Blame - recipes-httpd/nginx/files/nginx.conf - openbmc/meta-ibm

blob: c94554435f98a573a345275eb1c7f57c212cf19f [file] [log] [blame]

causten	508f7b5	2017-09-26 11:08:47 -0500	[diff] [blame]	1
				2	user www-data;
				3	worker_processes 1;
				4
				5	error_log stderr;
				6
				7	pid /run/nginx/nginx.pid;
				8
				9
				10	# Nginx requires this section, even if no options
				11	events {
				12	}
				13
				14	# Note that a lot of these settings come from the OWASP Secure
				15	# Configuration guide for nginx
				16	# https://www.owasp.org/index.php/SCG_WS_nginx
				17
				18	http {
				19	include mime.types;
				20
				21	# For certain locations, only allow one connection per IP
				22	limit_conn_zone $binary_remote_addr zone=addr:10m;
				23
				24	# Default log format
				25	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
				26	'$status $body_bytes_sent "$http_referer" '
				27	'"$http_user_agent" "$http_x_forwarded_for"';
				28
				29	# Comment out to enable access log in /var/log/nginx/
				30	access_log off;
				31
				32	client_body_timeout 10;
				33	client_header_timeout 10;
				34	keepalive_timeout 5 5;
				35	send_timeout 10;
				36
				37	# Do not return nginx version to clients
				38	server_tokens off;
				39
				40	client_max_body_size 100k;
				41	client_body_buffer_size 100K;
				42	client_header_buffer_size 1k;
				43	large_client_header_buffers 4 8k;
				44
Chris Austen	c0f03ac	2017-09-29 18:30:03 -0500	[diff] [blame]	45	# redirect all http traffic to https
causten	508f7b5	2017-09-26 11:08:47 -0500	[diff] [blame]	46	server {
Chris Austen	c0f03ac	2017-09-29 18:30:03 -0500	[diff] [blame]	47	listen 80 default_server;
				48	listen [::]:80 default_server;
				49	server_name _;
				50	return 301 https://$host$request_uri;
				51	}
				52
				53	server {
				54	listen 443 ssl;
causten	508f7b5	2017-09-26 11:08:47 -0500	[diff] [blame]	55	server_name 127.0.0.1;
				56
				57	ssl on;
				58	ssl_certificate @CERTPATH@/cert.pem;
				59	ssl_certificate_key @CERTPATH@/cert.pem;
				60	ssl_session_timeout 5m;
				61	ssl_protocols TLSv1.2;
				62	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
				63
				64	ssl_prefer_server_ciphers on;
				65
				66	location / {
				67	# Use 127.0.0.1 instead of localhost since nginx will
				68	# first use ipv6 address of ::1 which the upstream server
				69	# is not listening on. This generates an error msg to
				70	# the journal. Nginx then uses the 127.0.0.1 and everything
				71	# works fine but want to avoid the error msg to the log.
Chris Austen	c0f03ac	2017-09-29 18:30:03 -0500	[diff] [blame]	72	proxy_pass http://127.0.0.1:8081/;
Andrew Geissler	aca0a2e	2018-04-10 10:44:14 -0700	[diff] [blame^]	73
				74	# WebSocket support
				75	proxy_http_version 1.1;
				76	proxy_set_header Upgrade $http_upgrade;
				77	proxy_set_header Connection "upgrade";
causten	508f7b5	2017-09-26 11:08:47 -0500	[diff] [blame]	78	}
				79	location ~ (/org/openbmc/control/flash/bmc/action/update\|/upload/image\|/download/dump) {
				80	# Marked as 32MB to allow for firmware image updating and dump
				81	# downloads
				82	client_max_body_size 32M;
				83
				84	# Only 1 connection at a time here from an IP
				85	limit_conn addr 1;
				86
Chris Austen	c0f03ac	2017-09-29 18:30:03 -0500	[diff] [blame]	87	proxy_pass http://127.0.0.1:8081;
causten	508f7b5	2017-09-26 11:08:47 -0500	[diff] [blame]	88	}
				89
				90	include /etc/nginx/sites-enabled/443_*.conf;
				91	}
				92	}