From 2dcc9111ad0dca6afe24882e50c508d7e6ebe654 Mon Sep 17 00:00:00 2001
From: Minecon724
Date: Sat, 12 Apr 2025 09:02:15 +0200
Subject: [PATCH] Nginx improvements
---
 .env | 6 ++++++
 docker-compose.yml | 12 ++++++------
 nginx/conf.d/companion.conf | 23 +++++++++++++++--------
 nginx/nginx.conf | 9 ++-------
 4 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/.env b/.env
index 71de0c4..fabe137 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,9 @@
 # The subnet to rotate from.
 # Leave blank to disable IPv6 rotation.
 IPV6_SUBNET=2001:db8::/32
+
+# The addresses nginx listens on.
+# To disable (effectively), set to something private.
+# IPv6 brackets are not needed!
+NGINX_IPV4=203.0.113.1
+NGINX_IPV6=2001:db8::1
diff --git a/docker-compose.yml b/docker-compose.yml
index f037d5b..56033f9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,12 +30,12 @@ services:
 - ./html:/var/www/html:ro
 - ssl-certs:/etc/ssl:ro
 ports: # IPs that accept client (HTTP) connections
- - "203.0.113.1:80:80"
- - "[2001:db8::1]:80:80"
- - "203.0.113.1:443:443"
- - "[2001:db8::1]:443:443"
- - "203.0.113.1:443:443/udp"
- - "[2001:db8::1]:443:443/udp"
+ - "${NGINX_IPV4}:80:80"
+ - "[${NGINX_IPV6}]:80:80"
+ - "${NGINX_IPV4}:443:443"
+ - "[${NGINX_IPV6}]:443:443"
+ - "${NGINX_IPV4}:443:443/udp"
+ - "[${NGINX_IPV6}]:443:443/udp"
 # Uncomment to use gluetun
 # gluetun:
diff --git a/nginx/conf.d/companion.conf b/nginx/conf.d/companion.conf
index 75b6f8b..a2f70f6 100644
--- a/nginx/conf.d/companion.conf
+++ b/nginx/conf.d/companion.conf
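Review bot: In docker-compose.yml the six `ports:` entries now take their bind address from `${NGINX_IPV4}` and `${NGINX_IPV6}` with no required-check, so a missing or misspelled entry in `.env` interpolates to an empty string. Compose only warns about an unset variable, and a mapping such as `:80:80` is then either rejected or may end up published on every interface rather than the one intended address; which of the two happens should be confirmed against the Compose version in use. Making the variables mandatory fails fast instead: `- "${NGINX_IPV4:?set NGINX_IPV4 in .env}:80:80"` and `- "[${NGINX_IPV6:?set NGINX_IPV6 in .env}]:80:80"`, and likewise for the 443 TCP and UDP entries.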
@@ -1,19 +1,26 @@
+set $DOMAIN example.com # replace this of course
+
+upstream cu {
+ # s/companion/gluetun if using gluetun
+ server http://companion:8282;
+}
+
 server {
 listen 443 ssl;
 listen 443 quic;
 listen [::]:443 ssl;
 listen [::]:443 quic;
- server_name example.com;
+ server_name $DOMAIN;
- ssl_certificate /etc/ssl/example.com/fullchain.pem;
- ssl_certificate_key /etc/ssl/example.com/key.pem;
+ ssl_certificate /etc/ssl/$DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/ssl/$DOMAIN/key.pem;
- proxy_max_temp_file_size 0;
+ proxy_max_temp_file_size 0;
 location / {
- proxy_pass http://companion:8282;
- proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://cu;
+ proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header Host $host; # so Invidious knows domain
 proxy_http_version 1.1;
 proxy_set_header Connection "";
@@ -21,10 +28,10 @@ server {
 }
 location /youtubei/v1/player {
- proxy_pass http://companion:8282;
+ proxy_pass http://cu;
 }
 location /.well-known/acme-challenge {
- root /var/www/html/example.com;
+ root /var/www/html/$DOMAIN;
 }
 }
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 8496e59..ae73824 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -12,15 +12,10 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- log_format main '$remote_user [$time_local] "$request" '
- '$status $body_bytes_sent bytes "$http_referer" '
- '"$http_x_forwarded_for"';
-
- # While I removed PII from the above log format, still better not logging
- access_log /dev/null main; # /var/log/nginx/access.log main;
+ # Comment those to enable logging
+ access_log /dev/null main;
 error_log /dev/null; # most errors are insignificant
- server_tokens off;
 sendfile on;
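Review bot: The `$DOMAIN` indirection added at the top of nginx/conf.d/companion.conf cannot work as written: `set` is a rewrite-module directive that nginx accepts only inside `server`, `location` or `if`, the added line has no terminating `;` before its comment, and `server_name` does not expand variables. `ssl_certificate` does take variables on newer nginx, but the path is resolved during the TLS handshake, before any `set` would run, so the certificate lookup would most likely fail; this is worth confirming with `nginx -t` and a test handshake. The new `upstream cu` block also gives `server` a URL, while that directive expects `host:port`. I would keep the domain literal in `server_name` and the two certificate paths, as in the fence below; `root /var/www/html/$DOMAIN;` in the following hunk (`@@ -21,10 +28,10 @@`) relies on the same variable. The `server` block is closed only in that later hunk.

```nginx
upstream cu {
    server companion:8282;
}

server {
    # … unchanged: listen directives …
    server_name example.com;

    ssl_certificate /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/key.pem;
    # … unchanged: proxy_max_temp_file_size and location / …
```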
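Review bot: In nginx/nginx.conf the hunk deletes the `log_format main` definition, yet the re-added `access_log /dev/null main;` still names that format, which nginx rejects at config test as an unknown log format. `access_log off;` disables access logging without needing a format or a write to /dev/null. The same hunk also drops `server_tokens off;`, so the nginx version returns to the `Server` header and the built-in error pages; I would keep that line. Following the new comment and commenting the directive out falls back to the default `combined` format, which records `$remote_addr`, the PII that the removed format had been written to avoid. The `http` block starts and ends outside the hunk.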