Erweiterung der http.conf (Gateway)-Datei
sudo -s vi http.conf
upstream php-handler {
server unix:/run/php/php7.4-fpm.sock;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name ihre.domain.de ihre. ihre.mantisdomain.de;
root /var/www;
location ^~ /.well-known/acme-challenge {
default_type text/plain;
root /var/www/letsencrypt;
}
location / {
return 301 https://$server_name$request_uri;
}
}
Anlegen des Mantis Bug Tracker-vHosts
cd /etc/nginx/conf.d/
touch mantis.conf && nano mantis.conf
server { server_name ihre.mantisdomain.de; listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_trusted_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; #ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem; #ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem; #ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'; ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; fastcgi_hide_header X-Powered-By; fastcgi_read_timeout 3600; fastcgi_send_timeout 3600; fastcgi_connect_timeout 3600; root /var/www/mantis/; client_max_body_size 10240M; fastcgi_buffers 64 4K; gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; access_log /var/log/nginx/mantis.access.log; error_log /var/log/nginx/mantis.error.log warn; charset utf-8; location ^~ / { index index.php; location ~ ^/favicon.ico$ { root /var/www/mantis/skins/default/images; log_not_found off; access_log off; expires max; } location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ { deny all; } location ~ ^/(bin|SQL|config|temp|logs)/ { deny all; } location ~ /\.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; } location /api/rest { try_files $uri /api/rest/index.php$is_args$args; } location ~ \.php$ { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ /\.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; } } }
Erweitern der SSL-Zertifikate
Das bestehende SSL-Zertifikat wird um die neue mantis-Domain erweitert:
su - acmeuser
acme.sh --issue -d ihre.domain.de -d ihre.mantisdomain.de --server letsencrypt --keylength 4096 -w /var/www/letsencrypt --key-file /etc/letsencrypt/rsa-certs/privkey.pem --ca-file /etc/letsencrypt/rsa-certs/chain.pem --cert-file /etc/letsencrypt/rsa-certs/cert.pem --fullchain-file /etc/letsencrypt/rsa-certs/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"
acme.sh --issue -d ihre.domain.de -d ihre.mantisdomain.de --server letsencrypt --keylength ec-384 -w /var/www/letsencrypt --key-file /etc/letsencrypt/ecc-certs/privkey.pem --ca-file /etc/letsencrypt/ecc-certs/chain.pem --cert-file /etc/letsencrypt/ecc-certs/cert.pem --fullchain-file /etc/letsencrypt/ecc-certs/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"
exit
sed -i '/ssl-cert-snakeoil/d' /etc/nginx/conf.d/mantis.conf sed -i s/#\ssl/\ssl/g /etc/nginx/conf.d/mantis.conf
Nun starten wir den Webserver neu:
nginx -t
service nginx restart