탐색 도움말
로그인
bachir
/
editoria-debian-prod
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
소스 검색

ssl proxy

bach 3 년 전
부모
17a25756b4
커밋
3d898a7333
2개의 변경된 파일131개의 추가작업 그리고 0개의 파일을 삭제
통합 보기 변경상태 보기
  1. 54 0
      assets/nginx-ssl.conf
  2. 77 0
      readme.md

+ 54 - 0
assets/nginx-ssl.conf
파일 보기 

@@ -0,0 +1,54 @@
 
+server {
 
+  listen 80;
 
+  listen [::]:80;
 
+  server_name editoria.figli.io;
 
+  return 301 https://$server_name$request_uri;
 
+}
 
+
 
+server {
 
+  listen 443 ssl;
 
+  listen [::]:443 ssl;
 
+
 
+  server_name editoria.figli.io;
 
+
 
+  charset utf-8;
 
+
 
+  location = /favicon.ico { access_log off; log_not_found off; }
 
+  location = /robots.txt  { access_log off; log_not_found off; }
 
+
 
+  access_log on;
 
+  # error_log /var/logs/nginx/editoria.figli.io/error.log;
 
+
 
+  sendfile off;
 
+
 
+  client_max_body_size 100m;
 
+
 
+  #SSL Certificates
 
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
+  ssl_certificate "/etc/letsencrypt/live/editoria.figli.io/fullchain.pem";
 
+  ssl_certificate_key "/etc/letsencrypt/live/editoria.figli.io/privkey.pem";
 
+  ssl_dhparam /etc/nginx/ssl/certs/editoria.figli.io/dhparam.pem;
 
+  ssl_session_cache shared:SSL:1m;
 
+  ssl_session_timeout 10m;
 
+  ssl_ciphers HIGH:!aNULL:!MD5;
 
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
 
+  ssl_prefer_server_ciphers  on;
 
+
 
+  add_header Strict-Transport-Security "max-age=31536000;
 
+  #includeSubDomains" always;
 
+
 
+  location ~ /\.ht {
 
+    deny all;
 
+  }
 
+
 
+  location / {
 
+    proxy_pass http://127.0.0.1:9005;
 
+    proxy_set_header    Host $host;
 
+
 
+    proxy_connect_timeout 30;
 
+    proxy_send_timeout 30;
 
+  }
 
+
 
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
 
+  add_header X-Frame-Options SAMEORIGIN;
 
+}

+ 77 - 0
readme.md
파일 보기 

@@ -264,3 +264,80 @@ docker-compose -f docker-compose.production.yml up
 
 ```
 
 ```
 
 docker system prune
 
 docker system prune
 
 ```
 
 ```
 
+
 
+##  SSL
 
+
 
+```sh
 
+apt-get install --yes nginx certbot
 
+systemctl stop nginx
 
+certbot certonly --standalone -d your.domain.ltd --cert-name your.domain.ltd
 
+systemctl start nginx
 
+mkdir -p /etc/nginx/ssl/certs/your.domain.ltd
 
+openssl dhparam -out /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem 2048
 
+touch /var/spool/cron/crontabs/root
 
+crontab -l > /tmp/mycron
 
+echo "0 3 * * * certbot renew --pre-hook 'systemctl stop nginx' --post-hook 'systemctl start nginx' --cert-name your.domain.ltd" >> /tmp/mycron
 
+crontab /tmp/mycron
 
+rm /tmp/mycron
 
+
 
+echo '
 
+server {
 
+  listen 80;
 
+  listen [::]:80;
 
+  server_name your.domain.ltd;
 
+  return 301 https://$server_name$request_uri;
 
+}
 
+
 
+server {
 
+  listen 443 ssl;
 
+  listen [::]:443 ssl;
 
+
 
+  server_name your.domain.ltd;
 
+
 
+  charset utf-8;
 
+
 
+  location = /favicon.ico { access_log off; log_not_found off; }
 
+  location = /robots.txt  { access_log off; log_not_found off; }
 
+
 
+  access_log on;
 
+  # error_log /var/logs/nginx/your.domain.ltd/error.log;
 
+
 
+  sendfile off;
 
+
 
+  client_max_body_size 100m;
 
+
 
+  #SSL Certificates
 
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
+  ssl_certificate "/etc/letsencrypt/live/your.domain.ltd/fullchain.pem";
 
+  ssl_certificate_key "/etc/letsencrypt/live/your.domain.ltd/privkey.pem";
 
+  ssl_dhparam /etc/nginx/ssl/certs/your.domain.ltd/dhparam.pem;
 
+  ssl_session_cache shared:SSL:1m;
 
+  ssl_session_timeout 10m;
 
+  ssl_ciphers HIGH:!aNULL:!MD5;
 
+  #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
 
+  ssl_prefer_server_ciphers  on;
 
+
 
+  add_header Strict-Transport-Security "max-age=31536000;
 
+  #includeSubDomains" always;
 
+
 
+  location ~ /\.ht {
 
+    deny all;
 
+  }
 
+
 
+  location / {
 
+    proxy_pass http://127.0.0.1:9005;
 
+    proxy_set_header    Host $host;
 
+
 
+    proxy_connect_timeout 30;
 
+    proxy_send_timeout 30;
 
+  }
 
+
 
+  # website should not be displayed inside a <frame>, an <iframe> or an <object>
 
+  add_header X-Frame-Options SAMEORIGIN;
 
+}
 
+' > /etc/nginx/sites-available/your.domain.ltd.conf
 
+
 
+ln -s /etc/nginx/sites-available/your.domain.ltd.conf /etc/nginx/sites-enabled/
 
+
 
+systemctl restart nginx
 
+```