oliversalzburg
commented
9 years ago Just FYI, setting up nginx as a reverse proxy to enable HTTPS is rather easy (it's what we do).
Here's one of our nginx HTTPS reverse-proxy configs to get you started, in case you want to go this route:
server {
# HTTP configuration
# This is only used to redirect HTTP requests to HTTPS.
listen 80;
# The name this server responds to.
server_name strider.example.com;
return 301 https://$server_name$request_uri;
}
server {
# Basic configuration
# Our server should respond to requests on any IP address on port 443; the default HTTPS port.
listen 443;
# The name this server responds to.
server_name strider.example.com;
# Don't send the nginx version number.
server_tokens off;
# Don't allow the website to be embedded in an iframe (unless it's from the same origin).
# See: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# Disable MIME-type sniffing.
# See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff;
# Enable XSS protection.
# See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# Prevent SSL stripping.
# See: https://en.wikipedia.org/wiki/Moxie_Marlinspike#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# SSL configuration
# Enable SSL.
ssl on;
# Allow only TLS, disable the old SSL protocols.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The SSL certificate this server should use.
ssl_certificate /etc/ssl/certs/strider.example.com.crt;
# The private key this server should use.
ssl_certificate_key /etc/ssl/private/strider.example.com.key;
# Tell the server to use a customized version of the Diffie-Hellman key exchange parameters.
# See: https://weakdh.org/sysadmin.html
ssl_dhparam /etc/ssl/dhparams.pem;
# SSL session parameters may be reused by the client for the given time.
ssl_session_timeout 5m;
# Store the SSL session parameters in a shared, 10 MB cache.
ssl_session_cache shared:SSL:10m;
# Set the supports SSL cipher suites. Allow only strong suites.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
# Prefer server cipher suites over the ones the client requests.
# This makes sure the client can't use weak cipher suites.
ssl_prefer_server_ciphers on;
# Enable SSL stapling.
# See https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
ssl_stapling on;
resolver 8.8.8.8;
# Enable Public Key Pinning. This prevents MITM attack by giving the client additional information about our SSL certificate.
# See: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
# Requires an additional, backup certificate. Disable for now.
# add_header Public-Key-Pins 'pin-sha256="gS7k9UlBgmDZ6+T45UDzoohPX9PEkspSZ1eQBwlABNM="; max-age=5184000; includeSubDomains';
# Logging configuration
access_log /var/log/nginx/strider.example.com.access.log;
# Set a base configuration for all requests to this virtual server.
location / {
# Set this server up as a reverse-proxy for the given address.
# We configure our reverse-proxy to always connect over plain HTTP on a specific port.
proxy_pass http://localhost:7000;
# Rewrite Location and Refresh HTTP headers, so that the client sees the address they requested.
proxy_redirect http://localhost:7000 https://strider.example.com;
# Our server should set the Host HTTP header to the name of this virtual server if the header is not present.
# In practise, the value of the header should always be the name of the virtual server, because, otherwise
# our server configuration wouldn't be hit at all.
proxy_set_header Host $host;
# Set the X-Real-IP HTTP header to the address of the client.
proxy_set_header X-Real-IP $remote_addr;
# Set the X-Forwarded-For HTTP header to contain the value set by the client, with the address of the client
# appended to it.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Set the X-Forwarded-Proto HTTP header to contain "http" or "https", depending on how the client contacted
# our proxy. In practise, it should always be "https".
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
}
# Socket.io will send requests to the location configured below. It requires some special configuration for
# websockets to perform properly.
location /socket.io/ {
# Requests to this location should be proxied to the address given below.
# This directive may actually be redundant, given the configuration for the root above.
proxy_pass http://localhost:7000;
# Because websockets use keepalive, we need to make sure HTTP version 1.1 is used.
proxy_http_version 1.1;
# To allow websocket proxying, we need to forward the Upgrade and Connection HTTP headers.
# See http://nginx.org/en/docs/http/websocket.html for more details.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}This assumes nginx can reach strider at http://localhost:7000 and will serve it as strider.example.com, adjust accordingly :)
ghost
fernandoneto
I would like to be able to use strider remotely and securely. Please add in https support. There have to be others who want this.