Pinecrypt Gateway frontend
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

169 lines
4.3 KiB

user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
upstream exporter {
server 127.0.0.1:3001;
}
upstream read-write {
server 127.0.0.1:4001;
}
upstream ocsp-responder {
server 127.0.0.1:5001;
}
upstream builder {
server 127.0.0.1:7001;
}
upstream event {
server 127.0.0.1:8001;
}
resolver 127.0.0.11;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Gzip Settings
##
gzip on;
# Basic DoS prevention measures
limit_conn addr 100;
client_body_timeout 5s;
client_header_timeout 5s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Backend configuration
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-CERT $ssl_client_cert;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
server {
# Section for serving insecure HTTP, note that this is suitable for
# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
listen 80 default_server;
# Proxy pass Prometheus metric exporter
location /metrics {
proxy_pass http://exporter;
}
# Proxy pass OCSP responder
location /api/ocsp/ {
proxy_pass http://ocsp-responder;
}
# Event server
location /api/event/ {
proxy_buffering off;
proxy_cache off;
proxy_pass http://event;
}
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
}
}
server {
# Section for accessing web interface over HTTPS
listen 127.0.0.1:1443 ssl http2 default_server;
# HSTS header below should make sure web interface will be accessed over HTTPS only
# once it has been configured
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# Bind mount this directory to use Let's Encrypt keypair for frontend
ssl_certificate /frontend-secrets/fullchain.pem;
ssl_certificate_key /frontend-secrets/privkey.pem;
#proxy pass event
location /api/event/ {
proxy_buffering off;
proxy_cache off;
proxy_pass http://event;
}
#Proxy pass longpoll
location /api/longpoll/ {
proxy_buffering off;
proxy_cache off;
proxy_pass http://event;
}
# OpenWrt image builder
location /api/build/ {
proxy_pass http://builder;
}
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
}
# This is for Let's Encrypt enroll/renewal
location /.well-known/ {
alias /var/www/html/.well-known/;
}
}
server {
# Section for certificate authenticated HTTPS clients,
# for submitting information to CA eg. leases,
# for delivering scripts to clients,
# for exchanging messages over WebSockets
server_name $hostname;
listen 8443 ssl http2;
# Enforce OCSP stapling for the server certificate
# Note that even nginx 1.14.0 doesn't immideately populate the OCSP cache
# You need to run separate cronjob to populate the OCSP response cache
ssl_stapling on;
ssl_stapling_verify on;
# Allow client authentication with certificate,
# backend must still check if certificate was used for TLS handshake
ssl_verify_client optional;
ssl_client_certificate /server-secrets/ca_cert.pem;
# Use same keypair used by IPSec, OpenVPN
ssl_certificate /server-secrets/self_cert.pem;
ssl_certificate_key /server-secrets/self_key.pem;
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
}
}
}