From 4bf185c86889474d6a0b04804d4b3a868c859777 Mon Sep 17 00:00:00 2001
From: Ryan Kraus
Date: Sat, 16 Jan 2016 10:17:26 -0500
Subject: [PATCH] Added nginx sample configuration

Added a sample nginx configuration with instructions detailing how to setup a very secure HTTPS server for HA that servers over standard ports without requiring HA to run as root.
---
 script/nginx-hass | 113 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 script/nginx-hass

diff --git a/script/nginx-hass b/script/nginx-hass
new file mode 100644
index 00000000000..9fc1725f043
--- /dev/null
+++ b/script/nginx-hass
@@ -0,0 +1,113 @@
+##
+#
+# Home Assistant - nginx Configuration File
+#
+# Using nginx as a proxy for Home Assistant allows you to serve Home Assisatnt
+# securely over standard ports. This configuration file and instructions will
+# walk you through setting up Home Assistant over a secure connection.
+#
+# 1) Get a domain name forwarded to your IP.
+# Chances are, you have a dynamic IP Address (your ISP changes your address
+# periodically). If this is true, you can use a Dynamic DNS service to obtain
+# a domain and set it up to update with you IP. If you purchase your own
+# domain name, you will be able to easily get a trusted SSL certificate
+# later.
+#
+#
+# 2) Install nginx on your server.
+# This will vary depending on your OS. Check out Google for this. After
+# installing, ensure that nginx is not running.
+#
+#
+# 3) Obtain an SSL certificate.
+#
+# 3a) Using Let's Encrypt
+# If you purchased your own domain, you can use https://letsencrypt.org/ to
+# obtain a free, publicly trusted SSL certificate. This will allow you to
+# work with services like IFTTT. Download and install per the instructions
+# online and get a certificate using the following command.
+#
+# ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
+#
+# Instead of example.com, use your domain. You will need to renew this
+# certificate every 90 days.
+#
+# 3b) Using openssl
+# If you do not own your own domain, you may generate a self-signed
+# certificate. This will not work with IFTTT, but it will encrypt all of your
+# Home Assistant traffic.
+#
+# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 9999
+# sudo cp key.pem cert.pem /etc/nginx/ssl
+# sudo chmod 600 /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem
+# sudo chown root:root /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem
+#
+#
+# 4) Create dhparams file
+# As a fair warning, this file will take a while to generate.
+#
+# cd /etc/nginx/ssl
+# sudo openssl dhparam -out dhparams.pem 2048
+#
+#
+# 5) Install this configuration file in nginx.
+#
+# cp nginx-hass /etc/nginx/sites-available/hass
+# cd /etc/nginx/sites-enabled
+# sudo unlink default
+# sudo ln ../sites-available/hass default
+#
+#
+# 6) Double check this configuration to ensure all settings are correct and
+# start nginx.
+#
+#
+# 7) Forward ports 443 and 80 to your server on your router. Do not forward
+# port 8123.
+#
+##
+
+server {
+ # Update this line to be your domain
+ server_name example.com;
+
+
+ # These shouldn't need to be changed
+ listen 80 default_server;
+ listen [::]:80 default_server ipv6only=on;
+ return 301 https://$host$request_uri;
+}
+
+
+server {
+ # Update this line to be your domain
+ server_name example.com;
+
+ # Ensure these lines point to your SSL certificate and key
+ ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+ # Use these lines instead if you created a self-signed certificate
+ # ssl_certificate /etc/nginx/ssl/cert.pem;
+ # ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+ # Ensure this line points to your dhparams file
+ ssl_dhparam /etc/nginx/ssl/dhparams.pem;
+
+
+ # These shouldn't need to be changed
+ listen 443 default_server;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+ ssl on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ proxy_buffering off;
+
+ location / {
+ proxy_pass http://localhost:8123;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ }
+}
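Review bot: The HTTPS server in the second half of the hunk listens only on IPv4 (`listen 443 default_server;`), while the port-80 server also binds `[::]:80` and redirects every client to `https://$host$request_uri`, so an IPv6 client is redirected to a port nothing is listening on. Adding `listen [::]:443 ssl default_server ipv6only=on;` and changing the IPv4 line to `listen 443 ssl default_server;` closes that gap and lets the `ssl on;` directive go, since nginx recommends the `ssl` parameter of `listen` over it. The protocol list `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` is at odds with the "very secure" goal stated in the header; unless clients on the local network are known to need the older versions, it should read `ssl_protocols TLSv1.2;`. The redirect in the port-80 block could also use `$server_name` rather than the client-supplied `$host`, so the catch-all `default_server` does not echo an arbitrary Host header back as a redirect target. The header comment has two typos worth fixing in the same pass (`Assisatnt`, `with you IP`).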