From 38441a2bd3921660bf64fdf27a7320942f43ea72 Mon Sep 17 00:00:00 2001
From: Philipp Heckel
Date: Wed, 2 Nov 2022 14:24:59 -0400
Subject: [PATCH] Additional nginx config

---
 docs/config.md | 92 ++++++++++++++++++++++++++++++++++++++++++++++--
 docs/releases.md | 1 +
 2 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/docs/config.md b/docs/config.md
index cb89f72..071218d 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -441,8 +441,94 @@ by forwarding the `Connection` and `Upgrade` headers accordingly.
 In this example, ntfy runs on `:2586` and we proxy traffic to it.
 We also redirect HTTP to HTTPS for GET requests against a topic
 or the root domain:
-=== "nginx (/etc/nginx/sites-*/ntfy)"
+=== "nginx (convenient)"
 ```
+ # /etc/nginx/sites-*/ntfy
+ #
+ # This config allows insecure HTTP POST/PUT requests against topics to allow a short curl syntax (without -L
+ and "https://" prefix). It also disables output buffering, which has worked well for the ntfy.sh server.
+ #
+ # This is how ntfy.sh is configured.
+
+ server {
+ listen 80;
+ server_name ntfy.sh;
+
+ location / {
+ # Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
+ # it to work with curl without the annoying https:// prefix
+ set $redirect_https "";
+ if ($request_method = GET) {
+ set $redirect_https "yes";
+ }
+ if ($request_uri ~* "^/([-_a-z0-9]{0,64}$|docs/|static/)") {
+ set $redirect_https "${redirect_https}yes";
+ }
+ if ($redirect_https = "yesyes") {
+ return 302 https://$http_host$request_uri$is_args$query_string;
+ }
+
+ proxy_pass http://127.0.0.1:2586;
+ proxy_http_version 1.1;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_connect_timeout 3m;
+ proxy_send_timeout 3m;
+ proxy_read_timeout 3m;
+
+ client_max_body_size 20m; # Must be >= attachment-file-size-limit in /etc/ntfy/server.yml
+ }
+ }
+
+ server {
+ listen 443 ssl;
+ server_name ntfy.sh;
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+ ssl_prefer_server_ciphers on;
+
+ ssl_certificate /etc/letsencrypt/live/ntfy.sh/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ntfy.sh/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:2586;
+ proxy_http_version 1.1;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_redirect off;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_connect_timeout 3m;
+ proxy_send_timeout 3m;
+ proxy_read_timeout 3m;
+
+ client_max_body_size 20m; # Must be >= attachment-file-size-limit in /etc/ntfy/server.yml
+ }
+ }
+ ```
+
+=== "nginx (more secure)"
+ ```
+ # /etc/nginx/sites-*/ntfy
+ #
+ # This config requires the use of the -L flag in curl to redirect to HTTPS, and it keeps nginx output buffering
+ enabled. While recommended, I have had issues with that in the past.
+
 server {
 listen 80;
 server_name ntfy.sh;
@@ -496,8 +582,10 @@ or the root domain:
 }
 ```
-=== "Apache2 (/etc/apache2/sites-*/ntfy.conf)"
+=== "Apache2"
 ```
+ # /etc/apache2/sites-*/ntfy.conf
+
 ServerName ntfy.sh
diff --git a/docs/releases.md b/docs/releases.md
index 3ab52fc..ae64f1a 100644
--- a/docs/releases.md
+++ b/docs/releases.md
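Review bot: In the convenient tab's port-80 block, `return 302 https://$http_host$request_uri$is_args$query_string;` emits the query string twice, because `$request_uri` already carries the original arguments; a request for `/docs/?x=1` is redirected to `/docs/?x=1?x=1`, so the line should read `return 302 https://$server_name$request_uri;`. Using `$server_name` (which resolves to the configured `ntfy.sh`) instead of `$http_host` also stops the redirect target being assembled from the client-supplied Host header, which matters if this `server` block is the one nginx falls back to for unmatched hosts on port 80. Separately, the comment continuation lines `+ and "https://" prefix). It also disables output buffering, ...` and, in the more-secure tab, `+ enabled. While recommended, ...` have no leading `#`; if that is the committed text rather than a rendering artefact, `nginx -t` rejects both listings with an unknown-directive error, and they should be `# and ...` and `# enabled. ...`. The more-secure tab's `server` block only begins in this hunk's trailing context; its remaining lines are outside the hunk.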
@@ -27,6 +27,7 @@ and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/release
 * Updated [example](https://ntfy.sh/docs/examples/#gatus) with official [Gatus](https://github.com/TwiN/gatus) integration (thanks to [@TwiN](https://github.com/TwiN))
 * Added [Kubernetes install instructions](https://ntfy.sh/docs/install/#kubernetes) ([#452](https://github.com/binwiederhier/ntfy/pull/452), thanks to [@gmemstr](https://github.com/gmemstr))
 * Added [additional NixOS links for self-hosting](https://ntfy.sh/docs/install/#nixos-nix) ([#462](https://github.com/binwiederhier/ntfy/pull/462), thanks to [@wamserma](https://github.com/wamserma))
+* Added additional [more secure nginx config example](https://ntfy.sh/docs/config/#nginxapache2caddy) ([#451](https://github.com/binwiederhier/ntfy/pull/451), thanks to [SuperSandro2000](https://github.com/SuperSandro2000))
 
 **Additional translations:**