user nginx; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; } http { upstream exporter { server 127.0.0.1:3001; } upstream read-write { server 127.0.0.1:4001; } upstream ocsp-responder { server 127.0.0.1:5001; } upstream builder { server 127.0.0.1:7001; } upstream event { server 127.0.0.1:8001; } resolver 127.0.0.11; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ## # Gzip Settings ## gzip on; # Basic DoS prevention measures limit_conn addr 100; client_body_timeout 5s; client_header_timeout 5s; limit_conn_zone $binary_remote_addr zone=addr:10m; # Backend configuration proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-SSL-CERT $ssl_client_cert; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; server { # Section for serving insecure HTTP, note that this is suitable for # OCSP, CRL-s etc which is already covered by PKI protection mechanisms. listen 80 default_server; # Proxy pass Prometheus metric exporter location /metrics { proxy_pass http://exporter; } # Proxy pass OCSP responder location /api/ocsp/ { proxy_pass http://ocsp-responder; } # Event server location /api/event/ { proxy_buffering off; proxy_cache off; proxy_pass http://event; } # Proxy pass to backend location /api/ { proxy_pass http://read-write; } } server { # Section for accessing web interface over HTTPS listen 127.0.0.1:1443 ssl http2 default_server; # HSTS header below should make sure web interface will be accessed over HTTPS only # once it has been configured add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; # Bind mount this directory to use Let's Encrypt keypair for frontend ssl_certificate /frontend-secrets/fullchain.pem; ssl_certificate_key /frontend-secrets/privkey.pem; #proxy pass event location /api/event/ { proxy_buffering off; proxy_cache off; proxy_pass http://event; } #Proxy pass longpoll location /api/longpoll/ { proxy_buffering off; proxy_cache off; proxy_pass http://event; } # OpenWrt image builder location /api/build/ { proxy_pass http://builder; } # Proxy pass to backend location /api/ { proxy_pass http://read-write; } # This is for Let's Encrypt enroll/renewal location /.well-known/ { alias /var/www/html/.well-known/; } } server { # Section for certificate authenticated HTTPS clients, # for submitting information to CA eg. leases, # for delivering scripts to clients, # for exchanging messages over WebSockets server_name $hostname; listen 8443 ssl http2; # Enforce OCSP stapling for the server certificate # Note that even nginx 1.14.0 doesn't immideately populate the OCSP cache # You need to run separate cronjob to populate the OCSP response cache ssl_stapling on; ssl_stapling_verify on; # Allow client authentication with certificate, # backend must still check if certificate was used for TLS handshake ssl_verify_client optional; ssl_client_certificate /server-secrets/ca_cert.pem; # Use same keypair used by IPSec, OpenVPN ssl_certificate /server-secrets/self_cert.pem; ssl_certificate_key /server-secrets/self_key.pem; # Proxy pass to backend location /api/ { proxy_pass http://read-write; } } }