From 399f07cf3ad884a86f47236bdef3f402dc8c9422 Mon Sep 17 00:00:00 2001
From: Oliver Giles
Date: Sat, 24 Jul 2021 20:08:11 +1200
Subject: [PATCH] add example config for nginx reverse proxy
---
 UserManual.md | 2 ++
 examples/nginx-ssl-reverse-proxy.conf | 52 +++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 examples/nginx-ssl-reverse-proxy.conf
diff --git a/UserManual.md b/UserManual.md
index bd16d07..345dec8 100644
--- a/UserManual.md
+++ b/UserManual.md
@@ -98,6 +98,8 @@ Laminar uses Server Sent Events to provide a responsive, auto-updating display w
 If you use a reverse proxy to host Laminar at a subfolder instead of a subdomain root, the `` needs to be updated to ensure all links point to their proper targets. This can be done by setting `LAMINAR_BASE_URL` in `/etc/laminar.conf`.
+See [this example configuration file for nginx](https://github.com/ohwgiles/laminar/blob/master/examples/nginx-ssl-reverse-proxy.conf).
+
 ## More configuration options
 See the [reference section](#Service-configuration-file)
diff --git a/examples/nginx-ssl-reverse-proxy.conf b/examples/nginx-ssl-reverse-proxy.conf
new file mode 100644
index 0000000..6c48ec0
--- /dev/null
+++ b/examples/nginx-ssl-reverse-proxy.conf
@@ -0,0 +1,52 @@
+server {
+ listen [::]:80;
+ listen 80;
+ server_name laminar.example.com;
+
+ # rule for letsencrypt ACME challenge requests
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ alias /srv/www/acme-challenge/;
+ }
+
+ # redirect all other http to https
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ # http2 is recommended because browsers will only open a small number of concurrent SSE streams over http1
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+ server_name laminar.example.com;
+
+ # modern tls only, see https://syslink.pl/cipherlist/ for a more complete example
+ ssl_protocols TLSv1.3;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+
+ # set according to ACME/letsencrypt client
+ ssl_certificate /path/to/certificate.crt;
+ ssl_certificate_key /path/to/private.key;
+
+ # use "location /" if laminar is to be accessible at the (sub)domain root.
+ # alteratively, use a subdirectory such as "location /my-laminar/" and ensure that
+ # LAMINAR_BASE_URL=/my-laminar/ accordingly.
+ location / {
+ # set proxy_pass according to LAMINAR_BIND_HTTP.
+ # note that the laminar default for LAMINAR_BIND_HTTP is *:8080, which binds on all interfaces
+ # instead of just the loopback device and is almost certainly not what you want if you are using
+ # a reverse proxy. It should be set to 127.0.0.1:8080 at a minimum, or use unix sockets for more
+ # fine-grained control of permissions.
+ # see http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
+ # and https://laminar.ohwg.net/docs.html#Running-on-a-different-HTTP-port-or-Unix-socket
+ proxy_pass http://127.0.0.1:8080;
+
+ # required to allow laminar's SSE stream to pass correctly
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ }
+
+ # have nginx serve artefacts directly rather than having laminard do it
+ location /archive/ {
+ alias /var/lib/laminar/archive/;
+ }
+}
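Review bot: The server-level `return 301 https://$server_name$request_uri;` in the port-80 block runs in the server rewrite phase before any location is matched, so as I read nginx's rewrite-module ordering the `location ^~ /.well-known/acme-challenge/` above it is never reached and HTTP-01 challenge requests are redirected to the HTTPS server, which only proxies to laminard. Moving the redirect into a catch-all location keeps the challenge path reachable: `location / { return 301 https://$server_name$request_uri; }`. Separately, with `ssl_protocols TLSv1.3;` alone the `ssl_ciphers EECDH+AESGCM:EDH+AESGCM;` line has no effect, because OpenSSL does not select TLS 1.3 suites through `ssl_ciphers`; either drop it or add a comment that it only matters if TLSv1.2 is re-enabled. The proxied `location /` forwards no client-address headers, so if laminard logs or displays client addresses every request will appear to originate from 127.0.0.1; `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` are worth adding. Since `location /archive/` serves build artefacts from the same origin as the Laminar UI, a comment noting that HTML or script artefacts will execute in that origin, along with `add_header X-Content-Type-Options nosniff;`, would be a sensible caveat for the example.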