-rw-r--r--kvmd/configs/nginx/nginx.conf.example (renamed from kvmd/configs/nginx/nginx.conf)31
-rw-r--r--kvmd/testenv/nginx.conf18
-rw-r--r--kvmd/web/js/session.js2
-rw-r--r--os/platforms/v1/Dockerfile.part9
4 files changed, 38 insertions, 22 deletions
diff --git a/kvmd/configs/nginx/nginx.conf b/kvmd/configs/nginx/nginx.conf.example
index 51c52c46..cd30f572 100644
--- a/kvmd/configs/nginx/nginx.conf
+++ b/kvmd/configs/nginx/nginx.conf.example
@@ -10,13 +10,26 @@ events {
}
http {
+ access_log off;
+
include mime.types;
default_type application/octet-stream;
charset utf-8;
sendfile on;
keepalive_timeout 10;
- # gzip on;
+
+ client_body_temp_path /tmp/nginx.client_body_temp;
+ fastcgi_temp_path /tmp/nginx.fastcgi_temp;
+ proxy_temp_path /tmp/nginx.proxy_temp;
+ scgi_temp_path /tmp/nginx.scgi_temp;
+ uwsgi_temp_path /tmp/nginx.uwsgi_temp;
+
+ server {
+ listen 80;
+ server_name localhost;
+ return 301 https://$host$request_uri;
+ }
upstream kvmd {
server localhost:8081 fail_timeout=0s max_fails=0;
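Review bot: The new port-80 redirect at `return 301 https://$host$request_uri;` copies whatever Host header the client sent into the Location response, so the redirect target is client-controlled rather than pinned to this device. For an appliance reached by bare IP that is hard to avoid, but it deserves a comment so nobody later "fixes" it the wrong way, e.g. `# $host comes from the client's Host header; the device has no fixed hostname to pin the redirect to`. Separately, `access_log off;` now sits at http scope and therefore applies to every server in this file, so a remote-console device keeps no record of who connected — presumably a deliberate trade-off for SD-card wear, and a one-line comment next to the directive should say so.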
@@ -27,17 +40,15 @@ http {
}
server {
- # access_log /tmp/nginx.access.log;
- access_log off;
-
- listen 80;
+ listen 443 ssl http2;
server_name localhost;
- client_body_temp_path /tmp/nginx.client_body_temp;
- fastcgi_temp_path /tmp/nginx.fastcgi_temp;
- proxy_temp_path /tmp/nginx.proxy_temp;
- scgi_temp_path /tmp/nginx.scgi_temp;
- uwsgi_temp_path /tmp/nginx.uwsgi_temp;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ ssl_certificate ssl/server.crt;
+ ssl_certificate_key ssl/server.key;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
root /usr/share/kvmd/web;
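Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated and rejected by current hardening baselines, and nothing in the hunk suggests a client that needs them. I would change the line to `ssl_protocols TLSv1.2;` (adding TLSv1.3 if the shipped nginx/OpenSSL supports it) and add `ssl_prefer_server_ciphers on;` so the order in the `ssl_ciphers` line is actually enforced. Browsers only honor a Strict-Transport-Security header received over a connection whose certificate validates, so with the self-signed certificate referenced at `ssl/server.crt` the HSTS line is effectively dormant until an operator installs a trusted certificate — worth a one-line comment to avoid surprises. The server block continues past the end of the hunk.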
diff --git a/kvmd/testenv/nginx.conf b/kvmd/testenv/nginx.conf
index c9322517..ed6698cf 100644
--- a/kvmd/testenv/nginx.conf
+++ b/kvmd/testenv/nginx.conf
@@ -10,13 +10,20 @@ events {
}
http {
+ access_log off;
+
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
sendfile on;
keepalive_timeout 10;
- # gzip on;
+
+ client_body_temp_path /tmp/nginx.client_body_temp;
+ fastcgi_temp_path /tmp/nginx.fastcgi_temp;
+ proxy_temp_path /tmp/nginx.proxy_temp;
+ scgi_temp_path /tmp/nginx.scgi_temp;
+ uwsgi_temp_path /tmp/nginx.uwsgi_temp;
upstream kvmd {
server localhost:8081 fail_timeout=0s max_fails=0;
@@ -27,18 +34,9 @@ http {
}
server {
- # access_log /tmp/nginx.access.log;
- access_log off;
-
listen 8080;
server_name localhost;
- client_body_temp_path /tmp/nginx.client_body_temp;
- fastcgi_temp_path /tmp/nginx.fastcgi_temp;
- proxy_temp_path /tmp/nginx.proxy_temp;
- scgi_temp_path /tmp/nginx.scgi_temp;
- uwsgi_temp_path /tmp/nginx.uwsgi_temp;
-
location / {
root /web;
index index.html;
diff --git a/kvmd/web/js/session.js b/kvmd/web/js/session.js
index 238ff877..d3bbf91c 100644
--- a/kvmd/web/js/session.js
+++ b/kvmd/web/js/session.js
@@ -20,7 +20,7 @@ var session = new function() {
};
this.startPoller = function() {
- __ws = new WebSocket("ws://" + location.host + "/kvmd/ws");
+ __ws = new WebSocket((location.protocol == "https:" ? "wss" : "ws") + "://" + location.host + "/kvmd/ws");
__ws.onopen = __wsOpenHandler;
__ws.onmessage = __wsMessageHandler;
__ws.onerror = __wsErrorHandler;
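Review bot: The added line compares `location.protocol` with `==` although the other operand is a string literal, so strict equality is the safer idiom: `__ws = new WebSocket((location.protocol === "https:" ? "wss" : "ws") + "://" + location.host + "/kvmd/ws");`. Choosing `wss` on an https page is the right shape, since browsers block a plaintext `ws://` connection opened from a secure context as mixed content. The body of startPoller continues beyond the hunk.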
diff --git a/os/platforms/v1/Dockerfile.part b/os/platforms/v1/Dockerfile.part
index 4b355acb..b66d52bf 100644
--- a/os/platforms/v1/Dockerfile.part
+++ b/os/platforms/v1/Dockerfile.part
@@ -19,5 +19,12 @@ RUN sed -i -e "s/console=ttyAMA0\,115200//g" /boot/cmdline.txt \
&& sed -i -e "s/kgdboc=ttyAMA0\,115200//g" /boot/cmdline.txt
RUN systemctl mask [email protected]
-RUN cp /usr/share/kvmd/configs/nginx/nginx.conf /etc/nginx/
+RUN cp /usr/share/kvmd/configs/nginx/nginx.conf.example /etc/nginx/
RUN cp /usr/share/kvmd/configs/kvmd/v1.yaml /etc/kvmd.yaml
+
+RUN mkdir /etc/nginx/ssl \
+ && cd /etc/nginx/ssl \
+ && openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 3650 \
+ -subj "/C=RU/ST=Moscow/L=Moscow/O=Pi-KVM/OU=Pi-KVM/CN=localhost" \
+ && chmod 400 server.key \
+ && chmod 444 server.crt
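Review bot: The `openssl req` call generates the TLS private key during the image build, so `server.key` is stored in a layer of the distributed image and every device flashed from that image shares one identical key and certificate; anyone holding the image can impersonate or decrypt traffic to all of them. Generate the key on the device instead: move the `openssl` invocation into a first-boot oneshot (a systemd unit or init script) guarded by `[ -e /etc/nginx/ssl/server.key ] ||`, and leave the Dockerfile to create the empty `/etc/nginx/ssl` directory with tight permissions. The `-days 3650` lifetime and `CN=localhost` subject then become per-device choices rather than build-time constants. This looks like the last hunk of the patch, though the diff may continue beyond what is visible here.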