Skip to content

Commit

Permalink
Re-added bind mounts for nginx conf files; re-enabled ssh for local i…
Browse files Browse the repository at this point in the history 
…nstallation in nginx
  • Loading branch information
@monotasker
monotasker committed Mar 21, 2024
1 parent 8251551 commit 4d51cd4
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 16 deletions.
2 changes: 2 additions & 0 deletions docker-compose.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ services:
file: docker-services.yml
service: frontend
volumes:
- ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf
- ./docker/nginx/conf.d:/etc/nginx/conf.d
- ${INVENIO_LOCAL_INSTANCE_PATH}/static:/opt/invenio/var/instance/static
extra_hosts:
- "host.docker.internal:host-gateway"
Expand Down
32 changes: 16 additions & 16 deletions docker/nginx/conf.d/default.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,36 +24,36 @@ server {
server_name _;
# return 301 https://$host$request_uri;
# # TODO: switch off
# }
}

# # TODO: switch off
# # HTTPS server
# server {
# listen 443 ssl http2; # IPv4
# listen [::]:443 ssl http2; # IPv6
# server_name _;
# charset utf-8;
# keepalive_timeout 5;
server {
listen 443 ssl http2; # IPv4
listen [::]:443 ssl http2; # IPv6
server_name _;
charset utf-8;
keepalive_timeout 5;

# SSL configuration according to best practices from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# The provided certificate (test.crt) and private key (test.key) is only for
# testing and must never be used in production environment.
# TODO: change certificates for production

# ssl_certificate /etc/ssl/certs/test.crt;
# ssl_certificate_key /etc/ssl/private/test.key;
# ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:50m;
# ssl_session_tickets off;
ssl_certificate /etc/ssl/certs/test.crt;
ssl_certificate_key /etc/ssl/private/test.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# TODO: switch off
# Accepted protocols and ciphers
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# add_header Strict-Transport-Security "max-age=15768000"; # 6 months
add_header Strict-Transport-Security "max-age=15768000"; # 6 months

# Request ID tracing (allows end-to-end tracking of requests for better
# troubleshooting)
Expand Down

0 comments on commit 4d51cd4

Please sign in to comment.