AnrDaemon · June 17, 2022 08:46 · Jun 17, 2022 · Jun 16, 2022 · Jun 16, 2022
diff --git a/extras_forward_x_map b/extras_forward_x_map
@@ -0,0 +1,40 @@
+# Define default protocols' ports
+map $scheme $def_port {
+    "http" ":80";
+    "https" ":443";
+    default "";
+}
+
+# Assert trusted remote address.
+geo $realip_remote_addr $x_trusted {
+    127.0.0.0/8 1;
+    192.168.1.6 1;
+    default 0;
+}
+
+map $x_trusted $x_tmp_proto {
+    1 $http_x_forwarded_proto;
+    default $scheme;
+}
+map $x_tmp_proto $x_forwarded_proto {
+    "" $scheme;
+    default $x_tmp_proto;
+}
+
+map $x_trusted $x_tmp_host {
+    1 $http_x_forwarded_host;
+    default $host:$server_port;
+}
+map $x_tmp_host $x_forwarded_host {
+    "" $host:$server_port;
+    default $x_tmp_host;
+}
+
+map $x_trusted $x_tmp_port {
+    1 $http_x_forwarded_port;
+    default $server_port;
+}
+map $x_tmp_port $x_forwarded_port {
+    "" $server_port;
+    default $x_tmp_port;
+}
diff --git a/extras_proxy_upstream b/extras_proxy_upstream
@@ -0,0 +1,6 @@
+# Trust this upstream.
+set_real_ip_from  127.0.0.0/8;
+set_real_ip_from  192.168.1.5;
+set_real_ip_from  192.168.1.6;
+real_ip_header    X-Forwarded-For;
+real_ip_recursive on;
diff --git a/extras_fix-http-destination b/extras_fix-http-destination
@@ -0,0 +1,5 @@
+set $fixed_destination $http_destination;
+if ( $http_destination ~* ^https(.*)$ ) {
+    set $fixed_destination http$1;
+}
+proxy_set_header Destination $fixed_destination;
diff --git a/extras_proxy_pass b/extras_proxy_pass
@@ -0,0 +1,22 @@
+# Force proxy keepalives.
+proxy_http_version 1.1;
+
+set $use_port ":$server_port";
+if ( "$use_port" = "$def_port" ) {
+    set $use_port "";
+}
+
+# Force rewrite of common mislocations.
+proxy_redirect default;
+proxy_redirect "//$host:$proxy_port/" "$scheme://$host$use_port/";
+proxy_redirect "http://$host:$proxy_port/" "$scheme://$host$use_port/";
+proxy_redirect "https://$host:$proxy_port/" "$scheme://$host$use_port/";
+
+# Set origin headers for proxied server.
+proxy_set_header Host $host;
+proxy_set_header Connection "";
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_set_header X-Forwarded-Host $x_forwarded_host;
+proxy_set_header X-Forwarded-Port $x_forwarded_port;
+proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
diff --git a/cloud.rootdir.org-proxy.conf b/cloud.rootdir.org-proxy.conf
@@ -0,0 +1,39 @@
+server {
+    server_name
+        cloud.rootdir.org
+        cloud.darkdragon.lan
+        ;
+
+    error_log syslog error;
+    access_log off;
+
+    listen 80;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    server_name
+        cloud.rootdir.org
+        ;
+
+    listen 443 ssl http2;
+    ssl_certificate "/etc/ssl/cloud.rootdir.org.crt";
+    ssl_certificate_key "/etc/ssl/private/cloud.rootdir.org.key";
+
+    error_log syslog error;
+    access_log off;
+
+    # Local filter block.
+    #include extras/access_local;
+
+    location / {
+        proxy_pass http://cloud.darkdragon.lan/;
+
+        include extras/proxy_pass;
+        include extras/fix-http-destination;
+
+        client_max_body_size 512M;
+
+        proxy_read_timeout 60s;
+    }
+}