Hello Meph,
Not, exactly this has SSL.
Here's a suggestion configuration:
nginx.conf:
------------------------------------------------------------------------------------------------------
user nginx;
worker_processes auto;
error_log /var/log/nginx/cloudssl.diakont.it.error.log;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local]
"$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/cloudssl.diakont.it.access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
upstream cloud {
server 10.39.0.52;
}
upstream cloud_ssl {
server 10.39.0.52:443;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name cloud.diakont.it cloud.diakont.srl;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name cloud.diakont.it;
#HTTPS-and-SSL
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_trusted_certificate
<PATH-OF-CA-CERTIFICATE>;
include snippets/cloud.diakont.it.conf;
include snippets/ssl-params.conf;
location / {
proxy_set_header
X-Real-IP $remote_addr;
proxy_set_header
X-Forwarded-Proto $scheme;
proxy_set_header
X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header
Upgrade $http_upgrade;
proxy_set_header
Connection 'upgrade';
proxy_set_header Host
$host;
proxy_pass
https://cloud_ssl/;
}
}
}
------------------------------------------------------------------------------------------------------
cloud.diakont.it.conf:
------------------------------------------------------------------------------------------------------
ssl_certificate #PATH OF PUBLIC CERTIFICATE FROM SDP GATEWAY#;
ssl_certificate_key #PATH OF PRIVATE KEY FROM SDP GATEWAY#;
ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
------------------------------------------------------------------------------------------------------
ssl-params.conf:
------------------------------------------------------------------------------------------------------
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
#this resolver and resolver_timeout maybe be comment
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
------------------------------------------------------------------------------------------------------
Test this configuration and tell me :)
Best regards,
Goce Joncheski
Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,279665,279741#msg-279741
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
