Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / d03dd4f0e1724d7bd250c56f909e35bf11dd9b0c / . / meta-openbmc-machines / meta-openpower / meta-ibm / recipes-httpd / nginx / files / nginx.conf
blob: c94554435f98a573a345275eb1c7f57c212cf19f [file] [log] [blame]
causten13cd0ca2017-09-26 11:08:47 -0500[diff] [blame]1
2user www-data;
3worker_processes 1;
4
5error_log stderr;
6
7pid /run/nginx/nginx.pid;
8
9
10# Nginx requires this section, even if no options
11events {
12}
13
14# Note that a lot of these settings come from the OWASP Secure
15# Configuration guide for nginx
16# https://www.owasp.org/index.php/SCG_WS_nginx
17
18http {
19 include mime.types;
20
21 # For certain locations, only allow one connection per IP
22 limit_conn_zone $binary_remote_addr zone=addr:10m;
23
24 # Default log format
25 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
26 '$status $body_bytes_sent "$http_referer" '
27 '"$http_user_agent" "$http_x_forwarded_for"';
28
29 # Comment out to enable access log in /var/log/nginx/
30 access_log off;
31
32 client_body_timeout 10;
33 client_header_timeout 10;
34 keepalive_timeout 5 5;
35 send_timeout 10;
36
37 # Do not return nginx version to clients
38 server_tokens off;
39
40 client_max_body_size 100k;
41 client_body_buffer_size 100K;
42 client_header_buffer_size 1k;
43 large_client_header_buffers 4 8k;
44
Chris Austen7584d432017-09-29 18:30:03 -0500[diff] [blame]45 # redirect all http traffic to https
causten13cd0ca2017-09-26 11:08:47 -0500[diff] [blame]46 server {
Chris Austen7584d432017-09-29 18:30:03 -0500[diff] [blame]47 listen 80 default_server;
48 listen [::]:80 default_server;
49 server_name _;
50 return 301 https://$host$request_uri;
51 }
52
53 server {
54 listen 443 ssl;
causten13cd0ca2017-09-26 11:08:47 -0500[diff] [blame]55 server_name 127.0.0.1;
56
57 ssl on;
58 ssl_certificate @CERTPATH@/cert.pem;
59 ssl_certificate_key @CERTPATH@/cert.pem;
60 ssl_session_timeout 5m;
61 ssl_protocols TLSv1.2;
62 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
63
64 ssl_prefer_server_ciphers on;
65
66 location / {
67 # Use 127.0.0.1 instead of localhost since nginx will
68 # first use ipv6 address of ::1 which the upstream server
69 # is not listening on. This generates an error msg to
70 # the journal. Nginx then uses the 127.0.0.1 and everything
71 # works fine but want to avoid the error msg to the log.
Chris Austen7584d432017-09-29 18:30:03 -0500[diff] [blame]72 proxy_pass http://127.0.0.1:8081/;
Andrew Geisslerd03dd4f2018-04-10 10:44:14 -0700[diff] [blame^]73
74 # WebSocket support
75 proxy_http_version 1.1;
76 proxy_set_header Upgrade $http_upgrade;
77 proxy_set_header Connection "upgrade";
causten13cd0ca2017-09-26 11:08:47 -0500[diff] [blame]78 }
79 location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
80 # Marked as 32MB to allow for firmware image updating and dump
81 # downloads
82 client_max_body_size 32M;
83
84 # Only 1 connection at a time here from an IP
85 limit_conn addr 1;
86
Chris Austen7584d432017-09-29 18:30:03 -0500[diff] [blame]87 proxy_pass http://127.0.0.1:8081;
causten13cd0ca2017-09-26 11:08:47 -0500[diff] [blame]88 }
89
90 include /etc/nginx/sites-enabled/443_*.conf;
91 }
92}