infra/roles/firefly/templates/01-firefly.conf.j2

{% if firefly_nginx|default(false) == true %}

server {
  listen 443 ssl http2;
  #listen   [::]:443 ssl; # listen for ipv6
  {% if inventory_hostname in wg_clients -%}
  listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
  {% endif -%}

  include /etc/nginx/authelia_internal.conf;
  include /etc/nginx/listen-proxy-protocol.conf;
  server_name {{ firefly_url }};

  # doesnt seem to work for some reason
  sub_filter 'http://' 'https://';
  sub_filter '/js/app.js?' '/js/app.js?id=$request_id&';
  sub_filter_once off;
  sub_filter_types '*';

  location / {

    include /etc/nginx/require_auth.conf;
    include /etc/nginx/require_auth_proxy.conf;

    proxy_pass         http://127.0.0.1:{{ firefly_port }};

    #proxy_redirect     off;
    proxy_set_header   Host $host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host $server_name;
    proxy_set_header   X-Forwarded-Proto "https";

    proxy_set_header FIREFLY_EMAIL $authelia_email;

    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade $http_upgrade;

    #add_header email "$authelia_email" always;
    # https://github.com/firefly-iii/firefly-iii/issues/1739
    proxy_http_version 1.1;
    proxy_buffering off;

    # Mitigate httpoxy attack (see README for details)
    proxy_set_header Proxy "";
  }

  access_log /var/log/nginx/access_{{ firefly_url }}.log main;
  error_log /var/log/nginx/error_{{ firefly_url }}.log warn;

  ssl_session_timeout 5m;

  ssl_certificate /usr/local/etc/certs/{{ firefly_url }}/fullchain.pem;
  ssl_certificate_key /usr/local/etc/certs/{{ firefly_url }}/privkey.pem;

  #add_header Referrer-Policy "no-referrer" always;
  #add_header X-Download-Options "noopen" always;
  #add_header X-Robots-Tag "none" always;
  #add_header Content-Security-Policy "frame-ancestors 'self' https://*.{{ domain }};" always;


  #fastcgi_hide_header X-Powered-By;
}

{% endif %}