ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    NGINX Reverse Proxy with Mozilla SSL Conf

    Scheduled Pinned Locked Moved IT Discussion
    19 Posts 5 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch @Alex Sage
      last edited by

      @aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

      Also, where do I add in the location lines?

      This is probably a good place to start.
      https://mangolassi.it/tags/nginx

      Then maybe this.
      https://mangolassi.it/search?term=nginx&in=titlesposts

      1 Reply Last reply Reply Quote 0
      • A
        Alex Sage
        last edited by Alex Sage

        This is what I came up with. Going to make dinner, but I'll be back soon to test it 🙂

        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name sub.domain.com;
        
            # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
            return 301 https://$host$request_uri;
        }
        
        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name sub.domain.com;
        
            location / {
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header Host $http_host;
                        proxy_set_header X-NginX-Proxy true;
                        proxy_pass http://<IP_ADDRESS>:<PORT>;
                        proxy_redirect off;
                }
        
            # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
            ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:50m;
            ssl_session_tickets off;
        
        
            # modern configuration. tweak to your needs.
            ssl_protocols TLSv1.2;
            ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
            ssl_prefer_server_ciphers on;
        
            # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
            add_header Strict-Transport-Security max-age=15768000;
        
            # OCSP Stapling ---
            # fetch OCSP records from URL in ssl_certificate and cache them
            ssl_stapling on;
            ssl_stapling_verify on;
        
            ## verify chain of trust of OCSP response using Root CA and Intermediate certs
            ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
        
            resolver 1.1.1.1;
        
        }
        
        1 Reply Last reply Reply Quote 0
        • A
          Alex Sage
          last edited by

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • A
            Alex Sage
            last edited by Alex Sage

            This post is deleted!
            1 Reply Last reply Reply Quote 0
            • A
              Alex Sage
              last edited by

              Got it!

              0_1541553753187_d4c1fbf4-50c2-4c75-a912-648ab38aaaab-image.png

              .conf coming soon!

              1 Reply Last reply Reply Quote 0
              • A
                Alex Sage
                last edited by

                https://github.com/aaronstuder/lxq/blob/master/wildcard.temp

                wirestyle22W 1 Reply Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch
                  last edited by

                  WTF does this have to do with Wildcard?

                  It is simply a Nginx config. Nginx doesn't give a shit about the number of SAN on a cert.

                  1 Reply Last reply Reply Quote 1
                  • wirestyle22W
                    wirestyle22 @Alex Sage
                    last edited by wirestyle22

                    @aaronstuder You delete a lot of your posts on each thread you create and it is a lot less helpful for people who are trying to find answers to questions. I have no idea what your problem was or what the solution was. This looks like a normal nginx server block.

                    A 1 Reply Last reply Reply Quote 0
                    • A
                      Alex Sage @wirestyle22
                      last edited by

                      @wirestyle22 Huh?

                      coliverC 1 Reply Last reply Reply Quote 0
                      • coliverC
                        coliver @Alex Sage
                        last edited by

                        @aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

                        @wirestyle22 Huh?

                        You delete and edit posts after the fact. It'd be easier to just leave them as is and let people see the process.

                        1 Reply Last reply Reply Quote 2
                        • wirestyle22W
                          wirestyle22
                          last edited by wirestyle22

                          @aaronstuder what do you learn from this?

                          Post 1: What is this config? --edited and corrected
                          Post 2: deleted
                          Post 3: deleted
                          Post 4: Working!

                          1 Reply Last reply Reply Quote 1
                          • 1 / 1
                          • First post
                            Last post