seperate http and https templates

deployment/bare_metal/install.sh

@@ -102,4 +102,8 @@ sudo certbot --certonly
 
 # Generate gradido.conf from template
 # TODO order - first certbot, then nginx setup
-envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < gradido.conf.template > gradido.conf
+case "$NGINX_SSL" in
+ true) TEMPLATE_FILE="gradido.conf.ssl.template" ;;
+    *) TEMPLATE_FILE="gradido.conf.template" ;;
+esac
+envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $TEMPLATE_FILE > gradido.conf

deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template

@@ -0,0 +1,80 @@
+server {
+    if ($host = $NGINX_SERVER_NAME) {
+        return 301 https://$host$request_uri;
+    }
+
+    server_name $NGINX_SERVER_NAME;
+    listen 80;
+    listen [::]:80;
+    return 404;
+}
+
+server {
+    server_name $NGINX_SERVER_NAME;
+
+    listen [::]:443 ssl ipv6only=on;
+    listen 443 ssl;
+    ssl_certificate $NGINX_SSL_CERTIFICATE;
+    ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
+    include $NGINX_SSL_INCLUDE;
+    ssl_dhparam $NGINX_SSL_DHPARAM;
+
+    include /etc/nginx/common/protect.conf;
+    include /etc/nginx/common/protect_add_header.conf;
+	#include /etc/nginx/common/ssl.conf;
+
+    #gzip_static  on;
+
+    # Frontend (default)
+    location / {
+		proxy_http_version 1.1;
+		proxy_set_header   Upgrade $http_upgrade;
+		proxy_set_header   Connection 'upgrade';
+		proxy_set_header   X-Forwarded-For $remote_addr;
+		proxy_set_header   X-Real-IP  $remote_addr;
+		proxy_set_header   Host $host;
+		
+		proxy_pass         http://127.0.0.1:3000;
+		proxy_redirect     off;
+	}
+
+    # Backend
+    location /graphql {
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   X-Real-IP  $remote_addr;
+        proxy_set_header   Host $host;
+        
+        #todo remove /graphql
+        proxy_pass         http://127.0.0.1:4000/graphql;
+        proxy_redirect     off;
+    }
+
+    # Admin Frontend
+    location /admin {
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   X-Real-IP  $remote_addr;
+        proxy_set_header   Host $host;
+        
+        proxy_pass         http://127.0.0.1:8080/;
+        proxy_redirect     off;
+    }
+
+    # TODO this could be a performance optimization
+    #location /vue {
+    #    alias /var/www/html/gradido/frontend/dist;
+    #    index index.html;
+    #
+    #    location ~* \.(png)$ {
+    #        expires 39d;
+    #    }
+    #    try_files $uri $uri/ /index.html = 404;
+    #}
+
+    #access_log /var/log/nginx/access.log main;
+}

deployment/bare_metal/nginx/sites-available/gradido.conf.template

@@ -1,35 +1,8 @@
 server {
-    if ($host = $NGINX_SERVER_NAME) {
-        return 301 https://$host$request_uri;
-    }
-
     server_name $NGINX_SERVER_NAME;
+
     listen 80;
     listen [::]:80;
-    return 404;
-}
-
-server {
-    server_name $NGINX_SERVER_NAME;
-
-    # Set variables to allow if checks
-    set $SSL "$NGINX_SSL";
-
-    if ($SSL = 'true') {
-        listen [::]:443 ssl ipv6only=on;
-        listen 443 ssl;
-        ssl_certificate $NGINX_SSL_CERTIFICATE;
-        ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
-        ssl_dhparam $NGINX_SSL_DHPARAM;
-        if ($NGINX_SSL_INCLUDE != '') {
-            include $NGINX_SSL_INCLUDE;
-        }
-    }
-
-    if ($SSL != 'true'){
-        listen 80;
-        listen [::]:80;
-    }
 
     include /etc/nginx/common/protect.conf;
     include /etc/nginx/common/protect_add_header.conf;