website/docs: Improve example nginx reverse proxy config
Signed-off-by: Daniel Lo Nigro <d@d.sb>
This commit is contained in:
parent
7c116acf0f
commit
f4e65795fd
|
@ -13,6 +13,8 @@ If you want to access authentik behind a reverse-proxy, there are a few headers
|
||||||
- `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
|
- `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
|
||||||
- `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.
|
- `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.
|
||||||
|
|
||||||
|
It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3.
|
||||||
|
|
||||||
The following nginx configuration can be used as a starting point for your own configuration.
|
The following nginx configuration can be used as a starting point for your own configuration.
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -32,21 +34,21 @@ map $http_upgrade $connection_upgrade_keepalive {
|
||||||
server {
|
server {
|
||||||
# HTTP server config
|
# HTTP server config
|
||||||
listen 80;
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
server_name sso.domain.tld;
|
server_name sso.domain.tld;
|
||||||
|
|
||||||
# 301 redirect to HTTPS
|
# 301 redirect to HTTPS
|
||||||
location / {
|
return 301 https://$host$request_uri;
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
server {
|
server {
|
||||||
# HTTPS server config
|
# HTTPS server config
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
server_name sso.domain.tld;
|
server_name sso.domain.tld;
|
||||||
|
|
||||||
# TLS certificates
|
# TLS certificates
|
||||||
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
# Proxy site
|
# Proxy site
|
||||||
location / {
|
location / {
|
||||||
|
|
Reference in New Issue