@djraw
Created March 2, 2018 18:02
NginX reverse proxy config for a remote Tomcat serving a BMC ARSystem MidTier
# nginx BMC Remedy Mid Tier server configuration
server {
    # Plain-HTTP listener: serves no content, every request is answered with a
    # permanent redirect to the Mid Tier entry point on HTTPS.
    listen 80;
    access_log off;
    server_name _;

    # $host is derived from the client's request (request line or Host header).
    # NOTE(review): with the catch-all server_name the redirect target echoes
    # whatever host the client sent; pin server_name to the real hostname if
    # that matters for this deployment.
    return 301 https://$host/arsys;
}
# Backend Tomcat instance: set this to the IP address and port Tomcat listens on.
# The proxy locations address it as http://tomcat/..., so the hop between nginx
# and Tomcat is plain HTTP.
upstream tomcat {
    server 192.168.0.200:80;
}
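server {
    # HTTPS virtual host: terminates TLS and proxies the Mid Tier, the Tomcat
    # manager and PSI-Probe to the "tomcat" upstream.

    ### SSL listener config - start ###
    listen 443 ssl http2;
    server_name _;
    error_log /var/log/nginx/midtier.error.log warn;
    access_log /var/log/nginx/midtier.access.log;
    #access_log off;
    server_tokens off;  # do not advertise the nginx version in responses and error pages

    # Cert needs to bundle server and CA certs (server certificate first, then the
    # CA chain); check with 'sudo nano' and add any LF if needed.
    # Use command: cat <server>.crt <CA>.crt >> <server>-bundle.crt or similar for pem if needed
    ssl_certificate /etc/nginx/certs/ca-chain.pem;
    ssl_certificate_key /etc/nginx/certs/sever-key.pem;

    #ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_protocols TLSv1.2;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    # Forward-secret key exchange only; "!AES128" drops the AES-128 suites.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling; the resolver below is used to look up the responder.
    # NOTE(review): stapling verification needs the issuer chain to be trusted
    # (e.g. via ssl_trusted_certificate) - confirm stapling actually succeeds.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 213.133.100.100 valid=300s;
    resolver_timeout 5s;

    # Security response headers. "always" also attaches them to error responses;
    # without it nginx only adds them to 2xx/3xx responses.
    # A location that declares its own add_header stops inheriting this set, so
    # keep add_header out of the location blocks below.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;  # 180 days
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; # disallow search robots
    ### SSL listener config - end ###

    # additional settings for optimizations
    client_max_body_size 2m;
    # Pass request headers whose names contain underscores instead of dropping them.
    underscores_in_headers on;

    ### location blocks ###

    # Disallow search engines etc.
    location = /robots.txt {
        # Set the type through default_type rather than add_header: an add_header
        # here would emit a second Content-Type header and would also switch off
        # the server-level security headers for this location.
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # Everything else goes to the Mid Tier entry point. Stay on HTTPS: redirecting
    # to http:// from the TLS listener forces a cleartext round trip through the
    # port-80 server before the client ends up back here.
    location / {
        return 301 https://$host/arsys;
    }

    ## Proxy ARSystem MidTier
    location /arsys {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Tell the backend about the original client and scheme.
        # NOTE(review): Tomcat only honours these if it is configured to trust
        # this proxy (presumably a RemoteIpValve or similar) - verify.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/arsys;
        proxy_buffering off;
        # 0 lifts the 2m server-level body limit for this location.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }

    ## Proxy TC manager
    # NOTE(review): this publishes the Tomcat manager application to every client
    # that can reach port 443, protected only by Tomcat's own authentication.
    # Restrict it to the administration network, for example:
    #     allow 192.0.2.0/24;   # placeholder (documentation range) - replace
    #     deny all;
    # NOTE(review): location "/manager" + proxy_pass ".../manager/" rewrites
    # /manager/x to /manager//x upstream - confirm Tomcat handles that as intended.
    location /manager {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/manager/;
        proxy_buffering off;
        # 0 lifts the 2m server-level body limit for this location.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }

    ## Proxy TC PSI-Probe
    # NOTE(review): PSI-Probe is an administration/monitoring console; the same
    # exposure concern as for /manager applies. Restrict it the same way:
    #     allow 192.0.2.0/24;   # placeholder (documentation range) - replace
    #     deny all;
    location /probe {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/probe/;
        proxy_buffering off;
        # 0 lifts the 2m server-level body limit for this location.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}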