From b002dcb53e9715c81d2cce5d971af74fd4ccd369 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=20Pl=C3=BCss?=
Date: Wed, 20 Feb 2019 20:53:26 +0100
Subject: [PATCH] Use adapted default ssl configuration for zammad

---
 data/nginx/app.conf | 91 +++++++++++++++++++++++++++++++++++----------
 init-letsencrypt.sh | 2 +
 2 files changed, 74 insertions(+), 19 deletions(-)

diff --git a/data/nginx/app.conf b/data/nginx/app.conf
index 82f2e8c..3f3b472 100644
--- a/data/nginx/app.conf
+++ b/data/nginx/app.conf
@@ -1,25 +1,78 @@
-server {
- listen 80;
- server_name ticket.simplificator.com;
+upstream zammad-railsserver {
+ server 127.0.0.1:3000;
+}
 
- location / {
- return 301 https://$host$request_uri;
- }
- location /.well-known/acme-challenge/ {
- root /var/www/certbot;
- }
+upstream zammad-websocket {
+ server 127.0.0.1:6042;
 }
 
 server {
- listen 443 ssl;
- server_name ticket.simplificator.com;
+ listen 80;
 
- ssl_certificate /etc/letsencrypt/live/ticket.simplificator.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/ticket.simplificator.com/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
- location / {
- proxy_pass http://ticket.simplificator.com;
- }
+ server_name ticket.simplificator.com;
+
+ access_log /var/log/nginx/zammad.access.log;
+ error_log /var/log/nginx/zammad.error.log;
+
+ location /.well-known/ {
+ root /var/www/html;
+ }
+
+ return 301 https://example.com$request_uri;
+
+}
+
+
+server {
+ listen 443 ssl http2;
+
+ server_name ticket.simplificator.com;
+
+ ssl_certificate /etc/letsencrypt/live/ticket.simplificator.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ticket.simplificator.com/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ location = /robots.txt {
+ access_log off; log_not_found off;
+ }
+
+ location = /favicon.ico {
+ access_log off; log_not_found off;
+ }
+
+ root /opt/zammad/public;
+
+ access_log /var/log/nginx/zammad.access.log;
+ error_log /var/log/nginx/zammad.error.log;
+
+ client_max_body_size 50M;
+
+ location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
+ expires max;
+ }
+
+ location /ws {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 86400;
+ proxy_pass http://zammad-websocket;
+ }
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header CLIENT_IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 180;
+ proxy_pass http://zammad-railsserver;
+
+ gzip on;
+ gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
+ gzip_proxied any;
+ }
 }
\ No newline at end of file
diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh
index 703266e..a8b0469 100755
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@@ -39,6 +39,8 @@ echo "### Starting $nginx_service_name ..." docker-compose $compose_files up --force-recreate -d $nginx_service_name echo +read -p "Please wait for $nginx_service_name to be started and serving on ports 80 and 443. Then press any key to continue." unused_input + echo "### Deleting dummy certificate for $domains ..." docker-compose $compose_files run --rm --entrypoint "\ rm -Rf /etc/letsencrypt/live/$domains && \
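Review bot: The server-level `return 301 https://example.com$request_uri;` in the new port-80 block runs in the server rewrite phase before any location is matched, so the `location /.well-known/ { root /var/www/html; }` above it is never reached and ACME HTTP-01 requests are redirected too; the target is also the example.com placeholder rather than this host. Put the redirect back under a location as the removed lines had it, with the real host: `location / { return 301 https://ticket.simplificator.com$request_uri; }`. The challenge webroot also moved from `/var/www/certbot` to `/var/www/html` and the prefix widened to `/.well-known/`; if the certbot side still writes challenges to `/var/www/certbot`, renewals will fail, so keep `location /.well-known/acme-challenge/ { root /var/www/certbot; }` unless the webroot was changed as well. The upstreams point at 127.0.0.1:3000 and :6042, which only reach Zammad if it shares nginx's network namespace — worth confirming given the docker-compose setup the init script drives.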
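Review bot: The prompt on the added `read -p` line says "press any key", but `read` without `-n 1` returns only on Enter, and when stdin is not a terminal (a scripted or CI run) it returns immediately on EOF, so the pause is skipped and the dummy certificate is deleted while nginx may still be starting. Either make the prompt match the behaviour, `read -r -p "Please wait for $nginx_service_name to be started and serving on ports 80 and 443. Then press Enter to continue." unused_input`, or replace the manual pause with a readiness check that polls port 80 until nginx answers before continuing. The surrounding script continues outside the hunk.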