From: | Jeremy T. Bouse |
Subject: | Re: [Sks-devel] HKPS + ssl + nginx |
Date: | Thu, 30 Jul 2015 21:50:18 -0400 |
User-agent: | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 |
Here is my nginx configuration that I use for my server. Obviously
some of it would need to be customized, and it is set up to support my
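3 SKS nodes.

# Backend pool: the local SKS daemon plus two peers, all speaking plain HKP on 11371.
upstream sks_servers {
    least_conn;
    server 127.0.0.1:11371;
    server xx.xx.xx.228:11371;
    server xx.xx.xx.229:11371;
}

# Plain-HTTP HKP front end on ports 80 and 11371. Plaintext here is deliberate:
# the keyserver pool requires HKP on 11371 and not every HKP client speaks TLS.
server {
    listen xx.xx.xx.xx:11371 default_server;
    listen xx.xx.xx.xx:80 default_server;
    listen [xxxx:xxxx:xxxx:xxxx::xxxx:xxxx]:11371 default_server ipv6only=on;
    listen [xxxx:xxxx:xxxx:xxxx::xxxx:xxxx]:80 default_server ipv6only=on;

    access_log off;
    server_tokens off;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection '1; mode=block';

    # Deny hidden files (/.git, /.htpasswd, ...) and editor backups (*~).
    # Note: the first pattern also blocks /.well-known/, so an ACME HTTP-01
    # challenge would need its own location placed before this one.
    location ~ /\. { log_not_found off; deny all; }
    location ~ ~$ { log_not_found off; deny all; }

    # Static content. `expires` already emits Cache-Control: max-age=..., so the
    # original's extra `add_header Cache-Control public,max-age=259200` only
    # produced a second, conflicting Cache-Control header (259200s = 3 days,
    # against 1y / 30d from `expires`). Keeping these locations free of
    # add_header also lets them inherit the security headers above (see /pks).
    location ~ /(favicon.ico|favicon.png|robots.txt)$ { log_not_found off; expires 1y; }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|mp3)$ { expires 30d; }

    location / {
        root /srv/www;
        index index.html;
    }

    # HKP endpoint, load-balanced across the SKS pool.
    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Passes the SKS backend's own Server header through, so `server_tokens off`
        # above only hides nginx's version string, not the SKS one. Left as-is
        # because other SKS front-end setups appear to rely on it -- confirm
        # before removing.
        proxy_pass_header Server;
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
        # nginx does NOT inherit server-level add_header into a location that
        # has its own add_header. With only `Via` set here, /pks -- the one path
        # that actually matters -- was served WITHOUT the security headers above,
        # so they are repeated here.
        add_header Via "1.1 sks.undergrid.net:$server_port (nginx)";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection '1; mode=block';
    }
}

# HKPS front end (port 443).
server {
    listen xx.xx.xx.xx:443 default_server ssl;
    listen [xxxx:xxxx:xxxx:xxxx::xxxx:xxxx]:443 default_server ssl ipv6only=on;

    access_log off;
    server_tokens off;

    ssl_certificate /etc/ssl/certs/sks.undergrid.net.crt;
    ssl_certificate_key /etc/ssl/private/sks.undergrid.net.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). The original allowed
    # `TLSv1 TLSv1.1 TLSv1.2`; only re-add the older versions if you measure
    # HKPS clients that cannot negotiate TLS 1.2.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    # Cipher list kept verbatim. The trailing DES-CBC3-SHA is the only 3DES suite
    # it still admits (the DHE 3DES suites are excluded at the end); drop it
    # unless a legacy client actually needs it.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # HSTS, one year. (The original value carried a stray trailing ';'.)
    add_header Strict-Transport-Security 'max-age=31536000';
    # HPKP is deprecated and no longer honoured by major browsers, and a ~10-year
    # max-age (315366000s) turns loss of both pinned keys into a multi-year
    # self-inflicted outage. Left disabled; if you do re-enable it, keep the
    # max-age short and keep the backup pin's private key offline.
    # add_header Public-Key-Pins 'pin-sha256="Xnu7zI1oPbsQ4x47NpJVpOiMPPC3rLO81mTuKMiEjlI="; pin-sha256="9eGb55deEj42vOObXCSswgduvM5JNB7z/PriVx/AQUo="; max-age=315366000';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection '1; mode=block';

    # Deny hidden files and editor backups (same caveat about /.well-known/ as
    # on the HTTP server).
    location ~ /\. { log_not_found off; deny all; }
    location ~ ~$ { log_not_found off; deny all; }

    # Static content; `expires` alone sets Cache-Control, and no add_header here
    # means the server-level security headers are inherited.
    location ~ /(favicon.ico|favicon.png|robots.txt)$ { log_not_found off; expires 1y; }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|mp3)$ { expires 30d; }

    location / {
        root /srv/www;
        index index.html;
    }

    # HKPS endpoint, load-balanced across the SKS pool.
    location /pks {
        proxy_pass http://sks_servers/pks;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # See the note on the HTTP server: this exposes the SKS Server header.
        proxy_pass_header Server;
        proxy_ignore_client_abort on;
        client_max_body_size 8m;
        # Same add_header inheritance rule as above: because `Via` is set here,
        # HSTS and the other security headers must be repeated or /pks -- the
        # HKPS path clients actually hit -- is served without HSTS.
        add_header Via "1.1 sks.undergrid.net:$server_port (nginx)";
        add_header Strict-Transport-Security 'max-age=31536000';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection '1; mode=block';
    }
}

On 7/30/2015 7:05 PM, Mike Forbes wrote:
> Hi,
>
> _______________________________________________
> Sks-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/sks-devel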