try updating it

diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default
index 4cbff3ddbb05c612868c599b7474d01f87a85ed9..6858f145a3f63d7b6eed7f435f66e18d88cf98f6 100644 (file)
--- a/etc/nginx/sites-available/default
+++ b/etc/nginx/sites-available/default
@@ -41,48 +41,6 @@ server {
   }
 
 
-  # Matter most (Chat / Slack alternative)
-  location /chat/ {
-    client_max_body_size 50M;
-    proxy_set_header Connection "";
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Frame-Options SAMEORIGIN;
-    proxy_buffers 256 16k;
-    proxy_buffer_size 16k;
-    proxy_read_timeout 600s;
-    # proxy_cache mattermost_cache;
-    proxy_cache_revalidate on;
-    proxy_cache_min_uses 2;
-    proxy_cache_use_stale timeout;
-    proxy_cache_lock on;
-    proxy_http_version 1.1;
-    proxy_pass http://localhost:8065;
-  }
-  location ~ /chat/api/v[0-9]+/(users/)?websocket$ {
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
-    client_max_body_size 50M;
-    proxy_set_header Host $http_host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Frame-Options SAMEORIGIN;
-    proxy_buffers 256 16k;
-    proxy_buffer_size 16k;
-    client_body_timeout 60;
-    send_timeout 300;
-    lingering_timeout 5;
-    proxy_connect_timeout 90;
-    proxy_send_timeout 300;
-    proxy_read_timeout 90s;
-    proxy_http_version 1.1;
-    proxy_pass http://localhost:8065;
-  }
-
-
   # default favicon
   location = /favicon.ico {
     alias /var/www/favicon.gif;

diff --git a/etc/nginx/sites-available/mattermost b/etc/nginx/sites-available/mattermost
new file mode 100644 (file)
index 0000000..d6caa8c
--- /dev/null
+++ b/etc/nginx/sites-available/mattermost
@@ -0,0 +1,94 @@
+upstream backend {
+   server 127.0.0.1:8065;
+   keepalive 32;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
+
+server {
+  # listen 80 default_server;
+  server_name   dev.nutra.tk;
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+   listen 443 ssl http2;
+   server_name    mattermost.example.com;
+
+   http2_push_preload on; # Enable HTTP/2 Server Push
+
+   ssl on;
+   ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem;
+   ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem;
+   ssl_session_timeout 1d;
+
+   # Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC).
+   ssl_protocols TLSv1.2 TLSv1.3;
+
+   # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
+   # prevent replay attacks.
+   #
+   # @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+   ssl_early_data on;
+
+   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
+   ssl_prefer_server_ciphers on;
+   ssl_session_cache shared:SSL:50m;
+   # HSTS (ngx_http_headers_module is required) (15768000 seconds = six months)
+   add_header Strict-Transport-Security max-age=15768000;
+   # OCSP Stapling ---
+   # fetch OCSP records from URL in ssl_certificate and cache them
+   ssl_stapling on;
+   ssl_stapling_verify on;
+
+   add_header X-Early-Data $tls1_3_early_data;
+
+   location ~ /chat/api/v[0-9]+/(users/)?websocket$ {
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       client_max_body_size 50M;
+       proxy_set_header Host $http_host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Frame-Options SAMEORIGIN;
+       proxy_buffers 256 16k;
+       proxy_buffer_size 16k;
+       client_body_timeout 60;
+       send_timeout 300;
+       lingering_timeout 5;
+       proxy_connect_timeout 90;
+       proxy_send_timeout 300;
+       proxy_read_timeout 90s;
+       proxy_http_version 1.1;
+       proxy_pass http://backend;
+   }
+
+   location /chat/ {
+       client_max_body_size 50M;
+       proxy_set_header Connection "";
+       proxy_set_header Host $http_host;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_set_header X-Forwarded-Proto $scheme;
+       proxy_set_header X-Frame-Options SAMEORIGIN;
+       proxy_buffers 256 16k;
+       proxy_buffer_size 16k;
+       proxy_read_timeout 600s;
+       proxy_cache mattermost_cache;
+       proxy_cache_revalidate on;
+       proxy_cache_min_uses 2;
+       proxy_cache_use_stale timeout;
+       proxy_cache_lock on;
+       proxy_http_version 1.1;
+       proxy_pass http://backend;
+   }
+}
+
+# This block is useful for debugging TLS v1.3. Please feel free to remove this
+# and use the `$ssl_early_data` variable exposed by NGINX directly should you
+# wish to do so.
+map $ssl_early_data $tls1_3_early_data {
+  "~." $ssl_early_data;
+  default "";
+}

diff --git a/etc/nginx/sites-enabled/mattermost b/etc/nginx/sites-enabled/mattermost
new file mode 120000 (symlink)
index 0000000..cfe1edf
--- /dev/null
+++ b/etc/nginx/sites-enabled/mattermost
@@ -0,0 +1 @@
+/etc/nginx/sites-available/mattermost
\ No newline at end of file