# Main (top-level) context: where diagnostics go, where the pid file
# lives, and which identity/process model the workers use.

# Errors are written to stderr; presumably the service manager's journal
# collects them (the comments further down refer to "the journal").
error_log stderr;

# Pid file; nginx must be able to write into /run/nginx at start-up.
pid /run/nginx/nginx.pid;

# Workers drop to www-data. A single worker is enough for this front-end.
user www-data;
worker_processes 1;

# The events context is mandatory even when every setting stays at its
# default, so it is left empty on purpose.
events {
}

# Many of the directives below follow the OWASP Secure Configuration
# guide for nginx: https://www.owasp.org/index.php/SCG_WS_nginx
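http {
    include mime.types;

    # Shared-memory zone keyed by client address. It is consumed by the
    # upload/dump location below to cap concurrent connections per IP.
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Default log format (only matters once access_log is turned back on).
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Comment out to enable access log in /var/log/nginx/
    access_log off;

    # Short timeouts bound how long a slow or idle client can hold a
    # worker connection (slowloris-style resource exhaustion).
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;

    # Do not return nginx version to clients
    server_tokens off;

    # Small default request/header limits; the firmware/dump location
    # raises client_max_body_size for itself only.
    client_max_body_size 100k;
    client_body_buffer_size 100K;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;

    server {
        # "ssl" on the listen line is what enables TLS for this socket.
        # The old stand-alone "ssl on;" directive was dropped: it is
        # deprecated since nginx 1.15.0 and was redundant with this listen.
        # Note that listen without an address binds on every interface;
        # server_name only selects the virtual host, it does not restrict
        # who may connect.
        listen 8081 ssl;
        server_name 127.0.0.1;

        # Certificate and key are read from the same file, so
        # @CERTPATH@/cert.pem (substituted at build time, presumably) must
        # contain both the certificate and the private key.
        ssl_certificate @CERTPATH@/cert.pem;
        ssl_certificate_key @CERTPATH@/cert.pem;
        ssl_session_timeout 5m;

        # TLS 1.2 only; older protocol versions are refused.
        ssl_protocols TLSv1.2;

        # Cipher list, AEAD/ECDHE first. The explicit DES-CBC3 (3DES)
        # suites were removed: in OpenSSL "!DES" excludes only single DES,
        # so the 64-bit-block 3DES suites were still being offered. TLS 1.2
        # mandates AES-128-CBC support (RFC 5246) and this server is
        # TLS 1.2 only, so no legitimate client depends on 3DES. "!3DES"
        # also keeps the HIGH alias from re-adding them.
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:@STRENGTH";

        ssl_prefer_server_ciphers on;

        location / {
            # Use 127.0.0.1 instead of localhost since nginx will
            # first use ipv6 address of ::1 which the upstream server
            # is not listening on. This generates an error msg to
            # the journal. Nginx then uses the 127.0.0.1 and everything
            # works fine but want to avoid the error msg to the log.
            #
            # proxy_ssl_verify defaults to off, so the upstream's
            # certificate is not checked; that is only acceptable because
            # the upstream is reached over loopback.
            proxy_pass https://127.0.0.1:443/;
        }

        # Firmware update, image upload and dump download endpoints.
        # NOTE: this regex is unanchored, so any URI that merely contains
        # one of these paths also gets the larger body limit and the
        # per-IP connection cap.
        location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
            # Marked as 32MB to allow for firmware image updating and dump
            # downloads
            client_max_body_size 32M;

            # Only 1 connection at a time here from an IP
            limit_conn addr 1;

            # No URI part here: nginx does not allow one in a regex location.
            proxy_pass https://127.0.0.1:443;
        }

        include /etc/nginx/sites-enabled/443_*.conf;
    }
}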