40 lines
1.5 KiB
Nix
40 lines
1.5 KiB
Nix
|
# Native nginx reverse proxy. The proxy configuration is declarative Nix:
|
||
|
|
# every proxied service is an entry under services.nginx.virtualHosts, so the
|
||
|
|
# whole routing table lives in this file and is built/version-controlled with
|
||
|
|
# the rest of the system.
|
||
|
|
#
|
||
|
|
# To add a proxied service, add another virtualHosts."<host>" entry following
|
||
|
|
# the example below. To serve it over HTTPS, uncomment enableACME + forceSSL on
|
||
|
|
# that vhost once it has a real DNS name and the ACME HTTP-01/DNS-01 challenge
|
||
|
|
# can be satisfied (see security.acme for the account/email and DNS settings).
|
||
|
|
{ ... }:
|
||
|
|
{
|
||
|
|
services.nginx = {
|
||
|
|
enable = true;
|
||
|
|
recommendedProxySettings = true; # sane proxy_set_header defaults (Host, X-Forwarded-*)
|
||
|
|
recommendedTlsSettings = true;
|
||
|
|
recommendedOptimisation = true;
|
||
|
|
recommendedGzipSettings = true;
|
||
|
|
|
||
|
|
virtualHosts = {
|
||
|
|
# Example reverse-proxy vhost. Replace the name and upstream with a real
|
||
|
|
# service (e.g. a container published by the Docker host on this machine).
|
||
|
|
"example.lan" = {
|
||
|
|
# enableACME = true; # request a Let's Encrypt cert for this host
|
||
|
|
# forceSSL = true; # redirect HTTP -> HTTPS once the cert exists
|
||
|
|
locations."/" = {
|
||
|
|
proxyPass = "http://127.0.0.1:8080";
|
||
|
|
proxyWebsockets = true; # forward Upgrade/Connection for WebSocket apps
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
# Public reverse-proxy ports. 443 is opened now so flipping a vhost to TLS
|
||
|
|
# needs no firewall change.
|
||
|
|
networking.firewall.allowedTCPPorts = [
|
||
|
|
80
|
||
|
|
443
|
||
|
|
];
|
||
|
|
}
|