From 32f443368d189c439c74844d2af2e8804eb540ce Mon Sep 17 00:00:00 2001
From: Dominic Ricottone
Date: Wed, 28 Jun 2023 11:10:18 -0500
Subject: [PATCH] Proxy and TLS updates

Include configuration for proxying on HTTP 1.1, which enabled keepalive. Also adding configuration for automatic connection upgrading as needed. Update configuration for TLS ciphers. Include a simple configuration file for enabling encryption.
---
 nginx/nginx.conf | 6 ++++++
 nginx/proxy.conf | 5 +++++
 nginx/tls.conf | 2 ++
 3 files changed, 13 insertions(+)
 create mode 100644 nginx/tls.conf

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index be0dfc5..c7bfc23 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -13,11 +13,17 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
 server_tokens off;
 client_max_body_size 1m;
 sendfile on;
 tcp_nopush on;
 ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:2m;
 ssl_session_timeout 1h;
diff --git a/nginx/proxy.conf b/nginx/proxy.conf
index a89f03b..8a841af 100644
--- a/nginx/proxy.conf
+++ b/nginx/proxy.conf
@@ -1,5 +1,10 @@
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
 real_ip_header X-Forwarded-For;
 real_ip_recursive on;
+
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/nginx/tls.conf b/nginx/tls.conf
new file mode 100644
index 0000000..1b47f55
--- /dev/null
+++ b/nginx/tls.conf
@@ -0,0 +1,2 @@
+ssl_certificate /var/lets-encrypt/fullchain.cert;
+ssl_certificate_key /var/lets-encrypt/private.key;
--
2.45.2
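Review bot: Two of the names in the added `ssl_ciphers` line, ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512, are not OpenSSL cipher suite names (the TLS 1.2 AES-256-GCM suites pair with SHA384, not SHA512), and OpenSSL generally ignores unrecognised entries in a cipher string rather than failing, so the effective list is shorter than the file suggests. The DHE-RSA entries are only negotiable when `ssl_dhparam` is configured, which is not visible in this hunk, and the trailing ECDHE-RSA-AES256-SHA384 is a CBC (non-AEAD) suite that the rest of the list otherwise avoids. Note also that `ssl_ciphers` only governs TLS 1.2 here; the TLS 1.3 suites enabled via `ssl_protocols` are selected separately. I would reduce the line to suites that actually exist, e.g. `ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;`, and add the ECDHE-ECDSA-AES256-GCM-SHA384 counterpart if the certificate referenced in tls.conf is ever issued with an EC key, since the current list admits only RSA-authenticated suites.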
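Review bot: The new `proxy_set_header Connection $connection_upgrade;` line, combined with the `'' close;` branch of the map added in nginx.conf, sends `Connection: close` to the upstream on every request that is not a protocol upgrade, so `proxy_http_version 1.1` does not by itself provide the upstream keepalive the commit message describes. If keepalive to the backend is intended, the non-upgrade branch of the map should yield an empty value (`'' "";`), which makes nginx omit the header, and the upstream block (outside this diff) needs a `keepalive` directive; if only WebSocket upgrading is intended, the commit message should say so. Since proxy.conf is an included snippet, a leading comment such as `# requires the $connection_upgrade map defined in nginx.conf` would make the dependency on the other file explicit for anyone including it elsewhere.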
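Review bot: tls.conf references the private key at `/var/lets-encrypt/private.key` with no note on how that file is protected; nginx typically loads the key in the root-owned master process at startup, so the file should be root-owned with mode 0600 and need not be readable by the worker user. A one-line comment at the top of the new file, such as `# key must be root-owned, mode 0600; loaded by the master process at startup`, would keep that requirement next to the path. The file also only sets the certificate pair, while the protocol and cipher policy come from the `http` block in nginx.conf, which is worth stating in the same comment so the snippet is not mistaken for a complete TLS configuration.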