causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 1 | |
| 2 | user www-data; |
| 3 | worker_processes 1; |
| 4 | |
| 5 | error_log stderr; |
| 6 | |
| 7 | pid /run/nginx/nginx.pid; |
| 8 | |
| 9 | |
| 10 | # Nginx requires this section, even if no options |
| 11 | events { |
| 12 | } |
| 13 | |
| 14 | # Note that a lot of these settings come from the OWASP Secure |
| 15 | # Configuration guide for nginx |
| 16 | # https://www.owasp.org/index.php/SCG_WS_nginx |
Joseph Reynolds | 4028f33 | 2018-08-30 21:39:37 -0500 | [diff] [blame] | 17 | # and the OWASP Secure Headers project |
| 18 | # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project |
Andrew Geissler | ca4097f | 2018-05-31 07:02:43 -0700 | [diff] [blame] | 19 | # and the mozilla security guidelines |
| 20 | # https://wiki.mozilla.org/Security/Server_Side_TLS |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 21 | |
| 22 | http { |
| 23 | include mime.types; |
| 24 | |
| 25 | # For certain locations, only allow one connection per IP |
| 26 | limit_conn_zone $binary_remote_addr zone=addr:10m; |
| 27 | |
| 28 | # Default log format |
| 29 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
| 30 | '$status $body_bytes_sent "$http_referer" ' |
| 31 | '"$http_user_agent" "$http_x_forwarded_for"'; |
| 32 | |
| 33 | # Comment out to enable access log in /var/log/nginx/ |
| 34 | access_log off; |
| 35 | |
Andrew Geissler | 86add11 | 2018-05-15 07:08:55 -0700 | [diff] [blame] | 36 | client_body_timeout 30; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 37 | client_header_timeout 10; |
| 38 | keepalive_timeout 5 5; |
Andrew Geissler | 86add11 | 2018-05-15 07:08:55 -0700 | [diff] [blame] | 39 | send_timeout 30; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 40 | |
| 41 | # Do not return nginx version to clients |
| 42 | server_tokens off; |
| 43 | |
| 44 | client_max_body_size 100k; |
| 45 | client_body_buffer_size 100K; |
| 46 | client_header_buffer_size 1k; |
| 47 | large_client_header_buffers 4 8k; |
| 48 | |
Chris Austen | 7584d43 | 2017-09-29 18:30:03 -0500 | [diff] [blame] | 49 | # redirect all http traffic to https |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 50 | server { |
Chris Austen | 7584d43 | 2017-09-29 18:30:03 -0500 | [diff] [blame] | 51 | listen 80 default_server; |
| 52 | listen [::]:80 default_server; |
| 53 | server_name _; |
| 54 | return 301 https://$host$request_uri; |
| 55 | } |
| 56 | |
| 57 | server { |
| 58 | listen 443 ssl; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 59 | server_name 127.0.0.1; |
| 60 | |
| 61 | ssl on; |
| 62 | ssl_certificate @CERTPATH@/cert.pem; |
| 63 | ssl_certificate_key @CERTPATH@/cert.pem; |
| 64 | ssl_session_timeout 5m; |
| 65 | ssl_protocols TLSv1.2; |
Andrew Geissler | ca4097f | 2018-05-31 07:02:43 -0700 | [diff] [blame] | 66 | ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 67 | ssl_prefer_server_ciphers on; |
| 68 | |
Joseph Reynolds | 4028f33 | 2018-08-30 21:39:37 -0500 | [diff] [blame] | 69 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; |
| 70 | |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 71 | location / { |
Deepak Kodihalli | ef18a48 | 2018-07-30 03:41:43 -0500 | [diff] [blame] | 72 | # This location lets us serve the static pre-compressed webui |
| 73 | # content (rooted at /usr/share/www). Also if the URI points to |
| 74 | # something else (that is unmatched by other locations), we |
| 75 | # fallback to the rest server. This approach is based on the |
| 76 | # guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content. |
| 77 | root /usr/share/www; |
| 78 | # For clients that support gzip encoding, serve them |
| 79 | # pre-compressed gzip content. For clients that don't, |
| 80 | # uncompress on the BMC. The module gunzip requires |
| 81 | # gzip_static to be set to 'always'; gzip_static is the |
| 82 | # module that serves compressed content for clients that |
| 83 | # support gzip. |
| 84 | gunzip on; |
| 85 | gzip_static always; |
| 86 | try_files $uri $uri/ @rest_server; |
Joseph Reynolds | 4028f33 | 2018-08-30 21:39:37 -0500 | [diff] [blame] | 87 | |
| 88 | add_header X-Frame-Options deny; |
| 89 | add_header X-XSS-Protection "1; mode=block"; |
| 90 | add_header X-Content-Type-Options nosniff; |
| 91 | add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'"; |
| 92 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; |
| 93 | add_header Cache-Control "no-store,no-cache"; |
| 94 | add_header Pragma "no-cache"; |
| 95 | add_header Expires 0; |
Deepak Kodihalli | ef18a48 | 2018-07-30 03:41:43 -0500 | [diff] [blame] | 96 | } |
| 97 | location @rest_server { |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 98 | # Use 127.0.0.1 instead of localhost since nginx will |
| 99 | # first use ipv6 address of ::1 which the upstream server |
| 100 | # is not listening on. This generates an error msg to |
| 101 | # the journal. Nginx then uses the 127.0.0.1 and everything |
| 102 | # works fine but want to avoid the error msg to the log. |
Deepak Kodihalli | ef18a48 | 2018-07-30 03:41:43 -0500 | [diff] [blame] | 103 | proxy_pass http://127.0.0.1:8081; |
Andrew Geissler | d03dd4f | 2018-04-10 10:44:14 -0700 | [diff] [blame] | 104 | |
| 105 | # WebSocket support |
| 106 | proxy_http_version 1.1; |
| 107 | proxy_set_header Upgrade $http_upgrade; |
| 108 | proxy_set_header Connection "upgrade"; |
Alexander Filippov | 74246de | 2018-09-12 14:31:22 +0300 | [diff] [blame] | 109 | proxy_set_header X-Forwarded-For $remote_addr; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 110 | } |
| 111 | location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) { |
Lei YU | af7cc0e | 2018-05-23 14:36:00 +0800 | [diff] [blame] | 112 | # Marked as 33MB to allow for firmware image updating and dump |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 113 | # downloads |
Lei YU | af7cc0e | 2018-05-23 14:36:00 +0800 | [diff] [blame] | 114 | client_max_body_size 33M; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 115 | |
| 116 | # Only 1 connection at a time here from an IP |
| 117 | limit_conn addr 1; |
| 118 | |
Chris Austen | 7584d43 | 2017-09-29 18:30:03 -0500 | [diff] [blame] | 119 | proxy_pass http://127.0.0.1:8081; |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 120 | } |
Andrew Geissler | eee186a | 2018-07-16 13:01:49 -0700 | [diff] [blame] | 121 | location /redfish { |
| 122 | proxy_pass http://127.0.0.1:8082; |
| 123 | proxy_http_version 1.1; |
| 124 | } |
causten | 13cd0ca | 2017-09-26 11:08:47 -0500 | [diff] [blame] | 125 | |
| 126 | include /etc/nginx/sites-enabled/443_*.conf; |
| 127 | } |
| 128 | } |