-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathnginx.conf
More file actions
169 lines (136 loc) · 4.29 KB
/
Copy pathnginx.conf
File metadata and controls
169 lines (136 loc) · 4.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
upstream exporter {
server 127.0.0.1:3001;
}
upstream read-write {
server 127.0.0.1:4001;
}
upstream ocsp-responder {
server 127.0.0.1:5001;
}
upstream builder {
server 127.0.0.1:7001;
}
upstream event {
server 127.0.0.1:8001;
}
resolver 127.0.0.11;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Gzip Settings
##
gzip on;
# Basic DoS prevention measures
limit_conn addr 100;
client_body_timeout 5s;
client_header_timeout 5s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Backend configuration
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-CERT $ssl_client_cert;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
server {
# Section for serving insecure HTTP, note that this is suitable for
# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
listen 80 default_server;
# Proxy pass Prometheus metric exporter
location /metrics {
proxy_pass http://exporter;
}
# Proxy pass OCSP responder
location /api/ocsp/ {
proxy_pass http://ocsp-responder;
}
# Event server
location /api/event/ {
proxy_buffering off;
proxy_cache off;
proxy_pass http://event;
}
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
}
}
server {
# Section for accessing web interface over HTTPS
listen 127.0.0.1:1443 ssl http2 default_server;
# HSTS header below should make sure web interface will be accessed over HTTPS only
# once it has been configured
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# Bind mount this directory to use Let's Encrypt keypair for frontend
ssl_certificate /frontend-secrets/fullchain.pem;
ssl_certificate_key /frontend-secrets/privkey.pem;
#proxy pass event
location /api/event/ {
proxy_buffering off;
proxy_cache off;
proxy_pass http://event;
}
#Proxy pass longpoll
location /api/longpoll/ {
proxy_buffering off;
proxy_cache off;
proxy_pass http://event;
}
# OpenWrt image builder
location /api/build/ {
proxy_pass http://builder;
}
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
}
# This is for Let's Encrypt enroll/renewal
location /.well-known/ {
alias /var/www/html/.well-known/;
}
}
server {
# Section for certificate authenticated HTTPS clients,
# for submitting information to CA eg. leases,
# for delivering scripts to clients,
# for exchanging messages over WebSockets
server_name $hostname;
listen 8443 ssl http2;
# Enforce OCSP stapling for the server certificate
# Note that even nginx 1.14.0 doesn't immideately populate the OCSP cache
# You need to run separate cronjob to populate the OCSP response cache
ssl_stapling on;
ssl_stapling_verify on;
# Allow client authentication with certificate,
# backend must still check if certificate was used for TLS handshake
ssl_verify_client optional;
ssl_client_certificate /server-secrets/ca_cert.pem;
# Use same keypair used by IPSec, OpenVPN
ssl_certificate /server-secrets/self_cert.pem;
ssl_certificate_key /server-secrets/self_key.pem;
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
}
}
}