marcelocmenezes · February 23, 2024 12:53
diff --git a/cmd b/cmd
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout c:\certificates\nginx-selfsigned.key -out c:\certificates\nginx-selfsigned.crt

 openssl dhparam -out c:\nginx\dhparam.pem 4096
diff --git a/gistfile1.txt b/gistfile1.txt
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_dhparam c:\\nginx\\dhparam.pem;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
 ssl_ecdh_curve secp384r1;
 ssl_session_timeout  10m;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
 # Disable strict transport security for now. You can uncomment the following
 # line if you understand the implications.
 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
diff --git a/nginx\conf\nginx.conf b/nginx\conf\nginx.conf
 worker_processes  2;

 events {
    worker_connections  1024;
 }

 http {

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    upstream websocket {
        server 172.63.120.38:20000;
    }

    server {
        listen 20000 ssl;
        listen [::]:20000 ssl;

        include c:\\nginx\\snippets\\self-signed.conf;
        include c:\\nginx\\snippets\\ssl-params.conf;

        location / {
            
            proxy_pass http://websocket;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;

            proxy_set_header  X-Forwarded-Host $remote_addr;
            proxy_set_header  X-Forwarded-For $remote_addr;  

        }
    }

 }
diff --git a/nginx\snippets\self-signed.conf b/nginx\snippets\self-signed.conf
 ssl_certificate c:\\certificates\\nginx-selfsigned.crt;
 ssl_certificate_key c:\\certificates\\nginx-selfsigned.key;
	openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout c:\certificates\nginx-selfsigned.key -out c:\certificates\nginx-selfsigned.crt

	openssl dhparam -out c:\nginx\dhparam.pem 4096
	ssl_protocols TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_dhparam c:\\nginx\\dhparam.pem;
	ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
	ssl_ecdh_curve secp384r1;
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	# Disable strict transport security for now. You can uncomment the following
	# line if you understand the implications.
	#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	worker_processes 2;

	events {
	worker_connections 1024;
	}

	http {

	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	upstream websocket {
	server 172.63.120.38:20000;
	}

	server {
	listen 20000 ssl;
	listen [::]:20000 ssl;

	include c:\\nginx\\snippets\\self-signed.conf;
	include c:\\nginx\\snippets\\ssl-params.conf;

	location / {

	proxy_pass http://websocket;

	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	proxy_set_header Host $host;

	proxy_set_header X-Forwarded-Host $remote_addr;
	proxy_set_header X-Forwarded-For $remote_addr;

	}
	}

	}
	ssl_certificate c:\\certificates\\nginx-selfsigned.crt;
	ssl_certificate_key c:\\certificates\\nginx-selfsigned.key;