5d5b45e18c8873e780b744053bcd45a45b6481f9
[OpenSRF.git] / examples / nginx / osrf-ws-http-proxy
1 # File /etc/nginx/sites-available/osrf-ws-http-proxy
2 #
3 # $ ln -s /etc/nginx/sites-available/osrf-ws-http-proxy \
4 #   /etc/nginx/sites-enabled/osrf-ws-http-proxy
5 # $ sudo service nginx restart
6 #
7 # Assumes Apache is listening on HTTP=7080 and HTTPS=7443
8
9 # Example sending nginx logs to syslog
10 # error_log  syslog:server=unix:/dev/log,nohostname;
11 # access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
12
13 server { 
14     listen 80;
15
16     # For SSL-everywhere:
17     # server_name domain.example.org
18     # return 301 https://domain.example.org$request_uri;
19
20     location / {
21         proxy_pass http://localhost:7080;
22         proxy_set_header Host $host;
23         proxy_set_header X-Real-IP $remote_addr;
24         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
25         proxy_set_header X-Forwarded-Proto $scheme;
26         proxy_read_timeout 300s;
27     }
28 }
29
30 server {
31     listen 443 ssl http2;
32
33     # Use the same SSL certificate as Apache.
34     ssl_certificate /etc/apache2/ssl/server.crt;
35     ssl_certificate_key /etc/apache2/ssl/server.key;
36
37     # -----------------------------------------------------------------
38     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
39     # generate with openssl dhparam -out dhparams.pem 2048
40     ssl_dhparam /etc/apache2/ssl/dhparam.pem;
41     ssl_session_timeout 1d;
42     ssl_session_cache shared:SSL:50m;
43     ssl_session_tickets off;
44     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
45     # Intermediate ciphers config / updated 2018-07-11
46     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
47     ssl_prefer_server_ciphers on;
48     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
49     add_header Strict-Transport-Security max-age=15768000;
50     # OCSP Stapling ---
51     # fetch OCSP records from URL in ssl_certificate and cache them
52     ssl_stapling on;
53     ssl_stapling_verify on;
54     # -----------------------------------------------------------------
55
56     location / {
57         proxy_pass https://localhost:7443;
58         proxy_set_header Host $host;
59         proxy_set_header X-Real-IP $remote_addr;
60         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
61         proxy_set_header X-Forwarded-Proto $scheme;
62         proxy_read_timeout 300s;
63     }
64
65     location /osrf-websocket-translator {
66
67         # websocketd may be run with or without SSL.  When used with
68         # NGINX, the assumption is it runs w/o SSL.  Change to taste.
69         proxy_pass http://localhost:7682;
70
71         proxy_set_header X-Real-IP $remote_addr;
72         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
73
74         # Needed for websockets proxying.
75         proxy_http_version 1.1;
76         proxy_set_header Upgrade $http_upgrade;
77         proxy_set_header Connection "upgrade";
78
79         # Disconnect the client if it takes this long to connect to
80         # websocketd.
81         proxy_connect_timeout 1m;
82
83         # websocketd connections persist indefinitely. Leverage 
84         # nginx timeouts to disconnect idle clients.  Change
85         # to taste.
86         proxy_send_timeout 3m;
87         proxy_read_timeout 3m;
88     }
89 }
90
91