mirror/aliasvault
1
0
Fork 0
mirror of https://github.com/aliasvault/aliasvault.git synced 2026-05-25 00:42:57 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add optional http to https redirect env setting (#1181)

Browse Source
This commit is contained in:
Leendert de Borst
2025-09-08 15:59:21 +02:00
parent fd485b979c
commit fd9e62591e
5 changed files with 142 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
dockerfiles/all-in-one/Dockerfile
View File

@@ -134,7 +134,8 @@ COPY --from=dotnet-builder /app /app
# Copy configuration files and scripts directly to their destinations
COPY dockerfiles/all-in-one/reset-admin-password.sh /usr/local/bin/reset-admin-password.sh
COPY apps/server/AliasVault.Client/nginx.conf /app/client/nginx.conf
COPY dockerfiles/all-in-one/config/nginx.conf /etc/nginx/nginx.conf
COPY dockerfiles/all-in-one/config/nginx-80-443.conf /etc/nginx/nginx-80-443.conf
COPY dockerfiles/all-in-one/config/nginx-443.conf /etc/nginx/nginx-443.conf
COPY apps/server/status.html /usr/share/nginx/html/status.html
COPY dockerfiles/all-in-one/s6-scripts /etc/s6-overlay/s6-rc.d/
@@ -159,6 +160,7 @@ ENV ALIASVAULT_VERBOSITY=0 \
POSTGRES_PORT=5432 \
POSTGRES_USER=aliasvault \
POSTGRES_DATABASE=aliasvault \
FORCE_HTTPS_REDIRECT=false \
S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \
S6_VERBOSITY=0

126
dockerfiles/all-in-one/config/nginx-443.conf Normal file
View File

@@ -0,0 +1,126 @@
# Nginx configuration for AliasVault all-in-one container with forced HTTP to HTTPS redirect
# and uses a self-signed cert.
events {
worker_connections 1024;
}
http {
client_max_body_size 25M;
upstream client {
server localhost:3000 max_fails=1 fail_timeout=5s;
}
upstream api {
server localhost:3001 max_fails=1 fail_timeout=5s;
}
upstream admin {
server localhost:3002 max_fails=1 fail_timeout=5s;
}
# Preserve any existing X-Forwarded-* headers, this is relevant if AliasVault
# is running behind another reverse proxy.
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Enable gzip compression, which reduces the amount of data that needs to be transferred
# to speed up WASM load times.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# HTTP server - redirects all traffic to HTTPS
server {
listen 80;
server_name _;
# Redirect all HTTP traffic to HTTPS
return 301 https://$host$request_uri;
}
# HTTPS server
server {
listen 443 ssl;
server_name _;
# Include the appropriate SSL certificate configuration generated
# by the entrypoint script.
include /etc/nginx/ssl.conf;
# Security headers
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;
# Root for static files
root /usr/share/nginx/html;
# Error page handler location (internal use only)
location = /status.html {
internal;
try_files /status.html =404;
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
add_header Expires "0";
}
# Admin interface
location /admin {
proxy_pass http://admin;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Prefix /admin/;
# Add WebSocket support for Blazor server
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
# Show status page if admin is down
proxy_intercept_errors on;
error_page 502 503 504 =503 /status.html;
}
# API endpoints
location /api {
proxy_pass http://api;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Show status page if api is down
proxy_intercept_errors on;
error_page 502 503 504 =503 /status.html;
}
# Client app (root path)
location / {
proxy_pass http://client;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Show status page if client is down
proxy_intercept_errors on;
error_page 502 503 504 =503 /status.html;
}
}
}

3
dockerfiles/all-in-one/config/nginx.conf → dockerfiles/all-in-one/config/nginx-80-443.conf
View File

@@ -1,5 +1,6 @@
# This is the main Nginx configuration file for the AliasVault all-in-one container.
# which exposes all AliasVault services via a single port 80.
# which exposes all AliasVault services via both 80 (HTTP)
# and optionally 443 (HTTPS) with self-signed cert.
events {
worker_connections 1024;
}

10
dockerfiles/all-in-one/s6-scripts/nginx/run
View File

@@ -19,6 +19,16 @@ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDS
ssl_prefer_server_ciphers off;
SSLEOF
# Configure nginx based on FORCE_HTTPS_REDIRECT environment variable
FORCE_HTTPS_REDIRECT=${FORCE_HTTPS_REDIRECT:-false}
if [[ "${FORCE_HTTPS_REDIRECT}" == "true" ]]; then
echo "Configuring nginx with HTTPS-only (443) - redirects HTTP to HTTPS"
cp /etc/nginx/nginx-443.conf /etc/nginx/nginx.conf
else
echo "Configuring nginx with HTTP and HTTPS support (80+443)"
cp /etc/nginx/nginx-80-443.conf /etc/nginx/nginx.conf
fi
echo "Starting Nginx reverse proxy..."
# Set nginx error log level based on verbosity

1
dockerfiles/docker-compose.all-in-one.yml
View File

@@ -17,5 +17,6 @@ services:
environment:
PUBLIC_REGISTRATION_ENABLED: "true"
IP_LOGGING_ENABLED: "true"
FORCE_HTTPS_REDIRECT: "false"
SUPPORT_EMAIL: ""
PRIVATE_EMAIL_DOMAINS: ""