105 lines
3.6 KiB
Django/Jinja
105 lines
3.6 KiB
Django/Jinja
map $authelia_user $paperless_upstream {
|
|
{{ paperless_user }} {{ bridgewithdns['paperless-ngx-webserver'] }}:8000;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
{% if inventory_hostname in wg_clients -%}
|
|
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
|
|
{% endif -%}
|
|
|
|
root /var/www/{{ paperless_url }};
|
|
server_name {{ paperless_url }};
|
|
|
|
include listen-proxy-protocol.conf;
|
|
include /etc/nginx/authelia_internal.conf;
|
|
include /etc/nginx/sudo-known.conf;
|
|
|
|
resolver {{ pihole_dns }} ipv6=off;
|
|
|
|
# set_real_ip_from 10.0.0.0/8;
|
|
# set_real_ip_from 172.16.0.0/12;
|
|
# set_real_ip_from 192.168.0.0/16;
|
|
# set_real_ip_from fc00::/7;
|
|
# real_ip_header X-Forwarded-For;
|
|
# real_ip_recursive on;
|
|
|
|
include /etc/nginx/require_auth.conf;
|
|
|
|
location = / {
|
|
add_before_body /.sudo-known/header.html;
|
|
add_after_body /.sudo-known/footer.html;
|
|
|
|
add_header "paperless-user" $authelia_user always;
|
|
add_header "paperless-uri" $uri always;
|
|
add_header "paperless-proxy" "false" always;
|
|
add_header "paperless-location-root" "true" always;
|
|
|
|
# if there is no file '$authelia_user.html', nginx issues
|
|
# a redirect to /$authelia_user/ instead (via an internal
|
|
# location)
|
|
try_files /$authelia_user.html /_redirect?user=$authelia_user;
|
|
|
|
}
|
|
location / {
|
|
# this block serves files from the www root (/whoami, mostly), unless
|
|
# there is a directory with the same name as $uri is looking for (without
|
|
# the leading /, then it gets caught by the regexp location), then it will
|
|
# redirect to $uri/ which should be caught by the regexp block, otherwise
|
|
# a 404 is returned.
|
|
# theres no logic in the nginx config for this, it just depends on try_files
|
|
# finding a dir with the matching name, then nginx will issue a redirect, and
|
|
# is probably expecting to serve up files from that dir next.
|
|
|
|
add_header "paperless-user" $authelia_user always;
|
|
add_header "paperless-uri" $uri always;
|
|
add_header "paperless-proxy" "false" always;
|
|
add_header "paperless-location-root" "false" always;
|
|
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
location /_redirect {
|
|
internal;
|
|
}
|
|
|
|
location ~* ^/(?<paperless_user>\w+)/(.*)$ {
|
|
include /etc/nginx/require_auth_proxy.conf;
|
|
|
|
# both work!
|
|
#set $paperless_user $authelia_user;
|
|
#set $paperless_user $1;
|
|
# this also works! (but not if you use return)
|
|
#add_header "paperless-authelia-user" $authelia_user always;
|
|
|
|
# rewrite ^ $request_uri;
|
|
rewrite '^/\w*(/ws/.*)$' $1 break;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Host $server_name;
|
|
|
|
add_header "paperless-user" $authelia_user always;
|
|
add_header "paperless-uri" $uri always;
|
|
add_header "paperless-proxy" "true" always;
|
|
add_header "paperless-upstream" $paperless_upstream always;
|
|
|
|
proxy_pass http://$paperless_upstream;
|
|
}
|
|
|
|
access_log /var/log/nginx/access_{{ paperless_url }}.log main;
|
|
error_log /var/log/nginx/error_{{ paperless_url }}.log warn;
|
|
|
|
ssl_session_timeout 5m;
|
|
ssl_certificate /usr/local/etc/certs/{{ paperless_url }}/fullchain.pem;
|
|
ssl_certificate_key /usr/local/etc/certs/{{ paperless_url }}/privkey.pem;
|
|
|
|
fastcgi_hide_header X-Powered-By;
|
|
}
|