On Tue, Apr 2, 2024 at 9:03 AM Jesus Malena <jesus.mal...@gmail.com> wrote:
> Hi Nick,
>
> Thanks for the quick response. I should have added my NginX configuration
> here as well so that this information would be more complete. Below is my
> NginX config.
>
> # HTTPS server
>
> upstream guacservice {
>     server 127.0.0.1:8080;
> }
>
> server {
>     listen 443 ssl http2;
>     server_name guactest.mytestserver.com;
>     server_tokens off;
>
>     access_log /var/log/nginx/ssl_access.log main;
>
>     ssl_certificate ssl/guactest_mytestserver_com.pem;
>     ssl_certificate_key ssl/guactest_mytestserver_com.pem;
>     ssl_session_timeout 5m;
>
>     ssl_protocols TLSv1.2 TLSv1.3;
>     ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!MD5:!DSS;
>     ssl_prefer_server_ciphers on;
>
>     gzip on;
>     gzip_types text/javascript;
>     gzip_proxied no-cache no-store private expired auth;
>     gzip_min_length 1000;
>
>     location / {
>         add_header Front-End-Https on;
>         # "always" is a flag of add_header, not part of the header value;
>         # it has to sit outside the quotes or the browser receives a
>         # malformed HSTS value ("...; always;").
>         add_header Strict-Transport-Security "max-age=16000000; includeSubDomains" always;
>         proxy_pass http://guacservice;
>         proxy_hide_header X-Powered-By;
>         proxy_set_header X-NginX-Proxy true;
>         proxy_set_header Host $http_host;
>         # Only meaningful when a trusted CDN/load balancer in front of nginx
>         # sets True-Client-IP; otherwise the client can supply it itself.
>         proxy_set_header X-Real-IP $http_true_client_ip;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_cookie_path ~(.*) "$1; secure; SameSite=None";
>
>         proxy_redirect default;
>         proxy_redirect http://$host https://$host;
>         proxy_redirect http://hostname https://$host;
>     }
>     location = /404.html {}
>     location = /50x.html {}
> }
>
> server {
>     listen 80;
>     server_name _;
>     server_tokens off;
>
>     location / {
>         rewrite ^(.*) https://$http_host$1 redirect;
>     }
>
>     location /nginx_status {
>         stub_status on;
>         access_log off;
>         allow 127.0.0.1;
>         deny all;
>     }
> }
>
> There are some settings which you have suggested which I do not have
> which deal with websockets, so I will have to look into those and implement
> them once I validate them against the documentation. I will also have to go
> over some of my settings in this section and update some of these
> accordingly, like changing proxy_set_header Host $http_host to just
> proxy_set_header Host $host, as this is cleaner based on the NginX
> documentation, but the X-Forwarded-Proto one is one that I do have set.
> There may be some additional cleanup that may need to be done on the above
> configuration, but this above configuration does work. If you see any
> glaring configuration issues above please let me know.

I would say just add the additional headers that I mentioned - it is a more complete list than is in the manual (manual needs some updating in that respect).

-Nick
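The WebSocket-related settings the thread refers to are not spelled out in it. The fragment below is an added example of my own, not the thread's configuration and not the project's documented one. It reuses the upstream name, server name and certificate paths from the quoted config and shows the HTTPS `location /` block with the directives a WebSocket-capable reverse proxy needs, the `Host $host` change mentioned above, and the HSTS header with the `always` flag in its correct position. The timeout value and the `X-Real-IP` source are my assumptions.

```nginx
# Added example, not from the thread. Names taken from the quoted config:
# guacservice, guactest.mytestserver.com, ssl/guactest_mytestserver_com.pem.

# Standard nginx pattern: pass "Connection: upgrade" only when the client
# actually asked for an Upgrade, otherwise close the hop-by-hop connection.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream guacservice {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name guactest.mytestserver.com;
    server_tokens off;

    ssl_certificate     ssl/guactest_mytestserver_com.pem;
    ssl_certificate_key ssl/guactest_mytestserver_com.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://guacservice;

        # WebSocket: the handshake is an HTTP/1.1 Upgrade request, so the
        # proxy must talk HTTP/1.1 to the backend and forward the Upgrade
        # and Connection headers instead of stripping them.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Interactive session traffic: buffering responses stalls the session.
        proxy_buffering off;
        # Assumption: sessions can stay idle longer than the 60s default.
        proxy_read_timeout 3600s;

        # Headers the backend needs to reconstruct the original request.
        # $host (not $http_host) drops any client-supplied port suffix.
        proxy_set_header Host              $host;
        # $remote_addr is nginx's own view of the peer; only switch to a
        # CDN-provided header when that CDN is the sole path to this port.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # "always" is an add_header flag (emit on error responses too);
        # it belongs outside the quoted header value.
        add_header Strict-Transport-Security "max-age=16000000; includeSubDomains" always;

        proxy_hide_header X-Powered-By;
        proxy_cookie_path ~(.*) "$1; secure; SameSite=None";
    }
}
```

Run `nginx -t` before reloading to catch syntax errors in the added directives; the `map` block must sit at `http` level, outside the `server` block.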