SSL encryption #43
SSL encryption #43
Conversation
- improve ssl inst
Update README.md
|
|
README.md
Outdated
| @@ -26,6 +26,13 @@ Document Server and Nextcloud Docker installation will install the preconfigured | |||
| docker-compose up -d | |||
| ``` | |||
|
|
|||
| To enable SSL encryption, create `certs` folder and copy the private key named as `tls.key` and the certificate named as `tls.crt` to it. | |||
There was a problem hiding this comment.
I don't have a lot of context about how this works. Where should the certs folder be created? And where can I get the tls.key and tls.crt to copy?
There was a problem hiding this comment.
in folder where docker-compose.yml and ssl.yml is
There was a problem hiding this comment.
Thank you. Where can I find the tls.key and tls.cert? Do I need to generate those some where? Do I need to get them from letsencrypt?
There was a problem hiding this comment.
yes, you can get them from letsencrypt for your domain.
if you do not have your own domain, you can generate a self-signed certificate.
There was a problem hiding this comment.
I've spent a few hours trying to get a tls.key and tls.cert. The letsencrypt website told me to use certbot, so I installed that, and ran sudo certbot certonly --standalone, which generated some .pem files. I don't see any of the files you mentioned anywhere. I can't even find them in the certbot docs: https://certbot.eff.org/docs/search.html?q=tls.crt
Can you tell me what needs to be done to get these files?
There was a problem hiding this comment.
put in certs fullchain.pem as tls.crt and privkey.pem as tls.key
There was a problem hiding this comment.
Amazing! It's working! <3 Thank you so much for your help!
For the sake of other people being able to follow the directions, it might be helpful to add a link to certbot directions and mention that the pem files should be renamed. I never would have guessed that.
This reverts commit 1b7f5bb.
README.md
Outdated
| @@ -26,6 +26,13 @@ Document Server and Nextcloud Docker installation will install the preconfigured | |||
| docker-compose up -d | |||
| ``` | |||
|
|
|||
| To enable SSL encryption, create `certs` folder and copy the private key named as `tls.key` and the certificate named as `tls.crt` to it. | |||
There was a problem hiding this comment.
| To enable SSL encryption, create `certs` folder and copy the private key named as `tls.key` and the certificate named as `tls.crt` to it. | |
| To enable SSL encryption, first create a self-signed certificate or [get one from a certificate authority](https://certbot.eff.org/), then create a `certs` folder at the base of this repo and copy your certificate and private key files into it, naming them `tls.cert` and `tls.key`, respectively. |
| ssl_certificate_key /etc/nginx/certs/tls.key; | ||
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| ssl_ciphers HIGH:!aNULL:!MD5; | ||
|
|
There was a problem hiding this comment.
Nextcloud's security warnings page (/index.php/settings/admin/overview) was complaining that the X-Frame-Options "SAMEORIGIN" header wasn't set. I'm not an nginx expert, so I'm not sure if this is the best place to add it, but adding this line here fixed the warning for me. For some reason, adding it in common.conf didn't seem to work.
| add_header X-Frame-Options "SAMEORIGIN" always; |
|
It seems that with this setup, there is something still missing with the SSL config, that negates most of the benefits of having the document server installed. The DocumentServer is unable to save changes to Nextcloud. Basically when the DocumentServer makes a request to I think the solution is something related to making sure that the SSL certificates are working for internal requests between the document server and nextcloud, and that the certificates are installed on both containers. I spent several hours trying different variations, and haven't quite figured out the solution yet. This thread might have some hints https://help.nextcloud.com/t/warning-the-document-could-not-be-saved/26550 |
No description provided.