From 5b44bb596441b077094c46c763c4aba97e3af1dd Mon Sep 17 00:00:00 2001
From: Anton Podlozny <47890723+apodl1@users.noreply.github.com>
Date: Mon, 26 Feb 2024 20:14:36 +0200
Subject: [PATCH 1/2] Add a clarifying comment to nginx ssl-lines for a situation with a subdomain and certbot
Signed-off-by: Anton Podlozny <47890723+apodl1@users.noreply.github.com>
---
 reverse-proxy.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/reverse-proxy.md b/reverse-proxy.md
index eb9c72bf..51d965b6 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -357,6 +357,7 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
+ #if running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine, the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain. In this case the subdomain should already be secured without additional actions
 ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by certbot on host machine
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by certbot on host machine
From 913394073b868d2f07c4f2e675e96cd1c68e0644 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 3 Apr 2024 15:37:58 +0200
Subject: [PATCH 2/2] finish this
Signed-off-by: Simon L
---
 reverse-proxy.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/reverse-proxy.md b/reverse-proxy.md
index 51d965b6..f2ad3af2 100644
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -102,6 +102,10 @@ Add this as a new Apache site config:
 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 SSLHonorCipherOrder off
 SSLSessionTickets off
+
+ # If running apache on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine,
+ # the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
+ # In this case the subdomain should already be secured without additional actions
 SSLCertificateFile /etc/letsencrypt/live//fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live//privkey.pem
@@ -357,7 +361,9 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
- #if running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine, the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain. In this case the subdomain should already be secured without additional actions
+ # If running nginx on a subdomain (eg. nextcloud.example.com) of a domain that already has an wildcard ssl certificate from certbot on this machine,
+ # the in the below lines should be replaced with just the domain (eg. example.com), not the subdomain.
+ # In this case the subdomain should already be secured without additional actions
 ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by certbot on host machine
 ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by certbot on host machine