# Main context: worker identity, worker count, pid file and dynamic modules.
# Workers drop to the unprivileged "nginx" user; the master stays root to bind
# the low ports (80) used below.
user nginx;
worker_processes auto;
pid /run/nginx.pid;
# Dynamic modules enabled on the host (Debian-style layout); nothing in this
# file depends on a specific one.
include /etc/nginx/modules-enabled/*.conf;
events {
    # Upper bound on simultaneous connections per worker process
    # (proxied requests count twice: client side plus upstream side).
    worker_connections 768;
}
http {
    # Upstreams. Every backend is reached over loopback from this nginx;
    # whether the backends also listen elsewhere is not visible here.
    upstream read-write {
        server 127.0.0.1:4001;
    }

    upstream ocsp-responder {
        server 127.0.0.1:5001;
    }

    upstream builder {
        server 127.0.0.1:7001;
    }

    upstream event {
        server 127.0.0.1:8001;
    }

    # 127.0.0.11 looks like Docker's embedded DNS — TODO confirm. It is only
    # consulted for names resolved at runtime; the upstreams above are literal
    # addresses, so nothing in this file currently depends on it.
    resolver 127.0.0.11;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLS 1.0/1.1 are off. There is no ssl_ciphers line, so the cipher list is
    # the build default; ssl_prefer_server_ciphers only orders that list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ##
    # Gzip Settings
    ##
    # Applies to the TLS servers below as well. With no gzip_types set only the
    # default type (text/html) is compressed; the usual compression-over-TLS
    # (BREACH) consideration applies if secrets and attacker-influenced input
    # ever share a compressed HTML response — NOTE(review): confirm they do not.
    gzip on;

    # Basic DoS prevention measures
    # At most 100 concurrent connections per client address. The "addr" zone is
    # declared a few lines below its first use; as far as I recall nginx matches
    # zones by name once the whole configuration is parsed, so this is accepted,
    # but declaring the zone first reads more naturally — confirm with nginx -t.
    limit_conn addr 100;
    # Slow-client read timeouts. These are per-request timers, not a request
    # rate limit (no limit_req is configured).
    client_body_timeout 5s;
    client_header_timeout 5s;
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Backend configuration
    # These proxy_* directives sit at http level, so every server and location
    # below inherits them.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Client certificate (PEM) from the TLS handshake. Only the 8443 server below
    # asks for one; everywhere else this expands to an empty string, and nginx
    # omits a proxy_set_header whose value is empty rather than passing a
    # client-supplied X-SSL-CERT through — so the header cannot be injected.
    # $ssl_client_cert is deprecated in favour of $ssl_client_escaped_cert;
    # switching changes the header encoding, so the backend parser would have
    # to change with it.
    proxy_set_header X-SSL-CERT $ssl_client_cert;
    proxy_set_header X-Forwarded-Proto $scheme;
    # 600 s proxy timeouts — presumably to keep the long-poll/event streams
    # open; they also apply to the ordinary /api/ locations.
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    # To use CA's own certificate for frontend and mutually authenticated connections
    # Shared by all three servers below; none of them overrides it.
    ssl_certificate /server-secrets/self_cert.pem;
    ssl_certificate_key /server-secrets/self_key.pem;

    server {
        # Section for serving insecure HTTP, note that this is suitable for
        # OCSP, CRLs etc. which are already covered by PKI protection mechanisms.
        # NOTE(review): /api/event/ and the catch-all /api/ are also reachable
        # here without TLS and without any X-SSL-CERT; confirm the read-write
        # backend treats such requests as unauthenticated.

        listen 80 default_server;

        # Proxy pass OCSP responder
        location /api/ocsp/ {
            proxy_pass http://ocsp-responder;
        }

        # Event server
        # Buffering/caching off so the stream is delivered as the backend
        # produces it.
        location /api/event/ {
            proxy_buffering off;
            proxy_cache off;
            proxy_pass http://event;
        }

        # Proxy pass to backend
        location /api/ {
            proxy_pass http://read-write;
        }
    }

    server {
        # Section for accessing web interface over HTTPS
        # Bound to loopback only, so something outside this file presumably
        # exposes port 1443 (port forward or another proxy) — TODO confirm.
        listen 127.0.0.1:1443 ssl http2 default_server;

        # HSTS header below should make sure web interface will be accessed over HTTPS only
        # once it has been configured
        # Without the "always" parameter nginx adds this only to successful and
        # redirect responses, not to 4xx/5xx ones.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

        #proxy pass event
        location /api/event/ {
            proxy_buffering off;
            proxy_cache off;
            proxy_pass http://event;
        }

        #Proxy pass longpoll
        location /api/longpoll/ {
            proxy_buffering off;
            proxy_cache off;
            proxy_pass http://event;
        }

        # OpenWrt image builder
        location /api/build/ {
            proxy_pass http://builder;
        }

        # Proxy pass to backend
        location /api/ {
            proxy_pass http://read-write;
        }

        # This is for Let's Encrypt enroll/renewal
        # NOTE(review): this location exists only on the loopback HTTPS server;
        # the port-80 server above has no /.well-known/, so HTTP-01 validation
        # must be reaching it via something outside this file — confirm.
        location /.well-known/ {
            alias /var/www/html/.well-known/;
        }
    }

    server {
        # Section for certificate authenticated HTTPS clients,
        # for submitting information to CA eg. leases,
        # for delivering scripts to clients,
        # for exchanging messages over WebSockets
        # NOTE(review): nothing here sets proxy_http_version 1.1 or forwards the
        # Upgrade/Connection headers, which nginx needs to pass a WebSocket
        # upgrade through proxy_pass; if upgrades are expected on /api/, they
        # will not currently succeed — confirm against the backend.
        server_name $hostname;
        listen 8443 ssl http2;

        # Enforce OCSP stapling for the server certificate
        # Note that even nginx 1.14.0 doesn't immediately populate the OCSP cache
        # You need to run separate cronjob to populate the OCSP response cache
        # ssl_stapling_verify needs the issuer chain available to nginx; if
        # self_cert.pem does not carry it, set ssl_trusted_certificate, otherwise
        # nginx disables stapling with a warning in the error log — check at start.
        ssl_stapling on;
        ssl_stapling_verify on;

        # Allow client authentication with certificate,
        # backend must still check if certificate was used for TLS handshake
        # "optional": a client may connect without a certificate; one that is
        # presented must chain to ca_cert.pem or nginx rejects the request before
        # proxying (as far as I recall with status 495). No ssl_crl is configured,
        # so revocation is not enforced at the TLS layer — presumably the backend,
        # being the CA, checks that itself; confirm.
        ssl_verify_client optional;
        ssl_client_certificate /server-secrets/ca_cert.pem;

        # Proxy pass to backend
        # X-SSL-CERT (set at http level) carries the verified certificate here.
        location /api/ {
            proxy_pass http://read-write;
        }
    }
}