Update to 2023-03-24 18:00

roles/wapt_server/templates/wapt.conf.j2

@@ -11,46 +11,89 @@ server {
 
   index index.html;
 
-  location ~ ^/wapt.* {
-    proxy_set_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
-    proxy_set_header Pragma "no-cache";
-    proxy_set_header Expires "Sun, 19 Nov 1978 05:00:00 GMT";
+  server_tokens off;
+
+  client_max_body_size 12288m;
+  client_body_timeout 1800;
+
+  # sub instances  
+  include "/opt/wapt/conf/wapt.d/*.conf";
+
+  location /static {
+    alias "/opt/wapt/waptserver/static";
+  }
+
+  location /ssl {
+    alias "/var/www/html/ssl";
+  }
+
+  # not protected URL
+  location ~ ^/(wapt/waptsetup.*.exe|wapt/waptagent/.*|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json|licences.json)$ {
+    add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
+    add_header Pragma "no-cache";
     root "/var/www/html";
   }
 
+  # not protected URL
+  location /wads {
+    alias "/var/www/html/wads";
+  }
+
+  # SSL protected URL
+  location ~ ^/(wapt/.*|waptwua/.*|wapt-diff-repos/.*)$ {
+    add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
+    add_header Pragma "no-cache";
+
+    # be sure these headers are not forwarded
+    proxy_set_header X-Ssl-Client-Dn  "";
+    proxy_set_header X-Ssl-Authenticated  "";
+
+    root "/var/www/html";
+  }
+
+  # we don't want to expose our list of computers in case someone scan this folder.
+  location /wapt-host/Packages {
+    return 403;
+  }
+
+  location ~ ^/(wapt-host/.*)$ {
+    log_not_found off;
+    add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
+    add_header Pragma "no-cache";
+
+    # be sure these headers are not forwarded
+    proxy_set_header X-Ssl-Client-Dn  "";
+    proxy_set_header X-Ssl-Authenticated  "";
+
+    root "/var/www/html";
+  }
+
+
+  location ~ ^/.*_kerberos$ {
+    return 403;
+  }
+
   location / {
-    proxy_set_header X-Real-IP  $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    add_header X-Remote-IP $remote_addr;
+    proxy_http_version 1.1;
+    proxy_request_buffering off;
     proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://127.0.0.1:8080;
+  }
 
-    client_max_body_size 4096m;
-    client_body_timeout 1800;
+  location /socket.io {
+    proxy_http_version 1.1;
+    proxy_request_buffering off;
 
-    location /add_host_kerberos {
-      return 403;
-    }
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-    location  ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup)  {
-      proxy_pass http://127.0.0.1:8080;
-      client_max_body_size 4096m;
-      client_body_timeout 1800;
-    }
-
-    location /wapt-host/Packages {
-      return 403;
-    }
-
-    location / {
-      proxy_pass http://127.0.0.1:8080;
-    }
-
-    location /socket.io {
-      proxy_http_version 1.1;
-      proxy_buffering off;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "Upgrade";
-      proxy_pass http://127.0.0.1:8080/socket.io;
-    }
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_pass http://127.0.0.1:8080/socket.io;
   }
 }