infra/roles/paperless-ngx/templates/01-paperless.j2

105 lines
3.6 KiB
Django/Jinja

map $authelia_user $paperless_upstream {
{{ paperless_user }} {{ bridgewithdns['paperless-ngx-webserver'] }}:8000;
}
server {
listen 443 ssl http2;
{% if inventory_hostname in wg_clients -%}
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
{% endif -%}
root /var/www/{{ paperless_url }};
server_name {{ paperless_url }};
include listen-proxy-protocol.conf;
include /etc/nginx/authelia_internal.conf;
include /etc/nginx/sudo-known.conf;
resolver {{ pihole_dns }} ipv6=off;
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
# real_ip_header X-Forwarded-For;
# real_ip_recursive on;
include /etc/nginx/require_auth.conf;
location = / {
add_before_body /.sudo-known/header.html;
add_after_body /.sudo-known/footer.html;
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "false" always;
add_header "paperless-location-root" "true" always;
# if there is no file '$authelia_user.html', nginx issues
# a redirect to /$authelia_user/ instead (via an internal
# location)
try_files /$authelia_user.html /_redirect?user=$authelia_user;
}
location / {
# this block serves files from the www root (/whoami, mostly), unless
# there is a directory with the same name as $uri is looking for (without
# the leading /, then it gets caught by the regexp location), then it will
# redirect to $uri/ which should be caught by the regexp block, otherwise
# a 404 is returned.
# theres no logic in the nginx config for this, it just depends on try_files
# finding a dir with the matching name, then nginx will issue a redirect, and
# is probably expecting to serve up files from that dir next.
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "false" always;
add_header "paperless-location-root" "false" always;
try_files $uri $uri/ =404;
}
location /_redirect {
internal;
}
location ~* ^/(?<paperless_user>\w+)/(.*)$ {
include /etc/nginx/require_auth_proxy.conf;
# both work!
#set $paperless_user $authelia_user;
#set $paperless_user $1;
# this also works! (but not if you use return)
#add_header "paperless-authelia-user" $authelia_user always;
# rewrite ^ $request_uri;
rewrite '^/\w*(/ws/.*)$' $1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
add_header "paperless-user" $authelia_user always;
add_header "paperless-uri" $uri always;
add_header "paperless-proxy" "true" always;
add_header "paperless-upstream" $paperless_upstream always;
proxy_pass http://$paperless_upstream;
}
access_log /var/log/nginx/access_{{ paperless_url }}.log main;
error_log /var/log/nginx/error_{{ paperless_url }}.log warn;
ssl_session_timeout 5m;
ssl_certificate /usr/local/etc/certs/{{ paperless_url }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/certs/{{ paperless_url }}/privkey.pem;
fastcgi_hide_header X-Powered-By;
}