blob: c94554435f98a573a345275eb1c7f57c212cf19f [file] [log] [blame]
user www-data;
worker_processes 1;
error_log stderr;
pid /run/nginx/nginx.pid;
# Nginx requires this section, even if no options
events {
}
# Note that a lot of these settings come from the OWASP Secure
# Configuration guide for nginx
# https://www.owasp.org/index.php/SCG_WS_nginx
http {
include mime.types;
# For certain locations, only allow one connection per IP
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Default log format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Comment out to enable access log in /var/log/nginx/
access_log off;
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# Do not return nginx version to clients
server_tokens off;
client_max_body_size 100k;
client_body_buffer_size 100K;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
# redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name 127.0.0.1;
ssl on;
ssl_certificate @CERTPATH@/cert.pem;
ssl_certificate_key @CERTPATH@/cert.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
ssl_prefer_server_ciphers on;
location / {
# Use 127.0.0.1 instead of localhost since nginx will
# first use ipv6 address of ::1 which the upstream server
# is not listening on. This generates an error msg to
# the journal. Nginx then uses the 127.0.0.1 and everything
# works fine but want to avoid the error msg to the log.
proxy_pass http://127.0.0.1:8081/;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
# Marked as 32MB to allow for firmware image updating and dump
# downloads
client_max_body_size 32M;
# Only 1 connection at a time here from an IP
limit_conn addr 1;
proxy_pass http://127.0.0.1:8081;
}
include /etc/nginx/sites-enabled/443_*.conf;
}
}