
@nginx-gists
Last active November 10, 2022 23:56
Announcing NGINX Plus R18
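# TLS virtual server that selects its certificate and private key per
# handshake, using the SNI name sent by the client ($ssl_server_name).
server {
    listen 443 ssl;

    # Lazy loading: both paths are built from the client-supplied SNI value,
    # so /etc/ssl should contain only the .crt/.key pairs this server is
    # meant to present.
    # NOTE(review): with a variable in the path the files are read during
    # the handshake instead of at startup, so the key files presumably have
    # to be readable by the worker process user -- confirm, and keep the
    # file permissions as tight as that allows. Per-handshake loading also
    # has a performance cost.
    ssl_certificate     /etc/ssl/$ssl_server_name.crt; # Lazy load from SNI
    ssl_certificate_key /etc/ssl/$ssl_server_name.key; # ditto

    # TLSv1.1 removed from the original list: TLS 1.0 and 1.1 are formally
    # deprecated (RFC 8996). Re-add it only for a known legacy client.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://my_backend;
    }
}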
# vim: syntax=nginx
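# Certificates and private keys served straight from the NGINX Plus
# key-value store, looked up by the SNI name of each handshake.
#
# Review notes:
#  * The ssl_key zone holds private key material. Whoever can read the
#    key-value endpoints of the NGINX Plus API can read those keys, and
#    whoever can write to them can replace the certificate a site presents,
#    so the API location must be tightly access-controlled.
#  * Neither zone sets a state= file, so the entries are not persisted
#    across a restart and have to be loaded again.
keyval_zone zone=ssl_crt:10m; # Key-value store for certificate data
keyval_zone zone=ssl_key:10m; # Key-value store for private key data

keyval $ssl_server_name $crt_pem zone=ssl_crt; # Use SNI as key to obtain cert
keyval $ssl_server_name $key_pem zone=ssl_key; # Use SNI as key to obtain private key

server {
    listen 443 ssl;

    # The data: prefix makes NGINX take the PEM text from the variable
    # instead of treating the value as a file path.
    ssl_certificate     data:$crt_pem; # Certificate from key-value store
    ssl_certificate_key data:$key_pem; # Private key from key-value store

    # TLSv1.1 removed from the original list: TLS 1.0 and 1.1 are formally
    # deprecated (RFC 8996). Re-add it only for a known legacy client.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://my_backend;
    }
}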
# vim: syntax=nginx
# TCP proxy for FTP: one server block listens on the control port and on the
# whole data port range.
server {
    listen 21;          # FTP control port
    listen 40000-45000; # Data port range

    # Each connection is forwarded to the same port number it arrived on
    # ($server_port). Replace the <FTP-server-address> placeholder with the
    # real backend address.
    # NOTE(review): every port in the range accepts connections and relays
    # them to the backend, so keep the range no wider than the data ports
    # the FTP server is actually configured to use.
    proxy_pass <FTP-server-address>:$server_port;
}
# vim: syntax=nginx
# $has_cache_control: 1 when the upstream response carries a Cache-Control
# header, 0 when the header is absent.
map $upstream_http_cache_control $has_cache_control {
    default 1;
    ""      0;
}

# $is_cacheable: the Expires header value when there is one, otherwise the
# Cache-Control flag from the map above.
map $upstream_http_expires $is_cacheable {
    default $upstream_http_expires; # Use Expires value to determine cacheable
    ""      $has_cache_control;     # When absent determine cacheable from Cache-Control
}

# Health-check pass condition. "require" passes only when the variable is
# neither empty nor "0".
match cacheable {
    status 200;
    require $is_cacheable; # Has Cache-Control header OR non-zero Expires header
}

server {
    listen 80;

    location / {
        proxy_pass http://my_backend;
        # Probe "/" on each upstream server and apply the match block above.
        health_check uri=/ match=cacheable;
    }
}
# vim: syntax=nginx
# Short-lived record of the last URI requested by each client address.
# Entries expire 2 minutes after they are written (timeout=2m).
keyval_zone zone=recents:10m timeout=2m; # Maintain recent client info for 2m
keyval $remote_addr $last_uri zone=recents; # Key=client IP, Value=URI

server {
    listen 80;

    location / {
        # Assigning to the keyval variable writes the entry for this client.
        set $last_uri $uri;
        proxy_pass http://my_backend;
    }
}

# NGINX Plus API endpoint, through which the zone above can be read.
# NOTE(review): the zone pairs client IP addresses with the URIs they
# requested, so the loopback-only rule below is what keeps that data
# private. The listener itself is not bound to loopback; binding it there
# as well would add a second layer.
server {
    listen 8080;

    allow 127.0.0.1; # Local clients only
    deny all;        # Must stay after the allow rule: first match wins

    location /api/ {
        api; # No write=on parameter, so the API is read-only here
    }
}
# vim: syntax=nginx
import masker from 'mask_ip_module.js';
/**
 * js_set handler: returns the masked form of the client address.
 *
 * @param {Object} r - njs request object; only r.remoteAddress is read.
 * @returns {string} Whatever masker.maskIp() produces for that address.
 */
function maskRemoteAddress(r) {
    var clientAddr = r.remoteAddress;
    return masker.maskIp(clientAddr);
}
export default { maskRemoteAddress }
# Load the njs module and expose its masking function as an NGINX variable.
js_import main.js;
js_path /etc/nginx/njs_modules;
js_set $remote_addr_masked main.maskRemoteAddress; # Evaluated by calling the njs function

# Same layout as the usual combined format, with the client address replaced
# by its masked value.
# NOTE(review): only the address is masked. $remote_user, the full request
# line (query string included) and the referer are still logged as received.
log_format masked '$remote_addr_masked - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent"';

server {
    listen 80;

    location / {
        access_log /var/log/nginx/access_masked.log masked;
        proxy_pass http://my_backend;
    }
}
# vim: syntax=nginx
/**
 * Public (exported) function: replaces an address string with a stable
 * pseudonym printed as an IPv4 dotted quad.
 *
 * The pseudonym is the 32-bit hash of the input string, so the same input
 * always yields the same output and log lines remain correlatable.
 *
 * NOTE(review): the hash is unkeyed and 32 bits wide. The IPv4 address
 * space is small enough to enumerate, so treat the result as pseudonymised
 * rather than anonymised. Where that distinction matters, a keyed hash with
 * a secret kept outside the logs is the stronger choice.
 *
 * @param {string} addr - Address in text form.
 * @returns {string} Dotted-quad rendering of the hash.
 */
function maskIp(addr) {
    var digest = fnv32a(addr);
    return i2ipv4(digest);
}
// Private functions below //
/**
 * Computes the 32-bit FNV-1a hash of a string, one UTF-16 code unit at a
 * time. This is a fast non-cryptographic hash.
 *
 * @param {string} str - Input text.
 * @returns {number} Hash as an unsigned 32-bit integer.
 */
function fnv32a(str) {
    var hash = 2166136261; // FNV offset basis (0x811c9dc5)
    var pos = 0;
    while (pos < str.length) {
        hash ^= str.charCodeAt(pos);
        // Shift-and-add form of multiplying by the FNV prime 16777619;
        // the next XOR (or the final >>> 0) truncates back to 32 bits.
        hash += (hash << 1) + (hash << 4) + (hash << 7) + (hash << 8) + (hash << 24);
        pos += 1;
    }
    return hash >>> 0; // Reinterpret as unsigned
}
/**
 * Formats a 32-bit integer as an IPv4 "dotted-quad" string, most
 * significant byte first.
 *
 * @param {number} i - Value whose low 32 bits are rendered.
 * @returns {string} Four decimal octets joined by dots.
 */
function i2ipv4(i) {
    var octets = [
        (i >> 24) & 255,
        (i >> 16) & 255,
        (i >> 8) & 255,
        i & 255
    ];
    return octets.join('.');
}
export default {maskIp} // This module only exposes the maskIp() function
@nginx-gists

For a discussion of these files, see Announcing NGINX Plus R18
