From db7446e92ecea306bc949df100c4a3e655b97ed0 Mon Sep 17 00:00:00 2001
From: Lee Spottiswood <me@lee.io>
Date: Wed, 22 Nov 2023 16:36:12 +0000
Subject: [PATCH 1/2] rewrite to forwarded scheme

---
 .ci/kustomize/base/app-ingress-ans.yaml     |  1 -
 .ci/kustomize/base/app-ingress.yaml         |  2 --
 .ci/kustomize/overlays/uat/app-ingress.yaml |  2 --
 nginx/nginx.conf                            | 27 ++++++++++++---------
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.ci/kustomize/base/app-ingress-ans.yaml b/.ci/kustomize/base/app-ingress-ans.yaml
index b5280b83c..098ce7910 100644
--- a/.ci/kustomize/base/app-ingress-ans.yaml
+++ b/.ci/kustomize/base/app-ingress-ans.yaml
@@ -4,7 +4,6 @@ kind: Ingress
 metadata:
   name: app-ingress-ans
   annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
     cert-manager.io/cluster-issuer: letsencrypt-http
 spec:
   rules:
diff --git a/.ci/kustomize/base/app-ingress.yaml b/.ci/kustomize/base/app-ingress.yaml
index ff6906d32..c7b4156f1 100644
--- a/.ci/kustomize/base/app-ingress.yaml
+++ b/.ci/kustomize/base/app-ingress.yaml
@@ -3,8 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: app-ingress
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
 spec:
   rules:
   - host: docs.ukfast.co.uk
diff --git a/.ci/kustomize/overlays/uat/app-ingress.yaml b/.ci/kustomize/overlays/uat/app-ingress.yaml
index 0544ea088..be2b389f1 100644
--- a/.ci/kustomize/overlays/uat/app-ingress.yaml
+++ b/.ci/kustomize/overlays/uat/app-ingress.yaml
@@ -3,8 +3,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: app-ingress
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
 spec:
   rules:
   - host: REPLACE_ME
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 2da61c847..de4b91d96 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -24,6 +24,11 @@ http {
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
 
+    map $http_x_forwarded_proto $http_scheme {
+        default "http";
+        https   "https";
+    }
+
     server {
         listen       80 default_server;
         listen       [::]:80 default_server;
@@ -38,17 +43,17 @@ http {
             proxy_pass http://elasticsearch:9200/;
         }
         
-        rewrite ^(?!(\/docs|\/search))\/(.*)$ /docs/$2 permanent;
-        rewrite ^\/docs\/(((?!index).)*)\.html$ /docs/$1/ permanent;
-
-        rewrite ^/docs/cloud/(.*)$ /docs/ecloud/$1 permanent;
-        rewrite ^/docs/ecloud/hybridandprivate/(.*)$ /docs/ecloud/private/$1 permanent;
-        rewrite ^/docs/Domains/(.*)$ /docs/domains/$1 permanent;
-        rewrite ^/docs/ecommercestacks/magento/magento2/nginxphpfilewhitelist.html /docs/ecommercestacks/magento/magento2/nginxphpfileallowlist.html permanent;
-        rewrite ^/docs/operatingsystems/linux/mail/blacklists.html /docs/email/blocklists.html permanent;
-        rewrite ^/docs/security/threatmonitoring/alert-remediation-tips/ip-whitelist.html /docs/security/threatmonitoring/alert-remediation-tips/ip-allowlist.html permanent;
-        rewrite ^/docs/operatingsystems/linux/mail/(.*)$ /docs/email/$1 permanent;
-        rewrite ^/docs/operatingsystems/windows/hmail/antispamsetup.html /docs/email/hmail-antispam-setup.html permanent;
+        rewrite ^(?!(\/docs|\/search))\/(.*)$ $http_scheme://$host/docs/$2 permanent;
+        rewrite ^\/docs\/(((?!index).)*)\.html$ $http_scheme://$host/docs/$1/ permanent;
+
+        rewrite ^/docs/cloud/(.*)$ $http_scheme://$host/docs/ecloud/$1 permanent;
+        rewrite ^/docs/ecloud/hybridandprivate/(.*)$ $http_scheme://$host/docs/ecloud/private/$1 permanent;
+        rewrite ^/docs/Domains/(.*)$ $http_scheme://$host/docs/domains/$1 permanent;
+        rewrite ^/docs/ecommercestacks/magento/magento2/nginxphpfilewhitelist.html $http_scheme://$host/docs/ecommercestacks/magento/magento2/nginxphpfileallowlist.html permanent;
+        rewrite ^/docs/operatingsystems/linux/mail/blacklists.html $http_scheme://$host/docs/email/blocklists.html permanent;
+        rewrite ^/docs/security/threatmonitoring/alert-remediation-tips/ip-whitelist.html $http_scheme://$host/docs/security/threatmonitoring/alert-remediation-tips/ip-allowlist.html permanent;
+        rewrite ^/docs/operatingsystems/linux/mail/(.*)$ $http_scheme://$host/docs/email/$1 permanent;
+        rewrite ^/docs/operatingsystems/windows/hmail/antispamsetup.html $http_scheme://$host/docs/email/hmail-antispam-setup.html permanent;
 
         location /docs/robots.txt {
             alias /usr/share/nginx/docs.ukfast.co.uk/html/docs/_static/robots.txt;

From 353cb3055514b171142eb94c3370920be389e0fe Mon Sep 17 00:00:00 2001
From: Lee Spottiswood <me@lee.io>
Date: Wed, 22 Nov 2023 16:41:56 +0000
Subject: [PATCH 2/2] disable absolute redirect

---
 nginx/nginx.conf | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index de4b91d96..32145f3e0 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -24,17 +24,14 @@ http {
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
 
-    map $http_x_forwarded_proto $http_scheme {
-        default "http";
-        https   "https";
-    }
-
     server {
         listen       80 default_server;
         listen       [::]:80 default_server;
         server_name  _;
         root        /usr/share/nginx/docs.ukfast.co.uk/html;
-        include /etc/nginx/default.d/*.conf;
+        include     /etc/nginx/default.d/*.conf;
+
+        absolute_redirect off;
 
         location /search/ {
             if ($request_method != GET) {
@@ -43,17 +40,17 @@ http {
             proxy_pass http://elasticsearch:9200/;
         }
         
-        rewrite ^(?!(\/docs|\/search))\/(.*)$ $http_scheme://$host/docs/$2 permanent;
-        rewrite ^\/docs\/(((?!index).)*)\.html$ $http_scheme://$host/docs/$1/ permanent;
-
-        rewrite ^/docs/cloud/(.*)$ $http_scheme://$host/docs/ecloud/$1 permanent;
-        rewrite ^/docs/ecloud/hybridandprivate/(.*)$ $http_scheme://$host/docs/ecloud/private/$1 permanent;
-        rewrite ^/docs/Domains/(.*)$ $http_scheme://$host/docs/domains/$1 permanent;
-        rewrite ^/docs/ecommercestacks/magento/magento2/nginxphpfilewhitelist.html $http_scheme://$host/docs/ecommercestacks/magento/magento2/nginxphpfileallowlist.html permanent;
-        rewrite ^/docs/operatingsystems/linux/mail/blacklists.html $http_scheme://$host/docs/email/blocklists.html permanent;
-        rewrite ^/docs/security/threatmonitoring/alert-remediation-tips/ip-whitelist.html $http_scheme://$host/docs/security/threatmonitoring/alert-remediation-tips/ip-allowlist.html permanent;
-        rewrite ^/docs/operatingsystems/linux/mail/(.*)$ $http_scheme://$host/docs/email/$1 permanent;
-        rewrite ^/docs/operatingsystems/windows/hmail/antispamsetup.html $http_scheme://$host/docs/email/hmail-antispam-setup.html permanent;
+        rewrite ^(?!(\/docs|\/search))\/(.*)$ /docs/$2 permanent;
+        rewrite ^\/docs\/(((?!index).)*)\.html$ /docs/$1/ permanent;
+
+        rewrite ^/docs/cloud/(.*)$ /docs/ecloud/$1 permanent;
+        rewrite ^/docs/ecloud/hybridandprivate/(.*)$ /docs/ecloud/private/$1 permanent;
+        rewrite ^/docs/Domains/(.*)$ /docs/domains/$1 permanent;
+        rewrite ^/docs/ecommercestacks/magento/magento2/nginxphpfilewhitelist.html /docs/ecommercestacks/magento/magento2/nginxphpfileallowlist.html permanent;
+        rewrite ^/docs/operatingsystems/linux/mail/blacklists.html /docs/email/blocklists.html permanent;
+        rewrite ^/docs/security/threatmonitoring/alert-remediation-tips/ip-whitelist.html /docs/security/threatmonitoring/alert-remediation-tips/ip-allowlist.html permanent;
+        rewrite ^/docs/operatingsystems/linux/mail/(.*)$ /docs/email/$1 permanent;
+        rewrite ^/docs/operatingsystems/windows/hmail/antispamsetup.html /docs/email/hmail-antispam-setup.html permanent;
 
         location /docs/robots.txt {
             alias /usr/share/nginx/docs.ukfast.co.uk/html/docs/_static/robots.txt;