This repository has been archived on 2025-09-06. You can view files and clone it, but cannot push or open issues or pull requests.
home-assistant-yellow/yellow/overlay/etc/nginx/conf.d/default.conf
Dustin C. Hatch 670c1f7561 yellow: Install/configure nginx
We're going to use *nginx* as the reverse proxy in front of Home
Assistant, as well as the web consoles for Zigbee2MQTT and ZWaveJS2MQTT.
It will provide TLS termination for all of these applications.

Since *nginx* will not start without a certificate and private key file
for HTTPS, the *gen-nginx-cert.service* systemd unit generates a
self-signed certificate if one does not already exist.  This ensures
that *nginx* can start by default, but still allows the administrator to
replace the certificate with a trusted one later.

The *nginx* container image has symlinks at `/var/log/nginx/error.log`
and `/var/log/nginx/access.log`, pointing to `/dev/stderr` and
`/dev/stdout`, respectively.  The intent here is to send all log
messages to the container runtime.  Unfortunately, when the
container is managed by Podman from a systemd unit, the standard output
and standard error streams are connected to the systemd journal via a
UNIX socket.  As a result, the `/dev/stdout` and `/dev/stderr`
pseudo-files cannot be "opened" like normal files or pipes.  Thus, to
forward nginx's logs to the systemd journal correctly, we have to do a
bit of trickery.  For the error log at least, setting `error_log stderr`
works well; nginx simply writes messages to the existing file
descriptor.  Unfortunately, the access log has no such mechanism.  For
that, we use nginx's syslog capabilities.  The `/dev/log` socket is
bind-mounted into the container, and nginx is configured to connect to
it.
2023-03-30 09:23:47 -05:00

# vim: set sw=4 ts=4 sts=4 et :

# Pass WebSocket upgrades through to the backends; for plain requests the
# Connection header is set to "close" instead.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;
    return 301 https://$host$request_uri;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { }
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Self-signed by gen-nginx-cert.service unless the administrator
    # has replaced these files with a trusted certificate.
    ssl_certificate "/etc/nginx/ssl/server.crt";
    ssl_certificate_key "/etc/nginx/ssl/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_prefer_server_ciphers on;

    error_page 500 502 503 504 /50x.html;

    # HSTS: two years, including subdomains, sent on every response.
    add_header
        Strict-Transport-Security
        "max-age=63072000; includeSubDomains"
        always;

    location = /50x.html { }

    # Force the trailing slash so relative links in the web consoles resolve
    # under the prefix.
    location = /zwave {
        return 301 https://$host/zwave/;
    }
    location = /zigbee {
        return 301 https://$host/zigbee/;
    }

    # ZWaveJS2MQTT web console
    location /zwave/ {
        proxy_pass http://127.0.0.1:8091/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-External-Path /zwave;
    }

    # Zigbee2MQTT web console
    location /zigbee/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-External-Path /zigbee;
    }

    # Home Assistant
    location / {
        proxy_pass http://[::1]:8123/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
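The log-forwarding arrangement the commit message describes (error log on the inherited stderr descriptor, access log over the bind-mounted `/dev/log` socket) is not in the file above; the following main-context fragment is an added example, not the repository's own nginx.conf, and the Podman `--volume` option it mentions is an assumption about how the unit mounts the socket.

```nginx
# Added example: main-context logging for nginx run by Podman under systemd.

# error_log: "stderr" reuses the already-open file descriptor, so nginx never
# tries to open() the /var/log/nginx/error.log -> /dev/stderr symlink, which
# fails when stderr is journald's UNIX socket rather than a file or pipe.
error_log stderr warn;

http {
    # access_log has no stderr/stdout keyword, so send it via syslog to the
    # host's journald socket, bind-mounted into the container (assumed unit
    # option: --volume /dev/log:/dev/log). "tag" becomes the SYSLOG_IDENTIFIER
    # shown by journalctl; "severity" sets the priority of each entry.
    access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=info combined;

    include /etc/nginx/conf.d/*.conf;
}
```

Access entries then appear under `journalctl -t nginx` while nginx's own errors stay attached to the container's unit.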