| | 28 | |
| | 29 | == Enable http redirections == |
| | 30 | |
| | 31 | On robideau, nginx terminates TLS for ipmi.john.mayfirst.org and reverse-proxies the IPMI web interface, which itself only listens on the private address 192.168.56.3, using the following configuration: |
| | 32 | |
| | 33 | {{{ |
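# Maps the client's Upgrade header to the Connection header sent upstream:
# "upgrade" only when the client actually asked for a protocol upgrade
# (WebSocket), "close" otherwise, instead of sending "Connection: Upgrade"
# on every proxied request. map{} must live in http{} context, i.e. at the
# top of this site file.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain-HTTP listener: serves the Let's Encrypt HTTP-01 challenge from the
# webroot and redirects everything else to HTTPS. Commented out here; see
# the note below the listing.
#server {
#    listen 80;
#    server_name ipmi.john.mayfirst.org;
#    root /var/www/html;
#    location /.well-known/acme-challenge {
#        try_files $uri $uri/ =404;
#    }
#    location / {
#        return 301 https://$host$request_uri;
#    }
#}

server {
    # "ssl on;" is deprecated (removed in nginx 1.25.1); enable TLS on the listener instead.
    listen 443 ssl;
    server_name ipmi.john.mayfirst.org;

    # ACME challenge files for webroot renewals are served locally, never proxied to the BMC.
    location /.well-known {
        root /var/www/html;
    }

    location / {
        # Keep the default access log ("access_log off" removed): for a
        # BMC/IPMI management UI it is the only record of who reached it
        # through this proxy. Consider also limiting who can reach it at all,
        # e.g. "allow <management network>; deny all;" or HTTP auth, since
        # anyone who can reach port 443 otherwise reaches the BMC login page.
        proxy_pass http://192.168.56.3:80;
        # HTTP/1.1 upstream is required for the Upgrade handshake to work.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate     /etc/letsencrypt/live/ipmi.john.mayfirst.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ipmi.john.mayfirst.org/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2 and 1.3.
    # (Drop TLSv1.3 on nginx < 1.13, where the value is not recognised.)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AES-128 suites only (ECDHE and DHE), no anonymous suites.
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    ssl_prefer_server_ciphers on;
    # DH group for the DHE suites; generated with the openssl command below.
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;

    # Two-year HSTS: browsers that have seen this site over HTTPS will not fall back to HTTP.
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Content-Type-Options nosniff;
    # Prevent the management UI from being framed by other origins (clickjacking).
    add_header X-Frame-Options SAMEORIGIN;
}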
| | 77 | }}} |
| | 78 | |
| | 79 | The commented-out port-80 server block must be un-commented before the first certificate request: Let's Encrypt's HTTP-01 challenge fetches /.well-known/acme-challenge/ over plain HTTP, and nginx will refuse to load the HTTPS block while the certificate files under /etc/letsencrypt/live/ do not yet exist. Keep it enabled afterwards as well: it is the only thing that redirects plain-HTTP clients to HTTPS (the HSTS header only protects browsers that have already visited the site over HTTPS), and with it disabled port 80 for this name is answered by whatever default server nginx has. |
| | 80 | |
| | 81 | You also need to generate the Diffie-Hellman parameters referenced by `ssl_dhparam` (this can take several minutes and writes under /etc/ssl, so run it as root): |
| | 82 | |
| | 83 | {{{ |
# Generates the 2048-bit DH group used by ssl_dhparam above. The parameters
# are not secret, but generation can take several minutes and needs write
# access to /etc/ssl.
openssl dhparam -out /etc/ssl/dhparam.pem 2048
| | 85 | }}} |