Last active
May 4, 2017 14:18
-
-
Save snoby/1da36de63972587b54dd7f77a6ae532b to your computer and use it in GitHub Desktop.
snippet of generated nginx.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| daemon off; | |
| worker_processes 4; | |
| pid /run/nginx.pid; | |
| worker_rlimit_nofile 261120; | |
| events { | |
| multi_accept on; | |
| worker_connections 16384; | |
| use epoll; | |
| } | |
| http { | |
| set_real_ip_from 0.0.0.0/0; | |
| real_ip_header proxy_protocol; | |
| real_ip_recursive on; | |
| geoip_country /etc/nginx/GeoIP.dat; | |
| geoip_city /etc/nginx/GeoLiteCity.dat; | |
| geoip_proxy_recursive on; | |
| vhost_traffic_status_zone shared:vhost_traffic_status:10m; | |
| vhost_traffic_status_filter_by_set_key $geoip_country_code country::*; | |
| # lua section to return proper error codes when custom pages are used | |
| lua_package_path '.?.lua;/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;'; | |
| init_by_lua_block { | |
| require("error_page") | |
| } | |
| sendfile on; | |
| aio threads; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| log_subrequest on; | |
| reset_timedout_connection on; | |
| keepalive_timeout 75s; | |
| client_header_buffer_size 1k; | |
| large_client_header_buffers 4 8k; | |
| http2_max_field_size 4k; | |
| http2_max_header_size 16k; | |
| types_hash_max_size 2048; | |
| server_names_hash_max_size 2; | |
| server_names_hash_bucket_size 64; | |
| map_hash_bucket_size 64; | |
| underscores_in_headers on; | |
| ignore_invalid_headers off; | |
| include /etc/nginx/mime.types; | |
| default_type text/html; | |
| gzip on; | |
| gzip_comp_level 5; | |
| gzip_http_version 1.1; | |
| gzip_min_length 256; | |
| gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; | |
| gzip_proxied any; | |
| server_tokens on; | |
| log_format upstreaminfo '$proxy_protocol_addr - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status'; | |
| map $request_uri $loggable { | |
| default 1; | |
| } | |
| access_log /var/log/nginx/access.log upstreaminfo if=$loggable; | |
| error_log /var/log/nginx/error.log notice; | |
| resolver 100.64.0.10 valid=30s; | |
| # Retain the default nginx handling of requests without a "Connection" header | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| '' close; | |
| } | |
| # trust http_x_forwarded_proto headers correctly indicate ssl offloading | |
| map $http_x_forwarded_proto $pass_access_scheme { | |
| default $http_x_forwarded_proto; | |
| '' $scheme; | |
| } | |
| map $http_x_forwarded_port $pass_server_port { | |
| default $http_x_forwarded_port; | |
| '' $server_port; | |
| } | |
| # map port 442 to 443 for header X-Forwarded-Port | |
| map $pass_server_port $pass_port { | |
| 442 443; | |
| default $pass_server_port; | |
| } | |
| # Map a response error watching the header Content-Type | |
| map $http_accept $httpAccept { | |
| default html; | |
| application/json json; | |
| application/xml xml; | |
| text/plain text; | |
| } | |
| map $httpAccept $httpReturnType { | |
| default text/html; | |
| json application/json; | |
| xml application/xml; | |
| text text/plain; | |
| } | |
| server { | |
| server_name integration.foo.com; | |
| listen 80 proxy_protocol; | |
| listen [::]:80 proxy_protocol; | |
| listen 442 ssl http2; | |
| listen [::]:442 ssl http2; | |
| # PEM sha: d13a6f29ec1530a518416a1be975e38be5663e89 | |
| ssl_certificate /ingress-controller/ssl/prod-integration-foo-com.pem; | |
| ssl_certificate_key /ingress-controller/ssl/prod-integration-foo-com.pem; | |
| more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; "; | |
| vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; | |
| # enforce ssl on server side | |
| if ($pass_access_scheme = http) { | |
| return 301 https://$best_http_host$request_uri; | |
| } | |
| location / { | |
| set $proxy_upstream_name "prod-echomap-80"; | |
| port_in_redirect off; | |
| client_max_body_size "1m"; | |
| proxy_set_header Host $best_http_host; | |
| # Pass the extracted client certificate to the backend | |
| # Pass Real IP | |
| proxy_set_header X-Real-IP $remote_addr; | |
| # Allow websocket connections | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Host $best_http_host; | |
| proxy_set_header X-Forwarded-Port $pass_port; | |
| proxy_set_header X-Forwarded-Proto $pass_access_scheme; | |
| proxy_set_header X-Original-URI $request_uri; | |
| proxy_set_header X-Scheme $pass_access_scheme; | |
| # mitigate HTTPoxy Vulnerability | |
| # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ | |
| proxy_set_header Proxy ""; | |
| # Custom headers | |
| proxy_connect_timeout 5s; | |
| proxy_send_timeout 60s; | |
| proxy_read_timeout 60s; | |
| proxy_redirect off; | |
| proxy_buffering off; | |
| proxy_buffer_size "4k"; | |
| proxy_buffers 4 "4k"; | |
| proxy_http_version 1.1; | |
| proxy_cookie_domain off; | |
| proxy_cookie_path off; | |
| proxy_pass http://prod-echomap-80; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment