website/docs: Improve example nginx reverse proxy config

Signed-off-by: Daniel Lo Nigro <d@d.sb>
This commit is contained in:
Daniel Lo Nigro 2024-01-13 21:39:07 -08:00 committed by GitHub
parent 7c116acf0f
commit f4e65795fd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 4 deletions

View File

@ -13,6 +13,8 @@ If you want to access authentik behind a reverse-proxy, there are a few headers
- `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication. - `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
- `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1. - `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.
It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3.
The following nginx configuration can be used as a starting point for your own configuration. The following nginx configuration can be used as a starting point for your own configuration.
``` ```
@ -32,21 +34,21 @@ map $http_upgrade $connection_upgrade_keepalive {
server { server {
# HTTP server config # HTTP server config
listen 80; listen 80;
listen [::]:80;
server_name sso.domain.tld; server_name sso.domain.tld;
# 301 redirect to HTTPS # 301 redirect to HTTPS
location / {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
}
} }
server { server {
# HTTPS server config # HTTPS server config
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sso.domain.tld; server_name sso.domain.tld;
# TLS certificates # TLS certificates
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
add_header Strict-Transport-Security "max-age=63072000" always;
# Proxy site # Proxy site
location / { location / {