# Worker processes run unprivileged as www-data. (The nginx master
# process, which binds the listening ports and reads the TLS key file,
# keeps the identity it was started with.)
user www-data;

# The BMC's management workload is small; one worker is enough.
worker_processes 1;

# Errors go to stderr, presumably so the service manager (journal under
# systemd) collects them rather than a file on the flash.
error_log stderr;

pid /run/nginx/nginx.pid;

# The events context is mandatory even when every setting stays at its
# default.
events {
}

# Note that many of these settings come from the OWASP Secure
# Configuration Guide for nginx
# https://www.owasp.org/index.php/SCG_WS_nginx
# and the Mozilla server-side TLS guidelines
# https://wiki.mozilla.org/Security/Server_Side_TLS
# Not every recommendation is adopted unchanged (for example, access
# logging is disabled below); see the comments on individual directives.

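http {
    include mime.types;

    # One connection-counting zone keyed by client address. It is only
    # enforced (limit_conn) in the firmware-upload / dump location below,
    # so ordinary REST and webui traffic is not connection-limited here.
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Derive the Connection header we send upstream from the client's
    # Upgrade header: real WebSocket handshakes get "upgrade", everything
    # else gets "close". Sending "Connection: upgrade" unconditionally on
    # plain requests is not what the upstream expects.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Default log format (only used if access_log is re-enabled).
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Access logging is off, presumably to spare flash/RAM on the BMC.
    # Be aware this also removes the most useful forensic record of which
    # client hit which endpoint. Comment out to enable the access log in
    # /var/log/nginx/ (e.g. "access_log /var/log/nginx/access.log main;").
    access_log off;

    # Short timeouts bound how long a slow or idle client can occupy a
    # connection (slowloris-style resource exhaustion).
    client_body_timeout 30;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 30;

    # Do not return the nginx version in Server: headers or error pages.
    server_tokens off;

    # Request size limits. 100k is ample for a normal REST call; the few
    # endpoints that legitimately need a large body override this below.
    # large_client_header_buffers also caps the request line, so URIs
    # longer than 8k are rejected with 414.
    client_max_body_size 100k;
    client_body_buffer_size 100K;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;

    # Plain HTTP: redirect all traffic to HTTPS. $host is taken from the
    # client's Host header (nginx rejects syntactically invalid values),
    # so the redirect target is client-controlled but confined to port
    # 443 of whatever name the client already used.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        # Listen on both address families. The port 80 server above
        # accepts IPv6 clients, so without a [::]:443 listener an IPv6
        # client would be redirected to a port nothing is bound to.
        # ("ssl" on listen replaces the deprecated "ssl on;" directive.)
        listen 443 ssl;
        listen [::]:443 ssl;
        # This is the only server on 443, so it is the default for that
        # port regardless of the Host header the client sends.
        server_name 127.0.0.1;

        # Certificate and private key are in the same PEM file. The file
        # is read by the master process at startup, so it can and should
        # be readable by root only, not by www-data.
        ssl_certificate @CERTPATH@/cert.pem;
        ssl_certificate_key @CERTPATH@/cert.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;
        # Forward-secret ECDHE suites only. AEAD suites (GCM, CHACHA20)
        # are listed first; the trailing CBC SHA256/SHA384 suites are
        # kept for older clients and could be dropped if none remain.
        ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
        ssl_prefer_server_ciphers on;

        # Browser hardening headers from the guides referenced above,
        # sent on every response from this server including error pages
        # ("always"). Strict-Transport-Security is deliberately NOT set:
        # BMCs are typically deployed with a self-signed certificate, and
        # HSTS makes the browser's certificate-warning bypass impossible,
        # which would lock operators out. Enable HSTS only once a
        # CA-issued certificate is installed.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;

        location / {
            # Serve the static pre-compressed webui content (rooted at
            # /usr/share/www). Anything that is not a file there, and is
            # not matched by another location, falls back to the REST
            # server. Based on
            # https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
            root /usr/share/www;
            # gzip_static serves the pre-compressed .gz files to clients
            # that accept gzip; gunzip decompresses them on the BMC for
            # clients that do not. gunzip requires gzip_static 'always'.
            gunzip on;
            gzip_static always;
            try_files $uri $uri/ @rest_server;
        }

        location @rest_server {
            # Use 127.0.0.1 instead of localhost: nginx would try the
            # IPv6 address ::1 first, which the upstream does not listen
            # on, log an error to the journal, and only then fall back
            # to 127.0.0.1.
            proxy_pass http://127.0.0.1:8081;

            # WebSocket support. Connection is "upgrade" only for real
            # upgrade requests (see the map in the http context).
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # $remote_addr rather than $proxy_add_x_forwarded_for: any
            # client-supplied X-Forwarded-For is replaced, not appended,
            # so the upstream cannot be fed a spoofed source address.
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # Endpoints that legitimately carry large bodies (firmware image
        # update, dump download). The regex is anchored with ^ so the
        # relaxed body limit applies only to these path prefixes, not to
        # any URI that merely contains one of the strings.
        location ~ ^(/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
            # 33MB allows for firmware image updating and dump downloads.
            client_max_body_size 33M;

            # Only one connection at a time per client address.
            limit_conn addr 1;

            proxy_pass http://127.0.0.1:8081;
            # Same source-address handling as @rest_server.
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        location /redfish {
            proxy_pass http://127.0.0.1:8082;
            proxy_http_version 1.1;
            # Same source-address handling as @rest_server.
            proxy_set_header X-Forwarded-For $remote_addr;
        }

        # Drop-in additions for this TLS server (extra locations etc.).
        include /etc/nginx/sites-enabled/443_*.conf;
    }
}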
115}