diff --git a/docker-compose.yaml b/docker-compose.yaml index 5f38934..bcce5ec 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -51,6 +51,7 @@ services: restart: unless-stopped volumes: - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - ./nginx/certs:/etc/nginx/certs:ro security_opt: - "label=disable" depends_on: diff --git a/generate-certs.sh b/generate-certs.sh new file mode 100644 index 0000000..3a0db0e --- /dev/null +++ b/generate-certs.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +# Create certificates directory +mkdir -p ./nginx/certs + +# Generate private key +openssl genrsa -out ./nginx/certs/server.key 2048 + +# Generate certificate signing request +openssl req -new -key ./nginx/certs/server.key -out ./nginx/certs/server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=localhost" + +# Generate self-signed certificate (valid for 365 days) +openssl x509 -req -days 365 -in ./nginx/certs/server.csr -signkey ./nginx/certs/server.key -out ./nginx/certs/server.crt + +# Create certificate bundle +cat ./nginx/certs/server.crt > ./nginx/certs/server.pem +cat ./nginx/certs/server.key >> ./nginx/certs/server.pem + +# Set proper permissions +chmod 600 ./nginx/certs/server.key +chmod 644 ./nginx/certs/server.crt +chmod 644 ./nginx/certs/server.pem + +# Clean up CSR file +rm ./nginx/certs/server.csr + +echo "Self-signed certificates generated successfully!" +echo "Certificate: ./nginx/certs/server.crt" +echo "Private Key: ./nginx/certs/server.key" +echo "Bundle: ./nginx/certs/server.pem" \ No newline at end of file diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 7b3341d..38d343c 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -7,16 +7,26 @@ http { server drop-drop-shielded:3000; } + # HTTPS server server { - listen 14050; + listen 14050 ssl; server_name _; + # SSL configuration + ssl_certificate /etc/nginx/certs/server.crt; + ssl_certificate_key /etc/nginx/certs/server.key; + + # SSL settings + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + location / { proxy_pass http://drop_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto https; # Handle WebSocket connections if needed proxy_http_version 1.1;