Diffstat (limited to 'roles/apps/collabora/code/instance/templates/nginx-vhost.conf.j2')
-rw-r--r-- | roles/apps/collabora/code/instance/templates/nginx-vhost.conf.j2 | 78 |
1 files changed, 54 insertions, 24 deletions
diff --git a/roles/apps/collabora/code/instance/templates/nginx-vhost.conf.j2 b/roles/apps/collabora/code/instance/templates/nginx-vhost.conf.j2 index d661427f..a7248194 100644 --- a/roles/apps/collabora/code/instance/templates/nginx-vhost.conf.j2 +++ b/roles/apps/collabora/code/instance/templates/nginx-vhost.conf.j2 @@ -6,10 +6,15 @@ location ^~ /browser { include snippets/proxy-forward-headers.conf; proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; - - proxy_redirect http://$host/ https://$host/; - proxy_redirect http://$host:9980/ https://$host/; +{% if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname %} + proxy_pass https://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; +{% else %} + proxy_pass https://{{ ansible_default_ipv4.address }}:{{ collabora_code_instances[collabora_code_instance].port }}; +{% endif %} + proxy_ssl_trusted_certificate /etc/ssl/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}-ca-crt.pem; + proxy_ssl_verify on; + proxy_ssl_name collabora-code-{{ collabora_code_instance }}.{{ inventory_hostname }}; + proxy_ssl_protocols TLSv1.3; } # WOPI discovery URL 
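Review bot: The `{% else %}` branch points `proxy_pass` at `ansible_default_ipv4.address`, so the Collabora port presumably has to listen on a routable interface, and nothing in the added lines lets the backend authenticate the proxy. `proxy_ssl_verify on` with the zone CA and `proxy_ssl_name` verifies the backend to nginx, but nginx presents no client certificate, so any host that can reach the port can talk to the backend directly unless a firewall or the backend's own access control (not visible here) restricts it. Consider adding `proxy_ssl_certificate` and `proxy_ssl_certificate_key` with a certificate issued by the same zone CA, or at least a comment such as `# backend port is reachable only from the zone publisher, enforced by <firewall rule>`. The same applies to the other five hunks and matters most for `/cool/adminws`.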
@@ -18,10 +23,15 @@ location ^~ /hosting/discovery { include snippets/proxy-forward-headers.conf; proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; - - proxy_redirect http://$host/ https://$host/; - proxy_redirect http://$host:9980/ https://$host/; +{% if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname %} + proxy_pass https://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; +{% else %} + proxy_pass https://{{ ansible_default_ipv4.address }}:{{ collabora_code_instances[collabora_code_instance].port }}; +{% endif %} + proxy_ssl_trusted_certificate /etc/ssl/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}-ca-crt.pem; + proxy_ssl_verify on; + proxy_ssl_name collabora-code-{{ collabora_code_instance }}.{{ inventory_hostname }}; + proxy_ssl_protocols TLSv1.3; } # Capabilities 
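Review bot: These nine added lines are a verbatim copy of the ones in the `/browser` hunk and recur in the four hunks below, so a later change to the TLS settings that misses one location (for example `/cool/adminws`) would leave it with different verification from the rest. Computing the address once near the top of the template, `{% set code_upstream = '127.0.0.1' if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname else ansible_default_ipv4.address %}`, and then using `proxy_pass https://{{ code_upstream }}:{{ collabora_code_instances[collabora_code_instance].port }};` would remove the repeated conditional. The four `proxy_ssl_*` directives are inherited by nested locations, so they could be stated once in the enclosing server block if this template is rendered inside one, which is not visible here.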
@@ -30,10 +40,15 @@ location ^~ /hosting/capabilities { include snippets/proxy-forward-headers.conf; proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; - - proxy_redirect http://$host/ https://$host/; - proxy_redirect http://$host:9980/ https://$host/; +{% if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname %} + proxy_pass https://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; +{% else %} + proxy_pass https://{{ ansible_default_ipv4.address }}:{{ collabora_code_instances[collabora_code_instance].port }}; +{% endif %} + proxy_ssl_trusted_certificate /etc/ssl/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}-ca-crt.pem; + proxy_ssl_verify on; + proxy_ssl_name collabora-code-{{ collabora_code_instance }}.{{ inventory_hostname }}; + proxy_ssl_protocols TLSv1.3; } # main websocket 
@@ -47,10 +62,15 @@ location ~ ^/cool/(.*)/ws$ { proxy_read_timeout 36000s; proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; - - proxy_redirect http://$host/ https://$host/; - proxy_redirect http://$host:9980/ https://$host/; +{% if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname %} + proxy_pass https://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; +{% else %} + proxy_pass https://{{ ansible_default_ipv4.address }}:{{ collabora_code_instances[collabora_code_instance].port }}; +{% endif %} + proxy_ssl_trusted_certificate /etc/ssl/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}-ca-crt.pem; + proxy_ssl_verify on; + proxy_ssl_name collabora-code-{{ collabora_code_instance }}.{{ inventory_hostname }}; + proxy_ssl_protocols TLSv1.3; } # download, presentation and image upload 
@@ -59,10 +79,15 @@ location ~ ^/(c|l)ool { include snippets/proxy-forward-headers.conf; proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; - - proxy_redirect http://$host/ https://$host/; - proxy_redirect http://$host:9980/ https://$host/; +{% if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname %} + proxy_pass https://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; +{% else %} + proxy_pass https://{{ ansible_default_ipv4.address }}:{{ collabora_code_instances[collabora_code_instance].port }}; +{% endif %} + proxy_ssl_trusted_certificate /etc/ssl/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}-ca-crt.pem; + proxy_ssl_verify on; + proxy_ssl_name collabora-code-{{ collabora_code_instance }}.{{ inventory_hostname }}; + proxy_ssl_protocols TLSv1.3; } # Admin Console websocket 
@@ -76,8 +101,13 @@ location ^~ /cool/adminws { proxy_read_timeout 36000s; proxy_set_header Host $http_host; - proxy_pass http://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; - - proxy_redirect http://$host/ https://$host/; - proxy_redirect http://$host:9980/ https://$host/; +{% if collabora_code_instances[collabora_code_instance].publish.zone.publisher == inventory_hostname %} + proxy_pass https://127.0.0.1:{{ collabora_code_instances[collabora_code_instance].port }}; +{% else %} + proxy_pass https://{{ ansible_default_ipv4.address }}:{{ collabora_code_instances[collabora_code_instance].port }}; +{% endif %} + proxy_ssl_trusted_certificate /etc/ssl/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}/apps-publish-{{ collabora_code_instances[collabora_code_instance].publish.zone.name }}-ca-crt.pem; + proxy_ssl_verify on; + proxy_ssl_name collabora-code-{{ collabora_code_instance }}.{{ inventory_hostname }}; + proxy_ssl_protocols TLSv1.3; } |