stoyanovgeorge · June 29, 2020 08:32
diff --git a/graylog_nginx_config b/graylog_nginx_config
 $ cat /etc/nginx/snippets/graylog_self-signed.conf
 ssl_certificate /etc/ssl/certs/graylog-selfsigned.crt;
 ssl_certificate_key /etc/ssl/private/graylog-selfsigned.key;

 ####################################################################################

 $ cat /etc/nginx/snippets/graylog_ssl-params.conf
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/nginx/dhparam.pem;
 ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
 ssl_session_timeout  10m;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off; # Requires nginx >= 1.5.9
 # ssl_stapling on; # Requires nginx >= 1.3.7
 # ssl_stapling_verify on; # Requires nginx => 1.3.7
 resolver 1.1.1.1 1.0.0.1 valid=300s;
 resolver_timeout 5s;
 # Disable strict transport security for now. You can uncomment the following
 # line if you understand the implications.
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";

 ######################################################################################

 $ cat /etc/nginx/sites-available/graylog_nginx

 server {
        listen 80;
        listen [::]:80;
        server_name 10.88.167.242;
        return 301 https://$host$request_uri;
 }

 server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name 10.88.167.242;
        # root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        # SSL Configuration
        include snippets/graylog_self-signed.conf;
        include snippets/graylog_ssl-params.conf;
        # Logs Locations
        access_log  /var/log/nginx/graylog_access.log;
        error_log  /var/log/nginx/graylog_error.log;
        location / {
                    proxy_set_header Host $http_host;
                    proxy_set_header X-Forwarded-Host $host;
                    proxy_set_header X-Forwarded-Server $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Graylog-Server-URL https://$server_name/;
                    proxy_pass       http://127.0.0.1:9000;
        }
 }

 ########################################################################################
 Source: https://www.keycdn.com/support/http-strict-transport-security
	$ cat /etc/nginx/snippets/graylog_self-signed.conf
	ssl_certificate /etc/ssl/certs/graylog-selfsigned.crt;
	ssl_certificate_key /etc/ssl/private/graylog-selfsigned.key;

	####################################################################################

	$ cat /etc/nginx/snippets/graylog_ssl-params.conf
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off; # Requires nginx >= 1.5.9
	# ssl_stapling on; # Requires nginx >= 1.3.7
	# ssl_stapling_verify on; # Requires nginx => 1.3.7
	resolver 1.1.1.1 1.0.0.1 valid=300s;
	resolver_timeout 5s;
	# Disable strict transport security for now. You can uncomment the following
	# line if you understand the implications.
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	######################################################################################

	$ cat /etc/nginx/sites-available/graylog_nginx

	server {
	listen 80;
	listen [::]:80;
	server_name 10.88.167.242;
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name 10.88.167.242;
	# root /var/www/html;
	index index.html index.htm index.nginx-debian.html;
	# SSL Configuration
	include snippets/graylog_self-signed.conf;
	include snippets/graylog_ssl-params.conf;
	# Logs Locations
	access_log /var/log/nginx/graylog_access.log;
	error_log /var/log/nginx/graylog_error.log;
	location / {
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Graylog-Server-URL https://$server_name/;
	proxy_pass http://127.0.0.1:9000;
	}
	}

	########################################################################################
	Source: https://www.keycdn.com/support/http-strict-transport-security