shopozor / services

Micro-services building up the Shopozor software.

Nginx needs to be configured for https #61

Open zadigus opened 5 years ago

zadigus commented 5 years ago
1. `/etc/nginx/conf.d/ssl.conf`

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
proxy_pass_header Server;

location /assets {
}
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
add_header "X-Frame-Options" "DENY";
add_header "X-Content-Type-Options" "nosniff";
add_header "X-XSS-Protection" "1; mode=block";
add_header "Referrer-Policy" "strict-origin-when-cross-origin";
add_header "Content-Security-Policy" "default-src 'self'; style-src 'self' fonts.googleapis.com 'unsafe-inline'; img-src 'self' demo.vuestorefront.io data:; script-src 'self' cdn.jsdelivr.net ajax.googleapis.com 'unsafe-inline'; connect-src 'self' demo.vuestorefront.io; font-src 'self' fonts.gstatic.com; child-src 'self'; media-src 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none';";
add_header "Feature-Policy" "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'self'; fullscreen 'self'; geolocation 'self'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'self'; speaker 'none'; usb 'none'; vr 'self'; sync-xhr 'none';";
```

2. `/etc/nginx/nginx-jelastic.conf`

```nginx
server_name  _;
return 307 https://$host$request_uri;
```
zadigus commented 5 years ago

but it would be nice to have a tool to edit this file the way we want; you need to be able to "set keys", like ssl_protocols, ssl_ciphers, ... you need to be able to add keys. That may already exist, but I think it's better to just have the config files versioned, so we can see what changed from one version to the next. With manual modifications we commit the original file, we state each time in the commits which nginx version is installed, and that should be enough I think.

donnerc commented 5 years ago

I usually use this for a fully automated HTTPS setup. Very handy: https://hub.docker.com/r/jwilder/nginx-proxy

donnerc commented 5 years ago

No need to manually tinker with SSL config. Just let this run on the docker engine where the containers are running and set appropriate env vars in the containers that you want to be accessible through HTTPS.

zadigus commented 5 years ago

https://github.com/shopozor/backend/issues/9