nginx: add separate endpoint for ip/setup screens

'setup' endpoint for setup/restore. we show the setup wizard.
'ip' endpoint is post activation. we show a splash screen here.

Also, the https://ip will not respond to any api calls anymore
(since this will leak the admin fqdn otherwise).

We should probably make this customizable at some point.

Fixes #739

src/nginxconfig.ejs

@@ -6,51 +6,57 @@ map $http_upgrade $connection_upgrade {
 
 # http server
 server {
-    listen       80;
-    server_tokens off; # hide version
+<% if (endpoint === 'ip' || endpoint === 'setup') { -%>
+    listen 80 default_server;
+    server_name _;
 <% if (hasIPv6) { -%>
-    listen       [::]:80;
+    listen [::]:80 default_server;
 <% } -%>
-
-<% if (vhost) { -%>
-    server_name  <%= vhost %>;
 <% } else { -%>
-    # IP based access for initial cloudron setup. TODO: match the IPv6 address
-    server_name  "~^\d+\.\d+\.\d+\.\d+$";
+    listen 80;
+    server_name  <%= vhost %>;
+<% if (hasIPv6) { -%>
+    listen [::]:80;
+<% } -%>
 <% } -%>
 
-    # acme challenges (for cert renewal where the vhost config exists)
+    server_tokens off; # hide version
+
+    # acme challenges
     location /.well-known/acme-challenge/ {
         default_type text/plain;
         alias /home/yellowtent/platformdata/acme/;
     }
 
+    # for default server, serve the splash page. for other endpoints, redirect to HTTPS
     location / {
-        # redirect everything to HTTPS
-<% if ( endpoint === 'admin' ) { %>
+<% if ( endpoint === 'admin' || endpoint === 'setup' ) { %>
         return 301 https://$host$request_uri;
 <% } else if ( endpoint === 'app' ) { %>
         return 301 https://$host$request_uri;
 <% } else if ( endpoint === 'redirect' ) { %>
         return 301 https://<%= redirectTo %>$request_uri;
+<% } else if ( endpoint === 'ip' ) { %>
+        root <%= sourceDir %>/dashboard/dist;
+        try_files /splash.html =404;
 <% } %>
-
     }
 }
 
 # https server
 server {
-<% if (vhost) { -%>
-    server_name  <%= vhost %>;
-    listen       443 ssl http2;
-<% if (hasIPv6) { -%>
-    listen       [::]:443 ssl http2;
-<% } -%>
-<% } else { -%>
+<% if (endpoint === 'ip' || endpoint === 'setup') { -%>
     listen       443 ssl http2 default_server;
+    server_name _;
 <% if (hasIPv6) { -%>
     listen       [::]:443 ssl http2 default_server;
 <% } -%>
+<% } else { -%>
+    listen       443 ssl http2;
+    server_name  <%= vhost %>;
+<% if (hasIPv6) { -%>
+    listen       [::]:443 ssl http2;
+<% } -%>
 <% } -%>
 
     server_tokens off; # hide version
@@ -94,7 +100,7 @@ server {
     # enable for proxied requests as well
     gzip_proxied any;
 
-<% if ( endpoint === 'admin' ) { -%>
+<% if ( endpoint === 'admin' || endpoint === 'ip' || endpoint === 'setup' ) { -%>
     # CSP headers for the admin/dashboard resources
     add_header Content-Security-Policy "default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
 <% } else { %>
@@ -171,7 +177,7 @@ server {
         }
 <% } %>
 
-<% if ( endpoint === 'admin' ) { %>
+<% if ( endpoint === 'admin' || endpoint === 'setup' ) { %>
         location /api/ {
             proxy_pass   http://127.0.0.1:3000;
             client_max_body_size 1m;
@@ -216,6 +222,11 @@ server {
         # redirect everything to the app. this is temporary because there is no way
         # to clear a permanent redirect on the browser
         return 302 https://<%= redirectTo %>$request_uri;
+<% } else if ( endpoint === 'ip' ) { %>
+        location / {
+            root   <%= sourceDir %>/dashboard/dist;
+            try_files /splash.html =404;
+        }
 <% } %>
     }
 }