SSL encryption #43
- improve ssl inst
Update README.md
README.md
Outdated
@@ -26,6 +26,13 @@ Document Server and Nextcloud Docker installation will install the preconfigured | |||
docker-compose up -d | |||
``` | |||
|
|||
To enable SSL encryption, create `certs` folder and copy the private key named as `tls.key` and the certificate named as `tls.crt` to it. |
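Review bot: The added README sentence does not say where the `certs` folder has to be created, and it assumes the reader already has files called `tls.key` and `tls.crt`. Suggest stating the folder's location relative to the directory where `docker-compose up -d` is run, and saying that the certificate and private key must be saved under exactly those two names whatever the issuing tool called them.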
I don't have a lot of context about how this works. Where should the `certs` folder be created? And where can I get the `tls.key` and `tls.crt` to copy?
In the folder where `docker-compose.yml` and `ssl.yml` are.
Thank you. Where can I find the `tls.key` and `tls.cert`? Do I need to generate those somewhere? Do I need to get them from letsencrypt?
Yes, you can get them from letsencrypt for your domain.
If you do not have your own domain, you can generate a self-signed certificate.
I've spent a few hours trying to get a `tls.key` and `tls.cert`. The letsencrypt website told me to use certbot, so I installed that, and ran `sudo certbot certonly --standalone`, which generated some `.pem` files. I don't see any of the files you mentioned anywhere. I can't even find them in the certbot docs: https://certbot.eff.org/docs/search.html?q=tls.crt
Can you tell me what needs to be done to get these files?
Put `fullchain.pem` in `certs` as `tls.crt` and `privkey.pem` as `tls.key`.
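The renaming step from the reply above, as an added example that is not part of this PR or the project's own tooling: a shell function that copies certbot's `fullchain.pem` and `privkey.pem` into `certs` as `tls.crt` and `tls.key`, after checking that the key matches the certificate and that the certificate has not expired. The function name `install_certs` and its return codes are hypothetical, and the script assumes the `openssl` command is installed.

```shell
#!/bin/sh
# Added example (not from the PR): copy certbot output into the certs folder
# under the names the setup expects. install_certs is a hypothetical helper.
# Return codes: 1 missing input, 2 unparsable PEM, 3 key/cert mismatch,
# 4 expired certificate, 5 copy failure.
install_certs() {
    src=$1    # directory holding fullchain.pem and privkey.pem
    dest=$2   # the certs folder next to docker-compose.yml

    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "fullchain.pem or privkey.pem not readable in $src" >&2; return 1; }

    # Public key of the leaf certificate (openssl x509 reads only the first
    # certificate in a chain file) and public key derived from the private key.
    cert_pub=$(openssl x509 -in "$src/fullchain.pem" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate" >&2; return 2; }
    key_pub=$(openssl pkey -in "$src/privkey.pem" -pubout 2>/dev/null) || {
        echo "cannot parse private key" >&2; return 2; }

    # A mismatched pair makes nginx fail at startup; catch it before copying.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 3; }

    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$src/fullchain.pem" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired" >&2; return 4; }

    mkdir -p "$dest" || return 5
    # umask 077 keeps the key from being group/world readable even briefly.
    # cp follows certbot's symlinks in live/ and copies the file contents.
    ( umask 077
      cp "$src/fullchain.pem" "$dest/tls.crt" &&
      cp "$src/privkey.pem" "$dest/tls.key" ) || return 5
    chmod 644 "$dest/tls.crt" && chmod 600 "$dest/tls.key"
}

# Usage: sh install_certs.sh /etc/letsencrypt/live/<your-domain> ./certs
if [ "$#" -eq 2 ]; then
    install_certs "$1" "$2"
fi
```

Certbot renews certificates periodically, so the copy has to be repeated after each renewal and nginx reloaded to pick up the new files.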
Amazing! It's working! <3 Thank you so much for your help!
For the sake of other people being able to follow the directions, it might be helpful to add a link to certbot directions and mention that the pem files should be renamed. I never would have guessed that.
This reverts commit 1b7f5bb.
README.md
Outdated
@@ -26,6 +26,13 @@ Document Server and Nextcloud Docker installation will install the preconfigured | |||
docker-compose up -d | |||
``` | |||
|
|||
To enable SSL encryption, create `certs` folder and copy the private key named as `tls.key` and the certificate named as `tls.crt` to it. |
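Review bot: The added sentence has readers copy a private key into a new `certs` folder but says nothing about protecting that file. Suggest adding that `tls.key` should be readable only by its owner and that the `certs` folder should be kept out of version control, for example with a `.gitignore` entry.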
To enable SSL encryption, create `certs` folder and copy the private key named as `tls.key` and the certificate named as `tls.crt` to it. | |
To enable SSL encryption, first create a self-signed certificate or [get one from a certificate authority](https://certbot.eff.org/), then create a `certs` folder at the base of this repo and copy your certificate and private key files into it, naming them `tls.cert` and `tls.key`, respectively. |
ssl_certificate_key /etc/nginx/certs/tls.key; | ||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_ciphers HIGH:!aNULL:!MD5; | ||
|
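Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated by RFC 8996; suggest `ssl_protocols TLSv1.2 TLSv1.3;` (the `TLSv1.3` parameter needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later). On the next line, `ssl_ciphers HIGH:!aNULL:!MD5;` still admits CBC-mode suites and RSA key exchange without forward secrecy, so consider narrowing it to ECDHE suites with AEAD ciphers.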
Nextcloud's security warnings page (`/index.php/settings/admin/overview`) was complaining that the X-Frame-Options "SAMEORIGIN" header wasn't set. I'm not an nginx expert, so I'm not sure if this is the best place to add it, but adding this line here fixed the warning for me. For some reason, adding it in `common.conf` didn't seem to work.
add_header X-Frame-Options "SAMEORIGIN" always; |
It seems that with this setup, there is something still missing with the SSL config, that negates most of the benefits of having the document server installed. The DocumentServer is unable to save changes to Nextcloud. Basically when the DocumentServer makes a request to
I think the solution is something related to making sure that the SSL certificates are working for internal requests between the document server and nextcloud, and that the certificates are installed on both containers. I spent several hours trying different variations, and haven't quite figured out the solution yet. This thread might have some hints: https://help.nextcloud.com/t/warning-the-document-could-not-be-saved/26550
No description provided.