File tree Expand file tree Collapse file tree 3 files changed +50
-2
lines changed
nginx/templates_rasenmaeher_takapi Expand file tree Collapse file tree 3 files changed +50
-2
lines changed Original file line number Diff line number Diff line change @@ -708,6 +708,7 @@ services:
708708 - kraftwerk_shared_tak:/pvarki
709709 - takrmapi_data:/data/persistent
710710 - tak_data:/opt/tak/data
711+ - tak_www_static:/www_static
711712 depends_on :
712713 rmnginx :
713714 condition : service_healthy
@@ -729,6 +730,7 @@ services:
729730 - nginx_templates:/nginx_templates
730731 - ca_public:/ca_public
731732 - le_certs:/le_certs
733+ - tak_www_static:/www_static
732734 environment :
733735 NGINX_HOST : *takdomain
734736 NGINX_HTTPS_PORT : *takapiport
@@ -738,7 +740,7 @@ services:
738740 CFSSL_OCSP_BIND_PORT : *oscpport
739741 NGINX_OCSP_UPSTREAM : *ocsphost
740742 DNS_RESOLVER_IP : *dnsresolver
741- NGINX_TEMPLATE_DIR : " templates_productapi "
743+ NGINX_TEMPLATE_DIR : " templates_rasenmaeher_takapi "
742744 networks :
743745 - taknet
744746 - intranet
Original file line number Diff line number Diff line change @@ -619,6 +619,7 @@ services:
619619 - kraftwerk_shared_tak:/pvarki
620620 - tak_data:/opt/tak/data
621621 - takrmapi_data:/data/persistent
622+ - tak_www_static:/www_static
622623 depends_on :
623624 rmnginx :
624625 condition : service_healthy
@@ -640,6 +641,7 @@ services:
640641 - nginx_templates:/nginx_templates
641642 - ca_public:/ca_public
642643 - le_certs:/le_certs
644+ - tak_www_static:/www_static
643645 environment :
644646 NGINX_HOST : *takdomain
645647 NGINX_HTTPS_PORT : *takapiport
@@ -649,7 +651,7 @@ services:
649651 CFSSL_OCSP_BIND_PORT : *oscpport
650652 NGINX_OCSP_UPSTREAM : *ocsphost
651653 DNS_RESOLVER_IP : *dnsresolver
652- NGINX_TEMPLATE_DIR : " templates_productapi "
654+ NGINX_TEMPLATE_DIR : " templates_rasenmaeher_takapi "
653655 networks :
654656 - taknet
655657 - intranet
@@ -718,3 +720,4 @@ volumes:
718720 takrmapi_data :
719721 rmui_files :
720722 nginx_templates :
723+ tak_www_static :
Original file line number Diff line number Diff line change 1+ ssl_certificate /le_certs/${NGINX_CERT_NAME}/fullchain.pem;
2+ ssl_certificate_key /le_certs/${NGINX_CERT_NAME}/privkey.pem;
3+
4+ include /etc/nginx/includes/le_common_settings.conf;
5+
6+ server {
7+ server_name ${NGINX_HOST};
8+
9+ # HTTPS configuration
10+ listen ${NGINX_HTTPS_PORT} ssl;
11+
12+ ssl_client_certificate /ca_public/ca_chain.pem;
13+ ssl_verify_client on;
14+ ssl_ocsp leaf;
15+ ssl_ocsp_responder http://${NGINX_OCSP_UPSTREAM}:${CFSSL_OCSP_BIND_PORT};
16+ resolver ${DNS_RESOLVER_IP} ipv6=off;
17+ #ssl_crl /ca_public/crl.pem;
18+ ssl_verify_depth 3;
19+
20+
21+ # This volume may only have content that EVERYONE with proper client certificate can view
22+ location /content/static {
23+ if ($ssl_client_verify != SUCCESS) {
24+ return 401;
25+ }
26+ root /www_static;
27+ }
28+
29+ location / {
30+ if ($ssl_client_verify != SUCCESS) {
31+ return 401;
32+ }
33+ proxy_pass http://${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT};
34+ proxy_redirect off;
35+ proxy_set_header Host $http_host;
36+ proxy_set_header X-Real-IP $remote_addr;
37+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
38+ proxy_set_header X-Forwarded-Proto $scheme;
39+ proxy_read_timeout 900;
40+ proxy_set_header X-ClientCert-DN $ssl_client_s_dn;
41+ proxy_set_header X-ClientCert-Serial ssl_client_serial;
42+ }
43+ }
You can’t perform that action at this time.
0 commit comments