mirror of https://gerrit.hackerspace.pl/hscloud
hswaw/beyondspace: fix https redirect pollution for local non-https services
Change-Id: I86505b571695e1bbcfccf869817f627140d7b596 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1786 Reviewed-by: informatic <informatic@hackerspace.pl>changes/86/1786/3
parent
d0920a5a9a
commit
13e6052b93
|
@ -39,13 +39,19 @@ in with lib; {
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
|
services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
|
||||||
forceSSL = true;
|
# NOTE: we *can't* use forceSSL here for services that do not use HTTPS in
|
||||||
|
# local network setups, since this will pollute browser's redirect cache...
|
||||||
|
addSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
|
||||||
serverAliases = attrNames beyondspaceDomains;
|
serverAliases = attrNames beyondspaceDomains;
|
||||||
|
|
||||||
locations."/oauth2/" = {
|
locations."/oauth2/" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
if ($scheme != https) {
|
||||||
|
return 302 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
proxy_pass http://127.0.0.1:4180;
|
proxy_pass http://127.0.0.1:4180;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
@ -56,6 +62,10 @@ in with lib; {
|
||||||
|
|
||||||
locations."= /oauth2/auth" = {
|
locations."= /oauth2/auth" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
if ($scheme != https) {
|
||||||
|
return 302 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
proxy_pass http://127.0.0.1:4180;
|
proxy_pass http://127.0.0.1:4180;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
@ -69,6 +79,10 @@ in with lib; {
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
if ($scheme != https) {
|
||||||
|
return 302 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
auth_request /oauth2/auth;
|
auth_request /oauth2/auth;
|
||||||
error_page 401 = /oauth2/sign_in;
|
error_page 401 = /oauth2/sign_in;
|
||||||
|
|
||||||
|
|
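Review bot: The HTTP-to-HTTPS redirect is now copied by hand into three `extraConfig` strings (`/oauth2/`, `= /oauth2/auth` and `/`), so with `forceSSL` gone any location of this vhost that lacks the block is answered over plain HTTP. Locations outside these hunks are not visible here, so it is worth checking that none is left uncovered. Binding the snippet once, e.g. `httpsRedirect = ''if ($scheme != https) { return 302 https://$host$request_uri; }'';` in the `let` that the hunk header's `in with lib;` suggests, and writing `${httpsRedirect}` at the top of each `extraConfig`, would keep the copies in sync. The NOTE above `addSSL` explains why `forceSSL` was dropped but not why the status is 302. If the temporary status is the point of the change, a comment such as `# 302 on purpose: a permanent redirect would be cached by the browser` would keep it from being changed to 301 later.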