Diffstat (limited to 'meta-ibm/recipes-httpd/nginx/files/nginx.conf')
1 files changed, 114 insertions, 0 deletions
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
new file mode 100644
index 000000000..7d65183ec
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -0,0 +1,114 @@
+user www-data;
+worker_processes 1;
+error_log stderr;
+pid /run/nginx/;
+# Nginx requires this section, even if no options
+events {
+# Note that a lot of these settings come from the OWASP Secure
+# Configuration guide for nginx
+# and the mozilla security guidelines
+http {
+ include mime.types;
+ # For certain locations, only allow one connection per IP
+ limit_conn_zone $binary_remote_addr zone=addr:10m;
+ # Default log format
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ # Comment out to enable access log in /var/log/nginx/
+ access_log off;
+ client_body_timeout 30;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 30;
+ # Do not return nginx version to clients
+ server_tokens off;
+ client_max_body_size 100k;
+ client_body_buffer_size 100K;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 8k;
+ # redirect all http traffic to https
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+ server {
+ listen 443 ssl;
+ server_name;
+ ssl on;
+ ssl_certificate @CERTPATH@/cert.pem;
+ ssl_certificate_key @CERTPATH@/cert.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ location / {
+ # This location lets us serve the static pre-compressed webui
+ # content (rooted at /usr/share/www). Also if the URI points to
+ # something else (that is unmatched by other locations), we
+ # fallback to the rest server. This approach is based on the
+ # guide at
+ root /usr/share/www;
+ # For clients that support gzip encoding, serve them
+ # pre-compressed gzip content. For clients that don't,
+ # uncompress on the BMC. The module gunzip requires
+ # gzip_static to be set to 'always'; gzip_static is the
+ # module that serves compressed content for clients that
+ # support gzip.
+ gunzip on;
+ gzip_static always;
+ try_files $uri $uri/ @rest_server;
+ }
+ location @rest_server {
+ # Use instead of localhost since nginx will
+ # first use ipv6 address of ::1 which the upstream server
+ # is not listening on. This generates an error msg to
+ # the journal. Nginx then uses the and everything
+ # works fine but want to avoid the error msg to the log.
+ proxy_pass;
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
+ # Marked as 33MB to allow for firmware image updating and dump
+ # downloads
+ client_max_body_size 33M;
+ # Only 1 connection at a time here from an IP
+ limit_conn addr 1;
+ proxy_pass;
+ }
+ location /redfish {
+ proxy_pass;
+ proxy_http_version 1.1;
+ }
+ include /etc/nginx/sites-enabled/443_*.conf;
+ }