The Wiki NGINX Configuration

This instance of wiki runs behind an nginx reverse proxy using the following configuration:

```
server {
    listen 443 quic;
    listen [::]:443 quic;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name CHANGEME;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /CHANGEME/fullchain.pem;
    ssl_certificate_key /CHANGEME/privkey.pem;

    add_header Strict-Transport-Security max-age=15768000;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://query.search.federatedwiki.org; img-src 'self' data:; object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; font-src 'self' https://maxcdn.bootstrapcdn.com; connect-src 'self' data: https://query.search.federatedwiki.org";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";

    location / {
        proxy_pass http://fedwiki;
        proxy_set_header Host $host;
        proxy_busy_buffers_size 512k;
        proxy_buffers 4 512k;
        proxy_buffer_size 256k;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name wiki.r.bdr.sh;

    location / {
        proxy_pass http://fedwiki;
        proxy_set_header Host $host;
        proxy_busy_buffers_size 512k;
        proxy_buffers 4 512k;
        proxy_buffer_size 256k;
    }
}

upstream fedwiki {
    server localhost:3999;
}
```

Some things worth noting:

* We have decided to make wiki available via both `HTTP` and `HTTPS`.
* Our `Content-Security-Policy` might not work for you, and you might require something more or less permissive, especially if you're using farm mode.
* We increase the size of the proxy buffers to deal with the OIDC response.
* We use farm mode, but this configuration should work the same in both farm and single-wiki mode.
* You will need to change the `server_name` directives and the `ssl_certificate` paths.
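Because the `Content-Security-Policy` and `Strict-Transport-Security` values above are the part of this config most people will need to adapt, here is a small header linter that parses them and reports what a reviewer would flag. This is an added example for this page, not code from the wiki or from the federated wiki project: the header values are copied from the `add_header` lines above, while the parsing (CSP3 `default-src` fallback, the rule that a nonce or hash makes `'unsafe-inline'` inert) and the findings it produces are my own assumptions about what is worth checking, and the one-year `max-age` threshold is the value the HSTS preload list requires.

```python
"""Lint the security headers emitted by the nginx config above.

Added example for this page; not code from the wiki page or from the
federated wiki project. Header values are copied from the add_header
lines in the config; the lint rules are this example's own reading of
CSP fallback and source-expression semantics.
"""
from __future__ import annotations

# Values copied verbatim from the add_header directives in the config.
WIKI_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' "
    "https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' "
    "https://maxcdn.bootstrapcdn.com https://query.search.federatedwiki.org; "
    "img-src 'self' data:; object-src 'none'; base-uri 'none'; form-action 'none'; "
    "frame-ancestors 'none'; font-src 'self' https://maxcdn.bootstrapcdn.com; "
    "connect-src 'self' data: https://query.search.federatedwiki.org"
)
WIKI_HSTS = "max-age=15768000"

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts

# Directives that never fall back to default-src (document/navigation
# directives and reporting); everything else inherits from default-src.
NO_FALLBACK = {"base-uri", "sandbox", "form-action", "frame-ancestors",
               "report-uri", "report-to", "upgrade-insecure-requests"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first whitespace token is the directive
    name, the rest its source list. Names are case-insensitive and, as in
    browsers, only the first occurrence of a repeated directive counts.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources that actually govern `directive` after default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None  # absent means "unrestricted", not "as default-src"
    return policy.get("default-src")


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    policy = parse_csp(header)
    findings: list[str] = []

    scripts = effective_sources(policy, "script-src") or []
    has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in scripts)
    # A nonce or hash makes 'unsafe-inline' inert in CSP2+ browsers, so it
    # is only a finding when neither is present.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' without a nonce or hash, "
                        "so injected inline scripts still execute")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' permits eval() of runtime strings")
    for broad in ("*", "http:", "https:", "data:"):
        if broad in scripts:
            findings.append(f"script-src: {broad} allows scripts from any matching origin")
    for source in scripts:
        if source.startswith("https://"):
            findings.append(f"script-src: host allowlist entry {source} permits any "
                            "script on that host, not just the files the wiki uses")

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src: should be 'none' so plugin content cannot run script")
    for directive, why in (("base-uri", "an injected <base> tag can redirect relative URLs"),
                           ("frame-ancestors", "the page can be framed (clickjacking)")):
        if directive not in policy:
            findings.append(f"{directive}: not set, {why}")
    return findings


def parse_hsts(header: str) -> dict[str, int | bool]:
    """Parse Strict-Transport-Security into its max-age and flags."""
    result: dict[str, int | bool] = {"max-age": 0, "includeSubDomains": False, "preload": False}
    for part in header.split(";"):
        token = part.strip()
        if token.lower().startswith("max-age="):
            result["max-age"] = int(token.split("=", 1)[1].strip().strip('"'))
        elif token.lower() == "includesubdomains":
            result["includeSubDomains"] = True
        elif token.lower() == "preload":
            result["preload"] = True
    return result


def lint_hsts(header: str) -> list[str]:
    hsts = parse_hsts(header)
    findings: list[str] = []
    if hsts["max-age"] < ONE_YEAR:
        findings.append(f"HSTS: max-age {hsts['max-age']} is below the one-year "
                        f"value ({ONE_YEAR}) the preload list requires")
    if not hsts["includeSubDomains"]:
        findings.append("HSTS: includeSubDomains not set, subdomains stay reachable over HTTP")
    return findings


if __name__ == "__main__":
    for line in lint_csp(WIKI_CSP) + lint_hsts(WIKI_HSTS):
        print("-", line)
```

Run against the values from this config it reports the `'unsafe-inline'` in `script-src` (which federated wiki's inline scripts currently need), the whole-host allowlist for the CDN, and the six-month HSTS `max-age`; the `object-src`, `base-uri` and `frame-ancestors` settings come out clean. If you tighten or loosen the policy for your own instance, paste the new value into `WIKI_CSP` and rerun it before deploying.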