Simon Bruder
0e3bd19aa8
The qBittorrent WebUI does not work when the referer is set to a different host than the target. This implementation does not compromise security, because the referer is only unset if the real referer was the locally proxied page. All other referers are passed through verbatim.
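{ config, lib, pkgs, ... }:

let
  # Local port the proxy listens on. It is also interpolated into the Referer
  # map below so the two cannot drift apart (the map previously hard-coded 8888).
  port = 8888;

  # Upstream name -> path of the sops secret whose nginx snippet is `include`d
  # for that upstream. Each name becomes both the local path prefix (/<name>/)
  # and the upstream host (<name>.sbruder.de).
  proxiedServices = {
    "media" = config.sops.secrets.media-proxy-auth.path;
    "torrent" = config.sops.secrets.torrent-proxy-auth.path;
  };
in
{
  options.sbruder.media-proxy.enable = lib.mkEnableOption "media proxy";

  config = lib.mkIf config.sbruder.media-proxy.enable {
    sops.secrets = {
      torrent-proxy-auth.owner = "nginx";
      media-proxy-auth.owner = "nginx";
    };
    # NOTE(review): adds nginx to the keys group, presumably so it can read the
    # sops-managed secrets it includes below - confirm this is still required.
    systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton config.users.groups.keys.name;

    # otherwise name resolution fails
    systemd.services.nginx.after = [ "network-online.target" ];

    services.nginx = {
      enable = true;
      commonHttpConfig = ''
        # Blank the Referer/Origin only when they point at this proxy itself
        # (http://localhost:<port>/); every other value is forwarded verbatim.
        # Only the "localhost" spelling is recognised: a browser that reached the
        # proxy via 127.0.0.1 or [::1] sends a referer that takes the default
        # branch and is passed through unchanged.
        map $http_referer $media_proxy_referer {
          ~^http://localhost:${toString port}/ "";
          default $http_referer;
        }
      '';
      virtualHosts.media-proxy = {
        serverName = "localhost";
        listen = [
          { inherit port; addr = "127.0.0.1"; }
          { inherit port; addr = "[::1]"; }
        ];
        locations = {
          "/".extraConfig = ''
            rewrite ^/__nginx-interactive-index-assets__/(.*)$ /media/__nginx-interactive-index-assets__/$1;
          '';
        } // lib.mapAttrs'
          (name: secret: {
            name = "/${name}/";
            value = {
              proxyPass = "https://${name}.sbruder.de/";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_buffering off;
                # sops-managed snippet for this upstream (named *-proxy-auth;
                # its contents are not part of this file)
                include ${secret};
                charset utf-8;
                # An empty value makes nginx omit the header entirely, so
                # requests originating from the proxy's own pages reach the
                # upstream without Referer/Origin; all others keep theirs.
                proxy_set_header Referer $media_proxy_referer;
                proxy_set_header Origin $media_proxy_referer;
              '';
            };
          })
          proxiedServices;
      };
    };
  };
}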