
Fix subsonic nginx configuration

Bob Mottram 10 years ago
parent
commit
d0f7bb9f0e
1 changed files with 33 additions and 30 deletions
  1. 33
    30
      beaglebone.txt

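--- a/beaglebone.txt
+++ b/beaglebone.txt
@@ -2542,17 +2542,19 @@
     ssl on;
     ssl_certificate /etc/ssl/certs/mydomainname.com.crt;
     ssl_certificate_key /etc/ssl/private/mydomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/mydomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
+    ssl_session_cache  builtin:1000  shared:SSL:10m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
-    # Only uncomment one of the Strict-Transport-Security entries if you are
-    # not using a self-signed certificate
-    # add_header Strict-Transport-Security max-age=15768000; # six months
-    # use this only if all subdomains support HTTPS!
-    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security max-age=15768000;
+    # if you want to be able to access the site via HTTP
+    # then replace the above with the following:
+    # add_header Strict-Transport-Security "max-age=0;";
 
     # rewrite to front controller as default rule
     location / {
@@ -2657,7 +2659,12 @@
   -newkey rsa:2048 \
   -keyout /etc/ssl/private/$HOSTNAME.key \
   -out /etc/ssl/certs/$HOSTNAME.crt
+
+openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
+
 chmod 400 /etc/ssl/private/$HOSTNAME.key
+chmod 640 /etc/ssl/certs/$HOSTNAME.crt
+chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam
 /etc/init.d/nginx reload
 
 # add the public certificate to a separate directory
@@ -4998,17 +5005,18 @@
     ssl on;
     ssl_certificate /etc/ssl/certs/mypumpiodomainname.com.bundle.crt;
     ssl_certificate_key /etc/ssl/private/mypumpiodomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/mypumpiodomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
-    # Only uncomment one of the Strict-Transport-Security entries if you are
-    # not using a self-signed certificate
-    # add_header Strict-Transport-Security max-age=15768000; # six months
-    # use this only if all subdomains support HTTPS!
-    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security max-age=15768000;
+    # if you want to be able to access the site via HTTP
+    # then replace the above with the following:
+    # add_header Strict-Transport-Security "max-age=0;";
 
     client_max_body_size 6m;
 
@@ -5541,17 +5549,18 @@
     ssl on;
     ssl_certificate /etc/ssl/certs/myownclouddomainname.com.crt;
     ssl_certificate_key /etc/ssl/private/myownclouddomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/myownclouddomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
-    # Only uncomment one of the Strict-Transport-Security entries if you are
-    # not using a self-signed certificate
-    # add_header Strict-Transport-Security max-age=15768000; # six months
-    # use this only if all subdomains support HTTPS!
-    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security max-age=15768000;
+    # if you want to be able to access the site via HTTP
+    # then replace the above with the following:
+    # add_header Strict-Transport-Security "max-age=0;";
 
     # make sure webfinger and other well known services aren't blocked
     # by denying dot files and rewrite request to the front controller
@@ -7204,18 +7213,13 @@
 #+BEGIN_SRC: bash
 server {
     listen 80;
-    server_name tunes.us.to;
+    server_name mysubsonicdomainname.com;
     rewrite ^ https://$server_name$request_uri? permanent;
 }
 
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      close;
-}
-
 server {
     listen 443;
-    server_name tunes.us.to;
+    server_name mysubsonicdomainname.com;
     index index.html index.htm;
 
     error_log  /var/www/mysubsonicdomainname.com/error.log debug;
@@ -7223,18 +7227,17 @@
     ssl on;
     ssl_certificate /etc/ssl/certs/mysubsonicdomainname.com.crt;
     ssl_certificate_key /etc/ssl/private/mysubsonicdomainname.com.key;
+    ssl_dhparam /etc/ssl/certs/mysubsonicdomainname.com.dhparam;
 
     ssl_session_timeout 5m;
     ssl_prefer_server_ciphers on;
+    ssl_session_cache  builtin:1000  shared:SSL:10m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    #add_header Strict-Transport-Security max-age=0; # six months
+    add_header Strict-Transport-Security "max-age=0;";
 
     client_max_body_size 20M;
 
-    keepalive_timeout 75 75;
-    gzip_vary off;
-
     location / {
         proxy_pass http://localhost:4040/;
         proxy_redirect     http://             https://;
@@ -8040,7 +8043,7 @@
 Add the following to the section which starts with *listen 443*
 
 #+BEGIN_SRC: bash
-    ssl_certificate /etc/ssl/certs/mydomainname.com_bundle.crt;
+    ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt;
 #+END_SRC
 
 Save and exit, then restart the web server.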
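Review bot: The new `openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam` line in the certificate-generation hunk produces 1024-bit DH parameters, which are smaller than the 2048-bit RSA key created by the `-newkey rsa:2048` a few lines above and become the effective strength of the `EDH` suites that the `ssl_ciphers` list puts first; generate them at the same size, `openssl dhparam -check -5 2048 -out /etc/ssl/certs/$HOSTNAME.dhparam` (the `-text` flag only prints the parameters to stdout, and 2048-bit generation takes noticeably longer on a small board, which the guide should warn about). Separately, `ssl_session_cache  builtin:1000  shared:SSL:10m;` is added to the first and the subsonic server blocks but not to the pump.io and owncloud blocks in the same commit, so the four TLS blocks now differ without an obvious reason. In the subsonic hunk the `map $http_upgrade $connection_upgrade { ... }` block is removed; if the `location /` block that continues below the hunk still references `$connection_upgrade`, nginx will refuse to load the configuration, which cannot be confirmed from here.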