generated from 18F/open-source-policy
-
Notifications
You must be signed in to change notification settings - Fork 2
/
nginx.conf
88 lines (76 loc) · 2.74 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
worker_processes 1;
daemon off;
error_log stderr;
events { worker_connections 1024; }
http {
charset utf-8;
log_format cloudfoundry 'NginxLog "$request" $status $body_bytes_sent';
access_log /dev/stdout cloudfoundry;
default_type application/octet-stream;
tcp_nopush on;
keepalive_timeout 30;
port_in_redirect off; # Ensure that redirects don't include the internal container PORT
# Require basic auth.
auth_basic access_required;
auth_basic_user_file /home/vcap/app/http_creds;
# Additionally, require requests to be coming from within the cloud.gov network.
# First, re-set the $remote_addr from the X-Forwarded-For header.
set_real_ip_from 127.0.0.1/32;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from 52.222.122.97/32;
set_real_ip_from 52.222.123.172/32;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Based on that $remote_addr, set a variable we can check in the server block.
# (allow/deny directives should work, but for some reason I could not get them to work at any level --akf)
geo $ip_ok {
default 0;
# cloud.gov IPs and localhost (localhost for troubleshooting)
# https://cloud.gov/docs/management/static-egress/#cloudgov-egress-ranges
127.0.0.1/32 1;
52.222.122.97/32 1;
52.222.123.172/32 1;
}
server {
listen {{port}};
# IP address restriction (see http block)
if ( $ip_ok = 0 ) {
return 403;
}
location / {
# client_body_buffer_size and client_max_body_size should match, to
# ensure the $request_body will have data.
#
# We started with 8K, which is the default buffer size, and learned that
# some POSTs were 9-10K. To check whether the size is too small for your
# application, look for log messages from your log-shipper app with the
# text "client intended to send too large body"
client_body_buffer_size 16K;
client_max_body_size 16K;
lua_need_request_body on;
if ($request_method = POST) {
content_by_lua_block {
local sock = ngx.socket.tcp()
local ok, err = sock:connect("127.0.0.1", 8888)
if not ok then
ngx.log(ngx.ERR, err)
return ngx.exit(ngx.HTTP_BAD_GATEWAY)
end
local bytes, err = sock:send(ngx.var.request_body)
sock:close()
if err then
ngx.log(ngx.ERR, err)
return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
return ngx.exit(ngx.HTTP_CREATED)
}
}
if ($request_method != POST) {
# We don't want anything but POSTs.
return 400;
}
}
}
}