infra/roles/owntone/templates/01-owntone.conf.j2

# {{ ansible_managed }}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
   listen 80;

   return 301 https://$host$request_uri;
}

server {
    add_header Server "";
    add_header Connection "";

    listen 443 ssl;
    http2 off;

    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
    {% endif -%}
    {% if ansible_default_ipv4.address is defined -%}
    # OwnTone won't read AirPlay advertisements or advertise an IP and connect to AirPlay
    # unless it's allowed to bind to it for some reason
    #  See: https://github.com/owntone/owntone-server/issues/1546
    #listen {{ ansible_default_ipv4.address }}:{{ owntone_port_tcp }} ssl;
    {% endif %}

    include /etc/nginx/authelia_internal.conf;
    include /etc/nginx/sudo-known.conf;
    include /etc/nginx/sec.conf;

    server_name {{ owntone_url }};

    access_log /var/log/nginx/access_{{ owntone_url }}.log main;
    error_log /var/log/nginx/error_{{ owntone_url }}.log warn;

    ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem;

    # !
    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_prefer_server_ciphers off;

    {# location /client {
     #     alias /var/www/owntone/htdocs/;
     # }
     # location ~ "^/client/api/(.*)$" {
     #     return 307 '/api/$1';
    # } #}


    location /bonob {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        proxy_pass http://{{ bridgewithdns.bonob }}:{{ bonob_port }};
    }
    location /navidrome {
        # uses proxy auth
        include /etc/nginx/require_auth.conf;
        include /etc/nginx/require_auth_proxy.conf;


        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_buffering off;

        proxy_pass http://{{ bridgewithdns.navidrome }}:4533;
    }

    location {{ icecast_baseurl }}/ {
        # https://stackoverflow.com/a/52284451
        #rewrite  ~*(ogg) https://{{ owntone_url }}{{ icecast_baseurl }}/ogg last;
        #rewrite  ~*([0-1][0-5]\d) https://{{ owntone_url }}{{ icecast_baseurl }}/128 last;
        #rewrite  ~*(?|([1][6-9]\d)|([2]\d\d)) https://{{ owntone_url }}{{ icecast_baseurl }}/192 last;
        #rewrite  ~*([3-9]\d\d) https://{{ owntone_url }}{{ icecast_baseurl }}/320 break;
        #return  https://{{ owntone_url }}/320;

        location {{ icecast_baseurl }}/admin/ {
            include /etc/nginx/require_auth.conf;
            {% set basic_cleartext = icecast_auth.admin.user ~ ":" ~ icecast_auth.admin.passwd -%}
            proxy_set_header Authorization "Basic {{ basic_cleartext | b64encode }}";
            proxy_pass http://127.0.0.1:{{ icecast_port }}/admin/;
        }

        sub_filter_types text/xhtml text/xml text/css audio/x-mpegurl;
        sub_filter 'href="/'  'href="{{ icecast_baseurl }}/';
        sub_filter 'url(/'  'url({{ icecast_baseurl }}/';
        sub_filter 'http://127.0.0.1:{{ icecast_port }}/' 'https://{{ owntone_url }}{{ icecast_baseurl }}/';
        sub_filter 'http://{{ owntone_url }}:{{ icecast_port }}/' 'https://{{ owntone_url }}{{ icecast_baseurl }}/';
        sub_filter_once off;
        sub_filter_last_modified on;
        proxy_pass http://127.0.0.1:{{ icecast_port }}/;
    }
    # FIXM: the syream doesnt match this regex so this block isnt used
    location ~ ^{{ icecast_baseurl }}/(owntone|ogg|128|192|320)$ {
        rewrite ^{{ icecast_baseurl }}/owntone$ {{ icecast_baseurl }}/owntone.mp3 redirect;
        # https://stackoverflow.com/a/52284451
        #proxy_bind $remote_addr transparent;

        types        { }
        default_type audio/mpeg;

        #proxy_pass http://127.0.0.1:{{ icecast_port }};
        proxy_pass http://127.0.0.1:{{ icecast_port }}/$1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection "upgrade";
        proxy_pass_request_headers on;

        proxy_set_header Access-Control-Allow-Origin *;
        proxy_set_header Range bytes=0-;
        #proxy_buffering off;
        #proxy_buffering on;
        tcp_nodelay on;
        #tcp_nodelay off;
    }

    root /var/www/owntone/htdocs;
    location /ws {
         proxy_pass http://127.0.0.1:{{ owntone_port_ws }}/;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
    }
    location / {
        {# sub_filter 'owntone.local:3689' '{{ owntone_url }}';
         # sub_filter 'http%3A%2F%2Fowntone.local%3A3689' 'https%3A%2F%2F{{ owntone_url }}';
         # sub_filter 'http://owntone.local:3689' 'https://{{ owntone_url }}';
         # sub_filter_types '*';
         # sub_filter_once off; #}

        proxy_pass http://127.0.0.1:{{ owntone_port_tcp }}$request_uri;
        proxy_http_version 1.1;

        proxy_set_header Host {{ owntone_url }};
        #proxy_set_header Host "owntone.local:3689";
        #proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
     {% if ansible_default_ipv4.address is defined -%}
     listen {{ ansible_default_ipv4.address }}:{{ owntone_port_ws }} ssl;
     # When turning ssl back on, also remember to uncomment proxy_set_header
     #listen {{ ansible_default_ipv4.address }}:{{ owntone_port_ws }};
     {% endif %}
     http2 off;

     server_name {{ owntone_url }};

     access_log /var/log/nginx/access_{{ owntone_url }}_{{ owntone_port_ws }}_ws.log main;
     error_log /var/log/nginx/error_{{ owntone_url }}_{{ owntone_port_ws }}_ws.log info;

     ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem;
     ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem;

     # !!
     #ssl_protocols TLSv1.2 TLSv1.3;
     #ssl_prefer_server_ciphers off;

     location / {
         proxy_pass http://127.0.0.1:{{ owntone_port_ws }};
         #proxy_set_header Host $host;
         #proxy_set_header X-Real-IP $remote_addr;
         #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         #proxy_set_header X-Forwarded-Proto $scheme;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
         #proxy_set_header Connection $connection_upgrade;
     }

}