http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
"If the proxy_pass directive is specified with a URI, then when a request
is passed to the server, the part of a normalized request URI matching the
location is replaced by a URI specified in the directive"
we can just use container IP instead of all this httpPort exporting magic.
this is also required for exposing httpPaths feature (we have to otherwise
have multiple httpPorts).
'setup' endpoint for setup/restore. we show the setup wizard.
'ip' endpoint is post activation. we show a splash screen here.
Also, the https://ip will not respond to any api calls anymore
(since this will leak the admin fqdn otherwise).
We should probably make this customizable at some point.
Fixes#739
one of our users had the site reverse proxied. it broke after the
5.1 cipher change and they nailed it down to using this cipher.
https://security.stackexchange.com/questions/72926/is-tls-ecdhe-rsa-with-aes-128-cbc-sha256-a-safe-cipher-suite-to-use
says this is safe
The following prints the cipher suite:
log_format combined2 '$remote_addr - [$time_local] '
'$ssl_protocol/$ssl_cipher '
'"$request" $status $body_bytes_sent $request_time '
'"$http_referer" "$host" "$http_user_agent"';
It seems we cannot separate frame ancestors from CSP because the hide
header just hides everything and not a specific resource. This means
that the user has to set or unset the full policy whole sale.
