Add cert scripts; update readme; update gitignore; add nginx
This commit is contained in:
parent
91c5eb1d9d
commit
ae3d5e4df7
9 changed files with 301 additions and 30 deletions
81
data/nginx/default.conf.template
Normal file
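--- /dev/null
+++ b/data/nginx/default.conf.template
@@ -0,0 +1,81 @@
+# Upstream where your authentik server is hosted.
+upstream authentik {
+server https://server:9443;
+# Improve performance by keeping some connections alive.
+keepalive 10;
+}
+
+# Upgrade WebSocket if requested, otherwise use keepalive
+map $http_upgrade $connection_upgrade_keepalive {
+default upgrade;
+'' '';
+}
+
+# Server just for serving a health endpoint
+server {
+listen 127.0.0.1:8181;
+server_name localhost;
+
+# replace with the IP address of your resolver
+resolver ${NGINX_RESOLVER};
+
+# Handle /health separately without serving any files
+location = /health {
+access_log off;
+default_type text/plain;
+return 200 'OK';
+}
+}
+
+# Redirect to HTTPS
+server {
+listen ${NGINX_HTTP_PORT};
+listen [::]:${NGINX_HTTP_PORT};
+server_name ${NGINX_SERVERNAME};
+
+return 302 https://$host$request_uri;
+}
+
+# HTTPS Server
+server {
+listen ${NGINX_HTTPS_PORT} ssl http2;
+listen [::]:${NGINX_HTTPS_PORT} ssl http2;
+server_name ${NGINX_SERVERNAME};
+
+ssl_certificate /etc/nginx/ssl/certs/sso-base23-de-fullchain-cert.pem;
+ssl_certificate_key /etc/nginx/ssl/certs/sso-base23-de-fullchain-key.pem;
+ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
+ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
+
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+# intermediate configuration
+ssl_protocols ${NGINX_SSL_PROTOCOLS};
+ssl_ciphers ${NGINX_SSL_CIPHERS};
+ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};
+
+# OCSP stapling
+ssl_stapling ${NGINX_SSL_STAPLING};
+ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /etc/nginx/ssl/certs/sso-base23-de-trustchain.pem;
+
+# replace with the IP address of your resolver
+resolver ${NGINX_RESOLVER};
+
+client_max_body_size 50m;
+
+location / {
+proxy_pass https://authentik;
+proxy_http_version 1.1;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade_keepalive;
+}
+}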
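Review bot: The `server https://server:9443;` entry inside `upstream authentik` will most likely be rejected when nginx loads the config, because upstream `server` directives take a host:port (or unix socket), not a URL; the scheme already lives on `proxy_pass https://authentik;`, so the line should read `server server:9443;`. With the HSTS header still commented out (`#add_header Strict-Transport-Security ...`) the HTTPS server for an SSO endpoint sends no HSTS at all and the HTTP listener only issues a 302, so a first visit over plain HTTP remains downgradable; enabling that header (with `always`) once the certificate is confirmed working is the obvious follow-up. Note also that `proxy_pass https://authentik` runs with nginx's default `proxy_ssl_verify off`, so the backend certificate is never checked — possibly acceptable on a private container network, but it deserves a comment such as `# backend TLS is not verified; set proxy_ssl_verify on + proxy_ssl_trusted_certificate if the upstream is reachable beyond this host`. Finally, `$proxy_add_x_forwarded_for` appends to any client-supplied X-Forwarded-For; if this nginx is the first hop in front of the identity provider, `$remote_addr` is the safer value.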