From d1f7627d5f1ccca18c7873ff5b9225493624082d Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Wed, 6 Mar 2024 08:37:09 -0800
Subject: [PATCH] Destroyed Using a Reverse Proxy with Paperless ngx nginx
 letsencrypt fix (markdown)

---
 ...ith-Paperless-ngx-nginx-letsencrypt-fix.md | 187 ------------------
 1 file changed, 187 deletions(-)
 delete mode 100644 Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md

diff --git a/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md b/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md
deleted file mode 100644
index 102d4c1..0000000
--- a/Using-a-Reverse-Proxy-with-Paperless-ngx-nginx-letsencrypt-fix.md
+++ /dev/null
@@ -1,187 +0,0 @@
-If you want to expose paperless to the internet, you should hide it
-behind a reverse proxy with SSL enabled. The officially supported method is Nginx.
-
-# Nginx
-
-In addition to the usual configuration for SSL, the following
-configuration is required for paperless to operate:
-
-```nginx
-http {
-
-    # Adjust as required. This is the maximum size for file uploads.
-    # The default value 1M might be a little too small.
-    client_max_body_size 10M;
-
-    server {
-
-        location / {
-
-            # Adjust host and port as required.
-            proxy_pass http://localhost:8000/;
-
-            # These configuration options are required for WebSockets to work.
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-
-            proxy_redirect off;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Host $server_name;
-            add_header Referrer-Policy "strict-origin-when-cross-origin";
-        }
-    }
-}
-```
-
-The `PAPERLESS_URL` configuration variable is also required when using a
-reverse proxy; consider setting `USE_X_FORWARD_HOST=true` and `USE_X_FORWARD_PORT=true`. Please refer to the [hosting and security](https://docs.paperless-ngx.com/configuration/#hosting-and-security) docs.
-
-Also read
-[this](https://channels.readthedocs.io/en/stable/deploying.html#nginx-supervisor-ubuntu),
-towards the end of the section.
-
-Some have found adding the P3P header (`add_header P3P 'CP=""';` see [#817](https://github.com/paperless-ngx/paperless-ngx/issues/817)) works; only [IE and Edge](https://en.wikipedia.org/wiki/P3P) support it.
-
-## nginx with tls via letsencrypt as entry in sites-available
-
-File /etc/nginx/sites-available/SUBDOMAIN.DOMAIN.conf looks like this. Replace SUBDOMAIN.DOMAIN with your domain.
-
-```nginx
-server {
-	server_name SUBDOMAIN.DOMAIN;
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2; # Listen on IPv6
-	ssl_certificate /etc/letsencrypt/live/SUBDOMAIN.DOMAIN/fullchain.pem; # managed by Certbot
-	ssl_certificate_key /etc/letsencrypt/live/SUBDOMAIN.DOMAIN/privkey.pem; # managed by Certbot
-	include /etc/letsencrypt/options-ssl-nginx.conf;
-	client_max_body_size 10M;
-	add_header Referrer-Policy "no-referrer" always;
-
-	location / {
-		# Adjust host and port as required.
-		proxy_pass http://127.0.0.1:8000/;
-
-		# These configuration options are required for WebSockets to work.
-		proxy_http_version 1.1;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "upgrade";
-
-		proxy_redirect off;
-		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Host $server_name;
-		add_header Referrer-Policy "strict-origin-when-cross-origin";
-	}
-}
-
-server {
-    listen 80;
-    server_name SUBDOMAIN.DOMAIN;
-    return 301 https://$server_name$request_uri;
-}
-```
-
-in /etc/nginx.conf 
-
-```nginx
-http {
-    include sites-enabled/*;
-}
-```
-
-```sh
-ln -s /etc/nginx/sites-available/SUBDOMAIN.DOMAIN.conf /etc/nginx/sites-enabled/SUBDOMAIN.DOMAIN.conf
-systemctl restart nginx
-```
-
-# Apache
-
-Below is an example of an apache2 conf file that you may customize to fit your environment and needs.
-
-```apache
-    DEFINE local_url 127.0.0.1
-    DEFINE local_port 8000
-    DEFINE url_prefix paperless
-    DEFINE public_url ${url_prefix}.my.domain
-    DEFINE email ${url_prefix}@my.domain
-    ServerTokens Prod
-    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
-    SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
-    SSLSessionCacheTimeout 300
-### If you have Google's Mod PageSpeed, disable it ###
-#    ModPagespeed Off
-<VirtualHost *:80>
-    ServerName ${public_url}
-    DocumentRoot /var/www/html
-    ServerAdmin ${email}
-    ErrorLog ${APACHE_LOG_DIR}/${url_prefix}.error.log
-    CustomLog ${APACHE_LOG_DIR}/${url_prefix}.access.log combined
-    RewriteEngine On
-    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
-    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
-</VirtualHost>
-<VirtualHost *:443>
-    ServerName ${public_url}
-    DocumentRoot /var/www/html
-    ServerAdmin ${email}
-    ErrorLog ${APACHE_LOG_DIR}/${url_prefix}.error.log
-    CustomLog ${APACHE_LOG_DIR}/${url_prefix}.access.log combined
-    SSLEngine On
-    SSLCertificateFile /etc/letsencrypt/live/my.domain/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
-### Forbid the http1.0 protocol ###
-    Protocols h2 http/1.1
-    Timeout 360
-    ProxyRequests Off
-    ProxyPreserveHost On
-    ProxyTimeout 600
-    ProxyReceiveBufferSize 4096
-    SSLProxyEngine On
-    RequestHeader set Front-End-Https "On"
-    ServerSignature Off
-    SSLCompression Off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors Off
-    SSLSessionTickets Off
-    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
-    Header always set Strict-Transport-Security "max-age=15552000; preload"
-    Header always set X-Content-Type-Options nosniff
-    Header always set X-Robots-Tag none
-    Header always set X-XSS-Protection "1; mode=block"
-    Header always set X-Frame-Options "SAMEORIGIN"
-    Header always set Referrer-Policy "strict-origin-when-cross-origin"
-    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
-### Lax CSP and will not score the best on Mozilla Observatory or other platforms alike, but won't need to be updated with version changes ###
-    Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; font-src 'self' data: ${public_url}; media-src 'self' blob: data: https: ${public_url}; script-src 'self' 'unsafe-inline' ${public_url}; style-src 'self' 'unsafe-inline' ${public_url}; img-src 'self' data: blob: https: ${public_url}; worker-src * blob:; frame-src 'self' https://${public_url}; connect-src 'self' wss: https: ${public_url}; form-action 'self'; frame-ancestors 'self' https://${public_url} https://my.domain https://*.my.domain; manifest-src 'self'; object-src 'self' https://${public_url}"
-    Header always set Permissions-Policy 'geolocation=(self "https://${public_url}"), midi=(self "https://${public_url}"), sync-xhr=(self "https://${public_url}"), microphone=(self "https://${public_url}"), camera=(self "https://${public_url}"), magnetometer=(self "https://${public_url}"), gyroscope=(self "https://${public_url}"), fullscreen=(self "https://${public_url}"), payment=(self "https://${public_url}")'
-    SSLHonorCipherOrder Off
-### Use next two for very secure connections ###
-    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-### Use next two for secure connections and support more endpoints ###
-    #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
-    #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-### Actually proxy the traffic and really the only important part ###
-    AllowEncodedSlashes On
-    RewriteEngine On
-    SetEnvIf Cookie "(^|;\ *)csrftoken=([^;\ ]+)" csrftoken=$2
-    RequestHeader set  X-CSRFToken "%{csrftoken}e"
-### Proxy Websockets Section 1 (works for me) ###
-    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
-    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
-    RewriteRule ^/?(.*) "ws://${local_url}:${local_port}/$1" [P,L]
-### Proxy Websockets Section 2 (untested) ###
-    #RewriteCond %{HTTP:UPGRADE} =websocket [NC]
-    #RewriteRule ^/ws/(.*) ws://${local_url}:${local_port}/ws/$1 [P,L]
-### Proxy everything else ###
-    ProxyPass / http://${local_url}:${local_port}/ connectiontimeout=6 timeout=60
-    ProxyPassReverse / http://${local_url}:${local_port}/
-### If Docker and/or Paperless-NGX server is down but webserver is up, show error page ###
-    ErrorDocument 503 '<!DOCTYPE html>\n<html xml:lang="en" lang="en" dir="ltr" prefix="og: http://ogp.me/ns#">\n<meta http-equiv="refresh" content="15" />\n<head id="head">\n<meta http-equiv="X-UA-Compatible" content="IE=edge"/>\n<title>Offline</title>\n<style>html{width:100%}body{background-color:#a6a6a6;text-align:center;font-family:Helvetica,Tahoma}</style>\n</head>\n<body>\n<h1>${public_url}</h1>\n<p>Appears to be offline... will try again every 15 seconds.<br><br>Nothing happening? Contact the <a href="mailto:${email}" target="_blank">admin</a>.</p>\n</body>\n</html>'
-</VirtualHost>
-```
\ No newline at end of file