Nginx
Subdomain directory
    server {
        server_name memo.parmentier.io "~^(?<sub>.+)\.memorandum\.parmentier\.io$";
        root /var/www/memorandum/$sub;

        # if empty (the exact name matched, so the regex capture is unset)
        if ($sub = "") {
            return 301 http://devel.memorandum.parmentier.io$request_uri;
        }
    }
Reverse proxy
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name subdomain.domain.tld;

        # ssl_trusted_certificate /root/certs/ca.crt; # optional
        ssl_certificate /path/subdomain.domain.tld.crt;
        ssl_certificate_key /path/subdomain.domain.tld.key;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://internal-service/;
            proxy_read_timeout 90;
        }
    }
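A caveat for whatever sits behind this proxy: $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For header the client already sent, so the leftmost value in that header is client-controlled and only the entries appended by proxies you run can be trusted. The following is an added example (not part of this page or of nginx) of how a backend should read the client address from the header, next to the naive version that trusts the first entry. The trusted proxy ranges are assumed values; the request headers are constructed.

```python
"""Reading the client IP behind the nginx reverse proxy above.

Constructed example, not from the page. Assumes the nginx box sits in
10.0.0.0/8 (or is localhost); adjust TRUSTED_PROXIES for a real deployment.
"""
import ipaddress
from typing import Optional

# Assumed: addresses of the reverse proxies we control.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """The common mistake: take the first (leftmost) entry.

    With $proxy_add_x_forwarded_for the client can put anything there.
    """
    if not x_forwarded_for:
        return remote_addr
    return x_forwarded_for.split(",")[0].strip()


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Walk X-Forwarded-For right-to-left, skipping our own proxies.

    remote_addr is the TCP peer the backend actually sees (nginx).
    If that peer is not a trusted proxy, the header is ignored entirely,
    because nothing we control appended to it.
    """
    if not _is_trusted(remote_addr) or not x_forwarded_for:
        return remote_addr

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # appended by one of our proxies; keep walking
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Garbage before the proxy-added entries: fall back to the peer.
            return remote_addr
    # Every hop was one of our proxies; the peer is the best we can say.
    return remote_addr


if __name__ == "__main__":
    # Constructed: client 203.0.113.9 sent "X-Forwarded-For: 1.2.3.4",
    # nginx (10.0.0.5) appended the real address before forwarding.
    header = "1.2.3.4, 203.0.113.9"
    print("naive :", naive_client_ip("10.0.0.5", header))  # 1.2.3.4 (spoofed)
    print("walked:", client_ip("10.0.0.5", header))        # 203.0.113.9
```

Use the walked value for rate limiting, access control and audit logs; the naive value is only safe when nginx overwrites the header with $remote_addr instead of appending to it.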
Secure reverse proxy
Reduces the chance of a man-in-the-middle between nginx and the backend if you don't trust the network in between (e.g. a home network with no VLANs): nginx verifies the backend's certificate and presents a client certificate of its own.
    server {
        listen 443 ssl;
        server_name subdomain.domain.tld;
        ssl_certificate /path/subdomain.domain.tld.crt;
        ssl_certificate_key /path/subdomain.domain.tld.key;

        location / {
            # ...
            # Secure reverse proxy with SSL
            proxy_ssl_trusted_certificate /root/certs/internal.crt;
            proxy_ssl_certificate /root/certs/internal.crt;
            proxy_ssl_certificate_key /root/certs/internal.key;
            proxy_ssl_verify on;
            proxy_ssl_session_reuse on;
            # ...
            proxy_pass https://internal-service/;
        }
    }
Notes:
- With proxy_ssl_verify on, nginx checks the backend certificate against the host in proxy_pass (internal-service here). In some cases that name is not in the certificate; you can then tell nginx which name to verify with
    proxy_ssl_name "subdomain.domain.tld";
  For a real fix, regenerate the certificates with the right domain.
- proxy_ssl_trusted_certificate points at a self-signed certificate with no authority (CA) above it, which is why the certificate itself is used as the trusted certificate.
SSL
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256";
Note: use openssl ciphers -v '<cipher string>' to list the suites a cipher string actually expands to before putting it in the config.
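The output of openssl ciphers -v is easy to audit mechanically. The block below is an added example (not from the page) that parses that output and flags suites without forward secrecy or without an AEAD cipher; the sample text is a hand-written copy of the openssl -v line format so it runs offline, with a deliberately weak suite (AES128-SHA) and a TLS 1.3 suite added to show both branches. Applied to the page's own string it also flags DHE-RSA-AES256-SHA256, which is a CBC/HMAC suite rather than AEAD.

```python
"""Audit an nginx ssl_ciphers string from `openssl ciphers -v` output.

Constructed example, not from the page. Feed it the real output of
    openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256'
in production; the text below mimics that format for an offline run.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the `openssl ciphers -v` column layout.
SAMPLE_OPENSSL_OUTPUT = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text: str) -> List[Dict[str, str]]:
    """Turn `openssl ciphers -v` lines into dicts; unknown lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def audit(suites: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (suite name, reason) for every suite that should not be offered."""
    findings = []
    for s in suites:
        if s["proto"] == "TLSv1.3":
            continue  # TLS 1.3 suites always use an ephemeral key exchange and AEAD
        if not s["kx"].startswith(("ECDH", "DH")):
            findings.append((s["name"], "no forward secrecy (Kx=%s)" % s["kx"]))
        if s["mac"] != "AEAD":
            findings.append((s["name"], "non-AEAD cipher (Mac=%s)" % s["mac"]))
    return findings


def nginx_directive(suites: List[Dict[str, str]]) -> str:
    """Build an ssl_ciphers line from the suites that passed the audit."""
    bad = {name for name, _ in audit(suites)}
    keep = [s["name"] for s in suites if s["name"] not in bad]
    return 'ssl_ciphers "%s";' % ":".join(keep)


if __name__ == "__main__":
    parsed = parse_ciphers(SAMPLE_OPENSSL_OUTPUT)
    for name, reason in audit(parsed):
        print("%-28s %s" % (name, reason))
    print(nginx_directive(parsed))
```

Keep the audit's policy (forward secrecy plus AEAD) in one place and run it against the real openssl output on the host that will serve the config, since the suite list depends on the OpenSSL version nginx was built against.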
Tips
Check before restart
    nginx -T && echo OK
(nginx -T tests the configuration and dumps it; nginx -t only tests.)
Custom 404
Just add
    error_page 404 /custom_404.html;