ma deployment/etherpad: set proxy configuration according to recommendations

1 files changed, 21 insertions, 0 deletions

diff --git a/makefu/2configs/deployment/docker/etherpad.euer.krebsco.de.nix b/makefu/2configs/deployment/docker/etherpad.euer.krebsco.de.nix
index 32f1a2f8..172e69c4 100644
--- a/makefu/2configs/deployment/docker/etherpad.euer.krebsco.de.nix
+++ b/makefu/2configs/deployment/docker/etherpad.euer.krebsco.de.nix
@@ -5,9 +5,30 @@ in {
   #services.nginx.virtualHosts."euer.krebsco.de".serverAliases = [ "etherpad.euer.krebsco.de" ];
   services.nginx.virtualHosts."etherpad.euer.krebsco.de" = {
     # useACMEHost = "euer.krebsco.de";
+    extraConfig = ''
+      ssl_session_timeout  5m;
+    '';
     enableACME = true;
     forceSSL = true;
     locations."/".proxyPass = "http://localhost:${toString port}";
+    # from https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
+    locations."/".extraConfig = ''
+
+        proxy_buffering    off; # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+        proxy_set_header   Host $host;
+        proxy_pass_header  Server;
+
+        # Note you might want to pass these headers etc too.
+        proxy_set_header    X-Real-IP $remote_addr; # https://nginx.org/en/docs/http/ngx_http_proxy_module.html
+        proxy_set_header    X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+        proxy_set_header    X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+        proxy_http_version  1.1; # recommended with keepalive connections
+
+        # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html
+        proxy_set_header  Upgrade $http_upgrade;
+        proxy_set_header  Connection "upgrade";
+        proxy_read_timeout 61s;
+    '';
   };
   docker-containers."etherpad-lite" = {
     image = "makefoo/bgt-etherpad:2020-05-02.6";