Diffstat (limited to 'meta-ibm/recipes-httpd/nginx/files/nginx.conf')
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/files/nginx.conf | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
new file mode 100644
index 000000000..7d65183ec
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -0,0 +1,114 @@
+
+user www-data;
+worker_processes 1;
+
+error_log stderr;
+
+pid /run/nginx/nginx.pid;
+
+
+# Nginx requires this section, even if no options
+events {
+}
+
+# Note that a lot of these settings come from the OWASP Secure
+# Configuration guide for nginx
+# https://www.owasp.org/index.php/SCG_WS_nginx
+# and the mozilla security guidelines
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+
+http {
+include mime.types;
+
+# For certain locations, only allow one connection per IP
+limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+# Default log format
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+# Comment out to enable access log in /var/log/nginx/
+access_log off;
+
+client_body_timeout 30;
+client_header_timeout 10;
+keepalive_timeout 5 5;
+send_timeout 30;
+
+# Do not return nginx version to clients
+server_tokens off;
+
+client_max_body_size 100k;
+client_body_buffer_size 100K;
+client_header_buffer_size 1k;
+large_client_header_buffers 4 8k;
+
+# redirect all http traffic to https
+server {
+listen 80 default_server;
+listen [::]:80 default_server;
+server_name _;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 443 ssl;
+server_name 127.0.0.1;
+
+ssl on;
+ssl_certificate @CERTPATH@/cert.pem;
+ssl_certificate_key @CERTPATH@/cert.pem;
+ssl_session_timeout 5m;
+ssl_protocols TLSv1.2;
+ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ssl_prefer_server_ciphers on;
+
+location / {
+# This location lets us serve the static pre-compressed webui
+# content (rooted at /usr/share/www). Also if the URI points to
+# something else (that is unmatched by other locations), we
+# fallback to the rest server. This approach is based on the
+# guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
+root /usr/share/www;
+# For clients that support gzip encoding, serve them
+# pre-compressed gzip content. For clients that don't,
+# uncompress on the BMC. The module gunzip requires
+# gzip_static to be set to 'always'; gzip_static is the
+# module that serves compressed content for clients that
+# support gzip.
+gunzip on;
+gzip_static always;
+try_files $uri $uri/ @rest_server;
+}
+location @rest_server {
+# Use 127.0.0.1 instead of localhost since nginx will
+# first use ipv6 address of ::1 which the upstream server
+# is not listening on. This generates an error msg to
+# the journal. Nginx then uses the 127.0.0.1 and everything
+# works fine but want to avoid the error msg to the log.
+proxy_pass http://127.0.0.1:8081;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+}
+location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
+# Marked as 33MB to allow for firmware image updating and dump
+# downloads
+client_max_body_size 33M;
+
+# Only 1 connection at a time here from an IP
+limit_conn addr 1;
+
+proxy_pass http://127.0.0.1:8081;
+}
+location /redfish {
+proxy_pass http://127.0.0.1:8082;
+proxy_http_version 1.1;
+}
+
+include /etc/nginx/sites-enabled/443_*.conf;
+}
+} |
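Review bot: The regex in `location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump)` is unanchored, so any URI that merely contains one of those substrings (for example `/redfish/v1/foo/upload/image`, which a regex location will capture ahead of the `/redfish` prefix block) is proxied to 8081 with the 33M body limit, which defeats the 100k `client_max_body_size` the rest of the server relies on as its request-size ceiling. Anchoring the pattern keeps the larger limit on the intended endpoints only: `location ~ ^(/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {` (add a trailing `$` as well if none of these endpoints take sub-paths, which the diff does not show). Although the header comment cites the Mozilla TLS guidelines, the 443 server sets no `Strict-Transport-Security` header (nor the OWASP-recommended `X-Content-Type-Options`/`X-Frame-Options`), so the port-80 `return 301` does not prevent a client's first request from going out in plaintext; `add_header Strict-Transport-Security "max-age=31536000" always;` inside that server closes the gap. `ssl on;` is redundant with `listen 443 ssl` and has been deprecated in favour of the listen parameter, so it can be dropped.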