In case anyone is interested this is an nginx "sites-available" reverse-proxy file that uses self-signed certs, diverts port 80 to 443, adds a bit of hardening and also logging. It does work with 2.0.6-beta.
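# Plain-HTTP listener: its only job is to send every request to the HTTPS site.
# (The "server" keyword was missing from the opening line; without it nginx
# rejects the file.)
server {
    listen 80;
    server_name joplin.example.lol;
    # The redirect target uses the fixed hostname rather than $host, so the
    # Location header never reflects a client-supplied Host value.
    return 301 https://joplin.example.lol$request_uri;
}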
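# HTTPS listener: terminates TLS and proxies every request to the backend on
# 127.0.0.1:22300 (presumably the Joplin server - confirm the port).
server {
    listen 443 ssl http2;
    server_name joplin.example.lol;

    # Generous timeouts for slow backend requests.
    # NOTE(review): the nginx documentation says proxy_connect_timeout usually
    # cannot exceed 75 seconds, so 720s is probably not effective for it.
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Largest request body accepted from a client.
    client_max_body_size 50m;

    # Proxy headers
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For value the client sent, so only the LAST entry is set by
    # this proxy. The backend must not trust earlier entries for logging,
    # rate limiting or access decisions; X-Real-IP below is always overwritten
    # with the connecting address.
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    # With a self-signed certificate, clients cannot validate the server unless
    # the certificate (or the CA that signed it) is installed as trusted on
    # each of them. Keep the key file readable only by the nginx master user.
    ssl_certificate /path/to/certs/joplin.example.lol-cert.pem;
    ssl_certificate_key /path/to/certs/joplin.example.lol-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # The original list also named "EECDH+aRSA+RC4", which the later "!RC4"
    # exclusion cancels; the dead entry is dropped here and the effective
    # cipher set is unchanged.
    # NOTE(review): the bare "EECDH", "EDH+aRSA" and "HIGH" entries still admit
    # CBC-mode suites. ssl_ciphers is generally understood to apply to
    # TLS 1.2 and below only.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    # log files
    # Per-site logs keep this host's requests separate from other vhosts.
    access_log /var/log/nginx/joplin.example.lol.access.log;
    error_log /var/log/nginx/joplin.example.lol.error.log;

    # Handle / requests and redirect to a specific port on localhost
    # The backend hop is plain HTTP but stays on the loopback interface.
    location / {
        # Pass the backend's Location/Refresh headers through unmodified.
        proxy_redirect off;
        proxy_pass http://127.0.0.1:22300;
    }
}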
Replace `joplin.example.lol` with your domain, and `/path/to/certs/example.lol-cert.pem` and `/path/to/certs/example.lol-key.pem` with the real thing.
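Then, using your real domain in the file name, enable the site with `sudo ln -s /etc/nginx/sites-available/joplin.example.lol.conf /etc/nginx/sites-enabled/joplin.example.lol.conf`. Check the configuration with `sudo nginx -t` and reload nginx so the new site takes effect.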
I got to this by butchering other examples, I am not an nginx expert.