fix: remove hardcoded immich-ml

feat: support multi stream map & better errors
fix: support network restrictions in nginx.py
2026-04-26 22:02:29 +02:00 · 2026-03-21 23:34:04 +01:00 · 2026-03-21 22:26:58 +00:00 · 2026-03-21 23:18:26 +01:00 · 2026-03-21 23:07:45 +01:00
2 changed files with 33 additions and 3 deletions
--- a/nginx.py
+++ b/nginx.py
@@ -29,22 +29,44 @@ def dump_config(vmList, masterAddress):

        # ssl passthrough/no-terminate #
        ssl_passthrough_map = []
+        network_restrictions = {}
+
        for vmo in vmList:
            relevant_subdomains = filter(lambda x: x.get("no-terminate-ssl"), vmo.subdomains)
            for s in relevant_subdomains:
+
                # print(s, "ssl_target_port", s.get("ssl_target_port"))
                # build the map contents #
+
                if s.get("include-subdomains"):
                    match = "~.*{}".format(s.get("name"))
                else:
                    match = s.get("name")

+                geo_restriction = s.get("network-restriction")
+                if geo_restriction:
+                    network_restrictions.update({ match: geo_restriction })
+                    with open("templates/nginx_stream_ssl_map.conf.j2") as test:
+                        test_string = f"geo ${geo_restriction}"
+                        if test_string not in test.read():
+                            msg = f"{test_string} not defined in stream map."
+                            msg += "\nYou need to define it in "
+                            msg += "'templates/nginx_stream_ssl_map.conf.j2' first.\n"
+                            msg += "See geo \"$priviledged_networks {{...}}\" as an example"
+                            raise ValueError(msg)
+
+
                ssl_target_port = s.get("ssl_target_port") or 443
                ssl_passthrough_map.append("{} {}:{};".format(match, vmo.ip, ssl_target_port))

        environment = jinja2.Environment(loader=jinja2.FileSystemLoader(searchpath="./templates"))
        template = environment.get_template("nginx_stream_ssl_map.conf.j2")
-        f.write(template.render(ssl_passthrough_map=ssl_passthrough_map))
+        f.write(
+            template.render(
+                ssl_passthrough_map=ssl_passthrough_map,
+                network_restrictions=network_restrictions
+            )
+        )


        for vmo in vmList:
--- a/templates/nginx_stream_ssl_map.conf.j2
+++ b/templates/nginx_stream_ssl_map.conf.j2
@@ -32,10 +32,18 @@ map $block_connection $proxy_target {

 map $ssl_preread_server_name $is_restricted {
    default 0;
-    ~^immich-ml\.services\.atlantishq\.de$ 1;
+    {% for pattern, selected_network in network_restrictions.items() %}
+    {{ pattern }} 1;
+    {% endfor %}
 }

-map "$is_restricted:$priviledged_networks" $block_connection {
+map $ssl_preread_server_name $selected_network {
+    {% for pattern, selected_network in network_restrictions.items() %}
+    {{ pattern }} ${{ selected_network}};
+    {% endfor %}
+}
+
+map "$is_restricted:$selected_network" $block_connection {
    default 0;
    "1:0" 1;
 }
Author	SHA1	Message	Date
Kathrin Maurer	17cb059482	fix: remove hardcoded immich-ml	2026-03-21 23:34:04 +01:00
Sheppy	e79b8de175	feat: support multi stream map & better errors	2026-03-21 22:26:58 +00:00
Kathrin Maurer	1dc46606a0	fix: support network restrictions in nginx.py	2026-03-21 23:18:26 +01:00
Kathrin Maurer	f26ed30471	add: map chain for multi network	2026-03-21 23:07:45 +01:00