gitroomhq / postiz-app

📨 Schedule social media posts, measure them, exchange with other members and get a lot of help from AI 🚀
https://postiz.com
Apache License 2.0
9.96k stars 2.23k forks

NGINX configuration in docs #371

Closed EsdrubalMagano closed 3 weeks ago

EsdrubalMagano commented 1 month ago

🔖 Feature description

Would be cool to have a starting point for setting up nginx as a reverse proxy to postiz.

🎤 Why is this feature needed?

I have other apps already running nginx in my server.

✌️ How do you aim to achieve this?

A starting configuration for nginx.

🔄️ Additional Information

No response

👀 Have you spent some time to check if this feature request has been raised before?

Are you willing to submit PR?

None

nevo-david commented 1 month ago

I am not sure we need it if it's not a part of the docker, it will just over confuse people. What are your thoughts @jamesread

jamesread commented 1 month ago

Yeah I think we should add this to the docs, we already have instructions for nginx and caddy, and Nginx is arguably more popular. It isn't to go inside the containers, but just for the external proxy.

nevo-david commented 1 month ago

Alright so @EsdrubalMagano, can you do it? :)

EsdrubalMagano commented 1 month ago

Sure, I can help by providing a starting point.

For a simple config:

```nginx
# HTTP -> HTTPS Redirection
server {
    listen 80;
    server_name <your.domain.tld>;

    return 301 https://$host$request_uri;  # Redirect all traffic to HTTPS
}

# HTTPS Configuration
server {
    listen 443 ssl;
    server_name <your.domain.tld>;

    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/<your.domain.tld>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your.domain.tld>/privkey.pem;

    # Proxy requests to Postiz running on port 5000
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;  # Required for the WebSocket Upgrade below (proxying defaults to HTTP/1.0)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket Support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

And for a more secure config:

```nginx
# HTTP -> HTTPS Redirection
server {
    listen 80;
    listen [::]:80;  # IPv6 support if you need
    server_name <your.domain.tld>;

    # Hide NGINX version
    server_tokens off;

    return 301 https://$host$request_uri;  # Redirect HTTP to HTTPS
}

# Main HTTPS Configuration
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;  # Enable HTTP/2 and IPv6 support if you need
    server_name <your.domain.tld>;

    # Hide NGINX version
    server_tokens off;

    # SSL Certificates
    ssl_certificate /etc/letsencrypt/live/<your.domain.tld>/fullchain.pem;  # Full certificate chain
    ssl_certificate_key /etc/letsencrypt/live/<your.domain.tld>/privkey.pem;  # Private key
    ssl_trusted_certificate /etc/letsencrypt/live/<your.domain.tld>/chain.pem;  # Trusted chain for verification

    # Security: Stronger SSL Configuration
    ssl_session_cache shared:SSL:10m;  # Cache SSL sessions
    ssl_session_timeout 1d;  # Set session timeout to 1 day
    ssl_session_tickets off;  # Disable SSL session tickets

    # Use only modern SSL/TLS protocols (disables older insecure ones)
    ssl_protocols TLSv1.2 TLSv1.3;

    # Configure SSL ciphers (strong encryption algorithms)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;  # Allow clients to prefer their ciphers

    # Diffie-Hellman parameter for Perfect Forward Secrecy (PFS)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;  # Generate with `sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`

    # OCSP Stapling for improved SSL/TLS performance
    ssl_stapling on;
    ssl_stapling_verify on;

    # DNS resolver for OCSP
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    # some HTTP Security Headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;  # HSTS
    add_header X-Frame-Options "SAMEORIGIN" always;  # Prevent Clickjacking
    add_header X-Content-Type-Options "nosniff" always;  # Prevent MIME-type sniffing
    add_header X-XSS-Protection "1; mode=block" always;  # XSS Protection
    add_header Referrer-Policy "no-referrer" always;  # Better privacy control
    add_header Permissions-Policy "geolocation=(self), microphone=(), camera=()" always;  # Limit browser permissions

    # Location for Let's Encrypt validation in case you renew by webroot method
    #location /.well-known/acme-challenge/ {
    #    root /var/www/certbot;
    #}

    # Reverse Proxy to Postiz application
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket Support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Disable directory listing for security
    autoindex off;

    # Enable Gzip compression for better performance
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_proxied any;
    gzip_types text/plain text/css text/javascript application/json application/xml image/svg+xml;
}
```

It's just a starting point, could probably be improved even further, and I added WebSocket Support, but in case Postiz doesn't need it then it should be deleted.
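
The hardened config above only helps if the headers it sets actually reach the client. As an added example (not part of this thread or of the Postiz project), a small Python checker that audits a response's headers against that config's policy; the sample headers at the bottom are constructed to mimic what the simple and hardened configs would return, not captured from a real server:

```python
"""Audit reverse-proxy response headers against the hardened NGINX policy:
HSTS, X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy,
no server version disclosure, and a 301-to-HTTPS on plain HTTP."""
import re

# Minimum values taken from the add_header lines in the hardened config.
HSTS_MIN_AGE = 63072000
REQUIRED = {
    "strict-transport-security": None,        # value checked separately (max-age)
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer", "strict-origin-when-cross-origin"},
    "permissions-policy": None,               # presence only
}

def audit(status, headers, scheme="https"):
    """Return a list of findings; an empty list means the response passes.
    `headers` is a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if scheme == "http":
        # Plain-HTTP requests must only ever get the redirect to HTTPS.
        loc = h.get("location", "")
        if status != 301 or not loc.startswith("https://"):
            findings.append("http: expected 301 redirect to https://")
        return findings
    for name, allowed in REQUIRED.items():
        val = h.get(name)
        if val is None:
            findings.append(f"missing header: {name}")
        elif allowed is not None and val.lower() not in allowed:
            findings.append(f"weak value: {name}={val}")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < HSTS_MIN_AGE):
        findings.append(f"hsts max-age below {HSTS_MIN_AGE}: {hsts}")
    # server_tokens off leaves a bare "nginx"; a version string means it is on.
    server = h.get("server", "")
    if re.search(r"nginx/\d", server):
        findings.append(f"server version disclosed: {server}")
    return findings

# Constructed sample: roughly what the simple config above would return.
SIMPLE = {"Server": "nginx/1.24.0", "Content-Type": "text/html"}
# Constructed sample: roughly what the hardened config above would return.
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(self), microphone=(), camera=()",
}
```

Feed it the headers from `curl -sI https://your.domain.tld` (and from the port-80 request with `scheme="http"`) after reloading nginx to confirm the policy is live.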

jamesread commented 3 weeks ago

@EsdrubalMagano Yeap, this mostly LGTM. Would you like to raise a PR on the gitroomhq/postiz-docs repo so that you get credit for the PR, or would you like me to just copy and paste your example into the docs?

EsdrubalMagano commented 3 weeks ago

> @EsdrubalMagano Yeap, this mostly LGTM. Would you like to raise a PR on the gitroomhq/postiz-docs repo so that you get credit for the PR, or would you like me to just copy and paste your example into the docs?

Hey James, sure, why not, just raised it: https://github.com/gitroomhq/postiz-docs/pull/21. Let me know if it's all ok.

jamesread commented 3 weeks ago

@EsdrubalMagano awesome, I'll close this issue and comment on gitroomhq/postiz-docs#21 then :-) Thanks for your work so far on this!