# This is an example nginx config used to serve your Sandstorm server over SSL/TLS/HTTPS. # # Definitions like these should go in the "http" block of your nginx config. Replace "example.com" # with the domain of your Sandstorm install. On a Debian/Ubuntu system, you can copy this into # /etc/nginx/sites-enabled/. # This magic stanza is ESSENTIAL to avoid breaking WebSockets. # # Specifically, for WebSocket forwarding, we want to forward the `Connection` header. # This "map" declaration helps with that. map $http_upgrade $connection_upgrade { default upgrade; '' close; } # The following stanza does a HTTP -> HTTPS redirect. server { listen 80; server_name example.com *.example.com; return 301 https://$host$request_uri$is_args$args; } # Configuration for Sandstorm shell and apps, over HTTPS. server { # http2 requires Nginx >=1.9.5 listen 443 ssl http2; server_name example.com *.example.com; ssl_certificate /etc/nginx/ssl/sandstorm.crt; ssl_certificate_key /etc/nginx/ssl/sandstorm.key; ssl_session_timeout 5m; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem ssl_dhparam /path/to/dhparam.pem; # Configure SSL with forward secrecy and other goodies. # Ciphersuite taken from https://wiki.mozilla.org/Security/Server_Side_TLS # "Intermediate compatibility" as of 2019-09-12 # TLSv1.3 requires Nginx >=1.13.0 & OpenSSL >=1.1.1 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # HSTS prevents attackers from tricking you into connecting via HTTP in the # future, but if you actually intend to access the server via non-SSL in the # future then you should probably delete this line. add_header Strict-Transport-Security "max-age=63072000" always; # OCSP stapling, requires Intermediate cert #ssl_stapling on; #ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; location / { proxy_pass http://127.0.0.1:6080; # Forward the Host header, which is used to route requests for # static content published from Sandstorm apps. proxy_set_header Host $http_host; # Forward WebSocket. proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header X-Real-IP $remote_addr; } # Allow large spk uploads from the /install form and allow grains to receive large uploads. client_max_body_size 1024m; } ### The following commented-out configuration works for HTTP reverse proxying, if ### for some reason you can't use HTTPS. In that case, remove the HTTP->HTTPS ### redirect config stanza above. # server { # listen 80; # server_name example.com *.example.com; # # location / { # proxy_pass http://127.0.0.1:6080; # # # Forward the Host header, which is used to route requests for # # static content published from Sandstorm apps. # proxy_set_header Host $http_host; # # # Forward WebSocket. # proxy_http_version 1.1; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection $connection_upgrade; # proxy_set_header X-Real-IP $remote_addr; # } # # # Allow large spk uploads from the /install form and allow grains to receive large uploads. # client_max_body_size 1024m; # }