64 lines
1.5 KiB
Markdown
64 lines
1.5 KiB
Markdown
# Nginx on VPN
|
|
|
|
Configure server with OpenVPN and CA
|
|
|
|
### Install OpenVPN
|
|
|
|
`sudo apt install nginx`
|
|
|
|
### nginx config
|
|
|
|
`sudo vi /etc/nginx/sites-av.../default`
|
|
|
|
```
|
|
server {
|
|
listen 10.8.0.1:443 ssl;
|
|
# server_name _; # You can omit this line or use '_'
|
|
|
|
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
|
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
|
|
|
# SSL settings
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
|
|
# Add Diffie-Hellman parameter for DHE ciphersuites
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
|
|
|
|
# Add security headers
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
# Reverse proxy settings
|
|
location / {
|
|
proxy_pass http://<SERVER_B_IP>:80;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
```
|
|
|
|
### SSL Certs
|
|
|
|
```
|
|
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
|
-keyout /etc/ssl/private/nginx-selfsigned.key \
|
|
-out /etc/ssl/certs/nginx-selfsigned.crt \
|
|
-subj "/CN=10.8.0.1"
|
|
```
|
|
|
|
`sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`
|
|
|
|
```
|
|
sudo nginx -t
|
|
sudo systemctl reload nginx
|
|
``` |