michaelmob / docker-funkwhale

All-in-one funkwhale docker image.

[SOLVED] Unable to get HTTPS working #45

Closed AMoonRabbit closed 4 years ago

AMoonRabbit commented 4 years ago

Struggling to get HTTPS access working on my docker setup. Keep seeing duplicate errors appearing as well for various configuration files:

```
==> /var/log/nginx/error.log <==
2020/08/03 12:17:44 [warn] 19868#19868: duplicate value "TLSv1.3" in /etc/letsencrypt/options-ssl-nginx.conf:11
2020/08/03 12:17:44 [emerg] 19868#19868: "ssl_prefer_server_ciphers" directive is duplicate in /etc/letsencrypt/options-ssl-nginx.conf:12
2020/08/03 12:19:56 [emerg] 19898#19898: "ssl_ciphers" directive is duplicate in /etc/letsencrypt/options-ssl-nginx.conf:14
2020/08/03 12:20:22 [emerg] 19906#19906: "gzip" directive is duplicate in /etc/nginx/sites-enabled/funkwhale.conf:37
2020/08/03 12:21:03 [emerg] 19926#19926: "location" directive is not allowed here in /etc/nginx/sites-enabled/funkwhale.conf:62
2020/08/03 12:21:32 [emerg] 19931#19931: unexpected "{" in /etc/nginx/sites-enabled/funkwhale.conf:62
2020/08/03 12:21:48 [emerg] 19936#19936: "proxy_pass" directive is not allowed here in /etc/nginx/sites-enabled/funkwhale.conf:63
2020/08/03 12:22:11 [emerg] 19941#19941: unexpected "}" in /etc/nginx/sites-enabled/funkwhale.conf:63
2020/08/03 12:22:32 [emerg] 19946#19946: unexpected "}" in /etc/nginx/sites-enabled/funkwhale.conf:63
2020/08/03 12:34:50 [notice] 21870#21870: signal process started
```

My conf:

```nginx
upstream fw {
    # depending on your setup, you may want to update this
    server 127.0.0.1:5000;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name music.amoonrabbit.reisen;
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name music.amoonrabbit.reisen;

    # TLS
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate     /etc/letsencrypt/live/music.amoonrabbit.reisen/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/music.amoonrabbit.reisen/privkey.pem;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

    # Security related headers

    # If you are using S3 to host your files, remember to add your S3 URL to the
    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)

    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";

    # compression settings
    gzip on;
    gzip_comp_level    5;
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;

    gzip_types
        application/javascript
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    location / {
        include /etc/nginx/funkwhale_proxy.conf;
        client_max_body_size 100M;
        proxy_pass   http://fw/;
    }
}
```
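The error log in the post shows two distinct failure classes: directives repeated inside one block (the certbot-managed `options-ssl-nginx.conf` sets `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers`, so a site file that also sets them trips "directive is duplicate" once the include is added), and block nesting gone wrong ("location directive is not allowed here", stray `}`). The script below is an added example, not part of this issue or of the docker-funkwhale project: a toy nginx config linter that catches both classes before `nginx -t` is run inside the container. It assumes the file's top level is the `http` context (site files under `sites-enabled` are included from inside `http {}`), uses small illustrative subsets of nginx's single-valued directives and context rules, and does not follow `include` lines, so the contents of an included file must be pasted inline to check the combined result. The sample config is constructed, not taken from the post.

```python
"""Toy nginx config linter: reports duplicate single-valued directives in one
block and directives used in a context nginx does not allow.  Added example;
the directive tables are illustrative subsets, not nginx's full rules."""

import re
from collections import Counter

# Directives nginx accepts only once per block (illustrative subset).
SINGLE_VALUED = {
    "ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers",
    "ssl_session_cache", "gzip", "proxy_pass", "server_name",
    "client_max_body_size",
}
# Blocks in which a directive may appear (illustrative subset).  The file's
# top level is treated as "http", since site files are included from http{}.
ALLOWED_CONTEXT = {
    "upstream": {"http"},
    "map": {"http"},
    "server": {"http", "upstream"},   # block inside http, directive inside upstream
    "listen": {"server"},
    "location": {"server", "location"},
    "proxy_pass": {"location"},
}

TOKEN_RE = re.compile(r"""
    \#[^\n]*              # comment to end of line
  | "(?:[^"\\]|\\.)*"     # double-quoted string
  | '(?:[^'\\]|\\.)*'     # single-quoted string (e.g. '' in the map block)
  | [{};]                 # structural tokens
  | [^\s{};"'\#]+         # bare word
""", re.VERBOSE)


def tokenize(text):
    """Yield (token, line_number) pairs, dropping comments."""
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if not tok.startswith("#"):
            yield tok, text.count("\n", 0, m.start()) + 1


def parse(text):
    """Build a tree of blocks/directives; raise ValueError on brace errors."""
    root = {"name": "http", "args": [], "children": [], "line": 0}
    stack, current, current_line = [root], [], 0
    for tok, line in tokenize(text):
        if tok == ";":
            if not current:
                raise ValueError(f"line {line}: stray ';'")
            stack[-1]["children"].append(
                {"name": current[0], "args": current[1:], "children": None, "line": current_line})
            current = []
        elif tok == "{":
            if not current:
                raise ValueError(f"line {line}: unexpected '{{'")
            block = {"name": current[0], "args": current[1:], "children": [], "line": current_line}
            stack[-1]["children"].append(block)
            stack.append(block)
            current = []
        elif tok == "}":
            if current:
                raise ValueError(f"line {line}: missing ';' before '}}'")
            if len(stack) == 1:
                raise ValueError(f"line {line}: unexpected '}}'")
            stack.pop()
        else:
            if not current:
                current_line = line
            current.append(tok)
    if len(stack) > 1:
        raise ValueError(f"unclosed '{{' opened on line {stack[-1]['line']}")
    if current:
        raise ValueError("unterminated directive at end of file")
    return root


def lint(text):
    """Return a list of problem strings; an empty list means the config is clean."""
    try:
        root = parse(text)
    except ValueError as e:
        return [str(e)]
    problems = []

    def walk(block):
        counts = Counter(d["name"] for d in block["children"] if d["name"] in SINGLE_VALUED)
        for name, n in sorted(counts.items()):
            if n > 1:
                lines = ", ".join(str(d["line"]) for d in block["children"] if d["name"] == name)
                problems.append(f'"{name}" directive is duplicate in {block["name"]} block (lines {lines})')
        for d in block["children"]:
            allowed = ALLOWED_CONTEXT.get(d["name"])
            if allowed and block["name"] not in allowed:
                problems.append(f'line {d["line"]}: "{d["name"]}" directive is not allowed in {block["name"]} block')
            if d["children"] is not None:
                walk(d)

    walk(root)
    return problems


# Constructed sample reproducing both failure classes from the error log.
SAMPLE = """\
upstream fw { server 127.0.0.1:5000; }
server {
    listen 443 ssl http2;
    server_name music.example.test;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # simulate certbot's options-ssl-nginx.conf being included as well
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    location / { proxy_pass http://fw/; }
}
# a location outside any server block, as in the error log
location /api/ { proxy_pass http://fw/; }
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

Run it on the concatenation of the site file and every file it includes; each reported line maps back to the same "directive is duplicate" / "not allowed here" message nginx would emit, but without restarting the container to find out.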

AMoonRabbit commented 4 years ago

I've fixed this now. Partially it was 443 external needing to be forwarded to 443 internal. And ensuring that nginx is listening on 443 with ssl specified.

iot-resister commented 3 years ago

@AMoonRabbit you know what I could do for traefik?

I added this label and now the whole thing is unreachable.

- traefik.http.services.funkwhale.loadbalancer.server.port=443