Cozy reverse proxy

How to set up a reverse proxy for Cozy




Server block configuration

/etc/nginx/sites-available/cozy.wildw1ng.com.conf
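# HTTPS virtual host: terminates TLS for cozy.wildw1ng.com and its subdomains
# and proxies every request to the Cozy server.
server {
    listen 443 ssl;
    # The standalone "http2" directive needs nginx 1.25.1 or newer; on older
    # versions use "listen 443 ssl http2;" instead.
    http2  on;

#   listen [::]:443 ssl http2;

    # The leading dot matches cozy.wildw1ng.com and *.cozy.wildw1ng.com.
    server_name .cozy.wildw1ng.com;

    # No HTTP->HTTPS rewrite in this block: it only ever receives HTTPS, so a
    # working redirect here would loop. The redirect belongs to the port-80
    # server block.

    error_log   /var/log/nginx/cozy.wildw1ng.com.error.log;
    access_log  /var/log/nginx/cozy.wildw1ng.com.access.log;

    # These are the paths to your generated Let's Encrypt SSL certificates.
    # The certificate has to cover every name matched by server_name above.
    ssl_certificate /etc/letsencrypt/live/wildw1ng.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wildw1ng.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # NOTE(review): Certbot's options-ssl-nginx.conf may already set
    # ssl_session_cache; if "nginx -t" reports a duplicate directive, drop
    # this line.
    ssl_session_cache   shared:SSL:60m;

    # Limit max upload size
    client_max_body_size 1g;

    location / {
        # Address of the Cozy server. This hop is plain HTTP, so keep it on a
        # trusted network segment and let port 8080 on the Cozy host accept
        # connections from this proxy only.
        proxy_pass         http://10.0.1.15:8080;
        proxy_http_version 1.1;
        # Rewrite http:// Location headers from the backend to https://.
        proxy_redirect     http:// https://;
        # Appends the connecting address to whatever X-Forwarded-For the
        # client sent; only the last entry is written by this proxy.
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # $host is normalised by nginx; $http_host would forward the raw,
        # client-supplied Host header.
        proxy_set_header   Host $host;
        # WebSocket upgrade. The bare word "connection_upgrade" was sent to the
        # backend literally; "$connection_upgrade" is only valid when a
        # matching map is defined in the http context, so a fixed value is
        # used here.
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # add_header is inherited by a location only while that location declares
    # no add_header of its own; keep the headers below at server level.

    # Anti-MIME-Sniffing header ("always" also covers error responses)
    add_header X-Content-Type-Options nosniff always;

    # Anti-ClickJacking Header
    add_header X-Frame-Options "SAMEORIGIN" always;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/wildw1ng.com/chain.pem; # managed by Certbot

    # OCSP stapling
    # NOTE(review): Let's Encrypt has retired its OCSP service; for a
    # certificate without an OCSP responder URL nginx logs a warning and
    # ignores stapling. Confirm against the certificate actually in use.
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}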

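# Plain-HTTP virtual host: redirects requests for the Cozy names to HTTPS and
# answers 404 for any other Host that lands here.
server {
    # "=" is an exact string comparison, and $host never equals
    # ".cozy.wildw1ng.com" (leading dot), so the redirect never fired.
    # The regex matches cozy.wildw1ng.com and any subdomain of it.
    if ($host ~ "(^|\.)cozy\.wildw1ng\.com$") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen       80;
#   listen  [::]:80;
    # Same name pattern as the HTTPS block, so the bare domain is redirected too.
    server_name .cozy.wildw1ng.com;
    return 404; # managed by Certbot
}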

# Enable the site by linking the config into sites-enabled (run as root;
# assumes the Debian-style sites-available/sites-enabled layout).
ln -s /etc/nginx/sites-available/cozy.wildw1ng.com.conf /etc/nginx/sites-enabled/cozy.wildw1ng.com.conf

Check nginx configuration file syntax

# Run as root so nginx can read the certificate key; continue only when it
# reports "syntax is ok" and "test is successful".
nginx -t

Restart service

# A restart drops connections that are in flight; "systemctl reload nginx.service"
# applies a config change without doing so.
systemctl restart nginx.service

# Not a setup step: this disables the site again by removing the symlink.
# Re-run "nginx -t" and restart nginx afterwards for it to take effect.
unlink /etc/nginx/sites-enabled/cozy.wildw1ng.com.conf