From 7b6a6abb4bb58e264a794b752e555d5a79e2f8b6 Mon Sep 17 00:00:00 2001 From: Hjf288 Date: Mon, 28 Dec 2015 23:43:06 +0000 Subject: GIT-1682: Complete the SSL configuration section of the documentation and normalise the spacing in the NGINX config examples --- doc/install/Production-Debian.md | 72 +++++++++++++++++++++++----------------- doc/install/Production-RHEL6.md | 72 +++++++++++++++++++++++----------------- doc/install/Production-RHEL7.md | 72 +++++++++++++++++++++++----------------- doc/install/Production-Ubuntu.md | 71 ++++++++++++++++++++++----------------- 4 files changed, 167 insertions(+), 120 deletions(-) diff --git a/doc/install/Production-Debian.md b/doc/install/Production-Debian.md index 4b942a088..efabb8c21 100644 --- a/doc/install/Production-Debian.md +++ b/doc/install/Production-Debian.md @@ -224,19 +224,20 @@ exit 0 * Below is a sample configuration with the minimum settings required to configure Mattermost ``` server { - server_name mattermost.example.com; + server_name mattermost.example.com; + location / { - client_max_body_size 50M; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_pass http://localhost:8065; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; } - } + } ``` * Remove the existing file with * ``` sudo rm /etc/nginx/sites-enabled/default``` 
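Review bot: The Debian sample's new `proxy_pass http://10.10.10.2:8065;` replaces `http://localhost:8065`, which the commit subject (spacing normalisation) does not mention; it is the only non-whitespace change in this hunk. The hop from NGINX to Mattermost is plain HTTP, so a network address instead of loopback puts proxied traffic unencrypted on that segment even after TLS is enabled at NGINX. If the Debian guide installs both services on one host, keep `proxy_pass http://localhost:8065;`. Otherwise add a sentence saying that 10.10.10.2 stands for the Mattermost server's private address and must sit on a trusted network. The rest of the guide is outside the hunk, so the intended topology should be confirmed.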
@@ -268,28 +269,39 @@ exit 0 * ``` server { - listen 80; - server_name mattermost.example.com; - return 301 https://$server_name$request_uri; + listen 80; + server_name mattermost.example.com; + return 301 https://$server_name$request_uri; } - + server { - listen 443 ssl; - server_name mattermost.example.com; - - ssl on; - ssl_certificate /home/mattermost/cert/mattermost.crt; - ssl_certificate_key /home/mattermost/cert/mattermost.key; - ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; + listen 443 ssl; + server_name mattermost.example.com; - # add to location / above - location / { - gzip off; - proxy_set_header X-Forwarded-Ssl on; + ssl on; + ssl_certificate /home/ubuntu/cert/mattermost.crt; + ssl_certificate_key /home/ubuntu/cert/mattermost.key; + ssl_dhparam /home/ubuntu/cert/dhparam.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; + } + } ``` diff --git a/doc/install/Production-RHEL6.md b/doc/install/Production-RHEL6.md index e3c6423c3..fab534cc6 100644 --- a/doc/install/Production-RHEL6.md +++ b/doc/install/Production-RHEL6.md 
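Review bot: The certificate paths in the Debian SSL block now point at `/home/ubuntu/cert/`, which looks copied from the Ubuntu guide; the removed lines used `/home/mattermost/cert/`, and the RHEL6 and RHEL7 SSL hunks make the same switch away from `/opt/mattermost/cert/`. If the certificate-generation steps earlier in each guide (outside the hunk) still write to the old directories, NGINX will fail to load the config, and readers may end up copying the private key to wherever the sample points. Keep each guide's own directory, e.g. `ssl_certificate_key /home/mattermost/cert/mattermost.key;` and `ssl_dhparam /home/mattermost/cert/dhparam.pem;` for Debian. A short line reminding readers to keep the `.key` file readable only by its owner would also fit here.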
@@ -124,19 +124,20 @@ enabled=1 * Below is a sample configuration with the minimum settings required to configure Mattermost ``` server { - server_name mattermost.example.com; + server_name mattermost.example.com; + location / { - client_max_body_size 50M; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_pass http://10.10.10.2:8065; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; } - } + } ``` * Remove the existing file with: * ``` sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak``` 
@@ -168,28 +169,39 @@ enabled=1 * ``` server { - listen 80; - server_name mattermost.example.com; - return 301 https://$server_name$request_uri; + listen 80; + server_name mattermost.example.com; + return 301 https://$server_name$request_uri; } - + server { - listen 443 ssl; - server_name mattermost.example.com; - - ssl on; - ssl_certificate /opt/mattermost/cert/mattermost.crt; - ssl_certificate_key /opt/mattermost/cert/mattermost.key; - ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; + listen 443 ssl; + server_name mattermost.example.com; - # add to location / above - location / { - gzip off; - proxy_set_header X-Forwarded-Ssl on; + ssl on; + ssl_certificate /home/ubuntu/cert/mattermost.crt; + ssl_certificate_key /home/ubuntu/cert/mattermost.key; + ssl_dhparam /home/ubuntu/cert/dhparam.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; + } + } ``` ## Finish Mattermost Server setup diff --git a/doc/install/Production-RHEL7.md b/doc/install/Production-RHEL7.md index a479ec5ad..bddd06e0b 100644 --- a/doc/install/Production-RHEL7.md +++ b/doc/install/Production-RHEL7.md 
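Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;` in the new `location /` block adds the header to the request forwarded to Mattermost, not to the response the browser receives, so it provides no framing protection by itself. The same line is copied into the SSL blocks of the Debian, RHEL7 and Ubuntu files and is already present in the plain-HTTP samples. If clickjacking protection is the intent, the directive would be `add_header X-Frame-Options SAMEORIGIN;`. Whether Mattermost already emits this header itself is not visible here and should be checked first to avoid sending it twice.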
@@ -131,19 +131,20 @@ enabled=1 * Below is a sample configuration with the minimum settings required to configure Mattermost ``` server { - server_name mattermost.example.com; + server_name mattermost.example.com; + location / { - client_max_body_size 50M; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_pass http://10.10.10.2:8065; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; } - } + } ``` * Remove the existing file with: * ``` sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak``` 
@@ -175,28 +176,39 @@ enabled=1 * ``` server { - listen 80; - server_name mattermost.example.com; - return 301 https://$server_name$request_uri; + listen 80; + server_name mattermost.example.com; + return 301 https://$server_name$request_uri; } - + server { - listen 443 ssl; - server_name mattermost.example.com; - - ssl on; - ssl_certificate /opt/mattermost/cert/mattermost.crt; - ssl_certificate_key /opt/mattermost/cert/mattermost.key; - ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; + listen 443 ssl; + server_name mattermost.example.com; - # add to location / above - location / { - gzip off; - proxy_set_header X-Forwarded-Ssl on; + ssl on; + ssl_certificate /home/ubuntu/cert/mattermost.crt; + ssl_certificate_key /home/ubuntu/cert/mattermost.key; + ssl_dhparam /home/ubuntu/cert/dhparam.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; + } + } ``` ## Finish Mattermost Server setup diff --git a/doc/install/Production-Ubuntu.md b/doc/install/Production-Ubuntu.md index da3487f45..e3f91f2a1 100644 --- a/doc/install/Production-Ubuntu.md +++ b/doc/install/Production-Ubuntu.md 
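Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` drops SSLv3 but still offers TLS 1.0 and 1.1, and the `AES256+EECDH:AES256+EDH` terms of the cipher string admit CBC suites on those versions. The same line appears in the Debian, RHEL6 and Ubuntu SSL blocks. For a new production install the sample could be limited to `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the installed nginx and OpenSSL support it). If older clients must be supported, a one-line comment in the sample saying so would tell readers the weaker protocols are a deliberate compatibility choice.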
@@ -107,19 +107,20 @@ exec bin/platform * Below is a sample configuration with the minimum settings required to configure Mattermost ``` server { - server_name mattermost.example.com; + server_name mattermost.example.com; + location / { - client_max_body_size 50M; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_pass http://10.10.10.2:8065; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; } - } + } ``` * Remove the existing file with * ``` sudo rm /etc/nginx/sites-enabled/default``` 
@@ -151,29 +152,39 @@ exec bin/platform 4. Modify the file at `/etc/nginx/sites-available/mattermost` and add the following lines: ``` server { - listen 80; - server_name mattermost.example.com; - return 301 https://$server_name$request_uri; + listen 80; + server_name mattermost.example.com; + return 301 https://$server_name$request_uri; } server { - listen 443 ssl; - server_name mattermost.example.com; - - ssl on; - ssl_certificate /home/ubuntu/cert/mattermost.crt; - ssl_certificate_key /home/ubuntu/cert/mattermost.key; - ssl_dhparam /home/ubuntu/cert/dhparam.pem; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; + listen 443 ssl; + server_name mattermost.example.com; + + ssl on; + ssl_certificate /home/ubuntu/cert/mattermost.crt; + ssl_certificate_key /home/ubuntu/cert/mattermost.key; + ssl_dhparam /home/ubuntu/cert/dhparam.pem; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; - # add to location / above - location / { - gzip off; - proxy_set_header X-Forwarded-Ssl on; + location / { + gzip off; + proxy_set_header X-Forwarded-Ssl on; + client_max_body_size 50M; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_pass http://10.10.10.2:8065; + } + } ``` -- cgit v1.2.3-1-g7c22 From e419d12e231121ff3b75dbfd76e3bc691479d83e Mon Sep 17 00:00:00 2001 
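Review bot: `ssl on;` is redundant next to `listen 443 ssl;` in the rewritten server block, and the same pair is in the Debian, RHEL6 and RHEL7 samples. The `ssl` directive was deprecated in nginx 1.15.0 and removed in 1.25.1, so on current nginx this sample will not load as written. Dropping the `ssl on;` line keeps the block valid across versions without changing behaviour on the releases these guides target.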
From: Hjf288 Date: Tue, 29 Dec 2015 11:38:24 +0000 Subject: Add missing DH param generation instructions to SSL section --- doc/install/Production-Debian.md | 4 ++-- doc/install/Production-RHEL6.md | 2 +- doc/install/Production-RHEL7.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/install/Production-Debian.md b/doc/install/Production-Debian.md index efabb8c21..e33dd2960 100644 --- a/doc/install/Production-Debian.md +++ b/doc/install/Production-Debian.md @@ -265,8 +265,8 @@ exit 0 Common Name (e.g. server FQDN or YOUR name) []:mattermost.example.com Email Address []:admin@mattermost.example.com ``` -1. Modify the file at `/etc/nginx/sites-available/mattermost` and add the following lines - * +1. Run `openssl dhparam -out dhparam.pem 4096` (it will take some time). +1. Modify the file at `/etc/nginx/sites-available/mattermost` and add the following lines: ``` server { listen 80; diff --git a/doc/install/Production-RHEL6.md b/doc/install/Production-RHEL6.md index fab534cc6..d73295ebc 100644 --- a/doc/install/Production-RHEL6.md +++ b/doc/install/Production-RHEL6.md @@ -165,8 +165,8 @@ enabled=1 Common Name (e.g. server FQDN or YOUR name) []:mattermost.example.com Email Address []:admin@mattermost.example.com ``` +1. Run `openssl dhparam -out dhparam.pem 4096` (it will take some time). 1. Modify the file at `/etc/nginx/conf.d/mattermost.conf` and add the following lines - * ``` server { listen 80; diff --git a/doc/install/Production-RHEL7.md b/doc/install/Production-RHEL7.md index bddd06e0b..4e003dd46 100644 --- a/doc/install/Production-RHEL7.md +++ b/doc/install/Production-RHEL7.md @@ -172,8 +172,8 @@ enabled=1 Common Name (e.g. server FQDN or YOUR name) []:mattermost.example.com Email Address []:admin@mattermost.example.com ``` +1. Run `openssl dhparam -out dhparam.pem 4096` (it will take some time). 1. Modify the file at `/etc/nginx/conf.d/mattermost.conf` and add the following lines - * ``` server { listen 80; -- cgit v1.2.3-1-g7c22
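Review bot: The added step `openssl dhparam -out dhparam.pem 4096` writes to the current directory, while the NGINX samples from the previous commit load `ssl_dhparam /home/ubuntu/cert/dhparam.pem;`. This applies to all three hunks (Debian, RHEL6, RHEL7). Unless an earlier step outside the hunk changes into the certificate directory, the file lands somewhere NGINX is not told to look. Give the full output path in the command, matching whatever directory each guide's `ssl_dhparam` line uses, e.g. `openssl dhparam -out <cert-dir>/dhparam.pem 4096`, where `<cert-dir>` is a placeholder for that directory. A 2048-bit parameter is generally considered sufficient and generates much faster, which may be worth mentioning beside the "it will take some time" remark.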