# Worker processes run as this unprivileged user; when nginx is started
# as root, only the master process (which binds the ports and reads the
# TLS key) keeps root.
user www-data;
worker_processes 1;
# Errors go to stderr instead of a file, i.e. to whatever supervises the
# nginx process (presumably the init system's journal -- confirm).
error_log stderr;
pid /run/nginx/nginx.pid;
# Nginx requires this section, even if no options
events {
}
# Note that a lot of these settings come from the OWASP Secure
# Configuration guide for nginx
# https://www.owasp.org/index.php/SCG_WS_nginx
# and the mozilla security guidelines
# https://wiki.mozilla.org/Security/Server_Side_TLS
http {
include mime.types;
# For certain locations, only allow one connection per IP.
# Shared-memory zone "addr" (10 MB) keyed by the client address; it is
# consumed by the `limit_conn addr 1` in the upload/download location
# further down.
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Default log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Comment out to enable access log in /var/log/nginx/
# NOTE(review): with the access log off there is no per-request audit
# trail from the proxy for incident response; only error_log (stderr)
# remains. Weigh that against storage cost on the BMC before leaving it
# disabled.
access_log off;
# Bound how long a client may take to send headers/body, how long idle
# keep-alive connections are held, and how long a stalled response
# send may take, so slow or stuck clients cannot pin worker connections
# indefinitely.
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 30;
# Do not return nginx version to clients
server_tokens off;
# Default request-body cap (100 kB). The firmware-update / dump location
# below raises it to 33M for its own URIs only.
client_max_body_size 100k;
client_body_buffer_size 100K;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
# redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# Permanent redirect that preserves the request path; $host is taken
# from the request's Host header.
return 301 https://$host$request_uri;
}
server {
# TLS is enabled by the `ssl` parameter on listen.
listen 443 ssl;
# Only server on port 443 in this file, so it also receives requests for
# any other Host name.
server_name 127.0.0.1;
# NOTE(review): `ssl on;` is redundant with `listen 443 ssl` above and
# has been deprecated since nginx 1.15.0 (and removed in later
# releases); drop it once the target nginx version is confirmed.
ssl on;
# @CERTPATH@ is substituted at build/install time. The key directive
# points at the same cert.pem, so that file must be a combined
# certificate+key PEM -- meaning it holds private key material and must
# not be readable by anything but the nginx master process.
ssl_certificate @CERTPATH@/cert.pem;
ssl_certificate_key @CERTPATH@/cert.pem;
# Session-reuse window. No ssl_session_cache is configured here and
# ssl_session_tickets is left at its default (on).
ssl_session_timeout 5m;
# TLS 1.2 only; SSLv3 and TLS 1.0/1.1 handshakes are refused.
ssl_protocols TLSv1.2;
# ECDHE-only suites (forward secrecy); AEAD (GCM / ChaCha20-Poly1305)
# suites are listed before the CBC-SHA2 fallbacks, and the server's
# order wins because of ssl_prefer_server_ciphers below.
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
# NOTE(review): no Strict-Transport-Security header is sent from this
# server block even though port 80 is redirected to HTTPS; consider
# `add_header Strict-Transport-Security "max-age=<SECONDS>" always;`
# (placeholder value) once all clients are known to reach the BMC over
# TLS only.
location / {
# This location lets us serve the static pre-compressed webui
# content (rooted at /usr/share/www). Also if the URI points to
# something else (that is unmatched by other locations), we
# fallback to the rest server. This approach is based on the
# guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
root /usr/share/www;
# For clients that support gzip encoding, serve them
# pre-compressed gzip content. For clients that don't,
# uncompress on the BMC. The module gunzip requires
# gzip_static to be set to 'always'; gzip_static is the
# module that serves compressed content for clients that
# support gzip.
gunzip on;
gzip_static always;
# Try the file, then the directory, then hand anything unmatched to the
# REST backend named below.
try_files $uri $uri/ @rest_server;
}
location @rest_server {
# Use 127.0.0.1 instead of localhost: nginx would first try the
# IPv6 address ::1, which the upstream server is not listening on.
# That logs an error to the journal before nginx falls back to
# 127.0.0.1 and everything works; using the literal address avoids
# the spurious error message.
proxy_pass http://127.0.0.1:8081;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): Connection "upgrade" is sent on every proxied request,
# not only on WebSocket handshakes. The nginx WebSocket guide recommends
# a `map $http_upgrade $connection_upgrade` block so that ordinary
# requests get `close` instead; verify the backend tolerates the
# unconditional header.
proxy_set_header Connection "upgrade";
# Set to the peer address rather than $proxy_add_x_forwarded_for, so any
# client-supplied X-Forwarded-For is replaced, not appended: the backend
# only ever sees the address nginx itself observed.
proxy_set_header X-Forwarded-For $remote_addr;
}
# NOTE(review): this regex is unanchored, so it matches the listed paths
# anywhere in the URI rather than only at the start; anchoring with `^`
# would keep the larger body limit and the connection cap scoped to the
# intended endpoints.
location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
# Marked as 33MB to allow for firmware image updating and dump
# downloads
client_max_body_size 33M;
# Only 1 connection at a time here from an IP
# (uses the "addr" zone declared at the top of the http block; excess
# connections are rejected, 503 by default).
limit_conn addr 1;
# Unlike @rest_server, no X-Forwarded-For / Upgrade headers are set for
# these endpoints -- presumably not needed here; confirm.
proxy_pass http://127.0.0.1:8081;
}
location /redfish {
# Redfish service lives on a separate backend port.
proxy_pass http://127.0.0.1:8082;
proxy_http_version 1.1;
}
# Drop-in fragments for this TLS server block.
include /etc/nginx/sites-enabled/443_*.conf;
}
}