media-proxy: Unset referer for same-site requests

The qBittorrent WebUI does not work with it set to a different host than the target. This implementation does not compromise security, because the referer is only unset if the real referer was the locally proxied page. All other referers are passed through verbatim.
2022-03-18 23:25:23 +01:00 · 2022-03-18 23:25:23 +01:00 · 0e3bd19aa8
parent a9b6a17818
commit 0e3bd19aa8
1 changed files with 8 additions and 0 deletions
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@ -20,6 +20,12 @@ in
    systemd.services.nginx.after = [ "network-online.target" ];
    services.nginx = {
      enable = true;
+      commonHttpConfig = ''
+        map $http_referer $media_proxy_referer {
+            ~^http://localhost:8888/ "";
+            default                  $http_referer;
+        }
+      '';
      virtualHosts.media-proxy = {
        serverName = "localhost";
        listen = [
@ -40,6 +46,8 @@ in
                proxy_buffering off;
                include ${secret};
                charset utf-8;
+                proxy_set_header Referer $media_proxy_referer;
+                proxy_set_header Origin $media_proxy_referer;
              '';
            };
          })