114 lines
3.2 KiB
Nginx Configuration File
114 lines
3.2 KiB
Nginx Configuration File
# ---
|
|
# type:
|
|
#
|
|
# 1. Adjust variables 'grafana_host_name' and 'grafana_port' and if not a
|
|
# standard installation also nginx concerning variables
|
|
#
|
|
# 2. source README.nginx
|
|
#
|
|
# ---
|
|
|
|
grafana_host_name="grafana.ndneu.de"
|
|
grafana_port=3002
|
|
|
|
|
|
nginx_path_sites_available="/etc/nginx/sites-available"
|
|
nginx_path_sites_enabled="/etc/nginx/sites-enabled"
|
|
nginx_config_file="${nginx_path_sites_available}/${grafana_host_name}.conf"
|
|
|
|
cat << EOF > ${nginx_config_file}
|
|
# This is required to proxy Grafana Live WebSocket connections.
|
|
map \$http_upgrade \$connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
upstream grafana {
|
|
server localhost:${grafana_port};
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name ${grafana_host_name};
|
|
|
|
return 301 https://\$server_name\$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name grafana.ndneu.de;
|
|
|
|
# Include location directive for Let's Encrypt ACME Challenge
|
|
#
|
|
# Needed for (automated) updating certificate
|
|
#
|
|
include snippets/letsencrypt-acme-challenge.conf;
|
|
|
|
|
|
# Use Mozilla's guidelines for SSL/TLS settings
|
|
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
|
ssl_certificate /var/lib/dehydrated/certs/grafana.ndneu.de/fullchain.pem;
|
|
ssl_certificate_key /var/lib/dehydrated/certs/grafana.ndneu.de/privkey.pem;
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
|
#
|
|
# To generate a dhparam.pem file, run in a terminal
|
|
# openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
|
|
#
|
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
|
|
# Speeds things up a little bit when resuming a session
|
|
ssl_session_timeout 1d;
|
|
#ssl_session_cache shared:MozSSL:10m;
|
|
ssl_session_tickets off;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
|
|
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
|
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
index index.html index.htm;
|
|
|
|
location / {
|
|
proxy_set_header Host \$host;
|
|
proxy_pass http://grafana;
|
|
}
|
|
|
|
# Proxy Grafana Live WebSocket connections.
|
|
location /api/live/ {
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade \$http_upgrade;
|
|
proxy_set_header Connection \$connection_upgrade;
|
|
proxy_set_header Host \$host;
|
|
proxy_pass http://grafana;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
# Delete existin symlink
|
|
#
|
|
if [[ -f "${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")" ]] ; then
|
|
rm "${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")"
|
|
fi
|
|
|
|
# Activate site
|
|
#
|
|
ln -s "../sites-available/$(basename "${nginx_config_file}")" \
|
|
"${nginx_path_sites_enabled}/$(basename "${nginx_config_file}")"
|