     proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 {% endif %}
+{% if item.location_extra_options is defined %}
+{% for option in item.location_extra_options %}
+    {{ option }}
+{% endfor %}
+{% endif %}
 {% if item.root_custom_headers is defined %}
     #headers
 {% if header.permission_policy is defined and header.permission_policy == 'none' %}