Commit d43d6792 authored by Jérome Perrin's avatar Jérome Perrin

software/nginx-push-stream: enable HTTP2 and TLS

with a self-signed certificate for now

config generated using https://ssl-config.mozilla.org/#server=nginx&version=1.19.2&config=modern&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
parent 635f6ec4
...@@ -4,8 +4,8 @@ md5sum = eb4c69df9a8dbb94fb76d0a6c11e360f ...@@ -4,8 +4,8 @@ md5sum = eb4c69df9a8dbb94fb76d0a6c11e360f
[template-nginx-configuration] [template-nginx-configuration]
filename = template-nginx.cfg.in filename = template-nginx.cfg.in
md5sum = b957c4cbaa4d5644688a38f1eca7a516 md5sum = 6f3ab2e441ff435182930b4b1140afd7
[template-nginx] [template-nginx]
filename = instance-nginx.cfg.in filename = instance-nginx.cfg.in
md5sum = 4a8c49421c7a36901d3ab8c0b4a07769 md5sum = ac425cdab9c374985c84ea4928c0ce1b
...@@ -54,7 +54,24 @@ subscriber-location-prefix = /sub ...@@ -54,7 +54,24 @@ subscriber-location-prefix = /sub
subscriber-allow-credential = 'false' subscriber-allow-credential = 'false'
subscriber-allow-methods = 'GET, HEAD, OPTIONS' subscriber-allow-methods = 'GET, HEAD, OPTIONS'
subscriber-allow-headers = 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' subscriber-allow-headers = 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since'
base-url = http://[$${nginx-configuration:ip}]:$${nginx-configuration:port} base-url = https://[$${nginx-configuration:ip}]:$${nginx-configuration:port}
# Generate a self-signed TLS certificate.
[nginx-certificate]
recipe = plone.recipe.command
command =
if [ ! -e $${:key-file} ]
then
${openssl:location}/bin/openssl req -x509 -nodes -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${nginx-configuration:ip}" \
-newkey rsa:1024 -keyout $${:key-file} \
-out $${:cert-file}
fi
update-command = $${:command}
key-file = $${directory:ssl}/${:_buildout_section_name_}.key
cert-file = $${directory:ssl}/${:_buildout_section_name_}.cert
common-name = $${nginx-configuration:ip}
stop-on-error = true
[promises] [promises]
recipe = recipe =
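Review bot: `-newkey rsa:1024` in the `[nginx-certificate]` command generates a 1024-bit RSA key, which is below the 2048-bit minimum current TLS guidance assumes and sits oddly next to the TLSv1.3-only "modern" profile this commit configures in template-nginx.cfg.in; `-newkey rsa:2048` costs nothing since the key is generated once. The `common-name` key defined after the command is not used by it: `-subj` reads `$${nginx-configuration:ip}` directly, so `-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}"` would keep the two in step. Because the subject is an IP address, clients that verify peer identity presumably expect an iPAddress subjectAltName rather than a CN; if anything beyond a client that pins this certificate is meant to validate it, an `-addext "subjectAltName=IP:$${:common-name}"` entry is likely needed (hedged, the consumers are not visible here). With `-days 3650` and the command guarded by `[ ! -e $${:key-file} ]`, the certificate is never re-issued after expiry; a comment such as `# Not renewed automatically: remove the key file to regenerate.` above the section would record that.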
...@@ -54,9 +54,21 @@ http { ...@@ -54,9 +54,21 @@ http {
## ##
push_stream_shared_memory_size 32m; push_stream_shared_memory_size 32m;
server { server {
listen [$${nginx-configuration:ip}]:$${nginx-configuration:port}; listen [$${nginx-configuration:ip}]:$${nginx-configuration:port} ssl http2;
listen $${nginx-configuration:local-ip}:$${nginx-configuration:port}; listen $${nginx-configuration:local-ip}:$${nginx-configuration:port} ssl http2;
# generated 2021-08-02, Mozilla Guideline v5.6, nginx 1.19.2, OpenSSL 1.1.1k, modern configuration, no HSTS, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.19.2&config=modern&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
ssl_certificate $${nginx-certificate:cert-file};
ssl_certificate_key $${nginx-certificate:key-file};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
fastcgi_temp_path $${directory:varnginx} 1 2; fastcgi_temp_path $${directory:varnginx} 1 2;
uwsgi_temp_path $${directory:varnginx} 1 2; uwsgi_temp_path $${directory:varnginx} 1 2;