Nginx as reverse proxy with acme (letsencrypt): Difference between revisions

From Alpine Linux
Line 17: Line 17:
<pre>
<pre>
# ngnix configuration file
# ngnix configuration file
user  nginx;
user  nginx;
worker_processes  1; # use "auto" to use all available cores (high performance)
worker_processes  1; # use "auto" to use all available cores (high performance)


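Review bot: the first line of this hunk misspells the program name in the comment ("# ngnix configuration file") on both sides; since it is unchanged context, fix it to "# nginx configuration file" in a follow-up edit.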
Line 31: Line 33:
     sendfile                        off; # can cause issues
     sendfile                        off; # can cause issues


     # secure nginx https://cipherli.st/
     # secure nginx according to https://cipherli.st/
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
     ssl_prefer_server_ciphers on;

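Review bot: the reworded comment now states that the block follows cipherli.st, but the `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line directly beneath it is unchanged and still enables TLSv1 and TLSv1.1, both of which are deprecated (RFC 8996); suggest changing it to `ssl_protocols TLSv1.2;` (adding TLSv1.3 once the installed nginx and OpenSSL support it) so the comment and the directive agree.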
Revision as of 11:01, 2 April 2017

Introduction

This setup lets you expose multiple servers/containers through a single IP address, with the added benefit of centralized generation of Let's Encrypt certificates and a secure HTTPS configuration (as rated by the SSL Labs SSL Server Test).

Installation

For this howto we need two tools, NGINX and acme-client. Let's install them:

apk add nginx acme-client

Setup

NGINX

The first step is to rewrite the global nginx.conf:

# nginx configuration file
user  nginx;
worker_processes  1; # use "auto" to use all available cores (high performance)

events {
    worker_connections  1024; # increase if you need more connections
}

http {
    # server_names_hash_bucket_size controls the maximum length
    # of a virtual host entry (ie the length of the domain name).
    server_names_hash_bucket_size   64;
    server_tokens                   off; # hide who we are
    sendfile                        off; # can cause issues

    # secure nginx according to https://cipherli.st/
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam dhparam.pem;

    # nginx will find this file in the config directory set at nginx build time
    include mime.types;

    #fallback in case we can't determine a type
    default_type application/octet-stream;

    # buffering causes issues
    proxy_buffering off;

    # include hosts
    include conf.d/*.conf;
}
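The nginx.conf above enables TLSv1 and TLSv1.1 alongside TLSv1.2; the first two are deprecated (RFC 8996), and an SSL Labs scan will downgrade a site for offering them. The following POSIX sh script is an added example, not part of this wiki page or of the nginx or acme-client projects: it reads the ssl_protocols directive out of a config file and reports any deprecated protocol versions, so the file can be checked before nginx is reloaded. It assumes one directive per line, as in the config above, and the two sample configs it writes to temporary files are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Alpine wiki page): audit the ssl_protocols
# directive of an nginx config for deprecated protocol versions.
# Assumes one directive per line, as in the howto's nginx.conf.

# Print the protocol list of the first ssl_protocols directive in file $1.
nginx_ssl_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Print the deprecated protocol versions enabled in file $1 (empty if none).
nginx_weak_protocols() {
    weak=""
    for p in $(nginx_ssl_protocols "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) weak="$weak $p" ;;
        esac
    done
    echo "${weak# }"
}

# Exit status 0 when file $1 has an ssl_protocols directive that enables only
# TLSv1.2 and/or TLSv1.3, else 1 (a missing directive leaves nginx defaults
# in charge, so it is reported as not hardened).
nginx_tls_hardened() {
    protos=$(nginx_ssl_protocols "$1")
    [ -n "$protos" ] || return 1
    [ -z "$(nginx_weak_protocols "$1")" ]
}

# Constructed sample configs: the page's protocol line and a hardened one.
weak_conf=$(mktemp) && hard_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
EOF
cat > "$hard_conf" <<'EOF'
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
EOF

for f in "$weak_conf" "$hard_conf"; do
    if nginx_tls_hardened "$f"; then
        echo "ok:   $(nginx_ssl_protocols "$f")"
    else
        echo "weak: $(nginx_weak_protocols "$f") enabled (from: $(nginx_ssl_protocols "$f"))"
    fi
done
rm -f "$weak_conf" "$hard_conf"
```

Run it as `sh audit-tls.sh`; the first sample is reported as weak because of TLSv1 and TLSv1.1, the second as ok. The check is deliberately line-based rather than a full nginx parser, which is enough for a hand-written nginx.conf like the one above, but a multi-line or brace-spanning directive would need `nginx -T` output piped through the same functions.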

acme-client