@stoyanovgeorge
Last active June 29, 2020 08:32
Working Graylog NGINX configuration file
$ cat /etc/nginx/snippets/graylog_self-signed.conf
ssl_certificate /etc/ssl/certs/graylog-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/graylog-selfsigned.key;
####################################################################################
$ cat /etc/nginx/snippets/graylog_ssl-params.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
# Note: the two *-SHA512 names below are not OpenSSL cipher suite names (AES-256-GCM
# suites use SHA384) and are silently skipped; ssl_ciphers only governs TLS 1.2,
# TLS 1.3 suites are chosen by the OpenSSL defaults.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# OCSP stapling stays off: a self-signed certificate has no CA response to staple.
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
# Strict-Transport-Security is ENABLED here with a two-year max-age, includeSubDomains
# and preload. Comment the following line out if you do not want browsers to refuse
# plain HTTP to this host for that long. Browsers do not apply HSTS to IP-address
# hosts, so with an IP in server_name the header has no effect until a hostname is used.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
######################################################################################
$ cat /etc/nginx/sites-available/graylog_nginx
# Plain HTTP: redirect everything to HTTPS, keep nothing served on port 80.
server {
    listen 80;
    listen [::]:80;
    server_name 10.88.167.242;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name 10.88.167.242;
    # root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    # SSL Configuration
    include snippets/graylog_self-signed.conf;
    include snippets/graylog_ssl-params.conf;

    # Logs Locations
    access_log /var/log/nginx/graylog_access.log;
    error_log /var/log/nginx/graylog_error.log;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the Graylog web interface the external URL clients reach it on.
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        # Graylog listens in plain HTTP on the loopback interface only; TLS ends at nginx.
        proxy_pass http://127.0.0.1:9000;
    }
}
########################################################################################
Source: https://www.keycdn.com/support/http-strict-transport-security
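An added check, not part of the gist: a small Python script that parses a one-line-per-directive nginx snippet like graylog_ssl-params.conf and reports the settings a reviewer would flag (legacy protocols, weak cipher tokens, session tickets left on, a short or malformed HSTS header, missing X-Frame-Options and nosniff). The two configs embedded below are constructed samples: one mirrors the hardened snippet above, the other is a deliberately weak counterpart. The thresholds (one-year HSTS floor, the bad-token list) are this script's own assumptions, not nginx or Graylog settings.

```python
"""Audit the TLS/header hardening directives in an nginx snippet.

Added example (not the gist's code). Handles the simple `name args;` style used
in the snippet; comments are cut at the first '#' and block lines are ignored.
"""
import re
import shlex

# Constructed sample mirroring the hardened graylog_ssl-params.conf above.
HARDENED = """\
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# ssl_stapling on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
"""

# Constructed weak counterpart: legacy protocols, RC4, tickets on, short HSTS, no headers.
WEAK = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:AES128-SHA;
ssl_session_tickets on;
add_header Strict-Transport-Security "max-age=300; preload";
"""

MIN_HSTS_AGE = 31536000  # assumption: one year is the usual floor for a meaningful policy
BAD_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "aNULL", "eNULL")  # assumption


def parse_directives(text):
    """Return [(name, [args]), ...] for every simple directive in the text."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' inside quotes is not expected here
        if not line.endswith(";"):
            continue                          # blank, comment-only, or a block line
        parts = shlex.split(line[:-1])        # shlex keeps quoted header values whole
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def headers(directives):
    """Map lower-cased header name -> value for every add_header directive."""
    return {args[0].lower(): (args[1] if len(args) > 1 else "")
            for name, args in directives if name == "add_header" and args}


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []

    protocols = [p for name, args in d if name == "ssl_protocols" for p in args]
    if not protocols:
        findings.append("ssl_protocols not set (default depends on nginx version)")
    for p in protocols:
        if p not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"legacy protocol enabled: {p}")

    for name, args in d:
        if name == "ssl_ciphers":
            for suite in ":".join(args).split(":"):
                if any(tok in suite for tok in BAD_CIPHER_TOKENS):
                    findings.append(f"weak cipher suite: {suite}")
        if name == "ssl_session_tickets" and args and args[0].lower() != "off":
            findings.append("ssl_session_tickets on: needs ticket key rotation for forward secrecy")

    h = headers(d)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} below {MIN_HSTS_AGE}")
        if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
            findings.append("HSTS preload requires includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"[{label}] {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

To run it against a real file, pass the contents of `/etc/nginx/snippets/graylog_ssl-params.conf` to `audit()`; the parser only understands the flat directive style used in the snippet, so the `server { ... }` file would need the block lines skipped, which it already does by ignoring any line not ending in `;`.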