On 12/17/18 10:35 AM, Landry Breuil wrote:
+Listening locally can be achieved by putting the following stanza in traccar.xml + + <entry key='web.address'>127.0.0.1</entry>Why not doing it by default then ? :)
I have thought about making it default, but this might not be what everyone wants either. Besides, this will make life harder for people who want to give a quick test at the server.
+Then you will need to configure a reverse proxy to make the UI available. +The following is an example using nginx as an SSL reverse proxy: + +server { + add_header Cache-Control no-cache; + add_header x-frame-options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + listen 443; + listen [::]:443; + + expires 31d; + ssl On; + ssl_certificate fullcert_nokey.pem; + ssl_certificate_key privkey.pem; + server_name traccar.example.com; + root /var/empty; + + location / { + proxy_pass http://127.0.0.1:8082/; + proxy_set_header Host $host; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_buffering off; + proxy_connect_timeout 43200000; + proxy_send_timeout 43200000; + proxy_read_timeout 43200000; + proxy_redirect off; + proxy_set_header Proxy ""; + proxy_cookie_path /api "/api; secure; HttpOnly"; + }Nice, where is this vhost coming from ? I dont think you need to specify root. I have a slightly different one but i'm not sure of all bits: location / { proxy_pass http://localhost:8082; } location /api/socket { proxy_pass http://localhost:8082/api/socket; proxy_buffers 8 32k; proxy_buffer_size 64k; proxy_read_timeout 86400; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } i'm not sure of the api/socket thing for websockets nor the timeouts, but to me only this path should have the upgrade/connection thing. Why the proxy_cookie_path ?
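Review bot: In the location block, the three proxy_*_timeout values of 43200000 carry no unit, and nginx reads a bare number as seconds, so each is about 500 days (the same figure is 12 hours if read as milliseconds); nginx's documentation also notes that proxy_connect_timeout usually cannot exceed 75 seconds. Suggest writing the durations with an explicit unit, for example `proxy_read_timeout 12h;`, and dropping the connect timeout override. At server level, `expires 31d;` and `add_header Cache-Control no-cache;` give clients conflicting caching instructions, so one of them should go, and the security add_header lines need the `always` parameter if they are meant to be sent on error responses too.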
Maybe the config could indeed be simplified, but I wanted to give something more secure by default as provided by the add-header. The proxy_cookie_path is there to mark the cookies as secure and HttpOnly to harden again the security of the site. It's not strictly needed. The timeouts and buffering settings are the ones I am using after a lot of testing. I don't remember what was the problem with the buffering, but there was one. About the connection "upgrade", I am not sure it's really detrimental to keep it for the whole site. If the socket changes, there is no reconfiguration needed.
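How the proxy_cookie_path rule discussed above acts on backend cookies, as an added example that is not part of the original message or the patch. It models nginx's documented prefix replacement on constructed Set-Cookie values (the cookie name and paths are assumptions) and shows that the flags are only added cleanly when the backend's Path is exactly /api.

```python
# Added example: models nginx's string-prefix proxy_cookie_path rule.
# Cookie names and paths below are constructed samples, not Traccar output.

PREFIX = "/api"                            # first argument in the vhost
REPLACEMENT = "/api; secure; HttpOnly"     # second argument in the vhost


def rewrite_cookie_path(set_cookie, prefix=PREFIX, replacement=REPLACEMENT):
    """Replace a matching prefix of the Path attribute, keeping the remainder."""
    out = []
    for part in (p.strip() for p in set_cookie.split(";")):
        name, sep, value = part.partition("=")
        if name.lower() == "path" and value.startswith(prefix):
            part = name + sep + replacement + value[len(prefix):]
        out.append(part)
    return "; ".join(out)


def cookie_flags(set_cookie):
    """Report whether Secure and HttpOnly are present as whole attributes."""
    attrs = {p.strip().partition("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit(headers):
    """Map each backend Set-Cookie value to (rewritten value, flags)."""
    return {h: (rewrite_cookie_path(h), cookie_flags(rewrite_cookie_path(h))) for h in headers}


SAMPLES = [
    "JSESSIONID=abc123; Path=/api",          # exact match: both flags added
    "JSESSIONID=abc123; Path=/",             # no match: cookie left unhardened
    "JSESSIONID=abc123; Path=/api/session",  # longer path: remainder mangles HttpOnly
]

if __name__ == "__main__":
    for original, (rewritten, flags) in audit(SAMPLES).items():
        print(f"{original!r}\n  -> {rewritten!r}\n  -> {flags}")
```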