Copied from wefork wiki 'install from source' page

2025-12-16 15:30:13 +01:00 · 2017-02-04 16:39:22 +02:00 · 2017-02-04 16:39:22 +02:00 · d3197d95df
commit d3197d95df
parent 41f66c6d10
1 changed files with 77 additions and 0 deletions
--- a/Nginx-Webserver-Config.md
+++ b/Nginx-Webserver-Config.md
@ -0,0 +1,77 @@
+## Nginx webserver config
+
+If you use Wekan at root url, change /wekan to / .
+
+```
+server_tokens off; # for security-by-obscurity: stop displaying nginx version
+
+# this section is needed to proxy web-socket connections
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+# HTTP
+server {
+    listen 80 default_server; # if this is not a default server, remove "default_server"
+    listen [::]:80 default_server ipv6only=on;
+
+    root /usr/share/nginx/html; # root is irrelevant
+    index index.html index.htm; # this is also irrelevant
+
+    server_name example.com; # the domain on which we want to host the application. Since we set "default_server" previously, nginx will answer all hosts anyway.
+
+    # redirect non-SSL to SSL
+    location / {
+        rewrite     ^ https://$server_name$request_uri? permanent;
+    }
+}
+
+# HTTPS server
+server {
+    listen 443 ssl spdy; # we enable SPDY here
+    server_name example.com; # this domain must match Common Name (CN) in the SSL certificate
+
+    root html; # irrelevant
+    index index.html; # irrelevant
+
+    ssl_certificate /etc/nginx/ssl/example.com.pem; # full path to SSL certificate and CA certificate concatenated together
+    ssl_certificate_key /etc/nginx/ssl/example.com.key; # full path to SSL key
+
+    # performance enhancement for SSL
+    ssl_stapling on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 5m;
+
+    # safety enhancement to SSL: make sure we actually use a safe cipher
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
+
+    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
+    add_header Strict-Transport-Security "max-age=31536000;";
+
+    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
+    # This works because IE 11 does not present itself as MSIE anymore
+    if ($http_user_agent ~ "MSIE" ) {
+        return 303 https://browser-update.org/update.html;
+    }
+
+    # pass all requests to Meteor
+    location /wekan {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade; # allow websockets
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
+
+        # this setting allows the browser to cache the application in a way compatible with Meteor
+        # on every applicaiton update the name of CSS and JS file is different, so they can be cache infinitely (here: 30 days)
+        # the root path (/) MUST NOT be cached
+        if ($uri != '/wekan') {
+            expires 30d;
+        }
+    }
+}
+```