Fix subsonic nginx configuration
This commit is contained in:
Bob Mottram
parent
341e590dcf
commit
d0f7bb9f0e
|
|
@ -2542,17 +2542,19 @@ server {
|
|||
ssl on;
|
||||
ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
|
||||
ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
|
||||
ssl_dhparam /etc/ssl/certs/mydomainname.com.dhparam;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
|
||||
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
||||
add_header Strict-Transport-Security "max-age=0;";
|
||||
# Only uncomment one of the Strict-Transport-Security entries if you are
|
||||
# not using a self-signed certificate
|
||||
# add_header Strict-Transport-Security max-age=15768000; # six months
|
||||
# use this only if all subdomains support HTTPS!
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
# if you want to be able to access the site via HTTP
|
||||
# then replace the above with the following:
|
||||
# add_header Strict-Transport-Security "max-age=0;";
|
||||
|
||||
# rewrite to front controller as default rule
|
||||
location / {
|
||||
|
|
@ -2657,7 +2659,12 @@ openssl req \
|
|||
-newkey rsa:2048 \
|
||||
-keyout /etc/ssl/private/$HOSTNAME.key \
|
||||
-out /etc/ssl/certs/$HOSTNAME.crt
|
||||
|
||||
openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
|
||||
|
||||
chmod 400 /etc/ssl/private/$HOSTNAME.key
|
||||
chmod 640 /etc/ssl/certs/$HOSTNAME.crt
|
||||
chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
|
||||
/etc/init.d/nginx reload
|
||||
|
||||
# add the public certificate to a separate directory
|
||||
|
|
@ -4998,17 +5005,18 @@ server {
|
|||
ssl on;
|
||||
ssl_certificate /etc/ssl/certs/mypumpiodomainname.com.bundle.crt;
|
||||
ssl_certificate_key /etc/ssl/private/mypumpiodomainname.com.key;
|
||||
ssl_dhparam /etc/ssl/certs/mypumpiodomainname.com.dhparam;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
|
||||
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
||||
add_header Strict-Transport-Security "max-age=0;";
|
||||
# Only uncomment one of the Strict-Transport-Security entries if you are
|
||||
# not using a self-signed certificate
|
||||
# add_header Strict-Transport-Security max-age=15768000; # six months
|
||||
# use this only if all subdomains support HTTPS!
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
# if you want to be able to access the site via HTTP
|
||||
# then replace the above with the following:
|
||||
# add_header Strict-Transport-Security "max-age=0;";
|
||||
|
||||
client_max_body_size 6m;
|
||||
|
||||
|
|
@ -5541,17 +5549,18 @@ server {
|
|||
ssl on;
|
||||
ssl_certificate /etc/ssl/certs/myownclouddomainname.com.crt;
|
||||
ssl_certificate_key /etc/ssl/private/myownclouddomainname.com.key;
|
||||
ssl_dhparam /etc/ssl/certs/myownclouddomainname.com.dhparam;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
|
||||
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
||||
add_header Strict-Transport-Security "max-age=0;";
|
||||
# Only uncomment one of the Strict-Transport-Security entries if you are
|
||||
# not using a self-signed certificate
|
||||
# add_header Strict-Transport-Security max-age=15768000; # six months
|
||||
# use this only if all subdomains support HTTPS!
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
# if you want to be able to access the site via HTTP
|
||||
# then replace the above with the following:
|
||||
# add_header Strict-Transport-Security "max-age=0;";
|
||||
|
||||
# make sure webfinger and other well known services aren't blocked
|
||||
# by denying dot files and rewrite request to the front controller
|
||||
|
|
@ -7204,18 +7213,13 @@ Delete all existing contents then add the following:
|
|||
#+BEGIN_SRC: bash
|
||||
server {
|
||||
listen 80;
|
||||
server_name tunes.us.to;
|
||||
server_name mysubsonicdomainname.com;
|
||||
rewrite ^ https://$server_name$request_uri? permanent;
|
||||
}
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
server_name tunes.us.to;
|
||||
server_name mysubsonicdomainname.com;
|
||||
index index.html index.htm;
|
||||
|
||||
error_log /var/www/mysubsonicdomainname.com/error.log debug;
|
||||
|
|
@ -7223,18 +7227,17 @@ server {
|
|||
ssl on;
|
||||
ssl_certificate /etc/ssl/certs/mysubsonicdomainname.com.crt;
|
||||
ssl_certificate_key /etc/ssl/private/mysubsonicdomainname.com.key;
|
||||
ssl_dhparam /etc/ssl/certs/mysubsonicdomainname.com.dhparam;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
|
||||
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
||||
#add_header Strict-Transport-Security max-age=0; # six months
|
||||
add_header Strict-Transport-Security "max-age=0;";
|
||||
|
||||
client_max_body_size 20M;
|
||||
|
||||
keepalive_timeout 75 75;
|
||||
gzip_vary off;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:4040/;
|
||||
proxy_redirect http:// https://;
|
||||
|
|
@ -8040,7 +8043,7 @@ editor /etc/nginx/sites-available/$HOSTNAME
|
|||
Add the following to the section which starts with *listen 443*
|
||||
|
||||
#+BEGIN_SRC: bash
|
||||
ssl_certificate /etc/ssl/certs/mydomainname.com_bundle.crt;
|
||||
ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt;
|
||||
#+END_SRC
|
||||
|
||||
Save and exit, then restart the web server.
|
||||
|
|
|
|||
Loading…
Reference in New Issue