jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-15 21:36:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updating nginx docs for clarity (#2561)

Browse Source 
* Update nginx docs

Added step to remove passphrase from self-signed cert private key.
Removed http block since enabled sites now are included inside the http block in modern nginx configs

* Update nginx.markdown

Added note about sites-available directory in RPM-based distros (and possibly others)
This commit is contained in:
Patrick Easters 2017-05-30 06:24:19 -04:00 committed by Fabian Affolter
parent 9fcfb2368a
commit 243a1efa74
1 changed files with 44 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
source/_docs/ecosystem/nginx.markdown
View File

@ -40,6 +40,7 @@ If you do not own your own domain, you may generate a self-signed certificate. T
``` ```
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 9999 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 9999
openssl rsa -in key.pem -out key.pem
sudo cp key.pem cert.pem /etc/nginx/ssl sudo cp key.pem cert.pem /etc/nginx/ssl
sudo chmod 600 /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem sudo chmod 600 /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem
sudo chown root:root /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem sudo chown root:root /etc/nginx/ssl/key.pem /etc/nginx/ssl/cert.pem
@ -58,6 +59,10 @@ sudo openssl dhparam -out dhparams.pem 2048
Create a new file `/etc/nginx/sites-available/hass` and copy the configuration file at the bottom of the page into it. Create a new file `/etc/nginx/sites-available/hass` and copy the configuration file at the bottom of the page into it.
<p class='note'>
Some Linux distributions (including CentOS and Fedora) will not have the `/etc/nginx/sites-available/` directory. In this case, remove the default server {} block from the `/etc/nginx/nginx.conf` file and paste the contents from the bottom of the page in its place. If doing this, proceed to step 7.
</p>
### {% linkable_title 6. Enable the Home Assistant configuration. %} ### {% linkable_title 6. Enable the Home Assistant configuration. %}
``` ```
@ -78,56 +83,54 @@ Forward ports 443 and 80 to your server on your router. Do not forward port 8123
### {% linkable_title NGINX Config %} ### {% linkable_title NGINX Config %}
``` ```
http { map $http_upgrade $connection_upgrade {
map $http_upgrade $connection_upgrade { default upgrade;
default upgrade; '' close;
'' close; }
}
server { server {
# Update this line to be your domain # Update this line to be your domain
server_name example.com; server_name example.com;
# These shouldn't need to be changed # These shouldn't need to be changed
listen [::]:80 default_server ipv6only=off; listen [::]:80 default_server ipv6only=off;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
server { server {
# Update this line to be your domain # Update this line to be your domain
server_name example.com; server_name example.com;
# Ensure these lines point to your SSL certificate and key # Ensure these lines point to your SSL certificate and key
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Use these lines instead if you created a self-signed certificate # Use these lines instead if you created a self-signed certificate
# ssl_certificate /etc/nginx/ssl/cert.pem; # ssl_certificate /etc/nginx/ssl/cert.pem;
# ssl_certificate_key /etc/nginx/ssl/key.pem; # ssl_certificate_key /etc/nginx/ssl/key.pem;
# Ensure this line points to your dhparams file # Ensure this line points to your dhparams file
ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# These shouldn't need to be changed # These shouldn't need to be changed
listen [::]:443 default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here listen [::]:443 default_server ipv6only=off; # if your nginx version is >= 1.9.5 you can also add the "http2" flag here
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl on; ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
proxy_buffering off; proxy_buffering off;
location / { location / {
proxy_pass http://localhost:8123; proxy_pass http://localhost:8123;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
}
} }
} }
``` ```