From 0a619bc3f7e531d3647b559c2223d72b7aafcec1 Mon Sep 17 00:00:00 2001 From: Liam Sullivan Date: Wed, 13 Jun 2018 10:22:48 +0100 Subject: [PATCH 1/3] Update zammad_ssl.conf --- contrib/nginx/zammad_ssl.conf | 179 +++++++++++++--------------------- 1 file changed, 70 insertions(+), 109 deletions(-) diff --git a/contrib/nginx/zammad_ssl.conf b/contrib/nginx/zammad_ssl.conf index 331f74c61..009d39dd8 100644 --- a/contrib/nginx/zammad_ssl.conf +++ b/contrib/nginx/zammad_ssl.conf @@ -1,143 +1,104 @@ # -# this is an example nginx config for zammad with free letsencrypt.org ssl certificates +# this is an example nginx config for using SSL with zammad +# this can be adjusted to be used with self-signed, trusted ca, and letsencrypt certs # replace all occurrences of example.com with your domain -# create letsencrypt certificate by: certbot certonly --webroot -w /var/www/html -d www.example.com +# If using LetsEncrypt create letsencrypt certificate by: certbot certonly --webroot -w /var/www/html -d www.example.com # create dhparam.pem by: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 -# download x3 certificate by: wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -P /etc/nginx/ssl +# download LetsEncrypt x3 certificate by: wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -P /etc/nginx/ssl # you can test your ssl configuration @ https://www.ssllabs.com/ssltest/analyze.html # -upstream zammad { - server localhost:3000; +upstream zammad-railsserver { + server localhost:3000; } upstream zammad-websocket { - server localhost:6042; + server localhost:6042; } server { - listen 80; - listen [::]:80; + listen 80; - server_name example.com www.example.com; + server_name example.com www.example.com; - access_log /var/log/nginx/example.com.access.log; - error_log /var/log/nginx/example.com.error.log; + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; - location /.well-known/ { - root /var/www/html; - } + location /.well-known/ { + root /var/www/html; + } - location / { - rewrite ^/(.*)$ https://www.example.com/$1 permanent; - } + location / { + rewrite ^/(.*)$ https://example.com/$1 permanent; + } } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2; - server_name example.com; + server_name example.com; - ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem; + ssl_certificate /etc/nginx/ssl/your_cert.crt; + ssl_certificate_key /etc/nginx/ssl/your_private_key.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; - ssl_prefer_server_ciphers on; + ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 180m; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; - ssl_stapling on; - ssl_stapling_verify on; + ssl_stapling on; + ssl_stapling_verify on; - ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; + ssl_trusted_certificate /etc/nginx/ssl/your_cert.crt; - resolver 8.8.8.8 8.8.4.4; + resolver 8.8.8.8 8.8.4.4; - add_header Strict-Transport-Security "max-age=31536000" always; + add_header Strict-Transport-Security "max-age=31536000" always; - access_log /var/log/nginx/example.com.access.log; - error_log /var/log/nginx/example.com.error.log; + location = /robots.txt { + access_log off; log_not_found off; + } - rewrite ^/(.*)$ https://www.example.com/$1 permanent; -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name www.example.com; - - ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - ssl_ciphers HIGH:!aNULL:!MD5; - - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_prefer_server_ciphers on; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 180m; - - ssl_stapling on; - ssl_stapling_verify on; - - ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; - - resolver 8.8.8.8 8.8.4.4; - - add_header Strict-Transport-Security "max-age=31536000" always; - - location = /robots.txt { - access_log off; log_not_found off; - } - - location = /favicon.ico { - access_log off; log_not_found off; - } - - root /opt/zammad/public; - - access_log /var/log/nginx/example.com.access.log; - error_log /var/log/nginx/example.com.error.log; - - client_max_body_size 50M; - - location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { - expires max; - } - - location /ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 86400; - proxy_pass http://zammad-websocket; - } - - location / { - proxy_set_header Host $http_host; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 300; - proxy_pass http://zammad; - - gzip on; - gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; - gzip_proxied any; - } + location = /favicon.ico { + access_log off; log_not_found off; + } + + root /opt/zammad/public; + + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; + + client_max_body_size 50M; + + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { + expires max; + } + + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } + location / { + proxy_set_header Host $http_host; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 180; + proxy_pass http://zammad-railsserver; + + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } } From f50bd63c4105c18a330b57b7a2566f34a615ee6e Mon Sep 17 00:00:00 2001 From: Liam Sullivan Date: Wed, 13 Jun 2018 11:07:21 +0100 Subject: [PATCH 2/3] Update zammad_ssl.conf Indentation corrected --- contrib/nginx/zammad_ssl.conf | 64 +++++++++++++++++------------------ 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/contrib/nginx/zammad_ssl.conf b/contrib/nginx/zammad_ssl.conf index 009d39dd8..eb74cd361 100644 --- a/contrib/nginx/zammad_ssl.conf +++ b/contrib/nginx/zammad_ssl.conf @@ -9,60 +9,60 @@ # upstream zammad-railsserver { - server localhost:3000; + server localhost:3000; } upstream zammad-websocket { - server localhost:6042; + server localhost:6042; } server { - listen 80; + listen 80; - server_name example.com www.example.com; + server_name example.com www.example.com; - access_log /var/log/nginx/zammad.access.log; - error_log /var/log/nginx/zammad.error.log; + access_log /var/log/nginx/zammad.access.log; + error_log /var/log/nginx/zammad.error.log; - location /.well-known/ { - root /var/www/html; - } + location /.well-known/ { + root /var/www/html; + } - location / { - rewrite ^/(.*)$ https://example.com/$1 permanent; - } + location / { + rewrite ^/(.*)$ https://example.com/$1 permanent; + } } server { - listen 443 ssl http2; + listen 443 ssl http2; - server_name example.com; + server_name example.com; - ssl_certificate /etc/nginx/ssl/your_cert.crt; - ssl_certificate_key /etc/nginx/ssl/your_private_key.key; + ssl_certificate /etc/nginx/ssl/your_cert.crt; + ssl_certificate_key /etc/nginx/ssl/your_private_key.key; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; - ssl_prefer_server_ciphers on; + ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 180m; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; - ssl_stapling on; - ssl_stapling_verify on; + ssl_stapling on; + ssl_stapling_verify on; - ssl_trusted_certificate /etc/nginx/ssl/your_cert.crt; + ssl_trusted_certificate /etc/nginx/ssl/your_cert.crt; - resolver 8.8.8.8 8.8.4.4; + resolver 8.8.8.8 8.8.4.4; - add_header Strict-Transport-Security "max-age=31536000" always; + add_header Strict-Transport-Security "max-age=31536000" always; - location = /robots.txt { + location = /robots.txt { access_log off; log_not_found off; } @@ -97,8 +97,8 @@ server { proxy_read_timeout 180; proxy_pass http://zammad-railsserver; - gzip on; - gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; - gzip_proxied any; - } + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } } From 9a74975fba618ce43a215b665fd159838eb17931 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Bauer?= Date: Wed, 18 Jul 2018 09:43:42 +0200 Subject: [PATCH 3/3] renamed ssl_trusted_certificate --- contrib/nginx/zammad_ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/nginx/zammad_ssl.conf b/contrib/nginx/zammad_ssl.conf index eb74cd361..e7bb4c64b 100644 --- a/contrib/nginx/zammad_ssl.conf +++ b/contrib/nginx/zammad_ssl.conf @@ -56,7 +56,7 @@ server { ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate /etc/nginx/ssl/your_cert.crt; + ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; resolver 8.8.8.8 8.8.4.4;