This commit is contained in:
H.T. Kruitbosch 2017-11-28 15:40:46 +01:00
parent 63884e696b
commit 757270c53f


@ -176,48 +176,48 @@ You can use nginx to proxy your website, and add https-support (instead of plain
files efficiently. Make sure nginx is installed and configure the website, for example by creating the files efficiently. Make sure nginx is installed and configure the website, for example by creating the
`/etc/nginx/conf.d/yourwebsite.conf` file on centos: `/etc/nginx/conf.d/yourwebsite.conf` file on centos:
# Make sure the port matches # Make sure the port matches
upstream yourwebsiteupstream { upstream yourwebsiteupstream {
server 127.0.0.1:8890; server 127.0.0.1:8890;
}
# Forward http to https
server {
listen 80;
server_name cosmo.service.rug.nl;
return 301 https://$host$request_uri;
}
server {
client_max_body_size 64M;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
listen 443 ssl;
server_name cosmo.service.rug.nl;
ssl_certificate /etc/nginx/conf.d/cosmo.service.rug.nl.pem;
ssl_certificate_key /etc/nginx/conf.d/cosmo.service.rug.nl.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias absolute-path-to/rugwebsite/static/;
} }
location / { # Forward http to https
proxy_pass http://yourwebsiteupstream/; server {
proxy_set_header Host cosmo.service.rug.nl; listen 80;
proxy_set_header X-Forwarded-For $remote_addr; server_name cosmo.service.rug.nl;
return 301 https://$host$request_uri;
# This setting is important, it allows SAML2 to verify the provider url, whithout getting into trouble because }
# the https-part is handled by nginx, and hence not seen by the django SAML2 code.
proxy_set_header X_FORWARDED_PROTO https; server {
client_max_body_size 64M;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
listen 443 ssl;
server_name cosmo.service.rug.nl;
ssl_certificate /etc/nginx/conf.d/cosmo.service.rug.nl.pem;
ssl_certificate_key /etc/nginx/conf.d/cosmo.service.rug.nl.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
alias absolute-path-to/rugwebsite/static/;
}
location / {
proxy_pass http://yourwebsiteupstream/;
proxy_set_header Host cosmo.service.rug.nl;
proxy_set_header X-Forwarded-For $remote_addr;
# This setting is important, it allows SAML2 to verify the provider url, whithout getting into trouble because
# the https-part is handled by nginx, and hence not seen by the django SAML2 code.
proxy_set_header X_FORWARDED_PROTO https;
}
} }
}
Restart nginx to load the settings `sudo service nginx restart` (or `reload`, to only reload the settings instaed of a Restart nginx to load the settings `sudo service nginx restart` (or `reload`, to only reload the settings instaed of a
full restart) full restart)