diff --git a/infra/nginx-edge/nginx.conf b/infra/nginx-edge/nginx.conf index d5e23f8..2d94e82 100644 --- a/infra/nginx-edge/nginx.conf +++ b/infra/nginx-edge/nginx.conf @@ -19,6 +19,12 @@ http { "" "cookieCheck=1"; } + # NPM termina TLS: lo schema reale arriva in X-Forwarded-Proto. + map $http_x_forwarded_proto $forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + server { listen 80; server_name _; @@ -66,32 +72,31 @@ http { proxy_set_header Cookie $hls_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $forwarded_proto; + # MediaMTX risponde 302 con Location http://… — il browser HTTPS lo blocca. + proxy_redirect http://$host/ https://$host/; + proxy_redirect http://$http_host/ https://$host/; # MediaMTX risponde 302 verso /live/match_{uuid}/… — riscrive per restare sotto /hls/ proxy_redirect /live/ /hls/live/; proxy_redirect ~^/live/(.*)$ /hls/live/$1; } - # Fallback: se il browser segue un redirect assoluto a /live/match_{uuid}/… (m3u8/ts). + # HLS cookie redirect di MediaMTX: passa da Rails (proxy con follow interno). location ~ ^/live/match_[0-9a-f-]+/ { limit_except GET HEAD { deny all; } - rewrite ^/live/(.*)$ /$1 break; - proxy_pass http://mediamtx:8888; + proxy_pass http://$rails_backend; proxy_http_version 1.1; proxy_buffering off; proxy_request_buffering off; proxy_connect_timeout 5s; proxy_read_timeout 3600s; proxy_set_header Host $host; - proxy_set_header Cookie $hls_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_redirect /live/ /hls/live/; - proxy_redirect ~^/live/(.*)$ /hls/live/$1; + proxy_set_header X-Forwarded-Proto $forwarded_proto; } location = /edge-health {