Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
nginx config for openproject
# assume :
# - openproject installed in /opt/openproject
# - local port: 6000
# - external port: 6020
server {
listen 6020;
server_name SERVER_DOMAIN_NAME;
root /opt/openproject/public;
location ~ / {
proxy_pass_request_headers on;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:6000;
}
}
@AgusQuiroga

This comment has been minimized.

Copy link

@AgusQuiroga AgusQuiroga commented May 31, 2018

Be advised. If you set a HTTPS conection you should add:

proxy_set_header X-Forwarded-Proto $scheme;

@dakira

This comment has been minimized.

Copy link

@dakira dakira commented Jan 30, 2020

A full and secure nginx site config (using letsencrypt) could look something like this:

server {
    server_tokens off;
    # Enforce the use of HTTPS
    listen [::]:80;
    listen 80;
    server_name projects.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    server_tokens off;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    root /var/www/projects.example.com/public;
    index index.html index.htm index.php;

    access_log /var/log/nginx/projects.example.com.log;
    error_log  /var/log/nginx/projects.example.com-error.log error;

    server_name projects.example.com;

    charset utf-8;

    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Cache-Control "no-transform";

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES;
    ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

    ssl_certificate /etc/letsencrypt/live/projects.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/projects.example.com/privkey.pem;

    location / {
        proxy_pass         http://127.0.0.1:6000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout  1200s;

        client_max_body_size 0;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt  { log_not_found off; access_log off; }

    # block access to all hidden files except .well-known
    location ~* /\.(?!well-known\/) {
        deny all;
    }

    # give letsencrypt a place to write
    location /.well-known/acme-challenge/ {
        alias /var/www/projects.example.com/httpdocs/.well-known/acme-challenge/;
    }
}
@104e85bd

This comment has been minimized.

Copy link

@104e85bd 104e85bd commented Feb 16, 2020

I'm having problems with save notifications not being displayed until a new page has been loaded. For example, in the settings page, I'll hit save and then won't receive a notification about the successful save into I load up another page. I only have this issue with Chrome based browsers, not Firefox or even Edge. Anyone else run into this issue when using Nginx as a reverse proxy?

@djsparrow

This comment has been minimized.

Copy link

@djsparrow djsparrow commented Jun 22, 2021

For those of you that dont want to use the same port as 443 but the server port defind in the config. use this code insted:

server {
    server_tokens off;
    listen [::]:$server_port ssl http2;
    listen $server_port ssl http2;

    root /var/www/projects.example.com/public;
    index index.html index.htm index.php;

    access_log /var/log/nginx/projects.example.com.log;
    error_log  /var/log/nginx/projects.example.com-error.log error;

    server_name projects.example.com;

    charset utf-8;

    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Cache-Control "no-transform";

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES;
    ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

    ssl_certificate /etc/letsencrypt/live/projects.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/projects.example.com/privkey.pem;

    location / {
        proxy_pass         http://127.0.0.1:6000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $host:$server_port;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Server $host:$server_port;
        proxy_read_timeout  1200s;

        client_max_body_size 0;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt  { log_not_found off; access_log off; }

    # block access to all hidden files except .well-known
    location ~* /\.(?!well-known\/) {
        deny all;
    }

    # give letsencrypt a place to write
    location /.well-known/acme-challenge/ {
        alias /var/www/projects.example.com/httpdocs/.well-known/acme-challenge/;
    }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment