author | Corey Hulen <corey@hulen.com> | 2015-10-26 10:00:46 -0700 |
---|---|---|
committer | Corey Hulen <corey@hulen.com> | 2015-10-26 10:00:46 -0700 |
commit | f523d41cae391697d9fbfc1857b03803b2b3bc96 (patch) | |
tree | 2dd6b5cb3acb852f1802f9889a7b3655c9cb708b /doc | |
parent | c590b6404208c9aaab0c5ed8d51e8415661658d9 (diff) | |
parent | e266599c34790975b33d3a57273b9cbe764424bc (diff) | |
Merge pull request #1186 from mattermost/nginx-improvement
Adding more secure nginx instructions
Diffstat (limited to 'doc')
-rw-r--r-- | doc/install/Production-Ubuntu.md | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/doc/install/Production-Ubuntu.md b/doc/install/Production-Ubuntu.md
index 836af3995..2e02cca38 100644
--- a/doc/install/Production-Ubuntu.md
+++ b/doc/install/Production-Ubuntu.md
@@ -119,7 +119,7 @@ exec bin/platform
 ## Set up Nginx with SSL (Recommended)
 1. You will need a SSL cert from a certificate authority.
-1. For simplicity we will generate a test certificate.
+2. For simplicity we will generate a test certificate.
 * ``` mkdir ~/cert```
 * ``` cd ~/cert```
 * ``` sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mattermost.key -out mattermost.crt```
@@ -133,8 +133,8 @@ exec bin/platform
 Common Name (e.g. server FQDN or YOUR name) []:mattermost.example.com
 Email Address []:admin@mattermost.example.com
 ```
-1. Modify the file at `/etc/nginx/sites-available/mattermost` and add the following lines
- *
+3. Run `openssl dhparam -out dhparam.pem 4096` (it will take some time).
+4. Modify the file at `/etc/nginx/sites-available/mattermost` and add the following lines:
 ```
 server {
 listen 80;
@@ -149,9 +149,10 @@ exec bin/platform
 ssl on;
 ssl_certificate /home/ubuntu/cert/mattermost.crt;
 ssl_certificate_key /home/ubuntu/cert/mattermost.key;
+ ssl_dhparam /home/ubuntu/cert/dhparam.pem;
 ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_prefer_server_ciphers on;
 # add to location / above |
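Review bot: The new `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the last hunk drops SSLv3 but still enables TLS 1.0 and 1.1, and the new cipher string appears to keep CBC suites (`AES256+EECDH`, `AES256+EDH`) that those older versions can negotiate. Unless legacy clients must be supported, I would narrow it to `ssl_protocols TLSv1.2;` and have the guide say which clients that excludes. The added `ssl_dhparam /home/ubuntu/cert/dhparam.pem;` also depends on step 3 in the preceding hunk being run inside `~/cert`, which that step does not state; writing it as `openssl dhparam -out ~/cert/dhparam.pem 4096` would remove the ambiguity. The `server` block begins and ends outside this hunk, so other directives were not reviewed.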