-
Notifications
You must be signed in to change notification settings - Fork 74
Behind nginx and https
Sten Feldman edited this page Jul 24, 2019
·
4 revisions
Pylon supports basic web authentication and as such, if you plan to use this app over the internet, it is recommended that you install a forwarding proxy like nginx and use encrypted traffic only via https. The below configuration will help you in setting up the forwarding:
-
Use https://letsencrypt.org to setup your nginx
-
A sample configuration file: Change the
<your fqdn>to your fully qualified domain name that you will also use to request certificate for.
# The port 80 is required for Let's Encrypt's ACME challenges to go through
server {
listen 80;
server_name default;
root /var/www/html;
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/letsencrypt;
}
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
return 301 https://<your fqdn>;
}
}
# The port 443 is the secured traffic
server {
listen 443 ssl;
server_name <your fqdn>;
ssl_certificate /etc/letsencrypt/live/<your fqdn>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<your fqdn>/privkey.pem;
# Poodle attack disable MITM
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Strong ciphers
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES2
56-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# Custom Diffie Hellman Ephemeral Parameters
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
location / {
proxy_pass http://localhost:8181;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_connect_timeout 7d;
proxy_send_timeout 7d;
proxy_read_timeout 7d;
client_max_body_size 10M;
}
# This is not required for Pylon, however, it shows how to map additional tools do sub-paths
location /mungit {
proxy_pass http://localhost:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}