Modified NGINX configuration after further testing.
This commit is contained in:
parent
788a539758
commit
8011108116
2 changed files with 12 additions and 72 deletions
16
INSTALL.txt
16
INSTALL.txt
@ -32,6 +32,8 @@ As Root: cmd: su - postgres
cmd: createuser -s -d -e -r -P <DB User> ( Pwd: <DB Password> )
cmd: createuser -s -d -e -r -P <DB User> ( Pwd: <DB Password> )
cmd: createdb oidc_db -O <DB User>
cmd: createdb oidc_db -O <DB User>
cmd: psql oidc_db < oidc_db_v2.sql
cmd: psql oidc_db < oidc_db_v2.sql
Note: There will be a series of 8 error messages followed by CREATE and ALTER statements. This is normal due to the format of the dump.
Ctrl-D
Ctrl-D
Ctrl-D
cmd: cd ..
cmd: cd ..
@ -69,9 +71,7 @@ Continue by:
cmd: ansible-playbook -K 01_install_cacert_oidc.yml
cmd: ansible-playbook -K 01_install_cacert_oidc.yml
Answer the password question for your "normal" user.
Answer the password question for your "normal" user.
cmd: cd ../..
cmd: cd ../../oidc-registration-php
As Root: cmd: certbot --nginx -d <your domain name> -d <your authserver domain name> -d <your idp domain name>
Edit misc/reverse-proxy.conf and change "<My Domain Name>" to the correct value.
Edit misc/reverse-proxy.conf and change "<My Domain Name>" to the correct value.
Also change "<Host IP>" to the correct value for your machine.
Also change "<Host IP>" to the correct value for your machine.
@ -86,12 +86,14 @@ From your working directory, do the following As Root:
cmd: cp misc/cas.pem /etc/nginx/certs
cmd: cp misc/cas.pem /etc/nginx/certs
cmd: chmod 751 /srv/hydra/bin
cmd: chmod 751 /srv/hydra/bin
cmd: chmod 751 /srv/hydra/bin/hydra
cmd: chmod 751 /srv/hydra/bin/hydra
cmd: cp -i /etc/letsencrypt/live/registercacert.buadh-brath.com/cert.pem idp.buadh-brath.com.pem
cmd: cp -i /etc/letsencrypt/live/registercacert.buadh-brath.com/privkey.pem idp.buadh-brath.com-key.pem
cmd: cd /srv/cacert/etc
cmd: cd /srv/cacert/etc
cmd: certbot --nginx -d <your domain name> -d <your authserver domain name> -d <Your IDP Domain Name>
cmd: cp -i /etc/letsencrypt/live/<Your Domain Name>/cert.pem <Your IDP Domain Name>.pem
cmd: cp -i /etc/letsencrypt/live/<Your Domain Name>/privkey.pem <Your IDP Domain Name>-key.pem
cmd: chown root:cacert *
cmd: chown root:cacert *
cmd: chmod 640 idp.buadh-brath.com-key.pem
cmd: chmod 640 <Your IDP Domain Name>-key.pem
cmd: systemd restart cacert-idp.service
cmd: systemctl restart cacert-idp.service
cmd: systemctl status cacert-idp.service
Exit Root, if necessary
Exit Root, if necessary
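Review bot: The two `cp -i` lines added in the @ -86,12 +86,14 hunk copy `cert.pem`, which in a certbot live directory is the leaf certificate only; if cacert-idp.service presents that file directly to TLS clients, `fullchain.pem` is normally what is needed so clients also receive the issuing intermediate, so consider `cmd: cp -i /etc/letsencrypt/live/<Your Domain Name>/fullchain.pem <Your IDP Domain Name>.pem` unless the service is known to want the leaf alone. The copies placed in /srv/cacert/etc also do not track certbot's automatic renewals, so the IDP would keep serving the old key pair after the certificate's roughly 90-day lifetime while the nginx vhosts renew on their own. A short note after the `chmod 640` line would spare an operator that surprise, e.g. `Note: certbot renews certificates automatically; after each renewal repeat the two cp commands, the chown/chmod, and the systemctl restart (a certbot --deploy-hook script can do this).` The `chown root:cacert *` followed by `chmod 640` on the key file is the right order and needs no change.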
@ -1,39 +1,3 @@
server {
if ($host = authserver.<My Domain Name>) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name authserver.<My Domain Name>;
return 404; # managed by Certbot
}
server {
if ($host = idp.<My Domain Name>) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name idp.<My Domain Name>;
return 404; # managed by Certbot
}
server {
if ($host = <My Domain Name>) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name <My Domain Name>;
return 404; # managed by Certbot
}
server {
server {
server_name authserver.<My Domain Name>;
server_name authserver.<My Domain Name>;
@ -44,14 +8,7 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
listen 443 ssl; # managed by Certbot
listen <Host IP>:4444 ssl;
listen <Host IP>:4444 ssl;
ssl_certificate /etc/letsencrypt/live/<My Domain Name>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/<My Domain Name>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
}
server {
server {
server_name idp.<My Domain Name>;
server_name idp.<My Domain Name>;
@ -62,16 +19,7 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
listen 443 ssl; # managed by Certbot
listen <Host IP>:3000 ssl;
ssl_certificate /etc/letsencrypt/live/<My Domain Name>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/<My Domain Name>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
}
server {
server {
server_name <My Domain Name>;
server_name <My Domain Name>;
@ -81,7 +29,6 @@ server {
ssl_verify_client on;
ssl_verify_client on;
ssl_client_certificate /etc/nginx/certs/cas.pem;
ssl_client_certificate /etc/nginx/certs/cas.pem;
# ssl_verify_depth 1;
location ~ ^/(.+\.php)$ {
location ~ ^/(.+\.php)$ {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
@ -90,10 +37,8 @@ server {
}
}
include snippets/fastcgi-php.conf;
include snippets/fastcgi-php.conf;
include fastcgi_params;
include fastcgi_params;
# fastcgi_index index.php;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
fastcgi_read_timeout 600s;
fastcgi_read_timeout 600s;
#fastcgi_param SCRIPT_FILENAME /srv/www.example.org/html$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_intercept_errors on;
fastcgi_intercept_errors on;
fastcgi_param PHP_VALUE "memory_limit = 512M
fastcgi_param PHP_VALUE "memory_limit = 512M
@ -102,9 +47,9 @@ server {
max_execution_time = 240
max_execution_time = 240
max_input_time = 240
max_input_time = 240
upload_max_filesize = 16M";
upload_max_filesize = 16M";
client_body_buffer_size 128k;
client_body_buffer_size 128k;
http2_push_preload on;
http2_push_preload on;
fastcgi_param TLS_SUCCESS $ssl_client_verify;
fastcgi_param TLS_SUCCESS $ssl_client_verify;
fastcgi_param TLS_DN $ssl_client_s_dn;
fastcgi_param TLS_DN $ssl_client_s_dn;
fastcgi_param TLS_CERT $ssl_client_cert;
fastcgi_param TLS_CERT $ssl_client_cert;
fastcgi_param TLS_FP $ssl_client_fingerprint;
fastcgi_param TLS_FP $ssl_client_fingerprint;
@ -112,17 +57,10 @@ server {
fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
}
}
# deny access to Apache .htaccess on Nginx with PHP,
# deny access to Apache .htaccess on Nginx with PHP,
# if Apache and Nginx document roots concur
# if Apache and Nginx document roots concur
location ~ /\.ht {
location ~ /\.ht {
deny all;
deny all;
}
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/<My Domain Name>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/<My Domain Name>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
}
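Review bot: In the @ -44,14 +8,7 hunk the authserver block keeps `listen <Host IP>:4444 ssl;` while every `ssl_certificate`/`ssl_certificate_key` line is removed, so unless a certificate is defined at the http level outside this hunk, nginx will refuse to load the file ("no ssl_certificate is defined" for a `listen ... ssl`) until `certbot --nginx` re-adds one, and the certbot nginx plugin itself expects a loadable configuration when it runs. The idp block in the @ -62,16 +19,7 hunk loses both of its `listen` directives, so until certbot rewrites it that vhost falls back to nginx's default plain-HTTP listen, and the <My Domain Name> block (@ -81,7 +29,6 and @ -112,17 +57,10) retains `ssl_verify_client on` and the TLS_* fastcgi params while no longer having any ssl listen, which leaves `$ssl_client_verify` empty for the PHP side in the interim. If the intent is that the `certbot --nginx` step in INSTALL.txt supplies these directives, say so in the template, e.g. `# listen/ssl_* directives are added by "certbot --nginx" during install (see INSTALL.txt)` at the top of each server block, and keep an explicit `ssl_certificate`/`ssl_certificate_key` pair in the 4444 block so the file loads before certbot runs. The file header for this section is not shown in the rendered page, and each server block begins outside its hunk.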