mirror of
https://github.com/bashclub/zamba-lxc-toolbox.git
synced 2024-11-07 19:31:58 +01:00
zammad fix webserver config
This commit is contained in:
parent
b56ae6487b
commit
ddcedc57e4
@ -28,120 +28,20 @@ cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options
|
||||
-Xmx1g
|
||||
EOF
|
||||
|
||||
# configurwe nginx
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
# configure nginx
|
||||
unlink /etc/nginx/sites-enabled/default
|
||||
sed -e "s|server_name example.com;|server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};|g" \
|
||||
-e "s|ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;|ssl_certificate /etc/nginx/ssl/fullchain.pem;|g" \
|
||||
-e "s|ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;|ssl_certificate_key /etc/nginx/ssl/privkey.pem;|g" \
|
||||
-e "s|ssl_protocols TLSv1.2;|ssl_protocols TLSv1.2 TLSv1.3;|g" \
|
||||
-e "s|ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|# ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;|g" \
|
||||
/opt/zammad/contrib/nginx/zammad_ssl.conf > /etc/nginx/sites-available/zammad_ssl.conf
|
||||
|
||||
cat << EOF > /etc/nginx/sites-available/zammad.conf
|
||||
upstream zammad-railsserver {
|
||||
server 127.0.0.1:3000;
|
||||
}
|
||||
|
||||
upstream zammad-websocket {
|
||||
server 127.0.0.1:6042;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
|
||||
|
||||
server_tokens off;
|
||||
|
||||
access_log /var/log/nginx/zammad.access.log;
|
||||
error_log /var/log/nginx/zammad.error.log;
|
||||
|
||||
location /.well-known/ {
|
||||
root /var/www/html;
|
||||
}
|
||||
|
||||
return 301 https://\$host\$request_uri;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
|
||||
|
||||
server_tokens off;
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 180m;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
resolver 1.1.1.1 1.0.0.1;
|
||||
#
|
||||
# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
|
||||
#
|
||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
|
||||
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
|
||||
add_header Referrer-Policy "strict-origin";
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
|
||||
location = /robots.txt {
|
||||
access_log off; log_not_found off;
|
||||
}
|
||||
|
||||
location = /favicon.ico {
|
||||
access_log off; log_not_found off;
|
||||
}
|
||||
|
||||
root /opt/zammad/public;
|
||||
|
||||
access_log /var/log/nginx/zammad.access.log;
|
||||
error_log /var/log/nginx/zammad.error.log;
|
||||
|
||||
client_max_body_size 50M;
|
||||
|
||||
location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
|
||||
expires max;
|
||||
}
|
||||
|
||||
location /ws {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade \$http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header CLIENT_IP \$remote_addr;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto \$scheme;
|
||||
proxy_read_timeout 86400;
|
||||
proxy_pass http://zammad-websocket;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_set_header Host \$http_host;
|
||||
proxy_set_header CLIENT_IP \$remote_addr;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto \$scheme;
|
||||
|
||||
# change this line in an SSO setup
|
||||
proxy_set_header X-Forwarded-User "";
|
||||
|
||||
proxy_read_timeout 180;
|
||||
proxy_pass http://zammad-railsserver;
|
||||
|
||||
gzip on;
|
||||
gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
|
||||
gzip_proxied any;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
ln -sf /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/
|
||||
ln -sf /etc/nginx/sites-available/zammad_ssl.conf /etc/nginx/sites-enabled/
|
||||
|
||||
generate_dhparam
|
||||
|
||||
# configure elasticsearch
|
||||
/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment
|
||||
|
||||
systemctl enable elasticsearch.service
|
||||
|
||||
Loading…
Reference in New Issue
Block a user