From ca2939dedb1a2bd22ea2be7e0f971fd4df2bd360 Mon Sep 17 00:00:00 2001
From: Julian Labus
Date: Thu, 22 Aug 2019 15:29:31 +0200
Subject: [PATCH] Role service-nginx-unms: update vhost adjust vhost config according to recommended settings https://help.ubnt.com/hc/en-us/articles/115015690207-UNMS-Reverse-Proxy#3
---
 .../templates/unms_vhost.conf.j2 | 62 +++++++++++--------
 1 file changed, 36 insertions(+), 26 deletions(-)
diff --git a/roles/service-nginx-unms/templates/unms_vhost.conf.j2 b/roles/service-nginx-unms/templates/unms_vhost.conf.j2
index d4c7701..4c3f5c2 100644
--- a/roles/service-nginx-unms/templates/unms_vhost.conf.j2
+++ b/roles/service-nginx-unms/templates/unms_vhost.conf.j2
@@ -1,18 +1,23 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
-
- location / {
- return 301 https://$host$request_uri;
- }
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
 }
 server {
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name unms.{{ http_domain_external }} unifi.{{ http_domain_internal }};
+ listen 80;
+ listen [::]:80;
+
+ server_name unms.{{ http_domain_external }} unms.{{ http_domain_internal }};
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name unms.{{ http_domain_external }} unms.{{ http_domain_internal }};
 charset utf-8;
 server_tokens off;
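Review bot: The `map $http_upgrade $connection_upgrade` block at the top of the template is declared at `http` level from inside a per-vhost file, so the variable is global to every site nginx loads, not only this one. If another role's vhost defines a map for the same conventional name, both definitions share one variable, and as far as I know the later one wins without any error. I would move the map into a shared snippet that is included once, or at least put a comment above it such as `# WebSocket support: send "Connection: upgrade" only when the client sent an Upgrade header`. The 443 `server` block opened here continues past the end of the hunk.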
@@ -23,21 +28,26 @@ server {
 include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
- location /wss/ {
- proxy_pass https://localhost:9443;
- proxy_http_version 1.1;
- proxy_buffering off;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- proxy_read_timeout 86400;
- }
+ set $upstream 127.0.0.1:9443; # The UNMS Controller Port
 location / {
- proxy_pass https://localhost:9443/; # The Unifi Controller Port
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ proxy_pass https://$upstream;
+ proxy_redirect https://$upstream https://$server_name;
+
+ proxy_cache off;
+ proxy_store off;
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_read_timeout 36000s;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Referer "";
+
+ client_max_body_size 0;
 }
-
-
 }
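Review bot: `proxy_set_header Host $http_host;` in `location /` forwards the raw client-supplied Host header to UNMS, where the removed line used the normalised `$host`. If this vhost is ever selected as the default server for port 443 (the rest of the `server` block lies outside the hunk), an arbitrary Host value reaches the backend unchanged, which matters if UNMS derives absolute links from it. I would keep `proxy_set_header Host $host;` unless the backend is known to need the port, or make sure a catch-all `default_server` rejects unknown names. Separately, `client_max_body_size 0;` removes the request-body limit and `proxy_read_timeout 36000s;` now applies to every path rather than only `/wss/`; a short comment stating why, or a finite cap, would make the resource trade-off explicit.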