-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf.template
150 lines (108 loc) · 5.27 KB
/
nginx.conf.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# Copyright 2021 Proyectos y Sistemas de Mantenimiento SL (eProsima).
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Reverse-Proxy for Orchestrator redirection
# Also provides https <-> http translation
load_module modules/ngx_http_accounting_module.so;
events {
worker_connections 1024;
}
http {
# SSL config-----------------------------------------------------------------------------------------------------------
ssl_prefer_server_ciphers on;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
# The available suites that match the format can be queried doing:
# $ openssl ciphers -v 'RC4:HIGH:!aNULL:!MD%:@STRENGTH'
# special values:
# - all ciphers: ALL:eNULL
# - include all except NULL and anonymous DH: ALL:!ADH:@STRENGTH
# - include all high security suites: HIGH
# ... https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
# the value RC4:HIGH:!aNULL:!MD%:@STRENGTH; means:
# - all RC4 ciphers are included
# - all high encryption ciphers are included
# - none MD5 suites are included
# - the list is ordered from higher key strengh to lower
ssl_ciphers RC4:HIGH:!aNULL:!MD%:@STRENGTH;
ssl_session_cache shared:WEB:10m;
ssl_certificate $eProsima{certificates_root}/NodeRED_chain.pem;
ssl_certificate_key $eProsima{certificates_root}/NodeRED_privkey.pem;
# We notify all upstream servers that we are using https on the client-proxy side
proxy_set_header X-FORWARDED-PROTO https;
# Websocket forwarding-------------------------------------------------------------------------------------------------
#Defines the HTTP protocol version for proxying
#by default it it set to 1.0.
#For Websockets and keepalive connections you need to use the version 1.1
proxy_http_version 1.1;
#Sets conditions under which the response will not be taken from a cache.
proxy_cache_bypass $http_upgrade;
#These header fields are required if your application is using Websockets
proxy_set_header Upgrade $http_upgrade;
#These header fields are required if your application is using Websockets
proxy_set_header Connection "upgrade";
#The $host variable in the following order of precedence contains:
#hostname from the request line, or hostname from the Host request header field
#or the server name matching a request.
proxy_set_header Host $host;
#Forwards the real visitor remote IP address to the proxied server
proxy_set_header X-Real-IP $remote_addr;
#A list containing the IP addresses of every server the client has been proxied through
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#When used inside an HTTPS server block, each HTTP response from the proxied server is rewritten to HTTPS.
proxy_set_header X-Forwarded-Proto $scheme;
#Defines the original host requested by the client.
proxy_set_header X-Forwarded-Host $host;
#Defines the original port requested by the client.
proxy_set_header X-Forwarded-Port $server_port;
# accounting-----------------------------------------------------------------------------------------------------------
# turn on accounting function
accounting on;
accounting_log $eProsima{traffic_log_root}/traffic.log;
accounting_interval 300;
server {
listen 6339;
# Oauth2.0 token retrieval step goes through the proxy
location /oauth/token {
# redirect to the authorization server
proxy_pass $eProsima{authorization_server_url};
}
# Oauth2.0 resource server API goes through the proxy
location /api/userinfo {
# redirect to the authorization server
proxy_pass $eProsima{authorization_server_url};
}
}
server {
listen 6338 default_server ssl;
# the orchestrator that checks and routes
location / {
proxy_pass $eProsima{orchestrator_url};
}
# generic regex to redirect the servers to ports
location ~ /node_red_server/(\d+) {
accounting_id $request_uri; # per port accounting
# redirect to put a backshlash
rewrite /node_red_server/(\d+)$ /node_red_server/$1/ redirect;
# remove the /node_red_server/port/ from url
rewrite /node_red_server/(\d+)(/.*) $2 break;
# redirect to the specific port
proxy_pass http://127.0.0.1:$1;
}
# any traffic to node_red_server not captured in the most
# specific filters
location ~ /node_red_server.* {
return 401 "A port identifier is required";
}
}
}