NGINX (SSL Config)
The recommended way to run Faraday is over SSL, behind Nginx.
Nginx
The new Faraday release 3.14 can generate an nginx configuration for you.
Installing Nginx
You can find a detailed guide on how to install nginx in the official Nginx documentation.
Configure NGINX
After installing and configuring NGINX, Faraday's setup should be as follows:
Note: In both cases, NGINX on port 80 redirects to HTTPS.
Generating Certificates
To generate a self-signed certificate, run the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/faraday.key -out /etc/ssl/faraday.crt
Be sure to type the Common Name of this certificate. If you don't type a Common Name, then Faraday will not be launched.
For further information about certificates, follow this link.
Sample Configuration Files
Below you can find a sample configuration file for NGINX. You can use this same configuration by saving it in the folder /etc/nginx/sites-enabled/ or in conf.d, under any file name you like.
faraday-manage generate-nginx-config --fqdn faraday.mydomain.com --port 5985 --ws-port 9000 --ssl-certificate /etc/ssl/faraday.crt --ssl-key /etc/ssl/faraday.key
Generating Faraday nginx config for server: faraday.mydomain.com
Faraday
- Port: 5985
- Websocket Port: 9000
SSL: certificate [/etc/ssl/faraday.crt] - key [/etc/ssl/faraday.key ]
Confirm [Y/n]: y
NGINX Config
#####################################
# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  max;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

server {
    server_name faraday.mydomain.com;
    listen 443 ssl http2;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-XSS-Protection "1; mode = block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;

    client_max_body_size 150M;

    # Redundant with "listen ... ssl"; deprecated since nginx 1.15.0.
    ssl on;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/ssl/faraday.crt;
    ssl_certificate_key /etc/ssl/faraday.key;

    gzip on;
    gzip_types application/javascript text/css;
    expires $expires;

    location / {
        alias /opt/faraday/lib/python3.8/site-packages/faraday/server/www/;
    }

    location /_api/ {
        proxy_pass http://localhost:5985/_api/;
        proxy_redirect http:// $scheme://;
        proxy_read_timeout 300;
        proxy_cookie_path / "/; secure";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /websockets {
        proxy_http_version 1.1;
        proxy_pass http://localhost:9000/websockets;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    server_name faraday.mydomain.com;
    listen 80;

    # https redirect
    if ($host = faraday.mydomain.com) {
        return 301 https://$host$request_uri;
    }
    return 404;
}
Now you can access Faraday at https://faraday.mydomain.com
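
The following check is an added example, not part of Faraday or its documentation. It parses an nginx configuration and reports a TLS server block whose certificate directives are malformed or that sends no Strict-Transport-Security header, and a port-80 server block that does not redirect to HTTPS. The function names and the sample configuration are constructed for illustration.

```python
import re

# Tokens: quoted strings, comments, structural characters, bare words.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};"\'#]+')

def servers(text):
    """Return one flat [(name, args), ...] list per top-level server block."""
    out, words, depth, cur = [], [], 0, None
    for tok in (t for t in TOKEN.findall(text) if not t.startswith("#")):
        if tok not in ("{", "}", ";"):
            words.append(tok.strip("\"'"))
            continue
        if tok == "{" and depth == 0 and words == ["server"]:
            out.append(cur := [])
        elif tok != "}" and words and cur is not None:
            cur.append((words[0], words[1:]))
        depth += (tok == "{") - (tok == "}")
        cur = cur if depth > 0 else None
        words = []
    return out

def audit(text):
    """Return findings on TLS and HTTP-to-HTTPS redirect settings per server."""
    findings = []
    for flat in servers(text):
        get = lambda key: [a for n, a in flat if n == key]
        if any("ssl" in a for a in get("listen")):
            for key in ("ssl_certificate", "ssl_certificate_key"):
                if [len(a) for a in get(key)] != [1]:
                    findings.append(f"{key}: expected one path (missing ';'?)")
            if not any(a[0].lower() == "strict-transport-security"
                       for a in get("add_header") if a):
                findings.append("TLS server sends no Strict-Transport-Security")
        elif not any(a[0] == "301" and a[-1].startswith("https://")
                     for a in get("return") if a):
            findings.append("plain-HTTP server does not redirect to HTTPS")
    return findings

# Constructed sample input, not a real deployment's configuration.
GOOD = """
server { listen 443 ssl http2;
  add_header Strict-Transport-Security "max-age=31536000" always;
  ssl_certificate /etc/ssl/faraday.crt;
  ssl_certificate_key /etc/ssl/faraday.key; gzip on; }
server { listen 80;
  if ($host = faraday.mydomain.com) { return 301 https://$host$request_uri; } }
"""
BAD = GOOD.replace("faraday.key;", "faraday.key").replace("301 https", "301 http")
print("\n".join(audit(BAD)))
```

This covers only the directives it names; run `nginx -t` as well to validate the full syntax before reloading.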