# Upstream where your authentik server is hosted.
# The hostname "server" is expected to resolve to the authentik instance
# (presumably a compose/container service name — confirm against the stack);
# port 9443 is its TLS port, since the proxy below uses proxy_pass https://.
# Without a "resolve" parameter the name is looked up once at config load.
upstream authentik {
    server server:9443;
    # Improve performance by keeping some connections alive.
    # Up to 10 idle connections per worker are cached for reuse. Reuse only
    # happens when the proxying location also sets proxy_http_version 1.1 and
    # sends an empty/"upgrade" Connection header (see the map below).
    keepalive 10;
}
# Upgrade WebSocket if requested, otherwise use keepalive
# Derives the Connection header value sent upstream from the client's
# Upgrade header:
#   Upgrade present -> "upgrade"  (protocol switch, e.g. WebSocket)
#   Upgrade absent  -> ""         (no Connection header, so the idle
#                                  keepalive connections of the upstream
#                                  block can be reused)
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    '' '';
}
# Server just for serving a health endpoint
# Bound to loopback only, so /health is reachable from inside the host or
# container (presumably a container health check) but not from the network.
server {
    listen 127.0.0.1:8181;
    server_name localhost;

    # replace with the IP address of your resolver
    # NOTE(review): nothing in this block performs name resolution (no
    # proxy_pass, no OCSP stapling); the directive looks carried over from
    # the HTTPS server block and is harmless but unnecessary here.
    resolver ${NGINX_RESOLVER};

    # Handle /health separately without serving any files
    # Exact-match location answered from configuration alone: no root, no
    # filesystem access, and the request is kept out of the access log.
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 'OK';
    }
}
# Redirect to HTTPS
# Plain-HTTP listener. It serves only the ACME challenge path; every other
# request is bounced to HTTPS. Port and server name are injected from the
# environment (the file is a ${...} template).
server {
    listen ${NGINX_HTTP_PORT};
    listen [::]:${NGINX_HTTP_PORT};
    server_name ${NGINX_SERVERNAME};

    # Exclude Let's Encrypt directory from redirection
    # HTTP-01 challenges must be answered over plain HTTP; the ACME client is
    # expected to write challenge files under this root.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Redirect all other traffic to HTTPS
    # NOTE(review): $host comes from the client's Host header, so a request
    # carrying an arbitrary Host is redirected to that host (an open redirect
    # whenever this is the only/default server on the port). If
    # ${NGINX_SERVERNAME} is a single hostname, redirecting to
    # https://$server_name$request_uri pins the target — confirm before
    # changing. 302 is a temporary redirect, so clients will not cache the
    # HTTP->HTTPS move; a 301/308 would once the deployment is stable.
    location / {
        return 302 https://$host$request_uri;
    }
}
# HTTPS Server
# Public TLS endpoint that reverse-proxies everything to the authentik
# upstream. TLS parameters, the HSTS value, stapling flags and the resolver
# are injected from the environment; certificate paths are fixed.
server {
    listen ${NGINX_HTTPS_PORT} ssl;
    listen [::]:${NGINX_HTTPS_PORT} ssl;
    # Directive form of HTTP/2 (nginx >= 1.25.1), replacing the older
    # "listen ... http2" flag.
    http2 on;
    server_name ${NGINX_SERVERNAME};

    # NOTE(review): the certificate paths are hard-coded to sso.base23.de
    # while the server name is templated; if NGINX_SERVERNAME is changed these
    # must be changed with it or the handshake presents a mismatched cert.
    ssl_certificate /etc/nginx/ssl/certs/sso.base23.de.crt;
    ssl_certificate_key /etc/nginx/ssl/certs/sso.base23.de.key;
    ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
    ssl_session_cache ${NGINX_SSL_SESSION_CACHE};

    # Only used by DHE cipher suites, if any are present in NGINX_SSL_CIPHERS.
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # intermediate configuration
    # (Mozilla "intermediate" profile wording; the effective protocol and
    # cipher lists are whatever the environment supplies, so review those
    # values rather than this comment.)
    # NOTE(review): that profile also sets "ssl_session_tickets off;", which
    # is absent here. With tickets on and no ssl_session_ticket_key, the
    # ticket key lives as long as the nginx process — confirm whether that is
    # acceptable for this deployment.
    ssl_protocols ${NGINX_SSL_PROTOCOLS};
    ssl_ciphers ${NGINX_SSL_CIPHERS};
    ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # The full header value (max-age etc.) is templated; the 63072000 above
    # is only the intended two-year max-age. Without the "always" flag nginx
    # adds the header only to 200/201/204/206/30x responses, not to 4xx/5xx.
    # It is inherited by "location /" below because that block declares no
    # add_header of its own.
    add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};

    # OCSP stapling
    # Both flags are env-controlled. Stapling needs the resolver below to
    # reach the OCSP responder and ssl_trusted_certificate to verify it.
    ssl_stapling ${NGINX_SSL_STAPLING};
    ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/certs/sso.base23.de.issuer.crt;

    # replace with the IP address of your resolver
    # Needed for OCSP stapling (responder hostname lookup), not for the
    # upstream, whose name is resolved once at config load.
    resolver ${NGINX_RESOLVER};

    # Upper bound on request bodies forwarded upstream; larger requests are
    # rejected by nginx with 413.
    client_max_body_size 50m;

    location / {
        # Upstream is reached over TLS. No proxy_ssl_verify is set, so the
        # upstream certificate is NOT validated (nginx default) — only
        # acceptable on a trusted private network. NOTE(review): confirm.
        proxy_pass https://authentik;
        # Required both for upstream keepalive reuse and for WebSocket
        # upgrades.
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Appends the connecting IP to any X-Forwarded-For the client sent.
        # The inbound value is client-controlled, so authentik must trust
        # only this proxy's address when deriving the client IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Forward the original Host header (including port) so authentik can
        # build correct absolute URLs.
        proxy_set_header Host $http_host;
        # WebSocket: pass Upgrade through unchanged; Connection is "upgrade"
        # or empty per the map above, so keepalive connections stay reusable.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}