From b5609febf637df06999b3fbdb1eef984b44b21f4 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Thu, 11 Feb 2021 20:22:53 -0800
Subject: [PATCH] Adding some basic configuration for Nginx as a reverse proxy

For now the readme walks the user through how to generate any keys that may be required for self signing, more documentation to come in following patches on origin/nginx
---
 nginx-conf/freechat.conf | 18 ++++++++++++++++++
 nginx-conf/readme.md | 3 +++
 nginx-conf/self-signed.conf | 4 ++++
 nginx-conf/ssl-params.conf | 20 ++++++++++++++++++++
 4 files changed, 45 insertions(+)
 create mode 100644 nginx-conf/freechat.conf
 create mode 100644 nginx-conf/readme.md
 create mode 100644 nginx-conf/self-signed.conf
 create mode 100644 nginx-conf/ssl-params.conf

diff --git a/nginx-conf/freechat.conf b/nginx-conf/freechat.conf
new file mode 100644
index 0000000..941a9e3
--- /dev/null
+++ b/nginx-conf/freechat.conf
@@ -0,0 +1,18 @@
+server {
+ # Freechat servers should not bother adding support for unencrypted trafic
+ listen 443 ssl; # default_server;
+ listen [::]:443 ssl; # default_server;
+
+ # Uncomment this line if you are self signing your certs
+ #include snippets/self-signed.conf;
+
+ # General SSL/TLS settings for nginx
+ include snippets/ssl-params.conf;
+
+ server_name _;
+
+ location / {
+ proxy_pass http://0.0.0.0:4536;
+ }
+}
+
diff --git a/nginx-conf/readme.md b/nginx-conf/readme.md
new file mode 100644
index 0000000..15900e5
--- /dev/null
+++ b/nginx-conf/readme.md
@@ -0,0 +1,3 @@
+# Configs for Nginx Reverse Proxy
+
+The above are ultra minimal configs for setting up nginx.
diff --git a/nginx-conf/self-signed.conf b/nginx-conf/self-signed.conf
new file mode 100644
index 0000000..e27a200
--- /dev/null
+++ b/nginx-conf/self-signed.conf
@@ -0,0 +1,4 @@
+# This should only be used if you are planning on self signing
+
+ssl_certificate /etc/ssl/certs/freechat.crt;
+ssl_certificate_key /etc/ssl/private/freechat.key;
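Review bot: `proxy_pass http://0.0.0.0:4536;` in the `location /` block forwards nothing about the original request, so the application behind the proxy sees every connection as coming from nginx and cannot log, rate-limit or build absolute URLs from the real client; add `proxy_set_header` lines for Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto, and make sure the backend trusts those headers only when they arrive from this proxy. The upstream address `0.0.0.0` also reads as "any interface"; on Linux a connect to it lands on loopback, but `127.0.0.1` states the intent and does not rely on that behaviour. Separately, with `#include snippets/self-signed.conf;` commented out there is no `ssl_certificate`/`ssl_certificate_key` in scope for a `listen 443 ssl` server, so nginx will reject this config unless those directives are set at the `http` level somewhere this patch does not show — the comment should say that some certificate snippet is mandatory, not optional. The include paths point at `snippets/` while the files are committed under `nginx-conf/`, presumably to be copied into place by a step the readme does not yet describe.
```nginx
    location / {
        proxy_pass http://127.0.0.1:4536;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
```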
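Review bot: The header comment `# This should only be used if you are planning on self signing` is misleading: `ssl_certificate` and `ssl_certificate_key` are required for any TLS listener, CA-issued or self-signed, and the only thing specific to self-signing here is the file paths they point at. I would replace it with `# Certificate and private key for the freechat vhost; required for every TLS listener (self-signed or CA-issued) — adjust the paths if your files live elsewhere.` A second comment line noting that the key must stay readable only by root (`chmod 600 /etc/ssl/private/freechat.key`) would give the readme's key-generation steps a concrete target. Which user nginx reads the key as depends on the deployment, which this patch does not show, so the permission advice is a default rather than a guarantee.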
diff --git a/nginx-conf/ssl-params.conf b/nginx-conf/ssl-params.conf
new file mode 100644
index 0000000..5e393c2
--- /dev/null
+++ b/nginx-conf/ssl-params.conf
@@ -0,0 +1,20 @@
+ssl_protocols TLSv1 TLSV1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now. You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# literal misspelling
+ssl_dhparam /etc/ssl/certs/nginx-dev.pem;
+
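Review bot: `ssl_protocols TLSv1 TLSV1.1 TLSv1.2;` on the first line keeps TLS 1.0 and 1.1 enabled, both deprecated by RFC 8996 and flagged by every compliance scanner; since the commit explicitly refuses unencrypted traffic, it should be `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` only if the target nginx/OpenSSL predate 1.13.0/1.1.1), which also removes the odd `TLSV1.1` capitalisation. `resolver 8.8.8.8 8.8.4.4` sends the OCSP-stapling lookups in cleartext to a third-party resolver; a local or the system resolver is the usual choice for a self-hosted service. The `add_header` lines here are inherited by lower levels only while no `add_header` appears there, so any `location` that adds its own header silently drops HSTS, X-Frame-Options and nosniff — that deserves a comment above them. `ssl_ecdh_curve secp384r1;` disables X25519; `ssl_ecdh_curve X25519:secp384r1;` keeps the existing curve while allowing the faster one. The `# literal misspelling` comment above `ssl_dhparam` tells a reader nothing and should name what the file is, e.g. `# DH parameters for the DHE ciphers above; generate with: openssl dhparam -out /etc/ssl/certs/nginx-dev.pem 4096`.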