changes in nginx config, couse i retarded enough to do it in one approach

This commit is contained in:
tdv
2025-10-15 19:16:16 +03:00
parent bdb89f0966
commit 40b7e590a3
3 changed files with 40 additions and 12 deletions


@@ -6,6 +6,23 @@ map $http_upgrade $connection_upgrade {
# Helpful for larger uploads via API (tweak as you wish)
client_max_body_size 400m;
log_format mtls_debug '
[$time_local] $remote_addr:$remote_port → $server_name:$server_port
"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
TLS=$ssl_protocol/$ssl_cipher
ClientVerify=$ssl_client_verify
ClientSerial=$ssl_client_serial
ClientSubject="$ssl_client_s_dn"
ClientIssuer="$ssl_client_i_dn"
RequestTime=$request_time
ProxyUpstreamAddr=$upstream_addr
ProxyStatus=$upstream_status
';
# Default access & error logs for both 80 and 443 servers
access_log /var/log/nginx/access.log mtls_debug;
error_log /var/log/nginx/error.log warn;
server {
listen 80;
server_name _;
@@ -60,6 +77,9 @@ server {
listen 443 ssl http2;
server_name _;
access_log /var/log/nginx/access.log mtls_debug;
error_log /var/log/nginx/error.log info;
ssl_certificate /etc/nginx/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/certs/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
@@ -98,25 +118,28 @@ server {
}
# ---- mTLS-protected paths ----
location ^~ /api/records {
location ^~ /api/records/upload {
if ($ssl_client_verify != SUCCESS) {
return 495;
}
proxy_pass http://snoop-api:8080/;
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://snoop-api:8080;
}
location ^~ /api/tasks {
if ($ssl_client_verify != SUCCESS) {
return 495;
}
proxy_pass http://snoop-api:8080/;
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://snoop-api:8080;
}
location ^~ /api/renew {
if ($ssl_client_verify != SUCCESS) {
return 495;
}
proxy_pass http://snoop-api:8080/;
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://snoop-api:8080;
}
# MediaMTX HLS
@@ -128,13 +151,17 @@ server {
}
# MediaMTX WebRTC (WHIP/WHEP/test)
location ^~ /webrtc/ {
location ^~ /whip/ {
if ($ssl_client_verify != SUCCESS) {
return 495;
}
proxy_pass http://mediamtx:8889/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://mediamtx:8889;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_request_buffering off;
client_max_body_size 35m;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
# MQTT WS entry points (guarded by mTLS)
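Review bot: Narrowing the guarded prefix from `/api/records` to `/api/records/upload` leaves every other `/api/records/...` request to whichever `location` matches next, and nothing in this hunk shows that fallback repeating the `$ssl_client_verify != SUCCESS` check, so the change may quietly move those paths outside mTLS. If only the upload endpoint is meant to be reachable, state that next to the location, e.g. `# only /upload is exposed here; other /api/records paths are intentionally left to the fallback location`, otherwise keep a guarded `location ^~ /api/records` catch-all after it. The `rewrite ^/api/(.*)$ /$1 break;` plus slash-less `proxy_pass` is also a path-mapping change rather than a restyle: the old `proxy_pass http://snoop-api:8080/;` replaced the matched location prefix with `/`, whereas the rewrite now forwards `/records/upload`, so a comment such as `# strip /api/ but keep the resource path for snoop-api` would stop the next reader from "simplifying" it back. The same three-line check is repeated verbatim in `/api/tasks` and `/api/renew`, and the enclosing `server` block opens and closes outside this hunk.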