Add automatic SSL certificate generation
This commit is contained in:
parent
1220c5101d
commit
38ecb718e7
8 changed files with 92 additions and 31 deletions
|
|
@ -91,17 +91,43 @@ http {
|
|||
# Default for most uploads (images, stickers)
|
||||
client_max_body_size 5m;
|
||||
|
||||
# ==========================================================================
|
||||
# HTTP Server - Redirect to HTTPS (except ACME challenges)
|
||||
# ==========================================================================
|
||||
server {
|
||||
listen 80;
|
||||
server_name localhost;
|
||||
server_name _;
|
||||
|
||||
# ACME challenge endpoint for Let's Encrypt certificate validation
|
||||
# This must come before any access control blocks
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# Redirect all other HTTP traffic to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# ==========================================================================
|
||||
# HTTPS Server - Main application server
|
||||
# ==========================================================================
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name beeta.realms.pub;
|
||||
|
||||
# SSL certificates (obtained by certbot on host, mounted via docker-compose)
|
||||
ssl_certificate /etc/letsencrypt/live/beeta.realms.pub/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/beeta.realms.pub/privkey.pem;
|
||||
|
||||
# Modern SSL configuration
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 1d;
|
||||
|
||||
# Site-wide uberban check - blocks banned fingerprints from all endpoints
|
||||
access_by_lua_block {
|
||||
-- Skip OPTIONS requests (CORS preflight)
|
||||
|
|
@ -114,7 +140,7 @@ http {
|
|||
|
||||
# Security headers for the whole server
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
|
||||
# Fixed: Serve uploaded files with correct configuration
|
||||
location /uploads/ {
|
||||
# Use root directive with absolute path to avoid alias+try_files bug
|
||||
|
|
|
|||