add examples/treamviewer-ssl.conf

cebccc74 · tee · ebb8e3f5 · ebb8e3f5 · cebccc74
Commit cebccc74 authored 4 years ago by tee
--- a/examples/hls-ssl.conf
+++ b/examples/hls-ssl.conf
-# nginx hls server config
-# things to change: replace CHANGE_ME_SERVER_NAME
-# with the FQDN of the server and adapt the path/names of your SSL setup
-# 20210301 wot
-
-http {
-	server {
-		listen 80 default_server;
-		listen [::]:80 default_server;
-
-		server_name CHANGE_ME_SERVER_NAME;
-
-		# testing
-		return 302 https://$server_name$request_uri;
-		# permanent
-		#return 301 https://$server_name$request_uri;
-	}
-
-	server {
-		listen [::]:443 ssl ipv6only=on;
-		listen 443 ssl;
-
-		server_name CHANGE_ME_SERVER_NAME;
-
-		client_max_body_size 10M;
-		client_body_buffer_size 128k;
-		charset utf-8;
-
-		access_log /var/log/nginx/access.log;
-		error_log /var/log/nginx/error.log;
-
-		# ssl/tls block
-		ssl_certificate /etc/ssl/certs/CHANGE_ME_SERVER_NAME/server.cert;
-		ssl_certificate_key /etc/ssl/certs/CHANGE_ME_SERVER_NAME/server.key;
-		#ssl_certificate /etc/dehydrated/certs/CHANGE_ME_SERVER_NAME/fullchain.pem;
-		#ssl_certificate_key /etc/dehydrated/certs/CHANGE_ME_SERVER_NAME/privkey.pem;
-
-		ssl_session_timeout 5m;
-		# if your OS is old
-		# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-		# if your OS is recent
-		ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-		ssl_prefer_server_ciphers on;
-		ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-		ssl_session_cache shared:SSL:10m;
-		# DH parameters. generate with
-		# openssl dhparam -out ssl/dhparam.pem -outform pem 4096
-		ssl_dhparam ssl/dhparam.pem;
-
-		# HSTS. Only activate after being fully done with the ssl cert install
-		#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-		#add_header Public-Key-Pins 'pin-sha256=""; pin-sha256=""; max-age=2592000; includeSubDomains';
-		#ssl_stapling on;
-		#ssl_stapling_verify on;
-
-		location /.well-known/acme-challenge {
-			alias /srv/dehydrated;
-		}
-		# /ssl
-
-		#add_header Cache-Control no-cache;
-		add_header x-frame-options SAMEORIGIN;
-		add_header X-Content-Type-Options nosniff;
-		add_header X-XSS-Protection "1; mode=block";
-
-
-		location / {
-			#include proxy_params;
-			# if the system does not have proxy_params:
-			proxy_set_header Host $http_host;
-			proxy_set_header X-Real-IP $remote_addr;
-			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-			proxy_set_header X-Forwarded-Proto $scheme;
-
-			proxy_pass http://127.0.0.1:8000;
-		}
-
-		location ~ /.git/ {
-			deny all;
-		}
-
-		location /hls {
-			# Disable cache
-			add_header Cache-Control no-cache;
-
-			# CORS setup
-			add_header 'Access-Control-Allow-Origin' '*' always;
-			add_header 'Access-Control-Expose-Headers' 'Content-Length';
-
-			# allow CORS preflight requests
-			if ($request_method = 'OPTIONS') {
-				add_header 'Access-Control-Allow-Origin' '*';
-				add_header 'Access-Control-Max-Age' 1728000;
-				add_header 'Content-Type' 'text/plain charset=UTF-8';
-				add_header 'Content-Length' 0;
-				return 204;
-			}
-			root /data;
-		}
-
-		location /socket.io {
-			#include proxy_params;
-			# if the system does not have proxy_params:
-			proxy_set_header Host $http_host;
-			proxy_set_header X-Real-IP $remote_addr;
-			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-			proxy_set_header X-Forwarded-Proto $scheme;
-			# -
-			proxy_http_version 1.1;
-			proxy_buffering off;
-			proxy_set_header Upgrade $http_upgrade;
-			proxy_set_header Connection "Upgrade";
-			proxy_pass http://127.0.0.1:8000/socket.io;
-		}
-	}
-}
-
--- a/examples/streamviewer-ssl.conf
+++ b/examples/streamviewer-ssl.conf
+
+# nginx hls ssl server config
+# things to change: replace CHANGE_ME_SERVER_NAME
+# with the FQDN of the server and adapt the path/names of your SSL setup
+# 20210408 wot
+
+server {
+    server_name CHANGE_ME_SERVER_NAME;
+    listen 80;
+    listen [::]:80;
+
+	# testing
+	return 302 https://$server_name$request_uri;
+	# forever
+	#return 301 https://$server_name$request_uri;
+}
+
+server {
+    server_name CHANGE_ME_SERVER_NAME;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    add_header Cache-Control   no-cache;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
+    add_header x-frame-options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    client_max_body_size 10M;
+    client_body_buffer_size 128k;
+    charset utf-8;
+
+    access_log /var/log/nginx.access.log;
+    error_log /var/log/nginx.error.log;
+
+    ssl on;
+    #ssl_certificate /etc/dehydrated/certs/CHANGE_ME_SERVER_NAME/fullchain.pem;
+    #ssl_certificate_key /etc/dehydrated/certs/CHANGE_ME_SERVER_NAME/privkey.pem;
+
+    ssl_certificate /etc/ssl/certs/CHANGE_ME_SERVER_NAME.cert;
+    ssl_certificate_key /etc/ssl/private/CHANGE_ME_SERVER_NAME.key;
+
+	ssl_session_timeout 5m;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+
+    #ssl_session_cache shared:SSL:10m;
+    #ssl_session_cache shared:SSL:10m;
+    ssl_dhparam /etc/ssl/dh2048.pem;
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+    #add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';
+
+	location ^~ /.well-known/acme-challenge/ {
+      alias /srv/dehydrated/;
+	}
+
+    location / {
+        include proxy_params;
+        proxy_pass http://127.0.0.1:8000;
+    }
+
+    location ~ /.git/ {
+  		deny all;
+    }
+
+    location /hls {
+            # Disable cache
+            add_header Cache-Control no-cache;
+
+            # CORS setup
+            add_header 'Access-Control-Allow-Origin' '*' always;
+            add_header 'Access-Control-Expose-Headers' 'Content-Length';
+
+            # allow CORS preflight requests
+            if ($request_method = 'OPTIONS') {
+            	add_header 'Access-Control-Allow-Origin' '*';
+            	add_header 'Access-Control-Max-Age' 1728000;
+            	add_header 'Content-Type' 'text/plain charset=UTF-8';
+            	add_header 'Content-Length' 0;
+            	return 204;
+            }
+            root /data/video;
+    }
+
+    location /socket.io {
+        include proxy_params;
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_pass http://127.0.0.1:8000/socket.io;
+    }
+}