diff --git a/_posts/developers/pod-server/2020-08-12-00_nginx-config.md b/_posts/developers/pod-server/2020-08-12-00_nginx-config.md index 9669c532..2918dab5 100644 --- a/_posts/developers/pod-server/2020-08-12-00_nginx-config.md +++ b/_posts/developers/pod-server/2020-08-12-00_nginx-config.md @@ -11,27 +11,29 @@ redirect_from: --- # Using NGINX as a Reverse Proxy -A reverse proxy allows you to run a Solid server on a local port +A reverse proxy allows you to run a Solid server on an internal port and let the proxy handle traffic to public HTTP and HTTPS ports. -The instructions below are for the [Community Solid Server](/self-hosting/css). +This example below shows one way to achieve this +for the [Community Solid Server](/self-hosting/css). -## Prerequisites -In this example, we assume that: +In the code snippet, we assume that: +* your public URL is `https://solid.example/` * your server is running on `http://localhost:3000/` -* the public URL of your reverse proxy is `https://solid.example/` * you have [installed NGINX](https://www.nginx.com/resources/wiki/start/topics/tutorials/install/) and its configuration folder is `/etc/nginx/` -* you have obtained (free) [TLS certificates](https://certbot.eff.org/), - stored at `/etc/letsencrypt/live/solid.example/` +* your TLS certificates are stored at `/etc/letsencrypt/live/solid.example/` + * you can obtain free ones with [Let's Encrypt](https://certbot.eff.org/) + +You can replace these values with those of your configuration. ## Configuration Add a new site to your NGINX configuration -by creating a file such as +by creating a file `/etc/nginx/sites-available/solid.example` with the following contents: ```nginx -# The local Solid server instance +# Your local Solid server instance upstream community-solid-server { server 127.0.0.1:3000; } @@ -46,14 +48,16 @@ server { # Proxy traffic for https://solid.example/ to http://localhost:3000/ server { server_name solid.example; + + # HTTPS certificate setup (can be autogenerated by tools such as certbot) listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/solid.example/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/solid.example/privkey.pem; - ssl_trusted_certificate /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem; - - # Include this for certificate renewal if you are using Let's Encrypt + ssl_trusted_certificate /etc/letsencrypt/live/solid.example/chain.pem; include snippets/https.conf; - location ^~ /.well-known/acme-challenge/ { + + # Include this for certificate renewal if you are using Let's Encrypt + location ^~ /.well-known/acme-challenge/ { root /var/www/solid.example; # or a folder of your choice } @@ -61,7 +65,7 @@ server { location / { # Delegate to the Solid server, passing the original host and protocol proxy_pass http://community-solid-server$request_uri; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; # Pass these headers from the Solid server back to the client @@ -72,40 +76,18 @@ server { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; + + # Prevent ETag modification (https://github.com/solid/community-server/issues/1036) + gzip off; } } ``` -### HTTPS configuration -We are reusing an HTTPS configuration file -at `/etc/nginx/snippets/https.conf`, -which you should [create](https://ssl-config.mozilla.org/) if it does not exist: - -```nginx -# Generated by https://ssl-config.mozilla.org/ - -ssl_session_timeout 1d; -ssl_session_cache shared:SSL:10m; -ssl_session_tickets off; - -# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits -ssl_dhparam /etc/ssl/certs/dhparam.pem; - -# intermediate configuration -ssl_protocols TLSv1.2 TLSv1.3; -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; -ssl_prefer_server_ciphers off; - -# HSTS (ngx_http_headers_module is required) (63072000 seconds) -add_header Strict-Transport-Security "max-age=63072000" always; - -# OCSP stapling -ssl_stapling on; -ssl_stapling_verify on; -``` +We are reusing an HTTPS configuration file at `/etc/nginx/snippets/https.conf`, +which you should [create](https://ssl-config.mozilla.org/) if it does not exist. # Activating the configuration -Restart NGINX to activate the new configuration: +Don't forget to restart NGINX to activate the new configuration: ```shell sudo systemctl restart nginx ```