| 1 | +# Secure Mergin Maps installation |
| 2 | + |
| 3 | +::: warning |
| 4 | +This sections aims to provide some guidelines and a minimalistic example on how to secure a <MainPlatformName /> deployment. |
| 5 | + |
| 6 | +Further security enhancements should be implemented by experts in accordance to cybersecurity policies in place. |
| 7 | + |
| 8 | +::: |
| 9 | +For security and privacy reasons <MainPlatformName /> deployments should enable HTTPS secured connection via certificate file. |
| 10 | + |
| 11 | +We provide a template configuration file <GitHubRepo id="MerginMaps/server/blob/master/ssl-proxy.conf" desc="ssl-proxy.conf" />as base for your configuration. |
| 12 | + |
| 13 | +Let's have a quick look at the main sections: |
| 14 | + |
| 15 | +``` shell |
| 16 | + server { |
| 17 | + listen 443 ssl; |
| 18 | + server_name merginmaps.company.com; # FIXME |
| 19 | + client_max_body_size 4G; |
| 20 | + ... |
| 21 | +``` |
| 22 | +
|
| 23 | +Here we enable SSL via the default `443` port and configure name-based HTTPS server via `server_name`. Here you should change this according to your target server name. |
| 24 | +
|
| 25 | +We don't recommend setting a `client_max_body_size` higher than specified, because that might lead to timeouts while uploading your data to Mergin Maps. |
| 26 | +
|
| 27 | +Next, you need to point your certificate files to NGINX configuration. This is done on the next lines on the secured configuration: |
| 28 | +
|
| 29 | +``` shell |
| 30 | + ... |
| 31 | + ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME |
| 32 | + ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME |
| 33 | + ... |
| 34 | +``` |
| 35 | +
|
| 36 | +The above example uses automated keys generated by CertBot. For more information, visit [CertBot](https://certbot.eff.org/instructions) website and check how you can generate your own keys. |
| 37 | +
|
| 38 | +Some extra security settings for HTTP headers are provided. Please review them and update in accordance to your requirements. |
| 39 | +
|
| 40 | +```shell |
| 41 | + # Prevent crawlers from indexing and following links for all content served from the mergin app |
| 42 | + add_header X-Robots-Tag "none"; |
| 43 | +
|
| 44 | + # Protect against clickjacking iframe |
| 45 | + add_header Content-Security-Policy "frame-ancestors 'self';" always; |
| 46 | +
|
| 47 | + # Add a HSTS policy to prevent plain http from browser |
| 48 | + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; |
| 49 | +
|
| 50 | + # Set cookies security flags |
| 51 | + proxy_cookie_flags ~ secure httponly samesite=strict; |
| 52 | +
|
| 53 | + location / { |
| 54 | + root /var/www/html; |
| 55 | +
|
| 56 | + # The lines below were copied from application proxy |
| 57 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 58 | + proxy_set_header X-Forwarded-Proto $scheme; |
| 59 | + proxy_set_header Host $http_host; |
| 60 | + # we don't want nginx trying to do something clever with |
| 61 | + # redirects, we set the Host: header above already. |
| 62 | + proxy_redirect off; |
| 63 | + proxy_pass http://app_server; |
| 64 | + } |
| 65 | +``` |
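Review bot: the hardened example has no HTTP-to-HTTPS redirect and no TLS protocol/cipher settings, so as written it does not actually enforce what the page promises. The `server { listen 443 ssl; ... }` block is the only server shown, and the `Strict-Transport-Security` header (line 48) only takes effect after a browser has already completed one HTTPS visit; a user who first types the bare hostname gets plain HTTP (or whatever default server answers on 80). Suggest adding a minimal `listen 80` server that does `return 301 https://$host$request_uri;` before the 443 block, and mentioning `ssl_protocols`/`ssl_ciphers` (even if only as "see Mozilla's SSL config generator") so "secure" is not left entirely to the reader. Smaller points in the same hunk: `root /var/www/html;` inside `location /` (line 54) is dead configuration because every request is handed to `proxy_pass http://app_server;`, and it may mislead readers into thinking static files are served from there; `proxy_cookie_flags` (line 51) requires nginx 1.19.3 or newer and silently fails to load on older packages, which is worth a one-line note since the three cookie flags are the point of that section; `samesite=strict` will break any login flow that returns to the site from a third-party page, so the text should say it is a deliberate trade-off. The fences are tagged `shell` but the content is an nginx config, so `nginx` would give correct highlighting. Typos: "This sections aims" should be "This section aims", "in accordance to" should be "in accordance with" (lines 6 and 38), and the `<GitHubRepo ... />as base` on line 11 is missing the space before "as".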