this is a reverse-proxy connector that connects nginx to Railo. The files in this example assume that they are located in the same folder as the nginx executable file (i.e. nginx.exe on Windows). The main conf file is nginx-railo.conf, which should be passed to nginx as the config file, e.g. nginx -c nginx-railo.conf. It includes other config files …
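#### this is the main config file for nginx, to specify it from the command line, use the -c switch, e.g
#### nginx.exe -c nginx-railo.conf
##** if connecting to Tomcat, use Tomcat's RemoteIpValve to resolve CGI.REMOTE_ADDR, CGI.SERVER_NAME, and CGI.SERVER_PORT_SECURE
##** <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
##** NOTE(review): the valve only honours X-Forwarded-* sent by addresses it lists as internal/trusted proxies;
##** confirm the address nginx connects from is covered, otherwise CGI.REMOTE_ADDR is taken from a client-supplied header
#user nobody;
#pid logs/nginx.pid;
error_log logs/error.log;
worker_processes 1; ## set to number of CPU cores

events { worker_connections 1024; }

http {
    include conf/mime.types;
    default_type application/octet-stream;
    sendfile on;
    gzip on;
    gzip_types application/javascript text/css; ## gzip js, css (html is enabled by default)
    #tcp_nopush on;
    keepalive_timeout 65;
    index index.htm index.cfm index.html; ## default welcome documents

    ## errors are internal redirects to Railo pages; the original uri is passed as a query argument
    error_page 404 /404.cfm?uri=$request_uri;
    error_page 403 /404.cfm?uri=$request_uri; ## show forbidden as innocent 404
    error_page 500 /500.cfm?uri=$request_uri;
    error_page 503 /503.cfm?uri=$request_uri;

    server_names_hash_bucket_size 64; ## allow more than a couple of server names, with long names
    server_tokens off; ## do not send nginx version

    ## security headers, see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    ## NOTE: add_header is inherited by a server/location only when that level has no add_header of its own;
    ## any block that adds its own header must repeat these three or they are silently dropped there
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    upstream railo_servers {
        ip_hash; ## http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ip_hash
        server 127.0.0.1:8080;
        #server 127.0.0.1:8081; ## add more application servers below for load balancing
        keepalive 32; ## number of upstream connections to keep alive
    }
    proxy_connect_timeout 30; ## connection timeout for proxy servers in seconds - max 75

    ## add website-specific configurations below
    include nginx-site-site1.conf;
    #include nginx-site-site2.conf; ## add more sites as needed

    ## default http server to handle request to unmapped hosts
    ## default_server is required: without it nginx uses the FIRST server listening on port 80 (site1, included
    ## above) as the catch-all, so once site1 gets a server_name, requests for unknown hosts would still reach it
    server {
        listen 80 default_server;
    }

    ## log settings
    log_format standard_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    log_format upstream_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$upstream_addr $upstream_status $upstream_response_time"';
    ## the log path contains $host, so nginx opens a log file per request (consider open_log_file_cache);
    ## NOTE(review): with the catch-all server above, any Host header a client sends becomes a file name under logs/ - confirm that is acceptable
    access_log logs/$host-access.log standard_log_format; ## use upstream_log_format when clustering to see which application server the request was routed to
}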
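#### this file should be included in the server section of each site that should proxy to Railo #####
#### include it before any other regex (~ or ~*) location of the server: nginx tests regex locations in
#### the order they appear, so the admin restriction below must come before the generic .cfm proxy rule
### Security begin
## the path/extension rules use ~* (case-insensitive): on a case-insensitive file system (Windows) a request
## for /web-inf/ or /x.Config would otherwise miss the rule, fall through to "location /" and be served as a
## plain file from the document root
location ~* /META-INF/ { return 404; }
location ~* /WEB-INF/ { return 404; }
location ~* \.config$ { return 404; }
location ~ /\. { return 404; } ## e.g. .htaccess, .gitignore etc.
location ~ ~$ { return 404; } ## e.g. editor backup copies such as index.cfm~
location ~* \.aspx?$ { return 404; } ## most likely hackers testing the site
location ~* \.php$ { return 404; }
## Railo admin
location ~* /railo-context/(admin|doc)/ {
    ## IP security - add allow entries as needed
    ## allow/deny are evaluated on $remote_addr (the address nginx sees); X-Forwarded-For is not consulted
    #allow 123.123.123.123; ## set your ip here and remove comment mark
    #deny 192.168.0.1; ## deny gateway
    #allow 192.168.0.0/24; ## allow local network
    allow ::1; ## allow local IPs and deny all others
    allow 127.0.0.1;
    deny all;
    #gzip off;
    proxy_pass http://railo_servers;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Connection ""; ## needed for the upstream keepalive pool
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    expires epoch;
}
### Security end
### Proxy .cfm etc to Railo Servers
location ~ \.(cfm|cfc|cfs|jsp|htm)$ {
    #gzip off;
    proxy_pass http://railo_servers;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Connection ""; ## needed for the upstream keepalive pool
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## CGI.REMOTE_ADDR
    proxy_set_header X-Forwarded-Proto $scheme; ## CGI.SERVER_PORT_SECURE
    proxy_set_header X-Real-IP $remote_addr;
    expires epoch;
}
## case variants (e.g. /index.CFM) that the case-sensitive rule above did not match: on a case-insensitive
## file system "location /" would otherwise serve them as static files, disclosing the source. They are
## rejected rather than proxied so a differently-cased name is never handed to the application server's
## default file handler (its *.cfm mapping is presumably case-sensitive - TODO confirm)
location ~* \.(cfm|cfc|cfs|jsp)$ { return 404; }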
#### create a file like this one for each website and include it in nginx-railo.conf
server {
    ## the proxy/security rules come first: regex locations are tried in order of appearance,
    ## so they must precede the static-file rule further down
    include nginx-railo-proxy.conf; ## include the proxy config file
    ## NOTE: anything below root that no proxy or security rule catches is served as a plain file
    root C:/inetpub/wwwroot/site1;
    listen 80;
    #listen 127.0.0.1:80; ## use this instead if you want to listen on specific ip
    #server_name localhost.site1 www.site1.com; ## enable to serve only specific hosts

    ## file first, then directory (index pages), then the rewrite rules
    location / {
        try_files $uri $uri/ @rewrite-rules;
    }
    location @rewrite-rules {
        ## add rewrite rules as needed
        #rewrite ^/index/(.*)/(.*)/? /index.cfm?p1=$1&p2=$2 last;
    }

    ### add expires headers for static files
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 30d;
        access_log off;
    }

    ## to restrict access to a specific directory use the example below
    ## (allow/deny are matched against $remote_addr, the address nginx sees)
    #location ~* /restricted-access/ {
    #
    #allow 123.123.123.123; ## set your ip here and remove comment mark
    #
    #deny 192.168.0.1; ## deny gateway
    #allow 192.168.0.0/24; ## allow local network
    #
    #allow ::1; ## allow local IPs and deny all others
    #allow 127.0.0.1;
    #
    #deny all;
    #}

    ## to define a virtual folder use the example below
    #location ~ ^/shared/(.*)$ {
    #
    # alias C:/inetpub/wwwroot/shared/;
    #}

    ### ssl settings begin -- enable for sites that should use ssl
    #listen 443 ssl;
    #ssl_certificate sslcert.pem; ## this must point to a valid .crt or .pem file
    #ssl_certificate_key sslcert.pem; ## the key may be stored in the .pem file
    ## ssl_session_cache shared:SSL:1m; ## The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions.
    #ssl_session_timeout 5m;
    #ssl_prefer_server_ciphers on;
    ## NOTE(review): consider also setting ssl_protocols and ssl_ciphers explicitly rather than relying on the build's defaults
    ### ssl settings end
}
## redirect non-www to www
#server {
# listen site1.com:80;
# server_name site1.com;
# return 301 $scheme://www.site1.com$request_uri;
#}