From f4e65795fd60d18b4cd78aa1fe77845819e95b1d Mon Sep 17 00:00:00 2001 From: Daniel Lo Nigro Date: Sat, 13 Jan 2024 21:39:07 -0800 Subject: [PATCH] website/docs: Improve example nginx reverse proxy config Signed-off-by: Daniel Lo Nigro --- website/docs/installation/reverse-proxy.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/website/docs/installation/reverse-proxy.md b/website/docs/installation/reverse-proxy.md index c123e4b18..c7931690b 100644 --- a/website/docs/installation/reverse-proxy.md +++ b/website/docs/installation/reverse-proxy.md @@ -13,6 +13,8 @@ If you want to access authentik behind a reverse-proxy, there are a few headers - `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication. - `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1. +It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3. + The following nginx configuration can be used as a starting point for your own configuration. ``` @@ -32,21 +34,21 @@ map $http_upgrade $connection_upgrade_keepalive { server { # HTTP server config listen 80; + listen [::]:80; server_name sso.domain.tld; - # 301 redirect to HTTPS - location / { - return 301 https://$host$request_uri; - } + return 301 https://$host$request_uri; } server { # HTTPS server config listen 443 ssl http2; + listen [::]:443 ssl http2; server_name sso.domain.tld; # TLS certificates ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; + add_header Strict-Transport-Security "max-age=63072000" always; # Proxy site location / {