pinecrypt-gateway-frontend/nginx.conf

user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    upstream exporter {
        server 127.0.0.1:3001;
    }

    upstream read-write {
        server 127.0.0.1:4001;
    }

    upstream ocsp-responder {
        server 127.0.0.1:5001;
    }

    upstream builder {
        server 127.0.0.1:7001;
    }
    
    upstream event {
        server 127.0.0.1:8001;
    }

    resolver 127.0.0.11;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ##
    # Gzip Settings
    ##
    gzip on;

    # Basic DoS prevention measures
    limit_conn addr 100;
    client_body_timeout 5s;
    client_header_timeout 5s;
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Backend configuration
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-SSL-CERT $ssl_client_cert;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    server {
        # Section for serving insecure HTTP, note that this is suitable for
        # OCSP, CRL-s etc which is already covered by PKI protection mechanisms.

        listen 80 default_server;

        # Proxy pass Prometheus metric exporter
        location /metrics {
            proxy_pass http://exporter;
        }

        # Proxy pass OCSP responder
        location /api/ocsp/ {
            proxy_pass http://ocsp-responder;
        }

        # Event server
        location /api/event/ {
            proxy_buffering off;
            proxy_cache off;
            proxy_pass http://event;
        }

        # Proxy pass to backend
        location /api/ {
            proxy_pass http://read-write;
        }
    }

    server {
        # Section for accessing web interface over HTTPS
        listen 127.0.0.1:1443 ssl http2 default_server;

        # HSTS header below should make sure web interface will be accessed over HTTPS only
        # once it has been configured
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

        # Bind mount this directory to use Let's Encrypt keypair for frontend
        ssl_certificate /frontend-secrets/fullchain.pem;
        ssl_certificate_key /frontend-secrets/privkey.pem;

        #proxy pass event
        location /api/event/ {
            proxy_buffering off;
            proxy_cache off;
            proxy_pass http://event;
        }

        #Proxy pass longpoll
        location /api/longpoll/ {
            proxy_buffering off;
            proxy_cache off;
            proxy_pass http://event;
        }

        # OpenWrt image builder
        location /api/build/ {
            proxy_pass http://builder;
        }

        # Proxy pass to backend
        location /api/ {
            proxy_pass http://read-write;
        }

        # This is for Let's Encrypt enroll/renewal
        location /.well-known/ {
            alias /var/www/html/.well-known/;
        }
    }


    server {
        # Section for certificate authenticated HTTPS clients,
        # for submitting information to CA eg. leases,
        # for delivering scripts to clients,
        # for exchanging messages over WebSockets
        server_name $hostname;
        listen 8443 ssl http2;

        # Enforce OCSP stapling for the server certificate
        # Note that even nginx 1.14.0 doesn't immideately populate the OCSP cache
        # You need to run separate cronjob to populate the OCSP response cache
        ssl_stapling on;
        ssl_stapling_verify on;

        # Allow client authentication with certificate,
        # backend must still check if certificate was used for TLS handshake
        ssl_verify_client optional;
        ssl_client_certificate /server-secrets/ca_cert.pem;

        # Use same keypair used by IPSec, OpenVPN
        ssl_certificate /server-secrets/self_cert.pem;
        ssl_certificate_key /server-secrets/self_key.pem;

        # Proxy pass to backend
        location /api/ {
            proxy_pass http://read-write;
        }
    }
}
Initial commit 2021-05-27 10:15:46 +00:00			`user nginx;`
			`worker_processes auto;`
			`pid /run/nginx.pid;`
			`include /etc/nginx/modules-enabled/*.conf;`

			`events {`
			`worker_connections 768;`
			`}`

			`http {`
Expose metric exporter 2021-06-09 20:18:41 +00:00			`upstream exporter {`
			`server 127.0.0.1:3001;`
			`}`

Initial commit 2021-05-27 10:15:46 +00:00			`upstream read-write {`
			`server 127.0.0.1:4001;`
			`}`

			`upstream ocsp-responder {`
			`server 127.0.0.1:5001;`
			`}`

			`upstream builder {`
			`server 127.0.0.1:7001;`
			`}`

			`upstream event {`
			`server 127.0.0.1:8001;`
			`}`

			`resolver 127.0.0.11;`
			`sendfile on;`
			`tcp_nopush on;`
			`tcp_nodelay on;`
			`keepalive_timeout 65;`
			`types_hash_max_size 2048;`

			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`

			`##`
			`# SSL Settings`
			`##`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_prefer_server_ciphers on;`

			`##`
			`# Gzip Settings`
			`##`
			`gzip on;`

			`# Basic DoS prevention measures`
			`limit_conn addr 100;`
			`client_body_timeout 5s;`
			`client_header_timeout 5s;`
			`limit_conn_zone $binary_remote_addr zone=addr:10m;`

			`# Backend configuration`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-SSL-CERT $ssl_client_cert;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_connect_timeout 600;`
			`proxy_send_timeout 600;`
			`proxy_read_timeout 600;`
			`send_timeout 600;`

			`server {`
			`# Section for serving insecure HTTP, note that this is suitable for`
			`# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.`

			`listen 80 default_server;`

Expose metric exporter 2021-06-09 20:18:41 +00:00			`# Proxy pass Prometheus metric exporter`
			`location /metrics {`
			`proxy_pass http://exporter;`
			`}`

Initial commit 2021-05-27 10:15:46 +00:00			`# Proxy pass OCSP responder`
			`location /api/ocsp/ {`
			`proxy_pass http://ocsp-responder;`
			`}`

			`# Event server`
			`location /api/event/ {`
			`proxy_buffering off;`
			`proxy_cache off;`
			`proxy_pass http://event;`
			`}`

			`# Proxy pass to backend`
			`location /api/ {`
			`proxy_pass http://read-write;`
			`}`
			`}`

			`server {`
			`# Section for accessing web interface over HTTPS`
			`listen 127.0.0.1:1443 ssl http2 default_server;`

			`# HSTS header below should make sure web interface will be accessed over HTTPS only`
			`# once it has been configured`
			`add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";`

Facilitate easy use of Let's Encrypt certificates 2021-06-04 06:25:25 +00:00			`# Bind mount this directory to use Let's Encrypt keypair for frontend`
Use Let's Encrypt keypair filenames for easier bind mounting 2021-06-04 08:37:45 +00:00			`ssl_certificate /frontend-secrets/fullchain.pem;`
			`ssl_certificate_key /frontend-secrets/privkey.pem;`
Facilitate easy use of Let's Encrypt certificates 2021-06-04 06:25:25 +00:00
Initial commit 2021-05-27 10:15:46 +00:00			`#proxy pass event`
			`location /api/event/ {`
			`proxy_buffering off;`
			`proxy_cache off;`
			`proxy_pass http://event;`
			`}`

			`#Proxy pass longpoll`
			`location /api/longpoll/ {`
			`proxy_buffering off;`
			`proxy_cache off;`
			`proxy_pass http://event;`
			`}`

			`# OpenWrt image builder`
			`location /api/build/ {`
			`proxy_pass http://builder;`
			`}`

			`# Proxy pass to backend`
			`location /api/ {`
			`proxy_pass http://read-write;`
			`}`

			`# This is for Let's Encrypt enroll/renewal`
			`location /.well-known/ {`
			`alias /var/www/html/.well-known/;`
			`}`
			`}`


			`server {`
			`# Section for certificate authenticated HTTPS clients,`
			`# for submitting information to CA eg. leases,`
			`# for delivering scripts to clients,`
			`# for exchanging messages over WebSockets`
			`server_name $hostname;`
			`listen 8443 ssl http2;`

			`# Enforce OCSP stapling for the server certificate`
			`# Note that even nginx 1.14.0 doesn't immideately populate the OCSP cache`
			`# You need to run separate cronjob to populate the OCSP response cache`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`# Allow client authentication with certificate,`
			`# backend must still check if certificate was used for TLS handshake`
			`ssl_verify_client optional;`
Remove /var/lib/certidude prefix for paths 2021-06-02 12:38:23 +00:00			`ssl_client_certificate /server-secrets/ca_cert.pem;`
Initial commit 2021-05-27 10:15:46 +00:00
Facilitate easy use of Let's Encrypt certificates 2021-06-04 06:25:25 +00:00			`# Use same keypair used by IPSec, OpenVPN`
			`ssl_certificate /server-secrets/self_cert.pem;`
			`ssl_certificate_key /server-secrets/self_key.pem;`

Initial commit 2021-05-27 10:15:46 +00:00			`# Proxy pass to backend`
			`location /api/ {`
			`proxy_pass http://read-write;`
			`}`
			`}`
			`}`