@AnrDaemon
Last active June 17, 2022 08:46
nginx reverse proxy for own/nextcloud
# Plain-HTTP listener: serves no content, only redirects every request to HTTPS.
server {
    listen 80;
    server_name cloud.rootdir.org cloud.darkdragon.lan;

    # Errors go to syslog; requests on this listener are not logged.
    error_log syslog error;
    access_log off;

    # The redirect target reuses the request's host name ($host), so a request
    # for cloud.darkdragon.lan is sent to https://cloud.darkdragon.lan.
    # NOTE(review): the HTTPS server in this listing names only
    # cloud.rootdir.org and loads a certificate file named for it - confirm
    # the .lan name is meant to be redirected there.
    # NOTE(review): if this block is also the default server for port 80,
    # $host is whatever the client sent; a fixed canonical name in the
    # redirect would avoid reflecting it - confirm against the full config.
    return 301 https://$host$request_uri;
}
# TLS front end for the Nextcloud instance: terminates HTTPS for
# cloud.rootdir.org and proxies every request to the backend.
server {
    listen 443 ssl http2;
    server_name cloud.rootdir.org;

    ssl_certificate     "/etc/ssl/cloud.rootdir.org.crt";
    ssl_certificate_key "/etc/ssl/private/cloud.rootdir.org.key";
    # NOTE(review): no ssl_protocols / ssl_ciphers are set in this block, so
    # they are inherited from an outer level or fall back to the nginx
    # defaults - verify the effective values.

    error_log syslog error;
    # With access logging off, the proxy keeps no per-request record; any
    # request history has to come from the backend's own logs.
    access_log off;

    # Local filter block.
    #include extras/access_local;

    location / {
        # Upload size limit and upstream read timeout for proxied requests.
        client_max_body_size 512M;
        proxy_read_timeout 60s;

        # The hop to the backend is plain HTTP, so traffic between this proxy
        # and cloud.darkdragon.lan is unencrypted on that network segment.
        proxy_pass http://cloud.darkdragon.lan/;
        include extras/proxy_pass;
        include extras/fix-http-destination;
    }
}
# Rewrites the Destination request header (used by WebDAV COPY and MOVE) so
# that an https target sent by the client becomes an http target before the
# request is passed on. Presumably this is the extras/fix-http-destination
# include - confirm.
#
# Start from the header exactly as the client sent it.
set $fixed_destination $http_destination;

# Case-insensitive match on a leading "https"; everything after it is kept.
# NOTE(review): the pattern accepts any value that begins with "https", not
# only "https://". The header is client-supplied and only the scheme prefix
# is changed here; validation of the target is left to the backend.
if ( $http_destination ~* "^https(.*)$" ) {
    set $fixed_destination "http$1";
}

proxy_set_header Destination $fixed_destination;
# $def_port: the ":port" suffix of the default port for the request scheme,
# or an empty string for any other scheme.
map $scheme $def_port {
    default "";
    http    ":80";
    https   ":443";
}
# $x_trusted is 1 when the connecting peer is on the trusted list, else 0.
# The lookup key is $realip_remote_addr (the peer address as seen before the
# realip module replaces $remote_addr), so a client-supplied X-Forwarded-For
# value cannot influence this decision.
# NOTE(review): the set_real_ip_from list in this listing also trusts
# 192.168.1.5, which is absent here - confirm the difference is deliberate.
geo $realip_remote_addr $x_trusted {
    default      0;
    127.0.0.0/8  1;
    192.168.1.6  1;
}
# $x_forwarded_proto: the scheme reported to the backend.
# Stage 1: an incoming X-Forwarded-Proto is used only when the peer is
# trusted ($x_trusted = 1); for any other peer the header is ignored and the
# scheme of this connection is used.
map $x_trusted $x_tmp_proto {
    default $scheme;
    1       $http_x_forwarded_proto;
}

# Stage 2: a trusted peer that sent no header leaves stage 1 empty; fall back
# to the scheme of this connection.
map $x_tmp_proto $x_forwarded_proto {
    default $x_tmp_proto;
    ""      $scheme;
}
# $x_forwarded_host: the host reported to the backend.
# Stage 1: an incoming X-Forwarded-Host is used only when the peer is trusted
# ($x_trusted = 1); for any other peer the header is ignored and
# "$host:$server_port" of this request is used.
map $x_trusted $x_tmp_host {
    default $host:$server_port;
    1       $http_x_forwarded_host;
}

# Stage 2: a trusted peer that sent no header leaves stage 1 empty; fall back
# to "$host:$server_port".
map $x_tmp_host $x_forwarded_host {
    default $x_tmp_host;
    ""      $host:$server_port;
}
# $x_forwarded_port: the port reported to the backend.
# Stage 1: an incoming X-Forwarded-Port is used only when the peer is trusted
# ($x_trusted = 1); for any other peer the header is ignored and the port
# that accepted this request is used.
map $x_trusted $x_tmp_port {
    default $server_port;
    1       $http_x_forwarded_port;
}

# Stage 2: a trusted peer that sent no header leaves stage 1 empty; fall back
# to the port that accepted this request.
map $x_tmp_port $x_forwarded_port {
    default $x_tmp_port;
    ""      $server_port;
}
# Shared proxy settings, presumably the extras/proxy_pass include - confirm.

# HTTP/1.1 to the backend; together with the empty Connection header set
# below, this lets upstream connections be kept alive.
proxy_http_version 1.1;

# $use_port is ":<port>" of the listening port, or empty when that port is
# the default one for the scheme ($def_port comes from a map on $scheme).
# The spaces inside the parentheses are kept exactly as the author wrote them.
set $use_port ":$server_port";
if ( "$use_port" = "$def_port" ) {
    set $use_port "";
}

# Rewrite Location/Refresh values in backend responses that point at the
# backend port so they use the client-facing scheme, host and port.
# NOTE(review): $host is taken from the request; if the enclosing server can
# be reached under host names it does not list (e.g. as a default server),
# that client-chosen name is reflected into the rewritten URL.
proxy_redirect default;
proxy_redirect "//$host:$proxy_port/"       "$scheme://$host$use_port/";
proxy_redirect "http://$host:$proxy_port/"  "$scheme://$host$use_port/";
proxy_redirect "https://$host:$proxy_port/" "$scheme://$host$use_port/";

# Origin information passed to the backend.
proxy_set_header Host              $host;
proxy_set_header Connection        "";
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the request carried, so client-supplied entries are forwarded as well. The
# backend should rely only on the entries added by proxies it trusts (for
# Nextcloud, presumably via its trusted_proxies setting - confirm).
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
# The three headers below carry the $x_forwarded_* values, which honour an
# incoming header only when the peer is on the trusted list.
proxy_set_header X-Forwarded-Host  $x_forwarded_host;
proxy_set_header X-Forwarded-Port  $x_forwarded_port;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
# realip settings: take the client address from X-Forwarded-For when the
# request arrives from one of the trusted addresses below.
real_ip_header X-Forwarded-For;

# With recursion on, the address chosen is the last one in the header that
# is not itself a trusted address, instead of simply the last entry.
real_ip_recursive on;

# Every address listed here can dictate the client address this server sees,
# so the list should hold only proxies under the same administrative control.
# NOTE(review): 192.168.1.5 is trusted here but is not in the geo block that
# sets $x_trusted - confirm the difference is deliberate.
set_real_ip_from 127.0.0.0/8;
set_real_ip_from 192.168.1.5;
set_real_ip_from 192.168.1.6;