Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

sandstorm/docs/administering/sample-config/nginx-example.conf

Go to file
 
 
Cannot retrieve contributors at this time
102 lines (85 sloc) 3.62 KB
Raw Blame
Open in GitHub Desktop
# This is an example nginx config used to serve your Sandstorm server over SSL/TLS/HTTPS.
#
# Definitions like these should go in the "http" block of your nginx config. Replace "example.com"
# with the domain of your Sandstorm install. On a Debian/Ubuntu system, you can copy this into
# /etc/nginx/sites-enabled/.
# This magic stanza is ESSENTIAL to avoid breaking WebSockets.
#
# Specifically, for WebSocket forwarding, we want to forward the `Connection` header.
# This "map" declaration helps with that.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# The following stanza does a HTTP -> HTTPS redirect.
server {
listen 80;
server_name example.com *.example.com;
return 301 https://$host$request_uri$is_args$args;
}
# Configuration for Sandstorm shell and apps, over HTTPS.
server {
# http2 requires Nginx >=1.9.5
listen 443 ssl http2;
server_name example.com *.example.com;
ssl_certificate /etc/nginx/ssl/sandstorm.crt;
ssl_certificate_key /etc/nginx/ssl/sandstorm.key;
ssl_session_timeout 5m;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
ssl_dhparam /path/to/dhparam.pem;
# Configure SSL with forward secrecy and other goodies.
# Ciphersuite taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# "Intermediate compatibility" as of 2019-09-12
# TLSv1.3 requires Nginx >=1.13.0 & OpenSSL >=1.1.1
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS prevents attackers from tricking you into connecting via HTTP in the
# future, but if you actually intend to access the server via non-SSL in the
# future then you should probably delete this line.
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling, requires Intermediate cert
#ssl_stapling on;
#ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
location / {
proxy_pass http://127.0.0.1:6080;
# Forward the Host header, which is used to route requests for
# static content published from Sandstorm apps.
proxy_set_header Host $http_host;
# Forward WebSocket.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
}
# Allow large spk uploads from the /install form and allow grains to receive large uploads.
client_max_body_size 1024m;
}
### The following commented-out configuration works for HTTP reverse proxying, if
### for some reason you can't use HTTPS. In that case, remove the HTTP->HTTPS
### redirect config stanza above.
# server {
# listen 80;
# server_name example.com *.example.com;
#
# location / {
# proxy_pass http://127.0.0.1:6080;
#
# # Forward the Host header, which is used to route requests for
# # static content published from Sandstorm apps.
# proxy_set_header Host $http_host;
#
# # Forward WebSocket.
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection $connection_upgrade;
# proxy_set_header X-Real-IP $remote_addr;
# }
#
# # Allow large spk uploads from the /install form and allow grains to receive large uploads.
# client_max_body_size 1024m;
# }