Add self-signed SSL cert back to web container.
parent
ad808e513c
commit
56611698af
|
@ -48,7 +48,7 @@ VOLUME ["/var/azuracast/www", "/var/azuracast/backups", "/etc/letsencrypt", "/va
|
|||
#
|
||||
USER root
|
||||
|
||||
EXPOSE 80 2022
|
||||
EXPOSE 80 443 2022
|
||||
|
||||
# Nginx Proxy environment variables.
|
||||
ENV VIRTUAL_HOST="azuracast.local" \
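Review bot: The self-signed key and the `ssl.crt`/`ssl.key` symlinks this commit generates land under `/etc/letsencrypt`, which the context line at the top of this hunk declares as a VOLUME; Docker documents for the classic builder that data written to a volume path by build steps after the VOLUME instruction is discarded, and on an upgrade where a volume or bind mount already exists the image's contents are hidden, so nginx would then refuse to start on a missing `ssl_certificate`. Worth confirming that the RUN which executes the nginx install script precedes the VOLUME line, and either way a `[ -f /etc/letsencrypt/ssl.crt ] || …` fallback at container start is the robust place for a placeholder cert. `EXPOSE 80 443 2022` is metadata only; the compose port mapping for 443 is not in this diff, so verify it is published where no reverse proxy sits in front. The ENV statement on the last line continues outside the hunk.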
|
||||
|
|
|
@ -25,7 +25,7 @@ services:
|
|||
- stations
|
||||
- redis
|
||||
env_file: azuracast.env
|
||||
environment: &default-environment
|
||||
environment:
|
||||
LANG: ${LANG:-en_US.UTF-8}
|
||||
AZURACAST_DC_REVISION: 8
|
||||
AZURACAST_SFTP_PORT: ${AZURACAST_SFTP_PORT:-2022}
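Review bot: Removing the `&default-environment` anchor here (and the `<<: *default-environment` merge in the next hunk) silently drops `LANG`, `AZURACAST_DC_REVISION` and `AZURACAST_SFTP_PORT` from the db service, which is unrelated to the self-signed cert the commit title describes; if that service or its entrypoint reads `LANG`, it now falls back to the container default. `AZURACAST_DC_REVISION: 8` is left unchanged although the compose file structure changed — if the revision is what prompts existing installs to refresh their docker-compose.yml, it presumably needs a bump. A one-line comment on the dropped merge, such as `# db takes its settings from azuracast.env only`, would make the intent clear. The `services:` mapping continues outside the hunk.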
|
||||
|
@ -58,8 +58,6 @@ services:
|
|||
volumes:
|
||||
- db_data:/var/lib/mysql
|
||||
env_file: azuracast.env
|
||||
environment:
|
||||
<<: *default-environment
|
||||
restart: always
|
||||
logging: *default-logging
|
||||
|
||||
|
|
|
@ -18,7 +18,20 @@ server {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen 80;
|
||||
listen 443 default_server http2 ssl;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/ssl.crt;
|
||||
ssl_certificate_key /etc/letsencrypt/ssl.key;
|
||||
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
||||
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
root /var/azuracast/www/web;
|
||||
index index.php;
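Review bot: Two of the suites in `ssl_ciphers` — `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` — are not OpenSSL cipher names (TLS has no AES-GCM-SHA512 suites), so they are silently ignored and the list that remains is RSA-only and ends with a CBC suite; `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;` keeps only AEAD suites and also covers an ECDSA certificate (ChaCha20 suites can be added if the image's OpenSSL is 1.1.0 or later). `listen 80;` loses the `default_server` the removed line carried, so whichever server block listening on 80 appears first in the file (one closes just above this hunk) now receives requests with an unmatched Host — confirm that is intended. `ssl_protocols TLSv1.2;` excludes TLS 1.3; if nginx links OpenSSL 1.1.1 or later, `ssl_protocols TLSv1.2 TLSv1.3;` is the usual choice. The server block continues past the end of the hunk.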
|
||||
|
@ -30,6 +43,12 @@ server {
|
|||
add_header X-Robots-Tag none;
|
||||
add_header Referrer-Policy no-referrer-when-downgrade;
|
||||
|
||||
# LetsEncrypt handling
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/letsencrypt;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
||||
# Serve a static version of the nowplaying data for non-PHP-blocking delivery.
|
||||
location /api/nowplaying_static {
|
||||
expires 10s;
|
||||
|
|
|
@ -3,7 +3,7 @@ set -e
|
|||
source /bd_build/buildconfig
|
||||
set -x
|
||||
|
||||
$minimal_apt_get_install nginx nginx-common nginx-extras
|
||||
$minimal_apt_get_install nginx nginx-common nginx-extras openssl
|
||||
|
||||
# Install nginx and configuration
|
||||
cp /bd_build/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
|
@ -17,5 +17,14 @@ touch /tmp/azuracast_nginx_client/.tmpreaper
|
|||
touch /tmp/azuracast_fastcgi_temp/.tmpreaper
|
||||
chmod -R 777 /tmp/azuracast_*
|
||||
|
||||
# SSL self-signed cert generation
|
||||
openssl req -new -nodes -x509 -subj "/C=US/ST=Texas/L=Austin/O=IT/CN=localhost" \
|
||||
-days 365 -extensions v3_ca \
|
||||
-keyout /etc/letsencrypt/selfsigned.key \
|
||||
-out /etc/letsencrypt/selfsigned.crt
|
||||
|
||||
ln -s /etc/letsencrypt/selfsigned.key /etc/letsencrypt/ssl.key
|
||||
ln -s /etc/letsencrypt/selfsigned.crt /etc/letsencrypt/ssl.crt
|
||||
|
||||
# Generate the dhparam.pem file (takes a long time)
|
||||
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
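Review bot: The private key created by `openssl req … -keyout /etc/letsencrypt/selfsigned.key` is generated at image build time, so every container started from this image — including everyone who pulls a published build — shares the same key, which defeats the purpose of TLS even as a placeholder; generation should run at container start when `/etc/letsencrypt/ssl.crt` is absent, or at minimum the comment should state that the key is shared. `-extensions v3_ca` marks the leaf certificate as a CA and the subject carries no `subjectAltName`, so browsers that ignore CN will reject it even after the user trusts it; `-addext "subjectAltName=DNS:localhost"` (OpenSSL 1.1.1+) and dropping `-extensions v3_ca` address that. The key file is written with the default umask, so a `chmod 600` right after generation is cheap. `/etc/letsencrypt` is a declared volume in the Dockerfile, so with an existing volume mounted these build-time files are not visible at runtime.
```shell
# SSL self-signed cert generation.
# NOTE: this runs at image build time, so the key is shared by every
# container built from this image; regenerate per deployment if that matters.
openssl req -new -nodes -x509 -subj "/C=US/ST=Texas/L=Austin/O=IT/CN=localhost" \
    -addext "subjectAltName=DNS:localhost" \
    -days 365 \
    -keyout /etc/letsencrypt/selfsigned.key \
    -out /etc/letsencrypt/selfsigned.crt
chmod 600 /etc/letsencrypt/selfsigned.key

# … unchanged: ssl.key/ssl.crt symlinks, dhparam generation …
```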
|
||||
|
|