can verify stapling using openssl s_client -connect hostname:443 -status
status_request is RFC6066. there is also status_request_v2 (RFC6961) but this is
not implemented even in openssl libs yet
had to move the ~ login/logout regexp inside. This is because of
https://www.ruby-forum.com/t/proxy-pass-location-inheritance/239135
What it says is that a regexp inside a matching location prefix is
given precedence regardless of how it appears in the file. This means
that the negative regexp got precedence over login|logout and thus
went into infinite redirect. By moving it to same level, the regexps
are considered in order.
Some notes on nginx location:
* First, it will match the prefixes (= and the /). If =, the matching stops.
If /xx then the longest match is "remembered"
* It will then match the regex inside the longest match. First match wins
* It will then match the rest of the regex locations. First match win
* If no regex matched, it will then do the remembered longest prefix
fixes#762
the main reason this is under app and not domain is because it let's
the user know that an app has to be installed for the whole thing to work.
part of #703
when user goes to /logout and then goes to /, the browser will
serve up the cached / based on cache-control. This might make the
user believe they are not logged out.
fixes#753
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
"If the proxy_pass directive is specified with a URI, then when a request
is passed to the server, the part of a normalized request URI matching the
location is replaced by a URI specified in the directive"
we can just use container IP instead of all this httpPort exporting magic.
this is also required for exposing httpPaths feature (we have to otherwise
have multiple httpPorts).
'setup' endpoint for setup/restore. we show the setup wizard.
'ip' endpoint is post activation. we show a splash screen here.
Also, the https://ip will not respond to any api calls anymore
(since this will leak the admin fqdn otherwise).
We should probably make this customizable at some point.
Fixes#739
one of our users had the site reverse proxied. it broke after the
5.1 cipher change and they nailed it down to using this cipher.
https://security.stackexchange.com/questions/72926/is-tls-ecdhe-rsa-with-aes-128-cbc-sha256-a-safe-cipher-suite-to-use
says this is safe
The following prints the cipher suite:
log_format combined2 '$remote_addr - [$time_local] '
'$ssl_protocol/$ssl_cipher '
'"$request" $status $body_bytes_sent $request_time '
'"$http_referer" "$host" "$http_user_agent"';
