Installation

Requirements

Systemd Service

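# systemd unit that runs the Kulini backend as a long-lived service.
# Bracketed values are placeholders and must be replaced before installing.
[Unit]
Description=Kulini
# syslog.target is obsolete on current systemd releases; ordering after it is
# harmless and is kept for older systems.
After=syslog.target
After=network.target

[Service]
Type=simple
# Run as a dedicated unprivileged account, not root and not a login user,
# so a compromised backend is limited to what that account can reach.
User=[Benutzername]
Group=[Gruppe]
WorkingDirectory=/[Pfad zu Kulini]/kulini-backend/
ExecStart=/[Pfad zu Kulini]/kulini-backend/./kulini-backend
Restart=always

# Sandboxing: the process and its children can never gain new privileges
# (setuid/setgid binaries, file capabilities), and /tmp is private to the unit.
NoNewPrivileges=true
PrivateTmp=true
# NOTE(review): further hardening to enable once the paths the backend writes
# to are known; both break the service if it lives or writes under the
# protected trees, so confirm against the actual installation first.
#ProtectSystem=full
#ProtectHome=true

[Install]
WantedBy=multi-user.target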

Webserver Configuration

nginx

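# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    server_name [Domain];
    listen 80;
    listen [::]:80;
    # $host comes from the request (request line or Host header) and falls
    # back to server_name; $request_uri keeps the original path and query.
    return 301 https://$host$request_uri;
}

# HTTPS site: serves the built client and proxies /api/ to the backend.
server {
    server_name [Domain];
    root /[path to Ofenschlupfer]/client/dist;
    # Port 80 is handled only by the redirect server above. Listening on it
    # here as well would repeat the same name/port pair, which nginx reports
    # as a conflicting server name, and would blur the HTTP-to-HTTPS boundary.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Response security headers. "always" makes nginx send them on error
    # responses (4xx/5xx) too, not only on successful ones.
    # These add_header lines are inherited only by locations that declare no
    # add_header of their own; adding one inside a location drops all of them.
    #
    # CSP: everything is denied by default; styles, images, scripts and
    # fetch/XHR are allowed from the same origin only; framing, form
    # submission and <base> are disabled.
    add_header Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; script-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'none'; base-uri 'none';" always;
    # HSTS for two years.
    # NOTE(review): "preload" only takes effect via the browser preload list,
    # whose submission rules also require includeSubDomains; add that only
    # after confirming every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; preload;" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Valid values are DENY and SAMEORIGIN; "none" is not one of them and is
    # ignored by browsers. DENY matches frame-ancestors 'none' in the CSP.
    add_header X-Frame-Options "DENY" always;
    # Legacy header for the old browser XSS auditor; current browsers ignore
    # it, so the CSP above is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer" always;

    # The private key must be readable only by root / the nginx master process.
    ssl_certificate     /[pfad to certificate]/fullchain.pem;
    ssl_certificate_key /[pfad to certificate]/privkey.pem;

    # TLS session resumption through a shared server-side cache; session
    # tickets are switched off.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    # Only TLS 1.2 and 1.3 are offered; the client's cipher order is honoured.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers off;

    # Client: single-page application, unknown paths fall back to index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Server: the trailing "/" on proxy_pass replaces the /api/ prefix, so the
    # backend receives the path without it. The backend should listen on
    # loopback only so that it cannot be reached around this proxy.
    location /api/ {
        proxy_pass http://localhost:[server port]/;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends the connecting address to any
        # X-Forwarded-For value the client sent. Only the last entry is set
        # by this proxy; the backend must not trust the earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}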

Apache httpd

Warning

This configuration has not been tested.

# Plain-HTTP virtual host: redirects every request to HTTPS with a 301.
<VirtualHost *:80>
    ServerName [Domain]
    RewriteEngine On
    # In virtual-host context the pattern is matched against the URL path
    # including its leading "/", so $1 already starts with a slash.
    # The target host is taken from the request's Host header (%{HTTP_HOST}).
    # NOTE(review): if this is the default virtual host for port 80, requests
    # with any Host value end up here; consider redirecting to the fixed
    # site name instead of reflecting the header.
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

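# HTTPS virtual host: serves the built client and proxies /api/ to the backend.
# Requires mod_ssl, mod_headers, mod_rewrite, mod_proxy and mod_proxy_http
# (plus mod_http2 for the "h2" protocol).
# NOTE(review): no DocumentRoot is set in this virtual host; it has to point
# at the built client directory for the file checks below to be meaningful.
<VirtualHost *:443>
    ServerName [domain]
    Protocols h2 http/1.1

    SSLEngine on
    # The private key must be readable only by root / the httpd parent process.
    SSLCertificateFile      /[Pfad zum Zertifikat]/fullchain.pem
    SSLCertificateKeyFile   /[Pfad zum Zertifikat]/privkey.pem

    # Response security headers. "always" also covers error responses.
    # Apache directives take no trailing ";": after a quoted value it is parsed
    # as an extra argument and the configuration is rejected.
    Header always set Strict-Transport-Security "max-age=63072000"
    # CSP: deny by default; same-origin styles, images, scripts and fetch/XHR
    # only; no framing, no form submission, no <base>.
    Header always set Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; script-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'none'; base-uri 'none';"
    Header always set X-Content-Type-Options "nosniff"
    # Valid values are DENY and SAMEORIGIN; "none" is ignored by browsers.
    Header always set X-Frame-Options "DENY"
    # Legacy header; current browsers ignore it and rely on the CSP above.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer"

    # Single-page-application fallback, written for virtual-host context:
    #  - RewriteBase is valid only in <Directory>/.htaccess context, so it is
    #    not used here;
    #  - patterns are matched against the URL path with its leading "/";
    #  - REQUEST_FILENAME is not yet a filesystem path at this stage, so the
    #    file and directory checks are built from DOCUMENT_ROOT + REQUEST_URI.
    RewriteEngine On
    RewriteRule ^/index\.html$ - [L]
    # API requests are never rewritten to the client; ProxyPass handles them.
    RewriteCond %{REQUEST_URI} !^/api/
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
    RewriteRule ^ /index.html [L]

    # The backend should listen on loopback only so that it cannot be reached
    # around this proxy. ProxyPassReverse rewrites Location headers in backend
    # redirects back to the public /api/ prefix.
    ProxyPass /api/ http://localhost:[Backend-Port]/
    ProxyPassReverse /api/ http://localhost:[Backend-Port]/
</VirtualHost>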

# TLS settings placed outside any <VirtualHost>, i.e. at server-config scope.
# Start from every protocol mod_ssl supports and remove SSLv3, TLS 1.0 and
# TLS 1.1, which leaves TLS 1.2 and newer.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# The client's cipher preference order is used rather than the server's.
SSLHonorCipherOrder     off
# TLS session tickets are disabled.
SSLSessionTickets       off