Fix subsonic nginx configuration

This commit is contained in:
Bob Mottram 2014-09-14 13:30:23 +01:00
parent 341e590dcf
commit d0f7bb9f0e
1 changed files with 33 additions and 30 deletions

View File

@ -2542,17 +2542,19 @@ server {
ssl on;
ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
ssl_dhparam /etc/ssl/certs/mydomainname.com.dhparam;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security "max-age=0;";
# Only uncomment one of the Strict-Transport-Security entries if you are
# not using a self-signed certificate
# add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security max-age=15768000;
# if you want to be able to access the site via HTTP
# then replace the above with the following:
# add_header Strict-Transport-Security "max-age=0;";
# rewrite to front controller as default rule
location / {
@ -2657,7 +2659,12 @@ openssl req \
-newkey rsa:2048 \
-keyout /etc/ssl/private/$HOSTNAME.key \
-out /etc/ssl/certs/$HOSTNAME.crt
openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
chmod 400 /etc/ssl/private/$HOSTNAME.key
chmod 640 /etc/ssl/certs/$HOSTNAME.crt
chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
/etc/init.d/nginx reload
# add the public certificate to a separate directory
@ -4998,17 +5005,18 @@ server {
ssl on;
ssl_certificate /etc/ssl/certs/mypumpiodomainname.com.bundle.crt;
ssl_certificate_key /etc/ssl/private/mypumpiodomainname.com.key;
ssl_dhparam /etc/ssl/certs/mypumpiodomainname.com.dhparam;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security "max-age=0;";
# Only uncomment one of the Strict-Transport-Security entries if you are
# not using a self-signed certificate
# add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security max-age=15768000;
# if you want to be able to access the site via HTTP
# then replace the above with the following:
# add_header Strict-Transport-Security "max-age=0;";
client_max_body_size 6m;
@ -5541,17 +5549,18 @@ server {
ssl on;
ssl_certificate /etc/ssl/certs/myownclouddomainname.com.crt;
ssl_certificate_key /etc/ssl/private/myownclouddomainname.com.key;
ssl_dhparam /etc/ssl/certs/myownclouddomainname.com.dhparam;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security "max-age=0;";
# Only uncomment one of the Strict-Transport-Security entries if you are
# not using a self-signed certificate
# add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security max-age=15768000;
# if you want to be able to access the site via HTTP
# then replace the above with the following:
# add_header Strict-Transport-Security "max-age=0;";
# make sure webfinger and other well known services aren't blocked
# by denying dot files and rewrite request to the front controller
@ -7204,18 +7213,13 @@ Delete all existing contents then add the following:
#+BEGIN_SRC: bash
server {
listen 80;
server_name tunes.us.to;
server_name mysubsonicdomainname.com;
rewrite ^ https://$server_name$request_uri? permanent;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443;
server_name tunes.us.to;
server_name mysubsonicdomainname.com;
index index.html index.htm;
error_log /var/www/mysubsonicdomainname.com/error.log debug;
@ -7223,18 +7227,17 @@ server {
ssl on;
ssl_certificate /etc/ssl/certs/mysubsonicdomainname.com.crt;
ssl_certificate_key /etc/ssl/private/mysubsonicdomainname.com.key;
ssl_dhparam /etc/ssl/certs/mysubsonicdomainname.com.dhparam;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
#add_header Strict-Transport-Security max-age=0; # six months
add_header Strict-Transport-Security "max-age=0;";
client_max_body_size 20M;
keepalive_timeout 75 75;
gzip_vary off;
location / {
proxy_pass http://localhost:4040/;
proxy_redirect http:// https://;
@ -8040,7 +8043,7 @@ editor /etc/nginx/sites-available/$HOSTNAME
Add the following to the section which starts with *listen 443*
#+BEGIN_SRC: bash
ssl_certificate /etc/ssl/certs/mydomainname.com_bundle.crt;
ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt;
#+END_SRC
Save and exit, then restart the web server.