    NGINX Reverse Proxy with Mozilla SSL Conf

    IT Discussion
    • A
      Alex Sage
      last edited by Alex Sage

      I am trying to get a working .conf for an NGINX reverse proxy using the Mozilla SSL Configuration Generator, but it keeps giving me issues.

      Anyone ever done this before?

      Here is the NGINX Modern example:

      server {
          listen 80 default_server;
          listen [::]:80 default_server;
      
          # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
          return 301 https://$host$request_uri;
      }
      
      server {
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
      
          # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
          ssl_certificate /path/to/signed_cert_plus_intermediates;
          ssl_certificate_key /path/to/private_key;
          ssl_session_timeout 1d;
          ssl_session_cache shared:SSL:50m;
          ssl_session_tickets off;
      
      
          # modern configuration. tweak to your needs.
          ssl_protocols TLSv1.2;
          ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
          ssl_prefer_server_ciphers on;
      
          # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
          add_header Strict-Transport-Security max-age=15768000;
      
          # OCSP Stapling ---
          # fetch OCSP records from URL in ssl_certificate and cache them
          ssl_stapling on;
          ssl_stapling_verify on;
      
          ## verify chain of trust of OCSP response using Root CA and Intermediate certs
          ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
      
          resolver <IP DNS resolver>;
      
          ....
      }
      

      https://mozilla.github.io/server-side-tls/ssl-config-generator/

      • A
        Alex Sage
        last edited by

        Certificates will be from Let's Encrypt of course 🙂

        • black3dynamiteB
          black3dynamite
          last edited by

          What are your issues?

          • A
            Alex Sage @black3dynamite
            last edited by

            @black3dynamite when I tried to merge together my existing .conf with this I kept getting errors. Hoping someone here with more nginx experience can help 🙂

            • A
              Alex Sage
              last edited by

              I'll have to try it again soon, and provide more details.

              • A
                Alex Sage
                last edited by Alex Sage

                 server {
                     listen 80 default_server;
                     listen [::]:80 default_server;
                 
                     # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
                     return 301 https://$host$request_uri;
                 }
                 
                 server {
                     listen 443 ssl http2;
                     listen [::]:443 ssl http2;
                

                How do I change this to listen for subdomain.domain.com?

                Also, where do I add in the location lines?

                 location / {
                     proxy_set_header X-Real-IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     proxy_set_header X-NginX-Proxy true;
                     proxy_pass http://<IP_ADDRESS>:<PORT>;
                     proxy_redirect off;
                 }
                
                • JaredBuschJ
                  JaredBusch @Alex Sage
                  last edited by

                  @aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

                  How do I change this to listen for subdomain.domain.com?

                  I would guess in the list that says listen. Just a guess...

                  • JaredBuschJ
                    JaredBusch @Alex Sage
                    last edited by

                    @aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

                    https://mozilla.github.io/server-side-tls/ssl-config-generator/

                    This strictly shows the SSL setup. None of the rest of the NginX setup.

                    • JaredBuschJ
                      JaredBusch @Alex Sage
                      last edited by

                      @aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

                      Also, where do I add in the location lines?

                      This is probably a good place to start.
                      https://mangolassi.it/tags/nginx

                      Then maybe this.
                      https://mangolassi.it/search?term=nginx&in=titlesposts

                      • A
                        Alex Sage
                        last edited by Alex Sage

                        This is what I came up with. Going to make dinner, but I'll be back soon to test it 🙂

                        server {
                            listen 80 default_server;
                            listen [::]:80 default_server;
                            server_name sub.domain.com;
                        
                            # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
                            return 301 https://$host$request_uri;
                        }
                        
                        server {
                            listen 443 ssl http2;
                            listen [::]:443 ssl http2;
                            server_name sub.domain.com;
                        
                            location / {
                                proxy_set_header X-Real-IP $remote_addr;
                                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                proxy_set_header Host $http_host;
                                proxy_set_header X-NginX-Proxy true;
                                proxy_pass http://<IP_ADDRESS>:<PORT>;
                                proxy_redirect off;
                            }
                        
                            # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
                            ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
                            ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
                            ssl_session_timeout 1d;
                            ssl_session_cache shared:SSL:50m;
                            ssl_session_tickets off;
                        
                        
                            # modern configuration. tweak to your needs.
                            ssl_protocols TLSv1.2;
                            ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
                            ssl_prefer_server_ciphers on;
                        
                            # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
                            add_header Strict-Transport-Security max-age=15768000;
                        
                            # OCSP Stapling ---
                            # fetch OCSP records from URL in ssl_certificate and cache them
                            ssl_stapling on;
                            ssl_stapling_verify on;
                        
                            ## verify chain of trust of OCSP response using Root CA and Intermediate certs
                            ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
                        
                            resolver 1.1.1.1;
                        
                        }
                        
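As an added example (not code from this thread or from the nginx project), here is a small Python checker that parses a server block like the one above and flags the settings the Mozilla template exists to get right: legacy protocol versions, session tickets left on, a missing or too-short HSTS header, HSTS shadowed by an add_header inside a location (nginx only inherits add_header into a level that defines none of its own), OCSP stapling switched on without its trusted chain and resolver, and a proxy_pass that forwards no X-Forwarded-Proto so the backend cannot tell the client arrived over HTTPS. The two configs embedded in it are constructed: the first mirrors the final block in this thread with a made-up backend address, the second is a deliberately weakened variant.

```python
"""Offline audit of an nginx config for the TLS settings the Mozilla template sets (added example)."""
import re

# Token classes: whitespace, comment, 'quoted', "quoted", structural chars, bare word.
_TOKEN = re.compile(r"""\s+|\#[^\n]*|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};'"\#]+""")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def tokenize(text):
    """Yield config tokens, skipping whitespace and comments, unquoting strings."""
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if not tok.isspace() and not tok.startswith("#"):
            yield tok[1:-1] if tok[0] in "'\"" else tok

def parse(text):
    """Return nested [(name, args, children)]; children is None for simple directives."""
    stack, words = [[]], []  # stack[-1] is the block currently being filled
    for tok in tokenize(text):
        if tok in (";", "{"):
            kids = [] if tok == "{" else None
            stack[-1].append((words[0], words[1:], kids))
            if kids is not None:
                stack.append(kids)
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or trailing directive")
    return stack[0]

def _args(items, name):
    return [a for n, a, _ in items if n == name]

def _hsts_age(items):
    """max-age of a Strict-Transport-Security add_header at this level, or None if absent."""
    hsts = [" ".join(a) for a in _args(items, "add_header")
            if a and a[0].lower() == "strict-transport-security"]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    return int(m.group(1)) if m else (0 if hsts else None)

def audit_server(srv):
    """Return [(code, detail)] findings for one parsed server block."""
    out = []
    if not any("ssl" in a for a in _args(srv, "listen")):
        if not any(len(a) > 1 and a[0] == "301" and a[1].startswith("https://") for a in _args(srv, "return")):
            out.append(("http-no-redirect", "plain-HTTP block does not 301 to https://"))
        return out
    out += [("weak-protocol", p) for p in sorted({p for a in _args(srv, "ssl_protocols") for p in a} & WEAK_PROTOCOLS)]
    if ["off"] not in _args(srv, "ssl_session_tickets"):
        out.append(("tickets-on", "ticket key rotates only on reload, weakening forward secrecy"))
    age = _hsts_age(srv)
    if age is None:
        out.append(("no-hsts", "no Strict-Transport-Security header at server level"))
    elif age < 15768000:  # the six-month max-age the template uses
        out.append(("hsts-short", "HSTS max-age=%d is under six months" % age))
    if ["on"] in _args(srv, "ssl_stapling"):
        for need in ("ssl_stapling_verify", "ssl_trusted_certificate", "resolver"):
            if not _args(srv, need):
                out.append(("stapling-incomplete", "%s missing" % need))
    for a, kids in ((a, k) for n, a, k in srv if n == "location" and k is not None):
        loc = "location " + " ".join(a)
        if age is not None and _args(kids, "add_header"):
            out.append(("hsts-shadowed", loc + " sets add_header, so server-level HSTS is not inherited there"))
        hdrs = {h[0].lower() for h in _args(kids, "proxy_set_header") if h}
        if _args(kids, "proxy_pass") and "x-forwarded-proto" not in hdrs:
            out.append(("no-forwarded-proto", loc + " proxies without X-Forwarded-Proto; backend cannot tell HTTPS from HTTP"))
    return out

def audit(text):
    return [f for n, _, kids in parse(text) if n == "server" and kids for f in audit_server(kids)]

# Constructed sample modelled on the final block in this thread; the backend address is made up.
SAMPLE_CONF = """
server { listen 80 default_server; server_name sub.example.com; return 301 https://$host$request_uri; }
server {
    listen 443 ssl http2; server_name sub.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem; resolver 1.1.1.1;
    location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $http_host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_pass http://10.0.0.5:8080; proxy_redirect off; }
}
"""
# Constructed weak variant: legacy protocols, tickets left on, short HSTS shadowed inside location.
WEAK_CONF = """
server { listen 80; server_name sub.example.com; location / { proxy_pass http://10.0.0.5:8080; } }
server { listen 443 ssl; server_name sub.example.com; ssl_stapling on;
         ssl_certificate /etc/ssl/fullchain.pem; ssl_certificate_key /etc/ssl/privkey.pem;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; add_header Strict-Transport-Security "max-age=300";
         location / { add_header X-Frame-Options DENY; proxy_set_header X-Forwarded-Proto $scheme;
                      proxy_pass http://10.0.0.5:8080; } }
"""
```

Run audit() on the text of the file you are about to hand to nginx -t; on the constructed SAMPLE_CONF the only finding is the missing X-Forwarded-Proto header, while WEAK_CONF trips every other check. The parser is deliberately minimal (no include expansion, no variable evaluation) and the checks cover only the directives this thread uses.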
                        • A
                          Alex Sage
                          last edited by

                          This post is deleted!
                          • A
                            Alex Sage
                            last edited by Alex Sage

                            This post is deleted!
                            • A
                              Alex Sage
                              last edited by

                              Got it!

                              [screenshot image from the original post]

                              .conf coming soon!

                              • A
                                Alex Sage
                                last edited by

                                https://github.com/aaronstuder/lxq/blob/master/wildcard.temp

                                • JaredBuschJ
                                  JaredBusch
                                  last edited by

                                  WTF does this have to do with Wildcard?

                                  It is simply a Nginx config. Nginx doesn't give a shit about the number of SAN on a cert.

                                  • wirestyle22W
                                    wirestyle22 @Alex Sage
                                    last edited by wirestyle22

                                    @aaronstuder You delete a lot of your posts on each thread you create and it is a lot less helpful for people who are trying to find answers to questions. I have no idea what your problem was or what the solution was. This looks like a normal nginx server block.

                                    • A
                                      Alex Sage @wirestyle22
                                      last edited by

                                      @wirestyle22 Huh?

                                      • coliverC
                                        coliver @Alex Sage
                                        last edited by

                                        @aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

                                        @wirestyle22 Huh?

                                        You delete and edit posts after the fact. It'd be easier to just leave them as is and let people see the process.

                                        • wirestyle22W
                                          wirestyle22
                                          last edited by wirestyle22

                                          @aaronstuder what do you learn from this?

                                          Post 1: What is this config? --edited and corrected
                                          Post 2: deleted
                                          Post 3: deleted
                                          Post 4: Working!
