Simplify HTTPS instructions.

solid · Dec 16, 2022 · ea33a89 · ea33a89
1 parent dba36a4
commit ea33a89
Showing 1 changed file with 24 additions and 42 deletions.
diff --git a/_posts/developers/pod-server/2020-08-12-00_nginx-config.md b/_posts/developers/pod-server/2020-08-12-00_nginx-config.md
@@ -11,27 +11,29 @@ redirect_from:
 ---
 
 # Using NGINX as a Reverse Proxy
-A reverse proxy allows you to run a Solid server on a local port
+A reverse proxy allows you to run a Solid server on an internal port
 and let the proxy handle traffic to public HTTP and HTTPS ports.
-The instructions below are for the [Community Solid Server](/self-hosting/css).
+This example below shows one way to achieve this
+for the [Community Solid Server](/self-hosting/css).
 
-## Prerequisites
-In this example, we assume that:
+In the code snippet, we assume that:
+* your public URL is `https://solid.example/`
 * your server is running on `http://localhost:3000/`
-* the public URL of your reverse proxy is `https://solid.example/`
 * you have [installed NGINX](https://www.nginx.com/resources/wiki/start/topics/tutorials/install/)
   and its configuration folder is `/etc/nginx/`
-* you have obtained (free) [TLS certificates](https://certbot.eff.org/),
-  stored at `/etc/letsencrypt/live/solid.example/`
+* your TLS certificates are stored at `/etc/letsencrypt/live/solid.example/`
+  * you can obtain free ones with [Let's Encrypt](https://certbot.eff.org/)
+
+You can replace these values with those of your configuration.
 
 ## Configuration
 Add a new site to your NGINX configuration
-by creating a file such as
+by creating a file
 `/etc/nginx/sites-available/solid.example`
 with the following contents:
 
 ```nginx
-# The local Solid server instance
+# Your local Solid server instance
 upstream community-solid-server {
   server 127.0.0.1:3000;
 }
@@ -46,22 +48,24 @@ server {
 # Proxy traffic for https://solid.example/ to http://localhost:3000/
 server {
   server_name solid.example;
+  
+  # HTTPS certificate setup (can be autogerated for you by tools such as certbot)
   listen 443 ssl http2;
   ssl_certificate         /etc/letsencrypt/live/solid.example/fullchain.pem;
   ssl_certificate_key     /etc/letsencrypt/live/solid.example/privkey.pem;
-  ssl_trusted_certificate /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem;
-
-  # Include this for certificate renewal if you are using Let's Encrypt
+  ssl_trusted_certificate /etc/letsencrypt/live/solid.example/chain.pem;
   include snippets/https.conf;
-    location ^~ /.well-known/acme-challenge/ {
+  
+  # Include this for certificate renewal if you are using Let's Encrypt
+  location ^~ /.well-known/acme-challenge/ {
     root /var/www/solid.example; # or a folder of your choice
   }
 
   # Proxy all other traffic to the Solid server
   location / {
     # Delegate to the Solid server, passing the original host and protocol
     proxy_pass http://community-solid-server$request_uri;
-    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Host  $host;
     proxy_set_header X-Forwarded-Proto $scheme;
 
     # Pass these headers from the Solid server back to the client
@@ -72,40 +76,18 @@ server {
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
+    
+    # Prevent ETag modification (https://github.com/solid/community-server/issues/1036)
+    gzip off;
   }
 }
 ```
 
-### HTTPS configuration
-We are reusing an HTTPS configuration file
-at `/etc/nginx/snippets/https.conf`,
-which you should [create](https://ssl-config.mozilla.org/) if it does not exist:
-
-```nginx
-# Generated by https://ssl-config.mozilla.org/
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off;
-
-# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
-
-# intermediate configuration
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_prefer_server_ciphers off;
-
-# HSTS (ngx_http_headers_module is required) (63072000 seconds)
-add_header Strict-Transport-Security "max-age=63072000" always;
-
-# OCSP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
-```
+We are reusing an HTTPS configuration file at `/etc/nginx/snippets/https.conf`,
+which you should [create](https://ssl-config.mozilla.org/) if it does not exist.
 
 # Activating the configuration
-Restart NGINX to activate the new configuration:
+Don't forget to restart NGINX to activate the new configuration:
  ```shell
 sudo systemctl restart nginx
  ```