This repository has been archived by the owner on Mar 31, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
nginx.conf
128 lines (105 loc) · 4.92 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
user www-data;
worker_processes 1;
error_log stderr;
pid /run/nginx/nginx.pid;
# Nginx requires this section, even if no options
events {
}
# Note that a lot of these settings come from the OWASP Secure
# Configuration guide for nginx
# https://www.owasp.org/index.php/SCG_WS_nginx
# and the OWASP Secure Headers project
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
# and the mozilla security guidelines
# https://wiki.mozilla.org/Security/Server_Side_TLS
http {
include mime.types;
# For certain locations, only allow one connection per IP
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Default log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Comment out to enable access log in /var/log/nginx/
access_log off;
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 30;
# Do not return nginx version to clients
server_tokens off;
client_max_body_size 100k;
client_body_buffer_size 100K;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
# redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name 127.0.0.1;
ssl on;
ssl_certificate @CERTPATH@/cert.pem;
ssl_certificate_key @CERTPATH@/cert.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
location / {
# This location lets us serve the static pre-compressed webui
# content (rooted at /usr/share/www). Also if the URI points to
# something else (that is unmatched by other locations), we
# fallback to the rest server. This approach is based on the
# guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
root /usr/share/www;
# For clients that support gzip encoding, serve them
# pre-compressed gzip content. For clients that don't,
# uncompress on the BMC. The module gunzip requires
# gzip_static to be set to 'always'; gzip_static is the
# module that serves compressed content for clients that
# support gzip.
gunzip on;
gzip_static always;
try_files $uri $uri/ @rest_server;
add_header X-Frame-Options deny;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Cache-Control "no-store,no-cache";
add_header Pragma "no-cache";
add_header Expires 0;
}
location @rest_server {
# Use 127.0.0.1 instead of localhost since nginx will
# first use ipv6 address of ::1 which the upstream server
# is not listening on. This generates an error msg to
# the journal. Nginx then uses the 127.0.0.1 and everything
# works fine but want to avoid the error msg to the log.
proxy_pass http://127.0.0.1:8081;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
}
location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
# Marked as 33MB to allow for firmware image updating and dump
# downloads
client_max_body_size 33M;
# Only 1 connection at a time here from an IP
limit_conn addr 1;
proxy_pass http://127.0.0.1:8081;
}
location /redfish {
proxy_pass http://127.0.0.1:8082;
proxy_http_version 1.1;
}
include /etc/nginx/sites-enabled/443_*.conf;
}
}