-
-
Notifications
You must be signed in to change notification settings - Fork 709
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add extended documentation about setting up the shell, inculding port…
- Loading branch information
Showing
2 changed files
with
92 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
# Definitions like these should go in the "http" block of your nginx config. | ||
# Replace "sandstorm.io" with your domain, and "alpha" with your host. | ||
|
||
server { | ||
# Redirect http -> https. | ||
listen 80; | ||
server_name alpha.sandstorm.io; | ||
return 301 https://alpha.sandstorm.io$request_uri; | ||
} | ||
|
||
# For WebSocket forwarding, we want to forward the `Connection` header. | ||
# This "map" declaration helps with that. | ||
map $http_upgrade $connection_upgrade { | ||
default upgrade; | ||
'' close; | ||
} | ||
|
||
# Configuration for Sandstorm shell. | ||
server { | ||
listen 443; | ||
server_name alpha.sandstorm.io; | ||
|
||
ssl on; | ||
ssl_certificate /etc/keys/sandstorm.crt; | ||
ssl_certificate_key /etc/keys/sandstorm.key; | ||
|
||
ssl_session_timeout 5m; | ||
|
||
# Configure SSL with perfect forward secrecy and other goodies. | ||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; | ||
ssl_prefer_server_ciphers on; | ||
|
||
# HSTS prevents attackers from tricking you into connecting via HTTP in the | ||
# future, but if you actually intend to access the server via non-SSL in the | ||
# future then you should probably delete this line. | ||
add_header Strict-Transport-Security max-age=31536000; | ||
|
||
# Prevent clickjacking on the Sandstorm shell. | ||
add_header X-Frame-Options DENY; | ||
|
||
location / { | ||
proxy_pass http://127.0.0.1:3000; | ||
|
||
# Forward WebSocket. | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection $connection_upgrade; | ||
} | ||
|
||
# Allow large spk uploads from the /install form. | ||
client_max_body_size 256M; | ||
} | ||
|
||
# Configuration for Sandstorm apps. | ||
server { | ||
listen 443; | ||
server_name ~alpha-(?<port>7\d\d\d)\.sandstorm\.io; | ||
|
||
ssl on; | ||
ssl_certificate /etc/keys/sandstorm.crt; | ||
ssl_certificate_key /etc/keys/sandstorm.key; | ||
|
||
ssl_session_timeout 5m; | ||
|
||
# Configure SSL with perfect forward secrecy and other goodies. | ||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; | ||
ssl_prefer_server_ciphers on; | ||
|
||
# HSTS prevents attackers from tricking you into connecting via HTTP in the | ||
# future, but if you actually intend to access the server via non-SSL in the | ||
# future then you should probably delete this line. | ||
add_header Strict-Transport-Security max-age=31536000; | ||
|
||
location / { | ||
proxy_pass http://127.0.0.1:$port; | ||
|
||
# Forward WebSocket. | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection $connection_upgrade; | ||
} | ||
} |