Compare commits
28 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c3ecd245be | ||
|
|
5b52f713bd | ||
|
|
d8c52f8d74 | ||
|
|
2b12534f90 | ||
|
|
6f8c34c0f3 | ||
|
|
ad76445269 | ||
|
|
bb1e8066c4 | ||
|
|
43501880ff | ||
|
|
a758c2c52b | ||
|
|
7647cce8c1 | ||
|
|
c8b5a40f99 | ||
|
|
124a8ba340 | ||
|
|
8d916d82fa | ||
|
|
1f5c1b24f1 | ||
|
|
66ab03e4fe | ||
|
|
bccdcd527d | ||
|
|
689a8f88db | ||
|
|
6a4ab2bd12 | ||
|
|
7c80c1fdb5 | ||
|
|
85375bfcfd | ||
|
|
8553ee32aa | ||
|
|
9eb10f5cf3 | ||
|
|
189bc354fe | ||
|
|
0f0612f484 | ||
|
|
0d5ff88269 | ||
|
|
8a288119d9 | ||
|
|
8f81794e44 | ||
|
|
5f86258eed |
@ -1,5 +1,3 @@
|
||||
sudo: required
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
|
||||
@ -20,7 +20,7 @@ The following people help to maintain this open source project:
|
||||
|:--------------------------------------|:--------------|
|
||||
| Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018 |
|
||||
|
||||
In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
|
||||
In case something happens where no maintainers are able to complete their responsibilities, the following sponsoring organization can help find a new maintainer:
|
||||
|
||||
| Sponsoring Organization | Start Date |
|
||||
|:-------------------------------|:--------------|
|
||||
|
||||
17
README.md
17
README.md
@ -1,6 +1,12 @@
|
||||
# Production Docker deployment for Mattermost
|
||||
|
||||
This project enables deployment of a Mattermost server in a multi-node production configuration using Docker.
|
||||
## WARNING:
|
||||
|
||||
The current state of this repository doesn't work out-of-the box since Mattermost server v5.31+ requires PostgreSQL versions of 10 or higher.
|
||||
|
||||
We're actively working on a fix to this repository. Until then, please refer to these upgrade instructions: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
|
||||
|
||||
This project enables a deployment of a Mattermost server in a multi-node production configuration using Docker.
|
||||
|
||||
[](https://travis-ci.org/mattermost/mattermost-docker)
|
||||
|
||||
@ -67,6 +73,13 @@ If your database use some custom host and port, it is also possible to configure
|
||||
* `DB_HOST`: database host address
|
||||
* `DB_PORT_NUMBER`: database port
|
||||
|
||||
Use this optional variable if your PostgreSQL connection requires encryption (you may need a certificate authority file and/or a certificate revocation list - check the documentation for your database provider). See the [PostgreSQL notes on encrypted connections](https://www.postgresql.org/docs/current/libpq-ssl.html) for recommendations on what values to use when encryption is needed.
|
||||
* `DB_SSLMODE`: defaults to `disable`, indicating no encryption
|
||||
|
||||
PostgreSQL allows two other variables `sslrootcert` and `sslcrl` for connection strings. However these are not broadly supported when the connection string is specified as a URI. If you need these parameters, use the PostgreSQL-specified environment variables
|
||||
* `PGSSLROOTCERT` specifies the location of CA file
|
||||
* `PGSSLCRL` specifies the location of a certificate revocation list file
|
||||
|
||||
If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) :
|
||||
* `MM_CONFIG`: configuration file location inside the container.
|
||||
|
||||
@ -189,7 +202,7 @@ docker-compose build app
|
||||
docker-compose run app -upgrade_db_30
|
||||
docker-compose up -d
|
||||
```
|
||||
See the [offical Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
|
||||
See the [official Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
|
||||
|
||||
## Installation using Docker Swarm Mode
|
||||
|
||||
|
||||
@ -2,13 +2,14 @@ FROM alpine:3.10
|
||||
|
||||
# Some ENV variables
|
||||
ENV PATH="/mattermost/bin:${PATH}"
|
||||
ENV MM_VERSION=5.23.0
|
||||
ENV MM_INSTALL_TYPE=docker
|
||||
|
||||
# Build argument to set Mattermost edition
|
||||
ARG edition=enterprise
|
||||
ARG PUID=2000
|
||||
ARG PGID=2000
|
||||
ARG MM_BINARY=
|
||||
ARG MM_VERSION=5.31.0
|
||||
|
||||
|
||||
# Install some needed packages
|
||||
@ -18,7 +19,7 @@ RUN apk add --no-cache \
|
||||
jq \
|
||||
libc6-compat \
|
||||
libffi-dev \
|
||||
libcap \
|
||||
libcap \
|
||||
linux-headers \
|
||||
mailcap \
|
||||
netcat-openbsd \
|
||||
@ -28,15 +29,15 @@ RUN apk add --no-cache \
|
||||
|
||||
# Get Mattermost
|
||||
RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
|
||||
&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
|
||||
elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz | tar -xvz ; \
|
||||
else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz | tar -xvz ; fi \
|
||||
&& cp /mattermost/config/config.json /config.json.save \
|
||||
&& rm -rf /mattermost/config/config.json \
|
||||
&& addgroup -g ${PGID} mattermost \
|
||||
&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
|
||||
&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
|
||||
&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
|
||||
&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
|
||||
elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
|
||||
else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
|
||||
&& cp /mattermost/config/config.json /config.json.save \
|
||||
&& rm -rf /mattermost/config/config.json \
|
||||
&& addgroup -g ${PGID} mattermost \
|
||||
&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
|
||||
&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
|
||||
&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
|
||||
|
||||
USER mattermost
|
||||
|
||||
|
||||
@ -2,65 +2,72 @@
|
||||
|
||||
# Function to generate a random salt
|
||||
generate_salt() {
|
||||
tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
|
||||
tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 48 | head -n 1
|
||||
}
|
||||
|
||||
# Read environment variables or set default values
|
||||
DB_HOST=${DB_HOST:-db}
|
||||
DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
|
||||
# see https://www.postgresql.org/docs/current/libpq-ssl.html
|
||||
# for usage when database connection requires encryption
|
||||
# filenames should be escaped if they contain spaces
|
||||
# i.e. $(printf %s ${MY_ENV_VAR:-''} | jq -s -R -r @uri)
|
||||
# the location of the CA file can be set using environment var PGSSLROOTCERT
|
||||
# the location of the CRL file can be set using PGSSLCRL
|
||||
# The URL syntax for connection string does not support the parameters
|
||||
# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
|
||||
# to set names if using a location other than default
|
||||
DB_USE_SSL=${DB_USE_SSL:-disable}
|
||||
MM_DBNAME=${MM_DBNAME:-mattermost}
|
||||
MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
|
||||
|
||||
if [ "${1:0:1}" = '-' ]; then
|
||||
set -- mattermost "$@"
|
||||
_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }')
|
||||
if [ "$_1" = '-' ]; then
|
||||
set -- mattermost "$@"
|
||||
fi
|
||||
|
||||
if [ "$1" = 'mattermost' ]; then
|
||||
# Check CLI args for a -config option
|
||||
for ARG in $@;
|
||||
do
|
||||
case "$ARG" in
|
||||
-config=*)
|
||||
MM_CONFIG=${ARG#*=};;
|
||||
esac
|
||||
for ARG in "$@"; do
|
||||
case "$ARG" in
|
||||
-config=*) MM_CONFIG=${ARG#*=} ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ ! -f $MM_CONFIG ]
|
||||
then
|
||||
if [ ! -f "$MM_CONFIG" ]; then
|
||||
# If there is no configuration file, create it with some default values
|
||||
echo "No configuration file" $MM_CONFIG
|
||||
echo "No configuration file $MM_CONFIG"
|
||||
echo "Creating a new one"
|
||||
# Copy default configuration file
|
||||
cp /config.json.save $MM_CONFIG
|
||||
# Substitue some parameters with jq
|
||||
jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
cp /config.json.save "$MM_CONFIG"
|
||||
# Substitute some parameters with jq
|
||||
jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
else
|
||||
echo "Using existing config file" $MM_CONFIG
|
||||
echo "Using existing config file $MM_CONFIG"
|
||||
fi
|
||||
|
||||
# Configure database access
|
||||
if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
|
||||
then
|
||||
echo -ne "Configure database connection..."
|
||||
if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
|
||||
echo "Configure database connection..."
|
||||
# URLEncode the password, allowing for special characters
|
||||
ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
|
||||
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
|
||||
echo OK
|
||||
ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
|
||||
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
|
||||
echo "OK"
|
||||
else
|
||||
echo "Using existing database connection"
|
||||
fi
|
||||
|
||||
@ -5,7 +5,7 @@ export WAL_LEVEL=${WAL_LEVEL:-minimal}
|
||||
export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
|
||||
export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
|
||||
|
||||
function update_conf () {
|
||||
function update_conf() {
|
||||
wal=$1
|
||||
# PGDATA is defined in upstream postgres dockerfile
|
||||
config_file=$PGDATA/postgresql.conf
|
||||
@ -23,11 +23,11 @@ function update_conf () {
|
||||
sed -i "s/archive_command =.*$//g" $config_file
|
||||
|
||||
# Configure wal-e
|
||||
if [ "$wal" = true ] ; then
|
||||
if [ "$wal" = true ]; then
|
||||
/docker-entrypoint-initdb.d/setup-wale.sh
|
||||
fi
|
||||
echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
|
||||
echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
|
||||
echo "log_timezone = $DEFAULT_TIMEZONE" >>$config_file
|
||||
echo "timezone = $DEFAULT_TIMEZONE" >>$config_file
|
||||
}
|
||||
|
||||
if [ "${1:0:1}" = '-' ]; then
|
||||
@ -46,7 +46,7 @@ if [ "$1" = 'postgres' ]; then
|
||||
done
|
||||
|
||||
# Setup wal-e env variables
|
||||
if [ "$wal_enable" = true ] ; then
|
||||
if [ "$wal_enable" = true ]; then
|
||||
for v in ${VARS[@]}; do
|
||||
export $v="${!v}"
|
||||
done
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
# wal-e specific configuration
|
||||
echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
|
||||
echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
|
||||
echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
|
||||
echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf
|
||||
echo "wal_level = $WAL_LEVEL" >>$PGDATA/postgresql.conf
|
||||
echo "archive_mode = $ARCHIVE_MODE" >>$PGDATA/postgresql.conf
|
||||
echo "archive_command = '/usr/bin/wal-e wal-push %p'" >>$PGDATA/postgresql.conf
|
||||
echo "archive_timeout = $ARCHIVE_TIMEOUT" >>$PGDATA/postgresql.conf
|
||||
|
||||
@ -27,6 +27,7 @@ services:
|
||||
# - edition=team
|
||||
# - PUID=1000
|
||||
# - PGID=1000
|
||||
# - MM_VERSION=5.31
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./volumes/app/mattermost/config:/mattermost/config:rw
|
||||
@ -54,11 +55,13 @@ services:
|
||||
web:
|
||||
build: web
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- "80:8080"
|
||||
- "443:8443"
|
||||
read_only: true
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
# This directory must have cert files if you want to enable SSL
|
||||
- ./volumes/web/cert:/cert:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
cap_drop:
|
||||
- ALL
|
||||
|
||||
@ -1,17 +1,38 @@
|
||||
FROM nginx:mainline-alpine
|
||||
FROM nginxinc/nginx-unprivileged:mainline-alpine
|
||||
|
||||
USER root
|
||||
|
||||
# Remove default configuration and add our custom Nginx configuration files
|
||||
RUN rm /etc/nginx/conf.d/default.conf \
|
||||
&& apk add --no-cache curl
|
||||
|
||||
COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
|
||||
COPY ./security.conf /etc/nginx/conf.d/
|
||||
|
||||
# Add and setup entrypoint
|
||||
COPY entrypoint.sh /
|
||||
|
||||
RUN chown -R nginx:nginx /etc/nginx/sites-available && \
|
||||
chown -R nginx:nginx /var/cache/nginx && \
|
||||
chown -R nginx:nginx /var/log/nginx && \
|
||||
chown -R nginx:nginx /etc/nginx/conf.d && \
|
||||
chown nginx:nginx entrypoint.sh
|
||||
RUN touch /var/run/nginx.pid && \
|
||||
chown -R nginx:nginx /var/run/nginx.pid
|
||||
|
||||
COPY ./security.conf /etc/nginx/conf.d/
|
||||
|
||||
RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
|
||||
|
||||
RUN chmod u+x /entrypoint.sh
|
||||
|
||||
RUN sed -i "/^http {/a \ proxy_buffering off;\n" /etc/nginx/nginx.conf
|
||||
RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
|
||||
&& sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
|
||||
|
||||
USER nginx
|
||||
|
||||
#Healthcheck to make sure container is ready
|
||||
HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
|
||||
HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1
|
||||
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen 8080;
|
||||
|
||||
location ~ /api/v[0-9]+/(users/)?websocket$ {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
|
||||
20
web/mattermost-ssl
Normal file → Executable file
20
web/mattermost-ssl
Normal file → Executable file
@ -1,7 +1,7 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
listen 8080 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
@ -10,14 +10,16 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen 8443 ssl http2;
|
||||
|
||||
ssl_certificate /cert/cert.pem;
|
||||
ssl_certificate_key /cert/key-no-password.pem;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
# Please update the ciphers in this file every 6 months.
|
||||
# https://ssl-config.mozilla.org/
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
location ~ /api/v[0-9]+/(users/)?websocket$ {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
@ -33,7 +35,7 @@ server {
|
||||
proxy_buffers 256 16k;
|
||||
proxy_buffer_size 16k;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
}
|
||||
|
||||
location / {
|
||||
@ -50,7 +52,7 @@ server {
|
||||
proxy_buffers 256 16k;
|
||||
proxy_buffer_size 16k;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user