1 # File /etc/nginx/sites-available/osrf-ws-http-proxy
3 # $ ln -s /etc/nginx/sites-available/osrf-ws-http-proxy \
4 # /etc/nginx/sites-enabled/osrf-ws-http-proxy
5 # $ sudo service nginx restart
7 # Assumes Apache is listening on HTTP=7080 and HTTPS=7443
9 # Example sending nginx logs to syslog
10 # error_log syslog:server=unix:/dev/log,nohostname;
11 # access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
17 # server_name domain.example.org
18 # return 301 https://domain.example.org$request_uri;
21 proxy_pass http://localhost:7080;
22 proxy_set_header Host $host;
23 proxy_set_header X-Real-IP $remote_addr;
24 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
25 proxy_set_header X-Forwarded-Proto $scheme;
26 proxy_read_timeout 300s;
33 # Use the same SSL certificate as Apache.
34 ssl_certificate /etc/apache2/ssl/server.crt;
35 ssl_certificate_key /etc/apache2/ssl/server.key;
37 # -----------------------------------------------------------------
38 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
39 # generate with openssl dhparam -out dhparams.pem 2048
40 ssl_dhparam /etc/apache2/ssl/dhparam.pem;
41 ssl_session_timeout 1d;
42 ssl_session_cache shared:SSL:50m;
43 ssl_session_tickets off;
44 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
45 # Intermediate ciphers config / updated 2018-07-11
46 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
47 ssl_prefer_server_ciphers on;
48 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
49 add_header Strict-Transport-Security max-age=15768000;
51 # fetch OCSP records from URL in ssl_certificate and cache them
53 ssl_stapling_verify on;
54 # -----------------------------------------------------------------
57 proxy_pass https://localhost:7443;
58 proxy_set_header Host $host;
59 proxy_set_header X-Real-IP $remote_addr;
60 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
61 proxy_set_header X-Forwarded-Proto $scheme;
62 proxy_read_timeout 300s;
65 location /osrf-websocket-translator {
68 # Defaults to HTTPS with or without a proxy.
69 proxy_pass https://localhost:7682;
72 # websocketd may be run with or without SSL. When used with
73 # NGINX, the assumption is it runs w/o SSL. Change to taste.
74 #proxy_pass http://localhost:7682;
76 proxy_set_header X-Real-IP $remote_addr;
77 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
79 # Needed for websockets proxying.
80 proxy_http_version 1.1;
81 proxy_set_header Upgrade $http_upgrade;
82 proxy_set_header Connection "upgrade";
84 proxy_connect_timeout 5m;
87 # Raise the default nginx proxy timeout settings to
88 # an arbitrarily high value so that we can leverage
89 # osrf-websocket-translator's native timeout settings.
90 proxy_send_timeout 1h;
91 proxy_read_timeout 1h;
94 # websocketd connections persist indefinitely. Leverage nginx
95 # timeouts to periodically disconnect long-idle clients.
96 #proxy_send_timeout 5m;
97 #proxy_read_timeout 5m;