Changes in nginx config, because I was careless enough to do it in one go
@@ -6,6 +6,23 @@ map $http_upgrade $connection_upgrade {
|
||||
# Helpful for larger uploads via API (tweak as you wish)
|
||||
client_max_body_size 400m;
|
||||
|
||||
log_format mtls_debug '
|
||||
[$time_local] $remote_addr:$remote_port → $server_name:$server_port
|
||||
"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
|
||||
TLS=$ssl_protocol/$ssl_cipher
|
||||
ClientVerify=$ssl_client_verify
|
||||
ClientSerial=$ssl_client_serial
|
||||
ClientSubject="$ssl_client_s_dn"
|
||||
ClientIssuer="$ssl_client_i_dn"
|
||||
RequestTime=$request_time
|
||||
ProxyUpstreamAddr=$upstream_addr
|
||||
ProxyStatus=$upstream_status
|
||||
';
|
||||
|
||||
# Default access & error logs for both 80 and 443 servers
|
||||
access_log /var/log/nginx/access.log mtls_debug;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
@@ -60,6 +77,9 @@ server {
|
||||
listen 443 ssl http2;
|
||||
server_name _;
|
||||
|
||||
access_log /var/log/nginx/access.log mtls_debug;
|
||||
error_log /var/log/nginx/error.log info;
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/certs/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/certs/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
@@ -98,25 +118,28 @@ server {
|
||||
}
|
||||
|
||||
# ---- mTLS-protected paths ----
|
||||
location ^~ /api/records {
|
||||
location ^~ /api/records/upload {
|
||||
if ($ssl_client_verify != SUCCESS) {
|
||||
return 495;
|
||||
}
|
||||
proxy_pass http://snoop-api:8080/;
|
||||
rewrite ^/api/(.*)$ /$1 break;
|
||||
proxy_pass http://snoop-api:8080;
|
||||
}
|
||||
|
||||
location ^~ /api/tasks {
|
||||
if ($ssl_client_verify != SUCCESS) {
|
||||
return 495;
|
||||
}
|
||||
proxy_pass http://snoop-api:8080/;
|
||||
rewrite ^/api/(.*)$ /$1 break;
|
||||
proxy_pass http://snoop-api:8080;
|
||||
}
|
||||
|
||||
location ^~ /api/renew {
|
||||
if ($ssl_client_verify != SUCCESS) {
|
||||
return 495;
|
||||
}
|
||||
proxy_pass http://snoop-api:8080/;
|
||||
rewrite ^/api/(.*)$ /$1 break;
|
||||
proxy_pass http://snoop-api:8080;
|
||||
}
|
||||
|
||||
# MediaMTX HLS
|
||||
@@ -128,13 +151,17 @@ server {
|
||||
}
|
||||
|
||||
# MediaMTX WebRTC (WHIP/WHEP/test)
|
||||
location ^~ /webrtc/ {
|
||||
location ^~ /whip/ {
|
||||
if ($ssl_client_verify != SUCCESS) {
|
||||
return 495;
|
||||
}
|
||||
proxy_pass http://mediamtx:8889/;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_pass http://mediamtx:8889;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_request_buffering off;
|
||||
client_max_body_size 35m;
|
||||
proxy_read_timeout 3600s;
|
||||
proxy_send_timeout 3600s;
|
||||
}
|
||||
|
||||
# MQTT WS entry points (guarded by mTLS)
|
||||
|
||||
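Review bot: The `if ($ssl_client_verify != SUCCESS) { return 495; }` guard is pasted into four separate locations (`/api/records/upload`, `/api/tasks`, `/api/renew`, `/whip/`), so any future location that omits those three lines silently proxies to the backend with no client-certificate check; moving it into one snippet and pulling it in with `include <path-to-mtls-guard-snippet>;` keeps the policy in one place. The guard is also only meaningful if `ssl_verify_client` on the 443 server (not visible in these hunks) actually requests a certificate against a trusted CA, so a comment above the first guarded location, `# mTLS gate: relies on ssl_verify_client on|optional being set in this server block`, would make that dependency explicit. Narrowing `location ^~ /api/records` to `/api/records/upload` means every other `/api/records/*` request now falls to whichever location matches it outside this hunk; if that is intended, a one-line comment saying so would prevent it being read as an accidental loss of the mTLS gate. The enclosing `server { listen 443 ssl http2; ... }` block starts and ends outside the hunks.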