# mattermost # config can be tested on https://www.ssllabs.com/ssltest/ and a good nginx config generator # can be found at https://ssl-config.mozilla.org/ # proxy cache proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off; # upstream used in proxy_pass below upstream backend { # ip where Mattermost is running; this relies on a working DNS inside the Docker network # and uses the hostname of the mattermost container (see service name in docker-compose.yml) server mattermost:8065; keepalive 64; } # vhosts definitions server { server_name _; listen 80 default_server; listen [::]:80 default_server; # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. return 301 https://$host$request_uri; } server { server_name _; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; # logging access_log /var/log/nginx/mm.access.log; error_log /var/log/nginx/mm.error.log warn; # gzip for performance gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; ## ssl ssl_dhparam /dhparams4096.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /cert.pem; ssl_certificate_key /key.pem; # enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to prevent replay attacks. # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data ssl_early_data on; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; #resolver 1.1.1.1; # verify chain of trust of OCSP response using Root CA and Intermediate certs #ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; ## security headers # https://securityheaders.com/ # https://scotthelme.co.uk/tag/security-headers/ add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy no-referrer; add_header Strict-Transport-Security "max-age=63072000" always; add_header Permissions-Policy "interest-cohort=()"; ## locations # ACME-challenge location ^~ /.well-known { default_type "text/plain"; root /usr/share/nginx/html; allow all; } # disable Google bots from indexing this site location = /robots.txt { add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; } location ~ /api/v[0-9]+/(users/)?websocket$ { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; client_max_body_size 50M; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header Early-Data $ssl_early_data; proxy_buffers 256 16k; proxy_buffer_size 16k; client_body_timeout 60; send_timeout 300; lingering_timeout 5; proxy_connect_timeout 90; proxy_send_timeout 300; proxy_read_timeout 90s; proxy_http_version 1.1; proxy_pass http://backend; } location / { client_max_body_size 50M; proxy_set_header Connection ""; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Frame-Options SAMEORIGIN; proxy_set_header Early-Data $ssl_early_data; proxy_buffers 256 16k; proxy_buffer_size 16k; proxy_read_timeout 600s; proxy_cache mattermost_cache; proxy_cache_revalidate on; proxy_cache_min_uses 2; proxy_cache_use_stale timeout; proxy_cache_lock on; proxy_http_version 1.1; proxy_pass http://backend; } }