hswaw/beyondspace: fix https redirect pollution for local non-https services
Change-Id: I86505b571695e1bbcfccf869817f627140d7b596
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1786
Reviewed-by: informatic <informatic@hackerspace.pl>
diff --git a/hswaw/machines/customs.hackerspace.pl/beyondspace.nix b/hswaw/machines/customs.hackerspace.pl/beyondspace.nix
index ab0c6cf..a10e98c 100644
--- a/hswaw/machines/customs.hackerspace.pl/beyondspace.nix
+++ b/hswaw/machines/customs.hackerspace.pl/beyondspace.nix
@@ -39,13 +39,19 @@
'';
services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
- forceSSL = true;
+ # NOTE: we *can't* use forceSSL here for services that do not use HTTPS in
+ # local network setups, since this will pollute browser's redirect cache...
+ addSSL = true;
enableACME = true;
serverAliases = attrNames beyondspaceDomains;
locations."/oauth2/" = {
extraConfig = ''
+ if ($scheme != https) {
+ return 302 https://$host$request_uri;
+ }
+
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
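Review bot: With `forceSSL` replaced by `addSSL`, plain-HTTP requests are now turned away only by the `if ($scheme != https)` guard copied into each location, and the NOTE comment does not record that requirement. A location added later without the guard would answer over cleartext HTTP on every alias in `beyondspaceDomains`. The same three lines are repeated in the `= /oauth2/auth` and `/` hunks; binding them once in a `let`, e.g. `httpsRedirect = ''if ($scheme != https) { return 302 https://$host$request_uri; }'';`, and interpolating `${httpsRedirect}` into each `extraConfig` would keep them in sync. I would also extend the comment with `# Every location in this vhost must carry the 302 redirect itself; 302 rather than 301 so browsers do not cache it.` The virtualHost block continues outside the hunk, so any locations not shown here should be checked for the same guard.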
@@ -56,6 +62,10 @@
locations."= /oauth2/auth" = {
extraConfig = ''
+ if ($scheme != https) {
+ return 302 https://$host$request_uri;
+ }
+
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -69,6 +79,10 @@
locations."/" = {
extraConfig = ''
+ if ($scheme != https) {
+ return 302 https://$host$request_uri;
+ }
+
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;