# Main context. Worker processes drop to the unprivileged nobody:nogroup
# account, so everything below (file reads, upload temp files, the FastCGI
# socket) happens with that identity -- keep file permissions consistent with it.
user nobody nogroup;
worker_processes 2;
pid /var/run/nginx.pid;
http {
# Explicit, minimal MIME map (the stock mime.types is not included here).
# Only these extensions receive a Content-Type; anything else falls back to
# nginx's default_type. Grouped by family: text, application, image, font.
types {
text/html html htm;
text/css css;
text/plain txt text;
text/csv csv;
application/javascript js;
application/json json;
application/pdf pdf;
application/xml xml;
# Proxy auto-config files share one type.
application/x-ns-proxy-autoconfig dat pac;
image/gif gif;
image/jpeg jpeg jpg jpe;
image/png png;
image/svg+xml svg svgz;
application/x-font-ttf ttf;
}
# $directive is a per-location tag (set in each location below) so the access
# log shows which branch of this config handled a request.
log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" directive $directive';
access_log /mail/log/apache/access_log main;
# $https_on is "on" for TLS requests and empty otherwise; it is exported to the
# CGI backend as the HTTPS FastCGI param so scripts can test $ENV{HTTPS}.
map $scheme $https_on {
default '';
https on;
}
# DOS protection using HttpLimitReqModule
# Buckets are keyed by client IP. If traffic reaches nginx through the load
# balancer without client-IP preservation, every client shares one bucket --
# confirm $remote_addr is the real client before relying on these limits.
# zone "one" is applied in @cgi; "apilimit" is not referenced in this file and
# is presumably consumed by an included conf -- verify it is actually applied.
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
# Adding a separate rate limit for REST API requests
limit_req_zone $binary_remote_addr zone=apilimit:10m rate=10r/s;
# Include per product global/server conf files
include /home/product/code/config/nginx.http*.conf;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
server {
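# Default TLS material. Certificate and private key live in the same PEM, so
# that file must be readable only by the nginx master (not group/world).
ssl_certificate /home/product/code/config/ssl_default_cert.pem;
ssl_certificate_key /home/product/code/config/ssl_default_cert.pem;
# TLSv1.0 and TLSv1.1 are deprecated (RFC 8996) and fail current compliance
# scans; offer TLSv1.2 only. Add TLSv1.3 here once the nginx/OpenSSL build in
# use supports it.
ssl_protocols TLSv1.2;
ssl_dhparam /home/product/code/firmware/current/etc/dh_2048.pem;
error_page 505 /500.html;
# Load-balancer health probe answered before any CGI work. The match is on a
# client-supplied header and therefore trivially spoofable; it must never gate
# anything beyond this canned 200.
if ($http_user_agent = "Barracuda Load Balancer Server Monitor") {
return 200 "barracuda";
}
# Refuse HTTP/1.0 clients (505, rendered as /500.html by the error_page above).
if ($server_protocol ~* "HTTP/1.0") {
return 505;
}
# dk: reorder
# AEAD suites first. The bare HIGH alias can still admit 3DES (SWEET32) and
# NULL-encryption suites on older OpenSSL builds, so exclude them explicitly
# along with anonymous, MD5 and RC4 suites.
ssl_ciphers ECDHE+AESGCM:AESGCM:HIGH:!aNULL:!eNULL:!MD5:!3DES:!RC4;
ssl_prefer_server_ciphers on;
index index.html;
root /home/product/code/firmware/current/web/;
# Include per product ui conf files
include /home/product/code/config/nginx.server*.conf;
# Unanchored regex: any URI containing /support-tunnel is rewritten to the
# streamer endpoint. Tighten to ^/support-tunnel$ once callers are confirmed.
rewrite /support-tunnel /cgi-mod/support-tunnel.cgi;
# Effectively unreachable: an HTTP/1.0 request already returned 505 above, and
# no other protocol string matches "1.0". Kept for history; safe to delete.
if ($server_protocol ~* "1.0") {
return 444;
}
# BNF-501 - Errors due to cookie size
# 16 x 32k = 512k of header buffer per request; revisit if memory pressure
# from clients sending oversized headers becomes a concern.
fastcgi_buffer_size 32k;
fastcgi_buffers 16 32k;
large_client_header_buffers 16 32k;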
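# Long-lived support-tunnel stream, proxied to the local streamer. This regex
# location appears before ^/cgi-mod/ and so wins for this path: the upload
# filter and the @cgi limit_req do NOT apply here.
# Anchored and dot-escaped: the previous unanchored pattern also matched
# /anything/cgi-mod/support-tunnel.cgi and support-tunnelXcgi variants.
location ~ ^/cgi-mod/support-tunnel\.cgi$ {
set $directive "streamer";
proxy_pass http://127.0.0.1:18081/cgi-mod/support-tunnel.cgi?$query_string;
proxy_set_header X-Real-IP $remote_addr;
# Buffering would hold the stream back until the upstream closed it.
proxy_buffering off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}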
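# Post-install progress stream, proxied to the local streamer. Matched ahead of
# ^/cgi-mod/, so neither the upload filter nor the @cgi limit_req applies.
# Anchored and dot-escaped so only the exact path reaches the streamer.
location ~ ^/cgi-mod/postinstall_status_stream\.cgi$ {
set $directive "streamer";
proxy_pass http://127.0.0.1:18081/cgi-mod/postinstall_status_stream.cgi?$query_string;
proxy_set_header X-Real-IP $remote_addr;
# Buffering would hold the stream back until the upstream closed it.
proxy_buffering off;
# Streams may stay idle for a long time; keep the upstream read open for 1h.
proxy_read_timeout 1h;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}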
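# Generic event stream, proxied to the local streamer. Matched ahead of
# ^/cgi-mod/, so neither the upload filter nor the @cgi limit_req applies.
# Anchored and dot-escaped so only the exact path reaches the streamer.
location ~ ^/cgi-mod/stream\.cgi$ {
set $directive "streamer";
proxy_pass http://127.0.0.1:18081/cgi-mod/stream.cgi?$query_string;
proxy_set_header X-Real-IP $remote_addr;
# Buffering would hold the stream back until the upstream closed it.
proxy_buffering off;
# Streams may stay idle for a long time; keep the upstream read open for 1h.
proxy_read_timeout 1h;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}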
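# Multipart upload filter (nginx_upload_module) for everything under /cgi-mod/
# that the stream locations above did not claim. Uploaded parts are written to
# /data/tmp/nginx_uploads (one level of hashed subdirectories) and the CGI
# receives the temp path plus metadata as extra form fields; the request then
# continues in @cgi.
location ~ ^/cgi-mod/ {
set $directive "Upload filter";
upload_store /data/tmp/nginx_uploads 1;
# $upload_file_name and $upload_content_type are client-chosen; the CGI must
# treat them as untrusted (path separators, misleading types).
upload_set_form_field $upload_field_name.name "$upload_file_name";
upload_set_form_field $upload_field_name.content_type "$upload_content_type";
upload_set_form_field $upload_field_name.path "$upload_tmp_path";
upload_set_form_field $upload_field_name.nginx_upload 1;
upload_pass_form_field ".*";
upload_pass_args on;
# Was user:rw group:rw all:rw. World-writable temp files let any local account
# read or replace an upload between nginx writing it and the CGI consuming it.
# Files are owned by the worker identity (nobody:nogroup, see `user`); the CGI
# backend must run as that user or share its group to keep reading them.
upload_store_access user:rw group:rw;
upload_max_output_body_len 0;
upload_buffer_size 16m;
# Per-request cap; also bounds how much a single client can push onto /data/tmp.
upload_max_file_size 1000m;
client_max_body_size 1000m;
upload_pass @cgi;
# Every 4xx/5xx raised by the upload module (presumably including
# non-multipart bodies) is handed to @cgi, whose own status is returned
# unchanged -- this is how ordinary, non-upload CGI requests get through.
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 = @cgi;
# Remove temp files when the backend answers with an error.
upload_cleanup 400-599;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}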
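# Named location that actually talks to the CGI backend over the FastCGI
# socket. Reached from the upload filter (upload_pass / error_page) and from
# /cgi-bin/ via rewrite.
location @cgi {
# Shared per-IP bucket (5 r/s, burst 10) for all CGI traffic.
limit_req zone=one burst=10;
set $directive "cgi directive";
if ($http_x_requested_with = XMLHttpRequest) {
set $directive "ajax directive";
}
# Compressing dynamic responses that mix attacker-influenced input with
# secrets (session data, CSRF tokens) over TLS enables BREACH-style length
# oracles; CRIME is the TLS-compression variant of the same idea. Compression
# therefore stays off here even though it would improve performance.
# Static content (see the static location below) may still be compressed.
gzip off;
fastcgi_pass unix:/var/run/fcgi_socket;
fastcgi_read_timeout 2400;
fastcgi_index index.cgi;
# SCRIPT_FILENAME / DOCUMENT_ROOT are not set here; presumably the backend
# derives the script from REQUEST_URI -- confirm against the FastCGI server.
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param REQUEST_URI $request_uri;
# httpoxy: never let a client-supplied Proxy: header reach the CGI as
# HTTP_PROXY, where libraries would honour it as an outbound proxy.
fastcgi_param HTTP_PROXY "";
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# Backend error statuses are replaced by the server-level error_page entries.
fastcgi_intercept_errors on;
fastcgi_param HTTPS $https_on; #setting $ENV{HTTPS}
# Dynamic output is per-user: forbid shared caches and browser disk persistence
# (no-store), not just revalidation (max-age=0). Single header instead of two
# Cache-Control lines.
add_header Cache-Control "private, no-store, max-age=0";
add_header Pragma no-cache;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}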
# Legacy alias: /cgi-bin/X is re-dispatched as /cgi-mod/X and goes through
# location matching again (upload filter, streams, rate limit all still apply).
location /cgi-bin/ {
set $directive "cgi-bin";
rewrite ^/cgi-bin/(.*) /cgi-mod/$1 last;
# NOTE(review): `rewrite ... last` restarts location matching, so these
# add_header lines are never applied; the target location's headers are used.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}
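# Static assets under the firmware web root, cached for as long as the client
# will allow. Dot is now escaped: the previous unescaped `.` matched any
# character, so e.g. /foohtml or /abcjs were treated as static files too.
location ~ \.(ico|jpe?g|png|gif|js|css|txt|html|less|dat|pac|ttf)$ {
set $directive "Static images etc";
root /home/product/code/firmware/current/web/;
expires max;
# per comment above, BREACH/CRIME concerns do not apply to static content
# (no per-user secrets in the response body)
gzip on;
add_header Cache-Control public;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}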
# Site root only: serves index.html (server-level `index`) from the web root
# without the long-lived caching the static location applies.
location ~ ^/$ {
set $directive "catchall";
root /home/product/code/firmware/current/web/;
expires off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}
# Default deny: anything not matched by an explicit location above is a 404,
# so new paths must be opted in deliberately.
location / {
return 404;
}
#500 page handling, have fallback when fcgi_not running
#TODO consolidate some of this fastcgi stuff
# recursive_error_pages lets an error raised while serving an error page be
# handled by error_page again (e.g. the @cgi fallback chain above).
recursive_error_pages on;
error_page 404 /404.html;
# Static 500 page so clients get a fixed, non-leaky response when the FastCGI
# backend is down or returns a 5xx (fastcgi_intercept_errors is on).
error_page 500 501 502 503 504 505 506 507 509 510 511 598 599 /500.html;
#logo fallback for when fcgi is not running
# Exact-match location, so it takes precedence over the ^/cgi-mod/ regex:
# this endpoint bypasses the upload filter AND the @cgi limit_req, and reaches
# the FastCGI socket directly. Acceptable for a logo, but keep it in mind if
# the CGI ever does more than return an image.
location = /cgi-mod/header_logo.cgi {
set $directive "header logo directive";
fastcgi_pass unix:/var/run/fcgi_socket;
fastcgi_read_timeout 2400;
fastcgi_index header_logo.cgi;
# Same param set as @cgi (see the TODO about consolidating it).
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param REQUEST_URI $request_uri;
# httpoxy mitigation: client Proxy: header must not become HTTP_PROXY.
fastcgi_param HTTP_PROXY "";
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTPS $https_on; #setting $ENV{HTTPS}
fastcgi_intercept_errors on;
# If the backend is down or errors, fall back to the static logo file.
error_page 404 500 501 502 503 504 505 506 507 509 510 511 598 599 /images/header_logo;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
}
#end 500 page handling
}
}
# Empty events context: nginx defaults apply (worker_connections is not tuned
# here), which bounds concurrent connections per worker.
events {
}