Simplify HTTPS instructions.
RubenVerborgh committed Dec 16, 2022
1 parent dba36a4 commit 2011b99
Showing 1 changed file with 24 additions and 42 deletions.
66 changes: 24 additions & 42 deletions _posts/developers/pod-server/2020-08-12-00_nginx-config.md
Expand Up @@ -11,27 +11,29 @@ redirect_from:
---

# Using NGINX as a Reverse Proxy
A reverse proxy allows you to run a Solid server on a local port
A reverse proxy allows you to run a Solid server on an internal port
and let the proxy handle traffic to public HTTP and HTTPS ports.
The instructions below are for the [Community Solid Server](/self-hosting/css).
This example below shows one way to achieve this
for the [Community Solid Server](/self-hosting/css).

## Prerequisites
In this example, we assume that:
In the code snippet, we assume that:
* your public URL is `https://solid.example/`
* your server is running on `http://localhost:3000/`
* the public URL of your reverse proxy is `https://solid.example/`
* you have [installed NGINX](https://www.nginx.com/resources/wiki/start/topics/tutorials/install/)
and its configuration folder is `/etc/nginx/`
* you have obtained (free) [TLS certificates](https://certbot.eff.org/),
stored at `/etc/letsencrypt/live/solid.example/`
* your TLS certificates are stored at `/etc/letsencrypt/live/solid.example/`
* you can obtain free ones with [Let's Encrypt](https://certbot.eff.org/)

You can replace these values with those of your configuration.

## Configuration
Add a new site to your NGINX configuration
by creating a file such as
by creating a file
`/etc/nginx/sites-available/solid.example`
with the following contents:

```nginx
# The local Solid server instance
# Your local Solid server instance
upstream community-solid-server {
server 127.0.0.1:3000;
}
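Review bot: "This example below shows one way to achieve this" in the new intro lines is awkward; "The example below shows one way to do this" reads better. Also, the prerequisite still says the server runs on `http://localhost:3000/` while the upstream block pins `server 127.0.0.1:3000;`; use the same address in both places (either `127.0.0.1` in the bullet or `localhost` in the upstream) so a server that happens to listen only on the IPv6 loopback is not unexpectedly unreachable through the proxy.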
Expand All @@ -46,22 +48,24 @@ server {
# Proxy traffic for https://solid.example/ to http://localhost:3000/
server {
server_name solid.example;
# HTTPS certificate setup (can be autogenerated by tools such as certbot)
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/solid.example/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/solid.example/privkey.pem;
ssl_trusted_certificate /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem;
# Include this for certificate renewal if you are using Let's Encrypt
ssl_trusted_certificate /etc/letsencrypt/live/solid.example/chain.pem;
include snippets/https.conf;
location ^~ /.well-known/acme-challenge/ {
# Include this for certificate renewal if you are using Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
root /var/www/solid.example; # or a folder of your choice
}
# Proxy all other traffic to the Solid server
location / {
# Delegate to the Solid server, passing the original host and protocol
proxy_pass http://community-solid-server$request_uri;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Pass these headers from the Solid server back to the client
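Review bot: moving the "certificate renewal" comment down to the acme-challenge location fixes a misleading line, but `ssl_trusted_certificate /etc/letsencrypt/live/solid.example/chain.pem;` is now left without any explanation; it is the chain that `ssl_stapling_verify` (enabled in the `snippets/https.conf` this page used to list inline) uses to validate stapled OCSP responses, so say so, e.g. `# Chain used to verify stapled OCSP responses (see snippets/https.conf)`. Separately, `listen 443 ssl http2;` binds IPv4 only; add `listen [::]:443 ssl http2;` if the host has a public IPv6 address, otherwise HTTPS clients reaching it over IPv6 get no answer.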
Expand All @@ -72,40 +76,18 @@ server {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Prevent ETag modification (https://github.com/solid/community-server/issues/1036)
gzip off;
}
}
```

### HTTPS configuration
We are reusing an HTTPS configuration file
at `/etc/nginx/snippets/https.conf`,
which you should [create](https://ssl-config.mozilla.org/) if it does not exist:

```nginx
# Generated by https://ssl-config.mozilla.org/
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
```
We are reusing an HTTPS configuration file at `/etc/nginx/snippets/https.conf`,
which you should [create](https://ssl-config.mozilla.org/) if it does not exist.

# Activating the configuration
Restart NGINX to activate the new configuration:
Don't forget to restart NGINX to activate the new configuration:
```shell
sudo systemctl restart nginx
```
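Review bot: dropping the inline snippet removes the only place the page showed what `snippets/https.conf` must provide (`ssl_protocols`, the HSTS `add_header`, `ssl_stapling`/`ssl_stapling_verify`, the `ssl_dhparam` file); the `ssl_trusted_certificate` directive kept in the server block only does anything when that snippet turns on `ssl_stapling_verify`, so either list those directives in the remaining sentence or name the generator settings to pick (NGINX, intermediate) so readers produce an equivalent file. The `# Activating the configuration` heading in the context lines is an H1 while the sibling sections use `##`; make it `## Activating the configuration`. Finally, on layouts that use `sites-available/`, the file is not loaded until it is linked into `sites-enabled/`, and running `sudo nginx -t` before `sudo systemctl restart nginx` catches a syntax error before it takes the server down; both steps belong in this section.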
