Surely this will not break right?

2023-04-05 00:53:01 -04:00 · 2023-04-05 00:53:01 -04:00 · a2ec9bbfda
commit a2ec9bbfda
parent 26e143501d
9 changed files with 34 additions and 32 deletions
--- a/nginx/configs/proxyheaders.conf
+++ b/nginx/configs/proxyheaders.conf
--- a/nginx/configs/securityheaders.conf
+++ b/nginx/configs/securityheaders.conf
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -63,31 +63,6 @@ http {
    # maximum time between packets nginx is allowed to pause when sending the client data
    send_timeout 10s;

-	# Connection header for WebSocket reverse proxy
-    map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ""      close;
-    }
-
-    map $remote_addr $proxy_forwarded_elem {
-
-        # IPv4 addresses can be sent as-is
-        ~^[0-9.]+$        "for=$remote_addr";
-
-        # IPv6 addresses need to be bracketed and quoted
-        ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
-
-        # Unix domain socket names cannot be represented in RFC 7239 syntax
-        default           "for=unknown";
-    }
-
-    map $http_forwarded $proxy_add_forwarded {
-
-        # If the incoming Forwarded header is syntactically valid, append to it
-        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
-
-        # Otherwise, replace it
-        default "$proxy_forwarded_elem";
-    }
+	include /etc/nginx/snippets/maps.conf;

 }
--- a/nginx/sites-available-archive/i.zzls.xyz.conf
+++ b/nginx/sites-available-archive/i.zzls.xyz.conf
@ -12,7 +12,7 @@ server {
    location / {
        client_max_body_size 51M;
        proxy_pass http://127.0.0.1:40007/;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
        proxy_intercept_errors on;
        error_page 404 = /error;
    }
--- a/nginx/sites-available-archive/paste.zzls.xyz.conf
+++ b/nginx/sites-available-archive/paste.zzls.xyz.conf
@ -7,7 +7,7 @@ server {

    location / {
        proxy_pass http://127.0.0.1:40005/;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
    }

    listen 443 ssl http2; # managed by Certbot
--- a/nginx/sites-available/logs.spanix.xyz.conf
+++ b/nginx/sites-available/logs.spanix.xyz.conf
@ -7,7 +7,7 @@ server {

    location / {
        proxy_pass http://127.0.0.1:40004;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
    }

    listen 443 ssl http2; # managed by Certbot
--- a/nginx/sites-available/logs.zzls.xyz.conf
+++ b/nginx/sites-available/logs.zzls.xyz.conf
@ -7,7 +7,7 @@ server {

    location / {
        proxy_pass http://127.0.0.1:40003;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;

        #	location ~ ^/(channel/rubius|channelid/39276140)/ {
        #		return 401 "Los logs de Rubius han sido deshabilitados";
--- a/nginx/sites-available/lsf.spanix.team.conf
+++ b/nginx/sites-available/lsf.spanix.team.conf
@ -7,7 +7,7 @@ server {

    location / {
        proxy_pass http://127.0.0.1:40050;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
    }


--- a/nginx/snippets/maps.conf
+++ b/nginx/snippets/maps.conf
@ -0,0 +1,27 @@
+# Connection header for WebSocket reverse proxy
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ""      close;
+    }
+
+    map $remote_addr $proxy_forwarded_elem {
+
+        # IPv4 addresses can be sent as-is
+        ~^[0-9.]+$        "for=$remote_addr";
+
+        # IPv6 addresses need to be bracketed and quoted
+        ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+        # Unix domain socket names cannot be represented in RFC 7239 syntax
+        default           "for=unknown";
+    }
+
+    map $http_forwarded $proxy_add_forwarded {
+
+        # If the incoming Forwarded header is syntactically valid, append to it
+        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+        # Otherwise, replace it
+        default "$proxy_forwarded_elem";
+    }