From 0e3bd19aa8b3b10d8ef42ac5d53d18a5f8e7f2bb Mon Sep 17 00:00:00 2001
From: Simon Bruder <simon@sbruder.de>
Date: Fri, 18 Mar 2022 23:25:23 +0100
Subject: [PATCH] media-proxy: Unset referer for same-site requests

The qBittorrent WebUI does not work with it set to a different host than
the target. This implementation does not compromise security, because
the referer is only unset if the real referer was the locally proxied
page. All other referers are passed through verbatim.
---
 modules/media-proxy.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/media-proxy.nix b/modules/media-proxy.nix
index b9b3ea6..a2897e3 100644
--- a/modules/media-proxy.nix
+++ b/modules/media-proxy.nix
@@ -20,6 +20,12 @@ in
     systemd.services.nginx.after = [ "network-online.target" ];
     services.nginx = {
       enable = true;
+      commonHttpConfig = ''
+        map $http_referer $media_proxy_referer {
+            ~^http://localhost:8888/ "";
+            default                  $http_referer;
+        }
+      '';
       virtualHosts.media-proxy = {
         serverName = "localhost";
         listen = [
@@ -40,6 +46,8 @@ in
                 proxy_buffering off;
                 include ${secret};
                 charset utf-8;
+                proxy_set_header Referer $media_proxy_referer;
+                proxy_set_header Origin $media_proxy_referer;
               '';
             };
           })