From be641e3c9dd687b5d77f567c93ac3b34f028f371 Mon Sep 17 00:00:00 2001
From: Mark Ts
Date: Thu, 20 May 2021 14:08:57 +0300
Subject: [PATCH 1/5] removed deprecated 'ssl on' directive
---
 templates/reverseproxy_ssl.conf.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/templates/reverseproxy_ssl.conf.j2 b/templates/reverseproxy_ssl.conf.j2
index a8acce1..fb8f073 100644
--- a/templates/reverseproxy_ssl.conf.j2
+++ b/templates/reverseproxy_ssl.conf.j2
@@ -69,7 +69,6 @@ server {
 access_log /var/log/nginx/{{ item.key }}_access.log;
 error_log /var/log/nginx/{{ item.key }}_error.log error;
- ssl on;
 {% if not __skip_letsencrypt | default(false) and item.value.letsencrypt is defined and item.value.letsencrypt %}
 ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
From 5ad4856ef515f799bdbaf925b8b4689e4e30686d Mon Sep 17 00:00:00 2001
From: Mark Ts
Date: Tue, 13 Jul 2021 11:42:48 +0300
Subject: [PATCH 2/5] Added Access-Control-Allow-Origin
---
 defaults/main.yml | 1 +
 templates/reverseproxy.conf.j2 | 5 +++++
 templates/reverseproxy_ssl.conf.j2 | 6 ++++++
 3 files changed, 12 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index dc8e63a..aa3987e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,6 +14,7 @@ nginx_revproxy_sites: # List of sites to
 hsts_max_age: 63072000 # Set HSTS header with max-age defined
 letsencrypt: false # Set to True if you want use letsencrypt
 letsencrypt_email: "" # Set email for letencrypt cert
+ allow_cors: false # Set to True if you want to allow Cross-Origin requests
 nginx_revproxy_certbot_auto: false
diff --git a/templates/reverseproxy.conf.j2 b/templates/reverseproxy.conf.j2
index 3439de9..c6efaf3 100644
--- a/templates/reverseproxy.conf.j2
+++ b/templates/reverseproxy.conf.j2
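Review bot: The inline comment on the new `allow_cors` key in defaults/main.yml (patch 2/5) says only that it allows cross-origin requests, but the templates changed in the same patch implement it by copying the request's `Origin` header into `Access-Control-Allow-Origin`, so enabling it accepts every origin rather than a chosen one. The comment should say so, for example `# Set to True to echo the request Origin in Access-Control-Allow-Origin (any origin is accepted)`. The `nginx_revproxy_sites` entry this key belongs to starts above the hunk.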
@@ -27,6 +27,11 @@ server {
 listen [::]:{{ item.value.listen | default(80) }};
 server_name {{ item.value.domains | join(' ') }};
+{% if item.value.allow_cors is defined and item.value.allow_cors %}
+ add_header 'Access-Control-Allow-Origin' $http_origin;
+ add_header 'Access-Control-Max-Age' 1728000;
+{% endif %}
+
 location / {
 gzip off;
 client_max_body_size {{ item.value.client_max_body_size | default('50M') }};
diff --git a/templates/reverseproxy_ssl.conf.j2 b/templates/reverseproxy_ssl.conf.j2
index fb8f073..85d717f 100644
--- a/templates/reverseproxy_ssl.conf.j2
+++ b/templates/reverseproxy_ssl.conf.j2
@@ -66,6 +66,12 @@ server {
 add_header Strict-Transport-Security "max-age={{ item.value.hsts_max_age }}; includeSubDomains; preload" always;
 {% endif %}
+{% if item.value.allow_cors is defined and item.value.allow_cors %}
+ add_header 'Access-Control-Allow-Origin' $http_origin;
+ add_header 'Access-Control-Max-Age' 1728000;
+{% endif %}
+
+
 access_log /var/log/nginx/{{ item.key }}_access.log;
 error_log /var/log/nginx/{{ item.key }}_error.log error;
From 496c1c4c012c6489fbcc9b1ab715280c06b0ed8c Mon Sep 17 00:00:00 2001
From: Mark Ts
Date: Tue, 13 Jul 2021 14:06:44 +0300
Subject: [PATCH 3/5] Access-Control-Max-Age Chromium (prior to v76) caps at 10 minutes (600 seconds)
---
 templates/reverseproxy.conf.j2 | 2 +-
 templates/reverseproxy_ssl.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/reverseproxy.conf.j2 b/templates/reverseproxy.conf.j2
index c6efaf3..09e1444 100644
--- a/templates/reverseproxy.conf.j2
+++ b/templates/reverseproxy.conf.j2
@@ -29,7 +29,7 @@ server {
 {% if item.value.allow_cors is defined and item.value.allow_cors %}
 add_header 'Access-Control-Allow-Origin' $http_origin;
- add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Access-Control-Max-Age' 600;
 {% endif %}
 location / {
diff --git a/templates/reverseproxy_ssl.conf.j2 b/templates/reverseproxy_ssl.conf.j2
index 85d717f..323dea7 100644
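Review bot: `add_header 'Access-Control-Allow-Origin' $http_origin;` in the reverseproxy.conf.j2 hunk of patch 2/5 echoes whatever Origin the client sends, which amounts to a wildcard policy and, unlike `*`, stays valid for browsers if the upstream or a later change adds `Access-Control-Allow-Credentials: true`. Because the value now differs per request, the response also needs `add_header 'Vary' 'Origin';` so a shared cache does not hand one origin's header to another. Prefer emitting the header only when `$http_origin` matches a per-site list of permitted origins, for instance through an nginx `map` fed from a new list key under `nginx_revproxy_sites`. The same two lines are added to reverseproxy_ssl.conf.j2 in this patch, and the server block continues beyond both hunks.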
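Review bot: In the reverseproxy_ssl.conf.j2 hunk of patch 2/5 the two new CORS `add_header` lines omit the `always` parameter that the Strict-Transport-Security line just above them uses, so nginx leaves them off error responses such as 4xx and 5xx and a browser reports those as CORS failures rather than exposing the status to the calling page. If that is not intended, write `add_header 'Access-Control-Allow-Origin' $http_origin always;` (the reverseproxy.conf.j2 hunk has the same omission). nginx also inherits server-level `add_header` directives into a location only when that location declares none of its own; the location blocks lie outside this hunk, so confirm none of them sets a header.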
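Review bot: The reason for `600` in `add_header 'Access-Control-Max-Age' 600;` (patch 3/5, reverseproxy.conf.j2) is recorded only in the commit subject, so the template gives no hint why the value was lowered; a comment above the line such as `# Chromium before v76 caps Access-Control-Max-Age at 600 seconds` would keep it from being raised again. Browsers read this header only on preflight (OPTIONS) responses, and nothing visible in the hunk answers preflights or sends `Access-Control-Allow-Methods` or `Access-Control-Allow-Headers`, so whether the value has any effect appears to depend on the upstream and is worth confirming. The same change is made in reverseproxy_ssl.conf.j2.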
--- a/templates/reverseproxy_ssl.conf.j2
+++ b/templates/reverseproxy_ssl.conf.j2
@@ -68,7 +68,7 @@ server {
 {% if item.value.allow_cors is defined and item.value.allow_cors %}
 add_header 'Access-Control-Allow-Origin' $http_origin;
- add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Access-Control-Max-Age' 600;
 {% endif %}
From d74ed8779e586cc78bf77071a552910ef043e520 Mon Sep 17 00:00:00 2001
From: Mark Ts
Date: Tue, 13 Jul 2021 14:08:02 +0300
Subject: [PATCH 4/5] removed extra new line
---
 templates/reverseproxy_ssl.conf.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/templates/reverseproxy_ssl.conf.j2 b/templates/reverseproxy_ssl.conf.j2
index 323dea7..6b095c5 100644
--- a/templates/reverseproxy_ssl.conf.j2
+++ b/templates/reverseproxy_ssl.conf.j2
@@ -71,7 +71,6 @@ server {
 add_header 'Access-Control-Max-Age' 600;
 {% endif %}
-
 access_log /var/log/nginx/{{ item.key }}_access.log;
 error_log /var/log/nginx/{{ item.key }}_error.log error;
From 6ef5f36bd54c74330af0866a7968dae09c155628 Mon Sep 17 00:00:00 2001
From: Mark Ts
Date: Tue, 13 Jul 2021 15:49:56 +0300
Subject: [PATCH 5/5] added proxy_http_version 1.1; when doing upgrade
---
 templates/reverseproxy.conf.j2 | 1 +
 templates/reverseproxy_ssl.conf.j2 | 1 +
 2 files changed, 2 insertions(+)
diff --git a/templates/reverseproxy.conf.j2 b/templates/reverseproxy.conf.j2
index 3439de9..a9fe484 100644
--- a/templates/reverseproxy.conf.j2
+++ b/templates/reverseproxy.conf.j2
@@ -33,6 +33,7 @@ server {
 proxy_read_timeout {{ item.value.proxy_read_timeout | default('300') }};
 proxy_set_header Upgrade $http_upgrade;
 {% if item.value.conn_upgrade is not defined or item.value.conn_upgrade %}
+ proxy_http_version 1.1;
 proxy_set_header Connection "upgrade";
 {% endif %}
 proxy_set_header Host $http_host;
diff --git a/templates/reverseproxy_ssl.conf.j2 b/templates/reverseproxy_ssl.conf.j2
index fb8f073..09d80dd 100644
--- a/templates/reverseproxy_ssl.conf.j2
+++ b/templates/reverseproxy_ssl.conf.j2
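Review bot: `proxy_http_version 1.1;` is added inside the `conn_upgrade` conditional in the reverseproxy.conf.j2 hunk of patch 5/5, while `proxy_set_header Upgrade $http_upgrade;` sits above that conditional, so a site with `conn_upgrade: false` still forwards the client's Upgrade header but at nginx's default `proxy_http_version`, which has historically been 1.0. Either move the Upgrade header inside the same `{% if %}` or set the protocol version unconditionally. Separately, the hard-coded `proxy_set_header Connection "upgrade";` applies to every proxied request rather than only to WebSocket handshakes; deriving the value from `$http_upgrade` with a `map` (`upgrade` when set, `close` otherwise) is the form the nginx WebSocket proxying documentation uses. The hunk in reverseproxy_ssl.conf.j2 has the same layout, and the location block starts and ends outside both hunks.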
@@ -93,6 +93,7 @@ server {
 proxy_read_timeout {{ item.value.proxy_read_timeout | default('300') }};
 proxy_set_header Upgrade $http_upgrade;
 {% if item.value.conn_upgrade is not defined or item.value.conn_upgrade %}
+ proxy_http_version 1.1;
 proxy_set_header Connection "upgrade";
 {% endif %}
 proxy_set_header Host $http_host;