website/docs: Improve example nginx reverse proxy config (goauthentik…

…#8160) Signed-off-by: Daniel Lo Nigro <[email protected]>
CanaryTek · Jan 23, 2024 · a62cca3 · a62cca3
1 parent ff5d15b
commit a62cca3
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/website/docs/installation/reverse-proxy.md b/website/docs/installation/reverse-proxy.md
@@ -13,6 +13,8 @@ If you want to access authentik behind a reverse-proxy, there are a few headers
 -   `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication.
 -   `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1.
 
+It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3.
+
 The following nginx configuration can be used as a starting point for your own configuration.
 
 ```
@@ -32,21 +34,21 @@ map $http_upgrade $connection_upgrade_keepalive {
 server {
     # HTTP server config
     listen 80;
+    listen [::]:80;
     server_name sso.domain.tld;
-
     # 301 redirect to HTTPS
-    location / {
-            return 301 https://$host$request_uri;
-    }
+    return 301 https://$host$request_uri;
 }
 server {
     # HTTPS server config
     listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name sso.domain.tld;
 
     # TLS certificates
     ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
     # Proxy site
     location / {