blob: be7faf92f09e29c30b97cf3bd7d9cadd3ed6e9a2 [file] [log] [blame]
causten508f7b52017-09-26 11:08:47 -05001
2user www-data;
3worker_processes 1;
4
5error_log stderr;
6
7pid /run/nginx/nginx.pid;
8
9
10# Nginx requires this section, even if no options
11events {
12}
13
14# Note that a lot of these settings come from the OWASP Secure
15# Configuration guide for nginx
16# https://www.owasp.org/index.php/SCG_WS_nginx
Joseph Reynolds8202b262018-08-30 21:39:37 -050017# and the OWASP Secure Headers project
18# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Andrew Geisslerf3fee442018-05-31 07:02:43 -070019# and the mozilla security guidelines
20# https://wiki.mozilla.org/Security/Server_Side_TLS
causten508f7b52017-09-26 11:08:47 -050021
22http {
23 include mime.types;
24
25 # For certain locations, only allow one connection per IP
26 limit_conn_zone $binary_remote_addr zone=addr:10m;
27
28 # Default log format
29 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
30 '$status $body_bytes_sent "$http_referer" '
31 '"$http_user_agent" "$http_x_forwarded_for"';
32
33 # Comment out to enable access log in /var/log/nginx/
34 access_log off;
35
Andrew Geissler00786372018-05-15 07:08:55 -070036 client_body_timeout 30;
causten508f7b52017-09-26 11:08:47 -050037 client_header_timeout 10;
38 keepalive_timeout 5 5;
Andrew Geissler00786372018-05-15 07:08:55 -070039 send_timeout 30;
causten508f7b52017-09-26 11:08:47 -050040
41 # Do not return nginx version to clients
42 server_tokens off;
43
44 client_max_body_size 100k;
45 client_body_buffer_size 100K;
46 client_header_buffer_size 1k;
47 large_client_header_buffers 4 8k;
48
Chris Austenc0f03ac2017-09-29 18:30:03 -050049 # redirect all http traffic to https
causten508f7b52017-09-26 11:08:47 -050050 server {
Chris Austenc0f03ac2017-09-29 18:30:03 -050051 listen 80 default_server;
52 listen [::]:80 default_server;
53 server_name _;
54 return 301 https://$host$request_uri;
55 }
56
57 server {
58 listen 443 ssl;
causten508f7b52017-09-26 11:08:47 -050059 server_name 127.0.0.1;
60
61 ssl on;
62 ssl_certificate @CERTPATH@/cert.pem;
63 ssl_certificate_key @CERTPATH@/cert.pem;
64 ssl_session_timeout 5m;
65 ssl_protocols TLSv1.2;
Andrew Geisslerf3fee442018-05-31 07:02:43 -070066 ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
causten508f7b52017-09-26 11:08:47 -050067 ssl_prefer_server_ciphers on;
68
Joseph Reynolds8202b262018-08-30 21:39:37 -050069 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
70
causten508f7b52017-09-26 11:08:47 -050071 location / {
Deepak Kodihalli723539f2018-07-30 03:41:43 -050072 # This location lets us serve the static pre-compressed webui
73 # content (rooted at /usr/share/www). Also if the URI points to
74 # something else (that is unmatched by other locations), we
75 # fallback to the rest server. This approach is based on the
76 # guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
77 root /usr/share/www;
78 # For clients that support gzip encoding, serve them
79 # pre-compressed gzip content. For clients that don't,
80 # uncompress on the BMC. The module gunzip requires
81 # gzip_static to be set to 'always'; gzip_static is the
82 # module that serves compressed content for clients that
83 # support gzip.
84 gunzip on;
85 gzip_static always;
86 try_files $uri $uri/ @rest_server;
Joseph Reynolds8202b262018-08-30 21:39:37 -050087
88 add_header X-Frame-Options deny;
89 add_header X-XSS-Protection "1; mode=block";
90 add_header X-Content-Type-Options nosniff;
91 add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'";
92 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
93 add_header Cache-Control "no-store,no-cache";
94 add_header Pragma "no-cache";
95 add_header Expires 0;
Deepak Kodihalli723539f2018-07-30 03:41:43 -050096 }
97 location @rest_server {
causten508f7b52017-09-26 11:08:47 -050098 # Use 127.0.0.1 instead of localhost since nginx will
99 # first use ipv6 address of ::1 which the upstream server
100 # is not listening on. This generates an error msg to
101 # the journal. Nginx then uses the 127.0.0.1 and everything
102 # works fine but want to avoid the error msg to the log.
Deepak Kodihalli723539f2018-07-30 03:41:43 -0500103 proxy_pass http://127.0.0.1:8081;
Andrew Geissleraca0a2e2018-04-10 10:44:14 -0700104
105 # WebSocket support
106 proxy_http_version 1.1;
107 proxy_set_header Upgrade $http_upgrade;
108 proxy_set_header Connection "upgrade";
Alexander Filippov77722e52018-09-12 14:31:22 +0300109 proxy_set_header X-Forwarded-For $remote_addr;
causten508f7b52017-09-26 11:08:47 -0500110 }
111 location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
Lei YU8344b232018-05-23 14:36:00 +0800112 # Marked as 33MB to allow for firmware image updating and dump
causten508f7b52017-09-26 11:08:47 -0500113 # downloads
Lei YU8344b232018-05-23 14:36:00 +0800114 client_max_body_size 33M;
causten508f7b52017-09-26 11:08:47 -0500115
116 # Only 1 connection at a time here from an IP
117 limit_conn addr 1;
118
Chris Austenc0f03ac2017-09-29 18:30:03 -0500119 proxy_pass http://127.0.0.1:8081;
causten508f7b52017-09-26 11:08:47 -0500120 }
Andrew Geisslerb86af8b2018-07-16 13:01:49 -0700121 location /redfish {
122 proxy_pass http://127.0.0.1:8082;
123 proxy_http_version 1.1;
124 }
causten508f7b52017-09-26 11:08:47 -0500125
126 include /etc/nginx/sites-enabled/443_*.conf;
127 }
128}