From 10639ec0520f563a32b6b718df4c0d486c109f9c Mon Sep 17 00:00:00 2001
From: Robert Schadek <rburners@gmail.com>
Date: Mon, 5 Feb 2024 10:30:01 +0100
Subject: [PATCH] nginx with tls via letsencrypt as entry in sites-available

---
 ...ith-Paperless-ngx-nginx-letsencrypt-fix.md | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 rename Using-a-Reverse-Proxy-with-Paperless-ngx-nginx---letsencrypt-fix.md => Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md (83%)

diff --git a/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx---letsencrypt-fix.md b/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md
similarity index 83%
rename from Using-a-Reverse-Proxy-with-Paperless-ngx-nginx---letsencrypt-fix.md
rename to Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md
index 034cd0c..102d4c1 100644
--- a/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx---letsencrypt-fix.md
+++ b/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md
@@ -30,6 +30,7 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Host $server_name;
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
         }
     }
 }
@@ -44,6 +45,59 @@ towards the end of the section.
 
 Some have found adding the P3P header (`add_header P3P 'CP=""';` see [#817](https://github.com/paperless-ngx/paperless-ngx/issues/817)) works; only [IE and Edge](https://en.wikipedia.org/wiki/P3P) support it.
 
+## nginx with tls via letsencrypt as entry in sites-available
+
+File /etc/nginx/sites-available/SUBDOMAIN.DOMAIN.conf looks like this. Replace SUBDOMAIN.DOMAIN with your domain.
+
+```nginx
+server {
+	server_name SUBDOMAIN.DOMAIN;
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2; # Listen on IPv6
+	ssl_certificate /etc/letsencrypt/live/SUBDOMAIN.DOMAIN/fullchain.pem; # managed by Certbot
+	ssl_certificate_key /etc/letsencrypt/live/SUBDOMAIN.DOMAIN/privkey.pem; # managed by Certbot
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	client_max_body_size 10M;
+	add_header Referrer-Policy "no-referrer" always;
+
+	location / {
+		# Adjust host and port as required.
+		proxy_pass http://127.0.0.1:8000/;
+
+		# These configuration options are required for WebSockets to work.
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+
+		proxy_redirect off;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Host $server_name;
+		add_header Referrer-Policy "strict-origin-when-cross-origin";
+	}
+}
+
+server {
+    listen 80;
+    server_name SUBDOMAIN.DOMAIN;
+    return 301 https://$server_name$request_uri;
+}
+```
+
+in /etc/nginx.conf 
+
+```nginx
+http {
+    include sites-enabled/*;
+}
+```
+
+```sh
+ln -s /etc/nginx/sites-available/SUBDOMAIN.DOMAIN.conf /etc/nginx/sites-enabled/SUBDOMAIN.DOMAIN.conf
+systemctl restart nginx
+```
+
 # Apache
 
 Below is an example of an apache2 conf file that you may customize to fit your environment and needs.