From 85216305e7dbd8f720060f8a24ad117e79d470f6 Mon Sep 17 00:00:00 2001
From: Luclu7 <luclu7@luclu7.fr>
Date: Mon, 26 Jun 2017 14:09:47 +0200
Subject: [PATCH] Better with HTTPS.

Please generate certificates with Let's Encrypt and replace the certificate paths in the nginx configuration file.
---
 deploy/nginx.conf | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/deploy/nginx.conf b/deploy/nginx.conf
index 32fe193f5..0b2a534df 100644
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -4,9 +4,29 @@ upstream funkwhale-api {
 }
 
 server {
-    listen      80;
+  listen 80;
+  listen [::]:80;
+  server_name demo.funkwhale.audio;
+  # useful for Let's Encrypt
+  location /.well-known/acme-challenge/ { allow all; }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name demo.funkwhale.audio;
 
+    # TLS
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000";
+
     root /srv/funkwhale/front/dist;
 
     location / {
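Review bot: The HSTS header in the new 443 server block is set without `always`, so nginx adds it only to 2xx/3xx responses and error pages go out without it; `add_header Strict-Transport-Security "max-age=31536000" always;` closes that gap. Because `add_header` is inherited only when a nested block declares none of its own, any `location` in this server that sets a header would silently drop HSTS. The `location /` body continues outside the hunk, so this cannot be confirmed from here. Separately, the new port-80 server block defines no `root`, so `/.well-known/acme-challenge/` would presumably be served from nginx's default root. A comment there naming the webroot the ACME client writes to, or an explicit `root`, would make renewal setup less error-prone.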
-- 
GitLab