examples/nginx/osrf-ws-http-proxy

   1 # File /etc/nginx/sites-available/osrf-ws-http-proxy
   2 #
   3 # $ ln -s /etc/nginx/sites-available/osrf-ws-http-proxy \
   4 #   /etc/nginx/sites-enabled/osrf-ws-http-proxy
   5 # $ sudo service nginx restart
   6 #
   7 # Assumes Apache is listening on HTTP=7080 and HTTPS=7443
   8
   9 # Example sending nginx logs to syslog
  10 # error_log  syslog:server=unix:/dev/log,nohostname;
  11 # access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
  12
  13 server {
  14     listen 80;
  15
  16     # For SSL-everywhere:
  17     # server_name domain.example.org
  18     # return 301 https://domain.example.org$request_uri;
  19
  20     location / {
  21         proxy_pass http://localhost:7080;
  22         proxy_set_header Host $host;
  23         proxy_set_header X-Real-IP $remote_addr;
  24         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  25         proxy_set_header X-Forwarded-Proto $scheme;
  26         proxy_read_timeout 300s;
  27     }
  28 }
  29
  30 server {
  31     listen 443 ssl http2;
  32
  33     # Use the same SSL certificate as Apache.
  34     ssl_certificate /etc/apache2/ssl/server.crt;
  35     ssl_certificate_key /etc/apache2/ssl/server.key;
  36
  37     # -----------------------------------------------------------------
  38     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
  39     # generate with openssl dhparam -out dhparams.pem 2048
  40     ssl_dhparam /etc/apache2/ssl/dhparam.pem;
  41     ssl_session_timeout 1d;
  42     ssl_session_cache shared:SSL:50m;
  43     ssl_session_tickets off;
  44     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  45     # Intermediate ciphers config / updated 2018-07-11
  46     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  47     ssl_prefer_server_ciphers on;
  48     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  49     add_header Strict-Transport-Security max-age=15768000;
  50     # OCSP Stapling ---
  51     # fetch OCSP records from URL in ssl_certificate and cache them
  52     ssl_stapling on;
  53     ssl_stapling_verify on;
  54     # -----------------------------------------------------------------
  55
  56     location / {
  57         proxy_pass https://localhost:7443;
  58         proxy_set_header Host $host;
  59         proxy_set_header X-Real-IP $remote_addr;
  60         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  61         proxy_set_header X-Forwarded-Proto $scheme;
  62         proxy_read_timeout 300s;
  63     }
  64
  65     location /osrf-websocket-translator {
  66
  67         # apache2-websockets:
  68         # Defaults to HTTPS with or without a proxy.
  69         proxy_pass https://localhost:7682;
  70
  71         # websocketd:
  72         # websocketd may be run with or without SSL.  When used with
  73         # NGINX, the assumption is it runs w/o SSL.  Change to taste.
  74         #proxy_pass http://localhost:7682;
  75
  76         proxy_set_header X-Real-IP $remote_addr;
  77         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  78
  79         # Needed for websockets proxying.
  80         proxy_http_version 1.1;
  81         proxy_set_header Upgrade $http_upgrade;
  82         proxy_set_header Connection "upgrade";
  83
  84         proxy_connect_timeout 5m;
  85
  86         # apache2-websockets:
  87         # Raise the default nginx proxy timeout settings to
  88         # an arbitrarily high value so that we can leverage
  89         # osrf-websocket-translator's native timeout settings.
  90         proxy_send_timeout 1h;
  91         proxy_read_timeout 1h;
  92
  93         # websocketd:
  94         # websocketd connections persist indefinitely. Leverage nginx
  95         # timeouts to periodically disconnect long-idle clients.
  96         #proxy_send_timeout 5m;
  97         #proxy_read_timeout 5m;
  98     }
  99 }
 100
 101