| 28 | |
| 29 | == Enable http redirections == |
| 30 | |
| 31 | On robideau, the following nginx configuration terminates TLS for ipmi.john.mayfirst.org and reverse-proxies the requests to the IPMI web interface on the internal address 192.168.56.3:
| 32 | |
| 33 | {{{ |
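# Plain-HTTP listener. It serves the Let's Encrypt HTTP-01 challenge from the
# webroot and redirects every other request to HTTPS. It must be active
# (un-commented) before the first certificate is issued, because the 443 block
# below cannot load until the key and chain files it references exist; leaving
# it active afterwards is harmless and keeps plain-HTTP clients redirected.
#server {
#    listen 80;
#    server_name ipmi.john.mayfirst.org;
#    root /var/www/html;
#    location /.well-known/acme-challenge {
#        try_files $uri $uri/ =404;
#    }
#    location / {
#        # $server_name rather than $host: the redirect target is then fixed
#        # to our own name and cannot be steered by a forged Host header.
#        return 301 https://$server_name$request_uri;
#    }
#}

# Map the client's Upgrade header to the Connection header sent upstream, so
# WebSocket requests are upgraded while ordinary requests keep a normal
# connection (the form the nginx WebSocket proxying documentation recommends).
# "map" must sit at http level, outside any server block, which is where files
# in conf.d/ or sites-enabled/ are included.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive (removed in
    # nginx 1.25); it enables TLS on this listener only.
    listen 443 ssl;
    server_name ipmi.john.mayfirst.org;

    # ACME challenge directory, also reachable over HTTPS so that renewals
    # keep working once port 80 redirects here.
    location /.well-known {
        root /var/www/html;
    }

    # Everything else goes to the BMC's web interface on the internal network.
    # NOTE(review): nothing here restricts who may reach the BMC UI; an
    # allow/deny list or client certificates would be prudent for an IPMI
    # interface exposed under a public name.
    location / {
        # NOTE(review): with access_log off there is no record of who reached
        # the BMC; consider logging to a dedicated file instead.
        access_log off;
        proxy_pass http://192.168.56.3:80;
        # WebSocket (and any other Upgrade) traffic requires HTTP/1.1 to the
        # upstream; nginx defaults to HTTP/1.0 here.
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend the client-facing scheme so that any redirects it
        # generates point back at https.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate_key /etc/letsencrypt/live/ipmi.john.mayfirst.org/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/ipmi.john.mayfirst.org/fullchain.pem;

    # Forward-secret (ECDHE/DHE) AES-128 suites only; no anonymous key exchange.
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and 1.3 only.
    # Drop "TLSv1.3" if nginx is older than 1.13 or built against OpenSSL
    # older than 1.1.1, where the name is not recognised.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;

    ssl_prefer_server_ciphers on;
    # Generated once with "openssl dhparam" (see below); used by the EDH suites.
    ssl_dhparam /etc/ssl/dhparam.pem;

    # "always" makes the headers appear on error responses as well.
    add_header Strict-Transport-Security max-age=63072000 always;
    add_header X-Content-Type-Options nosniff always;
}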
| 77 | }}} |
| 78 | |
| 79 | The commented-out port 80 server block must be un-commented before the first certbot run: Let's Encrypt fetches its HTTP-01 challenge from /.well-known/acme-challenge over plain HTTP, and the port 443 block cannot be loaded until the certificate files it references exist. Leaving the port 80 block enabled afterwards is harmless, since it only serves the challenge directory and redirects everything else to HTTPS.
| 80 | |
| 81 | You also need to generate the Diffie-Hellman parameter file referenced by ssl_dhparam (once, before reloading nginx):
| 82 | |
| 83 | {{{ |
# Generate the DH parameters that ssl_dhparam points at. Run once; a 2048-bit
# group may take a while to generate on slow hardware.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
| 85 | }}} |