website/docs: Improve example nginx reverse proxy config
Signed-off-by: Daniel Lo Nigro <d@d.sb>
This commit is contained in:
parent
7c116acf0f
commit
f4e65795fd
|
@ -13,6 +13,8 @@ If you want to access authentik behind a reverse-proxy, there are a few headers
|
|||
- `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
|
||||
- `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.
|
||||
|
||||
It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3.
|
||||
|
||||
The following nginx configuration can be used as a starting point for your own configuration.
|
||||
|
||||
```
|
||||
|
@ -32,21 +34,21 @@ map $http_upgrade $connection_upgrade_keepalive {
|
|||
server {
|
||||
# HTTP server config
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name sso.domain.tld;
|
||||
|
||||
# 301 redirect to HTTPS
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
server {
|
||||
# HTTPS server config
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name sso.domain.tld;
|
||||
|
||||
# TLS certificates
|
||||
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
# Proxy site
|
||||
location / {
|
||||
|
|
Reference in New Issue