-
Notifications
You must be signed in to change notification settings - Fork 14
/
nginx.template.conf
123 lines (99 loc) · 4.15 KB
/
nginx.template.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
user nobody nogroup;
# DO NOT EVER change the number of worker processes!
worker_processes 1;
error_log syslog:server=unix:/dev/log,facility=daemon,nohostname warn;
events {
worker_connections 256;
}
http {
access_log off;
server_tokens off;
include mime.types;
lua_package_path ';;${prefix}lib/lua/?.lua;/www/lua/?.lua';
lua_package_cpath '${prefix}lib/lua/?.so';
keepalive_timeout 65;
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline'";
init_worker_by_lua '
local sessioncontrol = require("web.sessioncontrol")
sessioncontrol.setManagerForPort("default", "443")
';
# Workaround for nginx / lua not being able to redirect correctly
# Calls to `ngx.redirect('/foo')` redirect to the IP/port pair
# irrespective of server_name, Host header or server_name_in_redirect on
# I conclude it's broken and hereby work around the issue.
# PR are welcome with fixes..
header_filter_by_lua '
if (ngx.header.location and ngx.header.location:find("^http")) then
ngx.header.location = ngx.header.location:gsub(
"https://10.0.0.138:443",
"https://mygateway.gateway",
1)
end
';
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
# Can't use `return` here because Nginx was compiled without the rewrite module.
location / {
content_by_lua '
return ngx.redirect("https://" .. ngx.req.get_headers()["Host"] .. "/gateway.lp", 301)
';
}
}
server {
# No http2 because nginx was compiled without ngx_http_v2_module
listen 443 ssl;
listen [::]:443 ssl;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
root /www/docroot;
client_body_buffer_size 1024k;
# platform/custo specific values
include ui_server.conf;
location = / {
index home.lp;
}
location ^~ /css/ {
#do nothing
}
location ^~ /img/ {
#do nothing
}
location ^~ /font/ {
#do nothing
}
location ^~ /js/ {
#do nothing
}
location ^~ /help/ {
#do nothing
}
location ^~ / {
access_by_lua '
require("web.assistance").enable()
local mgr = require("web.sessioncontrol").getmgr()
mgr:checkrequest()
mgr:handleAuth()
';
content_by_lua '
require("cards").setpath("/www/cards")
require("web.lp").setpath("/www/cards/")
require("web.web").process()
';
}
# additional/custom configuration
include main_*.conf;
}
}