From 8a1155d74738df37cf40fabbea554e2fd803c84b Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Sun, 25 Feb 2024 22:49:08 +0100 Subject: Reverse proxy tweaks for Paperless * Allow large uploads through nginx * Pass though WebSocket connections --- tw/services/paperless.scm | 12 +++++++++++- tw/services/web.scm | 20 ++++++++++++++------ 2 files changed, 25 insertions(+), 7 deletions(-) (limited to 'tw') diff --git a/tw/services/paperless.scm b/tw/services/paperless.scm index 6db99f65..b643ac99 100644 --- a/tw/services/paperless.scm +++ b/tw/services/paperless.scm @@ -4,6 +4,7 @@ #:use-module (gnu services) #:use-module (gnu services configuration) #:use-module (gnu services databases) + #:use-module (gnu services web) #:use-module (guix records) #:use-module (tw services docker) #:use-module (tw services restic) @@ -80,7 +81,16 @@ PAPERLESS_GID=" (number->string %paperless-uid) " (destination-ip (if (string=? bind-address "0.0.0.0") "127.0.0.1" - bind-address))))))) + bind-address)) + (extra-locations + (list (nginx-location-configuration + (uri "/ws/") ; e.g. /ws/status/ endpoint + ;; https://nginx.org/en/docs/http/websocket.html + (body `(("proxy_pass http://" ,destination-ip ":" + ,(number->string destination-port) ";") + "proxy_http_version 1.1;" + "proxy_set_header Upgrade $http_upgrade;" + "proxy_set_header Connection \"upgrade\";")))))))))) (define %paperless-backup-repo (restic-local-repository (path "/var/backups/paperless"))) diff --git a/tw/services/web.scm b/tw/services/web.scm index 835aebd3..aed11083 100644 --- a/tw/services/web.scm +++ b/tw/services/web.scm @@ -5,7 +5,7 @@ #:use-module (gnu services web) #:use-module (guix gexp) #:use-module (guix records) - #:use-module ((srfi srfi-1) #:select (concatenate)) + #:use-module ((srfi srfi-1) #:select (every concatenate)) #:export (%nginx-cert-deploy-hook https-reverse-proxy-service-type https-reverse-proxy-configuration)) 
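Review bot: The new `/ws/` location in tw/services/paperless.scm sets only the `Upgrade` and `Connection` headers, so it forwards nginx's default `Host` (the proxy_pass address) instead of the client's, unlike the default `/` location in tw/services/web.scm, which sets `proxy_set_header Host $http_host;`. nginx does not share `proxy_set_header` between sibling locations, so if Paperless checks the WebSocket handshake's Host or Origin against its allowed hosts, the upgrade may be rejected, or someone may be tempted to loosen that allow-list. Adding `"proxy_set_header Host $http_host;"` to this body keeps both paths consistent. The body also unquotes `destination-ip` and `destination-port`, whose bindings lie outside the hunk, while the visible code derives the address from `bind-address`; it is worth confirming they resolve to the same values as the record's fields, including the 0.0.0.0 to 127.0.0.1 mapping.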
@@ -14,6 +14,10 @@ (program-file "nginx-cert-deploy-hook" #~(kill (call-with-input-file "/var/run/nginx/pid" read) SIGHUP))) +(define (list-of-nginx-location-configurations? thing) + (and (list? thing) + (every nginx-location-configuration? thing))) + (define-configuration/no-serialization https-reverse-proxy-configuration (domains list-of-strings "List of domain names that nginx should proxy requests for.") @@ -21,8 +25,9 @@ requests for.") proxied to.") (destination-ip (string "127.0.0.1") "The IP address of the server that should be proxied to. Usually, this should be localhost.") - (destination-protocol (string "http") "The protocol that the proxied service -speaks. Set to @code{\"https\"} if you want to proxy HTTPS-to-HTTPS.")) + (extra-locations (list-of-nginx-location-configurations '()) "A list of +@code{nginx-location-configuration} records to apply in addition to the +default one.")) (define (reverse-proxy-certificate config) (match-record config (domains) @@ -32,7 +37,7 @@ speaks. Set to @code{\"https\"} if you want to proxy HTTPS-to-HTTPS.")) (define (reverse-proxy-nginx-server config) (match-record config - (domains destination-port destination-ip) + (domains destination-port destination-ip extra-locations) (nginx-server-configuration (listen '("443 ssl http2")) (server-name domains) 
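Review bot: The docstring for the new `extra-locations` field in the `@@ -21,8 +25,9 @@` hunk does not say that each record becomes an independent nginx `location` block, which gets none of the directives the default `/` location carries (its `proxy_pass`, the forwarded `Host` header). I would extend it with something like `Each location must supply its own proxy_pass and proxy_set_header directives; nothing is inherited from the default location.` so callers do not assume header handling they are not getting. The same hunk drops `destination-protocol`; any configuration outside this diff that still sets it would need updating.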
@@ -40,12 +45,15 @@ speaks. Set to @code{\"https\"} if you want to proxy HTTPS-to-HTTPS."))
 (ssl-certificate-key (string-append "/etc/letsencrypt/live/" (car domains) "/privkey.pem"))
 (server-tokens? #f)
 (locations
- (list (nginx-location-configuration
+ (cons (nginx-location-configuration
 (uri "/")
 (body `(("proxy_pass http://" ,destination-ip ":"
 ,(number->string destination-port) ";")
 ;; For Grafana: https://grafana.com/tutorials/run-grafana-behind-a-proxy/#configure-nginx
- "proxy_set_header Host $http_host;"))))))))
+ "proxy_set_header Host $http_host;"
+ ;; Allow large file uploads (for Paperless).
+ "client_max_body_size 100M;")))
+ extra-locations)))))

 (define (reverse-proxy-certificates configs)
 (map reverse-proxy-certificate configs))
-- cgit v1.2.3
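Review bot: `"client_max_body_size 100M;"` is added to the shared `/` location in `reverse-proxy-nginx-server`, so every service behind `https-reverse-proxy-service-type` now accepts 100 MB request bodies, not only Paperless as the comment suggests. That widens the room for upload-driven disk and memory pressure on backends that never need large uploads. Consider a per-service field on `https-reverse-proxy-configuration` (a hypothetical `max-body-size`, defaulting to nginx's own limit) and emitting `("client_max_body_size " ,max-body-size ";")` here, with only the Paperless service raising it. The function body starts outside this hunk.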