DonSYS91 revised this gist
Oct 30, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
@@ -2,7 +2,7 @@ This guide shows how to install and configure NGINX Docker with reverse proxy configurations and full grade A+ SSL Labs while also obtaining a LetsEncrypt cert via acme.sh client and CloudFlare DNS API. To learn how to obtain CloudFlare DNS token check [here](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials) or check acme.sh docs if you want to use a different method but you need to edit the script on your own. ``` # Variables {edit here}
DonSYS91 revised this gist
Oct 30, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
@@ -2,7 +2,7 @@ This guide shows how to install and configure NGINX Docker with reverse proxy configurations and full grade A+ SSL Labs while also obtaining a LetsEncrypt cert via acme.sh client and CloudFlare DNS API. To learn how to obtain CloudFlare DNS token check [here](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials) or check acme.sh docs if you wanna use a different link. ``` # Variables {edit here} @@ -14,7 +14,7 @@ export CF_Token="" export PROXYADDRESS="http://proxy" # End Variables {end edit} # ACME.SH Installtion and Cert Issue {Paste in the terminal beginning from here} cd /opt git clone https://github.com/acmesh-official/acme.sh.git cd ./acme.sh
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 0 additions and 2 deletions.There are no files selected for viewing
@@ -40,9 +40,7 @@ sed -i "s|PROXY_ADDRESS|$PROXY_ADDRESS|" /opt/nginx/conf.d/${DOMAIN}.conf # Docker NGINX + MariaDB Installation docker network create --driver bridge --subnet 172.18.0.0/16 --gateway 172.18.0.1 DockerBridge01 docker run -d --restart unless-stopped --name nginx-mainline --ip 172.18.0.2 --net DockerBridge01 -v /opt/nginx/conf.d/:/etc/nginx/conf.d/ -p 80:80 -p 443:443 nginx:mainline # Install Cert and reload NGINX ./acme.sh --install-cert -d ${DOMAIN} --ecc --key-file /opt/nginx/conf.d/${DOMAIN}/web.key --fullchain-file /opt/nginx/conf.d/${DOMAIN}/web.crt --reloadcmd "docker exec nginx-mainline nginx -s reload" ```
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 10 additions and 7 deletions.There are no files selected for viewing
@@ -1,6 +1,8 @@ # Docker Installation: NGINX Secure Conf with full SSL Labs A+ and Reverse Proxy This guide shows how to install and configure NGINX Docker with reverse proxy configurations and full grade A+ SSL Labs while also obtaining a LetsEncrypt cert via acme.sh client and CloudFlare DNS API. To learn how to obtain CloudFlare DNS token check [here](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#using-the-new-cloudflare-api-token-you-will-get-this-after-normal-login-and--scroll-down-on-dashboard-and-copy-credentials). ``` # Variables {edit here}
@@ -9,31 +11,32 @@ export ACME_EMAIL= export CF_Zone_ID="" export CF_Account_ID="" export CF_Token="" export PROXYADDRESS="http://proxy" # End Variables {end edit} # ACME.SH Installtion and Cert Issue {Paste in the terminal beginnging from here} cd /opt git clone https://github.com/acmesh-official/acme.sh.git cd ./acme.sh ./acme.sh --install -m ${ACME_EMAIL} ./acme.sh --upgrade --auto-upgrade ./acme.sh --set-default-ca --server letsencrypt ./acme.sh --issue --dns dns_cf -d ${DOMAIN} --keylength ec-384 --ocsp # Docker Installtion and Configuration curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/debian $(lsb_release -cs) stable" apt update -y apt install -y docker-ce docker-ce-cli containerd.io systemctl start docker systemctl enable docker # NGINX Configurations mkdir -p /opt/nginx/conf.d/${DOMAIN} wget -O /opt/nginx/conf.d/${DOMAIN}.conf https://gist.github.com/DonSYS91/be70f2a49776ab0eb1622a015cbcab51/raw/7256444dbfa86f6ea9fc9a416368adfa2ffd8d35/web.conf sed -i "s/DOMAIN/$DOMAIN/" /opt/nginx/conf.d/${DOMAIN}.conf sed -i "s|PROXY_ADDRESS|$PROXY_ADDRESS|" /opt/nginx/conf.d/${DOMAIN}.conf # Docker NGINX + MariaDB Installation docker network create --driver bridge --subnet 172.18.0.0/16 --gateway 172.18.0.1 DockerBridge01 docker run -d --restart unless-stopped --name nginx-mainline --ip 172.18.0.2 --net DockerBridge01 -v /opt/nginx/conf.d/:/etc/nginx/conf.d/ -p 80:80 -p 443:443 nginx:mainline -
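Review bot: The Variables block exports `PROXYADDRESS`, but the substitution on the new side reads `$PROXY_ADDRESS` (`sed -i "s|PROXY_ADDRESS|$PROXY_ADDRESS|" /opt/nginx/conf.d/${DOMAIN}.conf`), so in an interactive shell the placeholder is replaced with an empty string and nginx is left with `proxy_pass ;`, which fails config validation. Either export `PROXY_ADDRESS` or change the sed to `s|PROXY_ADDRESS|$PROXYADDRESS|`. Separately, `curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -` trusts whatever the download returns with no fingerprint check, and `apt-key` is deprecated on current Debian; writing the key to `/etc/apt/keyrings/docker.gpg` and adding `signed-by=/etc/apt/keyrings/docker.gpg` to the repo line scopes the trust to that repository. Because these lines are meant to be pasted into a terminal, `export CF_Token="..."` also lands in shell history; a leading space under `HISTCONTROL=ignorespace`, or `read -rs CF_Token`, keeps the token out of it.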
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 30 additions and 0 deletions.There are no files selected for viewing
@@ -2,6 +2,7 @@ This guide shows how to install and configure NGINX Docker with reverse proxy configurations and full grade A+ SSL Labs while also obtaining a LetsEncrypt cert via acme.sh client and CloudFlare DNS API ``` # Variables {edit here} export DOMAIN= export ACME_EMAIL=
@@ -13,3 +14,32 @@ export KEYPATH="" export PROXYADDRESS="" # End Variables # ACME.SH Installtion and Cert Issue cd /opt git clone https://github.com/acmesh-official/acme.sh.git cd ./acme.sh ./acme.sh --install -m ${ACME_EMAIL} ./acme.sh --upgrade --auto-upgrade ./acme.sh --set-default-ca --server letsencrypt ./acme.sh --issue --dns dns_cf -d ${DOMAIN} --keylength ec-384 --ocsp # Docker Installtion and Configuration curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/debian $(lsb_release -cs) stable" apt update -y apt install -y docker-ce docker-ce-cli containerd.io systemctl start docker systemctl enable docker # NGINX Config mkdir -p /opt/nginx/conf.d/${DOMAIN} wget -O /opt/nginx/conf.d/${DOMAIN}.conf https://gist.github.com/DonSYS91/be70f2a49776ab0eb1622a015cbcab51/raw/7256444dbfa86f6ea9fc9a416368adfa2ffd8d35/web.conf sed -i "s/DOMAIN/$DOMAIN/" /opt/nginx/conf.d/${DOMAIN}.conf sed -i "s|PROXY_ADDRESS|$PROXY_ADDRESS|" /opt/nginx/conf.d/${DOMAIN}.conf # Docker NGINX + MariaDB Installation docker network create --driver bridge --subnet 172.18.0.0/16 --gateway 172.18.0.1 DockerBridge01 docker run -d --restart unless-stopped --name nginx-mainline --ip 172.18.0.2 --net DockerBridge01 -v /opt/nginx/conf.d/:/etc/nginx/conf.d/ -p 80:80 -p 443:443 nginx:mainline docker run -d --restart unless-stopped --name mariadb --ip 172.18.0.3 --net DockerBridge01 -e MYSQL_ROOT_PASSWORD=${MySQL_ROOT} -e MYSQL_DATABASE=${MySQL_DB} -e MYSQL_USER=${MySQL_USER} -e MYSQL_PASSWORD=${MySQL_PASS} -v /opt/mariadb:/var/lib/mysql -d mariadb:latest # Install Cert and reload NGINX ./acme.sh --install-cert -d ${DOMAIN} --ecc --key-file /opt/nginx/conf.d/${DOMAIN}/web.key --fullchain-file /opt/nginx/conf.d/${DOMAIN}/web.crt --reloadcmd "docker exec nginx-mainline nginx -s reload" ``` -
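Review bot: The MariaDB line passes `${MySQL_ROOT}`, `${MySQL_DB}`, `${MySQL_USER}` and `${MySQL_PASS}` to `-e`, but none of those names is defined in the Variables block of this file, so as written the container is started with empty credentials. Putting database passwords on the `docker run` command line also leaves them in shell history and readable through `docker inspect`; an `--env-file /opt/mariadb.env` with mode 0600 keeps them off the command line. On the same line `-d` is given twice and `mariadb:latest` is unpinned, so a later pull can change the server major version under the `/opt/mariadb` volume.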
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
@@ -13,8 +13,8 @@ server { listen [::]:443 ssl http2; server_name DOMAIN; ssl_certificate /etc/nginx/conf.d/DOMAIN/web.crt; ssl_certificate_key /etc/nginx/conf.d/DOMAIN/web.key; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off;
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
@@ -13,8 +13,8 @@ server { listen [::]:443 ssl http2; server_name DOMAIN; ssl_certificate /etc/nginx/conf.d/DOMAIN/DOMAIN.crt; ssl_certificate_key /etc/nginx/conf.d/DOMAIN/DOMAIN.key; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off;
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
@@ -13,8 +13,8 @@ server { listen [::]:443 ssl http2; server_name DOMAIN; ssl_certificate CERT_PATH; ssl_certificate_key KEY_PATH; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; @@ -35,7 +35,7 @@ server { ssl_stapling_verify on; location / { proxy_pass PROXY_ADDRESS; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
DonSYS91 revised this gist
Oct 29, 2022 . 2 changed files with 6 additions and 6 deletions.There are no files selected for viewing
@@ -8,8 +8,8 @@ export ACME_EMAIL= export CF_Zone_ID="" export CF_Account_ID="" export CF_Token="" export CERTPATH="" export KEYPATH="" export PROXYADDRESS="" # End Variables
@@ -13,8 +13,8 @@ server { listen [::]:443 ssl http2; server_name DOMAIN; ssl_certificate CERTPATH; ssl_certificate_key KEYPATH; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; @@ -35,7 +35,7 @@ server { ssl_stapling_verify on; location / { proxy_pass PROXYADDRESS; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 3 additions and 0 deletions.There are no files selected for viewing
@@ -8,5 +8,8 @@ export ACME_EMAIL= export CF_Zone_ID="" export CF_Account_ID="" export CF_Token="" export CERT_PATH="" export KEY_PATH="" export PROXY_ADDRESS="" # End Variables
DonSYS91 revised this gist
Oct 29, 2022 . 2 changed files with 15 additions and 3 deletions.There are no files selected for viewing
@@ -0,0 +1,12 @@ # Docker Installation: NGINX Secure Conf with full SSL Labs A+ and Reverse Proxy This guide shows how to install and configure NGINX Docker with reverse proxy configurations and full grade A+ SSL Labs while also obtaining a LetsEncrypt cert via acme.sh client and CloudFlare DNS API # Variables {edit here} export DOMAIN= export ACME_EMAIL= export CF_Zone_ID="" export CF_Account_ID="" export CF_Token="" # End Variables
@@ -13,8 +13,8 @@ server { listen [::]:443 ssl http2; server_name DOMAIN; ssl_certificate CERT_PATH; ssl_certificate_key KEY_PATH; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; @@ -35,7 +35,7 @@ server { ssl_stapling_verify on; location / { proxy_pass PROXY_ADDRESS; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
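Review bot: The new Variables block asks the reader for `CF_Token`, `CF_Zone_ID` and `CF_Account_ID` but says nothing about how narrowly that token should be scoped, and a reader following the link can just as easily paste an account-wide Global API Key. A one-line comment above the exports, such as `# Use a scoped API token limited to DNS edit on this zone only — never the Global API Key`, is the cheapest way to prevent that. Since the `export` lines are meant to be pasted into an interactive shell, the token also ends up in shell history; the same comment should point at `HISTCONTROL=ignorespace` (leading space) or `read -rs CF_Token`.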
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
@@ -42,6 +42,6 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } # CloudFlare DNS resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; }
DonSYS91 revised this gist
Oct 29, 2022 . No changes.There are no files selected for viewing
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 7 additions and 5 deletions.There are no files selected for viewing
@@ -1,6 +1,7 @@ server { listen 80; listen [::]:80; server_name DOMAIN; location / { return 301 https://$host$request_uri; @@ -10,9 +11,10 @@ server { server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name DOMAIN; ssl_certificate /etc/nginx/conf.d/DOMAIN/web.crt; ssl_certificate_key /etc/nginx/conf.d/DOMAIN/web.key; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; @@ -33,7 +35,7 @@ server { ssl_stapling_verify on; location / { proxy_pass http://172.18.0.4; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
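Review bot: Adding `server_name DOMAIN` while dropping `default_server` from the port-80 listener does not restrict who gets served: with no other server block on either port, nginx still uses these blocks as the implicit default for any Host or SNI it does not recognise, so the certificate and the proxied backend at `http://172.18.0.4` are answered to IP-address scanners and hostname-guessing clients exactly as they are to `DOMAIN`. A catch-all `default_server` on both ports that returns 444 closes that and also keeps the real certificate out of responses to non-matching SNI. On the `nginx:mainline` image used by the companion script `ssl_reject_handshake on;` avoids needing a dummy certificate for the catch-all; on older builds a self-signed pair is required instead.
```nginx
# Catch-all: refuse anything that is not addressed to DOMAIN.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4; else supply a self-signed cert/key here
    return 444;
}
# … unchanged: the DOMAIN redirect and TLS server blocks …
```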
DonSYS91 revised this gist
Oct 29, 2022 . No changes.There are no files selected for viewing
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
@@ -38,7 +38,7 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # replace with the IP address of your resolver resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
DonSYS91 revised this gist
Oct 29, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
@@ -32,7 +32,7 @@ server { ssl_stapling on; ssl_stapling_verify on; location / { proxy_pass http://172.18.0.3; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr;
DonSYS91 created this gist
Oct 29, 2022 .There are no files selected for viewing
@@ -0,0 +1,45 @@ server { listen 80 default_server; listen [::]:80 default_server; location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate /etc/nginx/conf.d/web.crt; ssl_certificate_key /etc/nginx/conf.d/web.key; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"; ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; ssl_conf_command Options ServerPreference,PrioritizeChaCha,NoRenegotiation,NoResumptionOnRenegotiation; ssl_ecdh_curve secp521r1:secp384r1; # HSTS (ngx_http_headers_module is required) (31536000 seconds) add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; location / { proxy_pass http://172.18.0.3; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # replace with the IP address of your resolver resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; }
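Review bot: `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;` limits TLS 1.3 to a single suite, while the two TLS 1.3 names placed in `ssl_ciphers` (`TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384`) have no effect there because OpenSSL takes the TLS 1.3 list only from Ciphersuites; a TLS 1.3 client that offers only the AES-GCM suites (AES-128-GCM is the one every TLS 1.3 implementation must carry) will be pushed down to TLS 1.2 or fail, and AES-NI hosts lose the faster AES path. Restore AES-GCM on the 1.3 side, e.g. `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;`, and drop the two `TLS_*` names from `ssl_ciphers`. The HSTS header sends `preload` together with `includeSubDomains` for the whole zone; once the domain is submitted to the preload list that is effectively irreversible and binds every subdomain, so it deserves a comment such as `# preload is a one-way door for DOMAIN and all subdomains; drop it unless you intend to submit to hstspreload.org`. The `# intermediate configuration` comment also no longer matches the list beneath it, which removes every AES-128 suite that the Mozilla intermediate profile includes.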