antilopa
f7e825f45c
Part of a group of PR's rewriting and cleaning up Nginx headers. Co-authored-by: antilopa <antilopa@disroot.org> Co-authored-by: muppeth <muppeth@disroot.org> Co-authored-by: meaz <meaz@disroot.org> Reviewed-on: #17 Reviewed-by: muppeth <muppeth@no-reply@disroot.org> Reviewed-by: meaz <meaz@no-reply@disroot.org> Co-authored-by: antilopa <antilopa@no-reply@disroot.org> Co-committed-by: antilopa <antilopa@no-reply@disroot.org>
40 lines
1.3 KiB
Django/Jinja
40 lines
1.3 KiB
Django/Jinja
{% extends "core.j2" %}
|
|
|
|
{% block location %}
|
|
|
|
## LOCATIONS
|
|
location / {
|
|
proxy_pass {{ item.upstream_proto }}://{{ item.upstream_name }}:{{ item.upstream_port}};
|
|
# Add cache for static files
|
|
if ($request_uri ~* ^/(img|css|font|js)/) {
|
|
add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
|
|
add_header Cache-Control "public, max-age=315360000";
|
|
}
|
|
|
|
# HTTPS only header, improves security
|
|
add_header Strict-Transport-Security "max-age=15768000";
|
|
|
|
add_header Permissions-Policy "geolocation=(),interest-cohort=()";
|
|
add_header Referrer-Policy no-referrer;
|
|
{% if item.secure_cookie is defined %}
|
|
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
|
{% endif %}
|
|
|
|
# Really important! Lufi uses WebSocket, it won't work without this
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# If you want to log the remote port of the file senders, you'll need that
|
|
proxy_set_header X-Remote-Port $remote_port;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# We expect the downstream servers to redirect to the right hostname, so don't do any rewrites here.
|
|
proxy_redirect off;
|
|
}
|
|
{% endblock %}
|
|
|