-
Notifications
You must be signed in to change notification settings - Fork 40
/
nginx.conf.sample
141 lines (115 loc) · 4.18 KB
/
nginx.conf.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
user www-data;
worker_processes auto;
pid /run/nginx.pid;
#include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_stream_module.so;
events {
worker_connections 768;
multi_accept on;
}
http {
##
# Basic Settings
##
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_max_body_size 30m; # Biometrics may there in the request.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
# Comment out these lines, otherwise the default servers and settings in these locations will also get imported
#include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
upstream myPublicIngressUpstream {
<cluster-nodeport-public-of-all-nodes>
}
upstream myInternalIngressUpstream {
<cluster-nodeport-internal-of-all-nodes>
}
ssl_certificate <cluster-ssl-certificate>;
ssl_certificate_key <cluster-ssl-certificate-key>;
server{
listen <cluster-nginx-internal-ip>:443 ssl default;
location / {
proxy_pass http://myInternalIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
# this server section is for accessing MOSIP API's publically over the internet.
# initially the same remains commented till the testing and improvement and customisation is in progress.
# once after go-live call the same section neded to be uncommented
server{
listen <cluster-nginx-public-ip>:443 ssl;
server_name <cluster-public-domain-names>;
location / {
proxy_pass http://myPublicIngressUpstream;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_headers on;
}
}
}
stream {
# this section of servers is for tcp proxying
# add multiple servers one for each port, and proxy them to mosip cluster internal loadbalancer
# like postgres, activemq, etc
upstream myPostgresIngressUpstream {
<cluster-nodeport-postgres-of-all-nodes>
}
upstream myActivemqIngressUpstream {
<cluster-nodeport-activemq-of-all-nodes>
}
server{
listen <cluster-nginx-internal-ip>:5432;
proxy_pass myPostgresIngressUpstream;
}
server{
listen <cluster-nginx-internal-ip>:61616;
proxy_pass myActivemqIngressUpstream;
}
}