From 571e737fe5158f0cc56208a30a63913c17a83db6 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Sat, 8 Jan 2022 05:28:26 +0100
Subject: [PATCH] seperate http and https templates
---
deployment/bare_metal/install.sh | 6 +-
.../sites-available/gradido.conf.ssl.template | 80 +++++++++++++++++++
.../sites-available/gradido.conf.template | 29 +------
3 files changed, 86 insertions(+), 29 deletions(-)
create mode 100644 deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
diff --git a/deployment/bare_metal/install.sh b/deployment/bare_metal/install.sh
index dfd8dab7a..9c50f3586 100755
--- a/deployment/bare_metal/install.sh
+++ b/deployment/bare_metal/install.sh
@@ -102,4 +102,8 @@ sudo certbot --certonly # Generate gradido.conf from template # TODO order - first certbot, then nginx setup
-envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < gradido.conf.template > gradido.conf
\ No newline at end of file
+case "$NGINX_SSL" in
+ true) TEMPLATE_FILE="gradido.conf.ssl.template" ;;
+ *) TEMPLATE_FILE="gradido.conf.template" ;;
+esac
+envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $TEMPLATE_FILE > gradido.conf
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
new file mode 100644
index 000000000..8cffa43ba
--- /dev/null
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
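Review bot: The `case "$NGINX_SSL"` added at the end of install.sh matches only the exact string `true`; an unset, empty or differently spelled value (`True`, `1`, `yes`) silently falls through to the plain-HTTP template, so a typo in the deployment environment ends up serving the site without TLS and nothing in the install output says so. The fallback branch should at least report it, e.g. `*) echo "NGINX_SSL='${NGINX_SSL:-}' is not 'true': generating HTTP-only config" >&2; TEMPLATE_FILE="gradido.conf.template" ;;`. On the last added line `$TEMPLATE_FILE` is unquoted; that is harmless for the two fixed values assigned just above, but `< "$TEMPLATE_FILE"` is the conventional form and keeps the line safe if the variable is ever made configurable.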
@@ -0,0 +1,80 @@
+server {
+ if ($host = $NGINX_SERVER_NAME) {
+ return 301 https://$host$request_uri;
+ }
+
+ server_name $NGINX_SERVER_NAME;
+ listen 80;
+ listen [::]:80;
+ return 404;
+}
+
+server {
+ server_name $NGINX_SERVER_NAME;
+
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+ ssl_certificate $NGINX_SSL_CERTIFICATE;
+ ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
+ include $NGINX_SSL_INCLUDE;
+ ssl_dhparam $NGINX_SSL_DHPARAM;
+
+ include /etc/nginx/common/protect.conf;
+ include /etc/nginx/common/protect_add_header.conf;
+ #include /etc/nginx/common/ssl.conf;
+
+ #gzip_static on;
+
+ # Frontend (default)
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ proxy_pass http://127.0.0.1:3000;
+ proxy_redirect off;
+ }
+
+ # Backend
+ location /graphql {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ #todo remove /graphql
+ proxy_pass http://127.0.0.1:4000/graphql;
+ proxy_redirect off;
+ }
+
+ # Admin Frontend
+ location /admin {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ proxy_pass http://127.0.0.1:8080/;
+ proxy_redirect off;
+ }
+
+ # TODO this could be a performance optimization
+ #location /vue {
+ # alias /var/www/html/gradido/frontend/dist;
+ # index index.html;
+ #
+ # location ~* \.(png)$ {
+ # expires 39d;
+ # }
+ # try_files $uri $uri/ /index.html = 404;
+ #}
+
+ #access_log /var/log/nginx/access.log main;
+}
\ No newline at end of file
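Review bot: `include $NGINX_SSL_INCLUDE;` in the 443 server block is now unconditional, whereas the old template only included the file when the variable was non-empty; envsubst substitutes an unset variable with an empty string, so a deployment that sets `NGINX_SSL=true` without `NGINX_SSL_INCLUDE` renders `include ;`, which nginx should reject at config test, and because `#include /etc/nginx/common/ssl.conf;` stays commented out this variable is the only place a protocol or cipher policy can come from. Either validate it in install.sh before rendering, e.g. `: "${NGINX_SSL_INCLUDE:?must point to an ssl options file when NGINX_SSL=true}"`, or carry an explicit `ssl_protocols`/`ssl_ciphers` pair in this template so the server does not silently fall back to nginx's built-in defaults. Separately, the three proxied locations forward `Host`, `X-Real-IP` and `X-Forwarded-For` but not the scheme, so the upstreams on ports 3000, 4000 and 8080 have nothing in the headers telling them the request arrived over TLS; adding `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing headers in each location closes that gap.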
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
index 4e2a37796..311c3646a 100644
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
@@ -1,35 +1,8 @@ server { - if ($host = $NGINX_SERVER_NAME) { - return 301 https://$host$request_uri; - } - server_name $NGINX_SERVER_NAME; + listen 80; listen [::]:80; - return 404; -} - -server { - server_name $NGINX_SERVER_NAME; - - # Set variables to allow if checks - set $SSL "$NGINX_SSL"; - - if ($SSL = 'true') { - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - ssl_certificate $NGINX_SSL_CERTIFICATE; - ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY; - ssl_dhparam $NGINX_SSL_DHPARAM; - if ($NGINX_SSL_INCLUDE != '') { - include $NGINX_SSL_INCLUDE; - } - } - - if ($SSL != 'true'){ - listen 80; - listen [::]:80; - } include /etc/nginx/common/protect.conf; include /etc/nginx/common/protect_add_header.conf;