Add cert scripts; update readme; update gitignore; add nginx

2024-11-19 10:54:05 +01:00 · 2024-11-19 10:54:05 +01:00 · ae3d5e4df7
commit ae3d5e4df7
parent 91c5eb1d9d
9 changed files with 301 additions and 30 deletions
--- a/data/nginx/default.conf.template
+++ b/data/nginx/default.conf.template
@ -0,0 +1,81 @@
+# Upstream where your authentik server is hosted.
+upstream authentik {
+	server https://server:9443;
+	# Improve performance by keeping some connections alive.
+	keepalive 10;
+}
+
+# Upgrade WebSocket if requested, otherwise use keepalive
+map $http_upgrade $connection_upgrade_keepalive {
+	default upgrade;
+	''      '';
+}
+
+# Server just for serving a health endpoint
+server {
+	listen 127.0.0.1:8181;
+	server_name localhost;
+
+	# replace with the IP address of your resolver
+	resolver ${NGINX_RESOLVER};
+
+	# Handle /health separately without serving any files
+	location = /health {
+		access_log off;
+		default_type text/plain;
+		return 200 'OK';
+	}
+}
+
+# Redirect to HTTPS
+server {
+	listen ${NGINX_HTTP_PORT};
+	listen [::]:${NGINX_HTTP_PORT};
+	server_name ${NGINX_SERVERNAME};
+
+	return 302 https://$host$request_uri;
+}
+
+# HTTPS Server
+server {
+	listen ${NGINX_HTTPS_PORT} ssl http2;
+	listen [::]:${NGINX_HTTPS_PORT} ssl http2;
+	server_name ${NGINX_SERVERNAME};
+
+	ssl_certificate /etc/nginx/ssl/certs/sso-base23-de-fullchain-cert.pem;
+	ssl_certificate_key /etc/nginx/ssl/certs/sso-base23-de-fullchain-key.pem;
+	ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
+	ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
+
+	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+	# intermediate configuration
+	ssl_protocols ${NGINX_SSL_PROTOCOLS};
+	ssl_ciphers ${NGINX_SSL_CIPHERS};
+	ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};
+
+	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+	#add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};
+
+	# OCSP stapling
+	ssl_stapling ${NGINX_SSL_STAPLING};
+	ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
+
+	# verify chain of trust of OCSP response using Root CA and Intermediate certs
+	ssl_trusted_certificate /etc/nginx/ssl/certs/sso-base23-de-trustchain.pem;
+
+	# replace with the IP address of your resolver
+	resolver ${NGINX_RESOLVER};
+
+	client_max_body_size 50m;
+
+	location / {
+		proxy_pass https://authentik;
+		proxy_http_version 1.1;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header Host $http_host;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade_keepalive;
+	}
+}