nginx ssl configuration
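version: "3"

services:
  # MongoDB backing store for sotm-server.
  sotm-mongodb:
    image: grapeup/sotm-mongodb
    volumes:
      - ./data:/data/db
    restart: always
    logging:
      options:
        max-size: "10m"
        max-file: "10"
    ports:
      # sotm-server reaches MongoDB over the `webnet` network by service name,
      # so this host mapping only serves local administration; binding it to
      # loopback keeps the database off the host's public interfaces.
      # Quoted: unquoted `a:b` port strings are read as sexagesimal ints by
      # YAML 1.1 parsers when both parts are below 60.
      - "127.0.0.1:27017:27017"
    networks:
      - webnet

  # Application server; talks to MongoDB and to LDAP.
  sotm-server:
    image: grapeup/sotm-server
    restart: always
    depends_on:
      - sotm-mongodb
    environment:
      # Secrets are taken from the deploy host's environment (or an
      # uncommitted .env file) instead of being stored in this file; the
      # `:?` form makes `docker-compose up` fail fast when they are unset.
      MONGODB_PASSWORD: "${MONGODB_PASSWORD:?MONGODB_PASSWORD must be set}"
      # Container env values are always strings; quoting keeps the YAML
      # parser from turning these into ints.
      GRACE_PERIOD: "10"
      VOTING_GRACE_PERIOD: "7"
      LDAP_BASE: "dc=grapeup,dc=com"
      # NOTE(review): plain ldap:// sends the bind password unencrypted;
      # confirm whether the directory offers ldaps:// or StartTLS.
      LDAP_URL: "ldap://ldap.vpn:389"
      LDAP_USERNAME: "cn=readonly,dc=grapeup,dc=com"
      LDAP_PASSWORD: "${LDAP_PASSWORD:?LDAP_PASSWORD must be set}"
    logging:
      options:
        max-size: "10m"
        max-file: "10"
    networks:
      - webnet

  # nginx front end: static build plus TLS termination and /api/ proxy.
  sotm-client:
    image: grapeup/sotm-client
    # Same restart policy as the other two services so a reboot brings the
    # public endpoint back without manual intervention.
    restart: always
    depends_on:
      - sotm-server
    ports:
      - "80:80"
      - "443:443"
    networks:
      - webnet

networks:
  webnet: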
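# Front-end image: nginx serving the static build and terminating TLS.
FROM nginx

# Site config replaces nginx's default server; static assets go to the
# default document root.
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY ./build /usr/share/nginx/html

# WORKDIR creates the directory if it does not exist, so the separate
# `RUN mkdir -p` layer the original build step added is redundant.
WORKDIR /etc/letsencrypt/archive/sotm.grapeup.com

# NOTE(review): copying the private key bakes it into an image layer, so
# anyone who can pull this image from the registry (or read the build
# context) obtains the key, and rotating it requires a rebuild. The safer
# shape is to leave the certificate files out of the image and mount this
# directory read-only at run time from the deploy host.
COPY fullchain1.pem ./fullchain1.pem
COPY privkey1.pem ./privkey1.pem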
https://www.youtube.com/watch?v=d4QDyHLHZ9c&t=331s
# Plain-HTTP listener whose only job is to send clients to the HTTPS site.
server {
    server_name sotm.grapeup.com;

    listen 80;
    listen [::]:80;

    # Permanent redirect; the path and query string are carried over.
    return 301 https://$host$request_uri;
}
# HTTPS site: TLS termination, static front end, and the /api/ reverse proxy.
server {
    server_name sotm.grapeup.com;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # --- TLS ---------------------------------------------------------------
    # fullchain1.pem carries the leaf plus intermediates, which is what nginx
    # sends in the ServerHello.
    ssl_certificate /etc/letsencrypt/archive/sotm.grapeup.com/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/archive/sotm.grapeup.com/privkey1.pem;

    # Session resumption via the shared cache only; tickets are disabled so
    # no long-lived ticket key undermines forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # TLS 1.2 only, ECDHE suites only (no DH params needed), server preference.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS for six months (15768000 s). Needs ngx_http_headers_module. Sent
    # only from this HTTPS server block; browsers ignore HSTS over plain HTTP.
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP stapling: nginx fetches the OCSP response for the certificate in
    # ssl_certificate and caches it.
    # NOTE(review): with ssl_stapling_verify on, nginx needs the issuer chain
    # as ssl_trusted_certificate to validate the stapled response; no such
    # directive is set here, so confirm in the error log that stapling is
    # actually active rather than silently disabled.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used for the OCSP responder lookup. NOTE(review): this is an
    # external DNS server, so lookups leave the container network; the
    # embedded Docker resolver used for /api/ below would also serve here.
    resolver 8.8.8.8;

    # --- Proxy headers shared by every location -----------------------------
    proxy_set_header HOST $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Static single-page build copied into the image.
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # API traffic goes to the sotm-server container.
    location /api/ {
        # Docker's embedded DNS, so the service name is resolved at request
        # time and nginx still starts when sotm-server is not up yet.
        resolver 127.0.0.11 ipv6=off;
        # Variable target forces runtime resolution; $request_uri forwards the
        # original, un-normalised URI (path and query) unchanged.
        set $my_target http://sotm-server:8082$request_uri;
        proxy_pass $my_target;
        client_max_body_size 50m;
    }
}