Use adapted default ssl configuration for zammad

2019-02-20 20:53:26 +01:00 · 2019-02-20 20:53:26 +01:00 · b002dcb53e
commit b002dcb53e
parent 3ae1fc042c
2 changed files with 74 additions and 19 deletions
--- a/data/nginx/app.conf
+++ b/data/nginx/app.conf
@ -1,25 +1,78 @@
-server {
-    listen 80;
-    server_name ticket.simplificator.com;
+upstream zammad-railsserver {
+  server 127.0.0.1:3000;
+}

-    location / {
-        return 301 https://$host$request_uri;
-    }
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
+upstream zammad-websocket {
+  server 127.0.0.1:6042;
 }

 server {
-    listen 443 ssl;
-    server_name ticket.simplificator.com;
+  listen 80;

-    ssl_certificate /etc/letsencrypt/live/ticket.simplificator.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/ticket.simplificator.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    
-    location / {
-        proxy_pass http://ticket.simplificator.com;
-    }
+  server_name ticket.simplificator.com;
+
+  access_log /var/log/nginx/zammad.access.log;
+  error_log /var/log/nginx/zammad.error.log;
+
+  location /.well-known/ {
+    root /var/www/html;
+  }
+
+  return 301 https://example.com$request_uri;
+
+}
+
+
+server {
+  listen 443 ssl http2;
+
+  server_name ticket.simplificator.com;
+
+  ssl_certificate /etc/letsencrypt/live/ticket.simplificator.com/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ticket.simplificator.com/privkey.pem;
+  include /etc/letsencrypt/options-ssl-nginx.conf;
+  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+  add_header Strict-Transport-Security "max-age=31536000" always;
+
+  location = /robots.txt  {
+    access_log off; log_not_found off;
+  }
+
+  location = /favicon.ico {
+    access_log off; log_not_found off;
+  }
+
+  root /opt/zammad/public;
+
+  access_log /var/log/nginx/zammad.access.log;
+  error_log  /var/log/nginx/zammad.error.log;
+
+  client_max_body_size 50M;
+
+  location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
+    expires max;
+  }
+
+  location /ws {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_read_timeout 86400;
+    proxy_pass http://zammad-websocket;
+  }
+
+  location / {
+    proxy_set_header Host $http_host;
+    proxy_set_header CLIENT_IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_read_timeout 180;
+    proxy_pass http://zammad-railsserver;
+
+    gzip on;
+    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+    gzip_proxied any;
+  }
 }
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@ -39,6 +39,8 @@ echo "### Starting $nginx_service_name ..."
 docker-compose $compose_files up --force-recreate -d $nginx_service_name
 echo

+read -p "Please wait for $nginx_service_name to be started and serving on ports 80 and 443. Then press any key to continue." unused_input
+
 echo "### Deleting dummy certificate for $domains ..."
 docker-compose $compose_files run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \