# File /etc/nginx/sites-available/osrf-ws-http-proxy # # $ ln -s /etc/nginx/sites-available/osrf-ws-http-proxy \ # /etc/nginx/sites-enabled/osrf-ws-http-proxy # $ sudo service nginx restart # # Assumes Apache is listening on HTTP=7080 and HTTPS=7443 # Example sending nginx logs to syslog # error_log syslog:server=unix:/dev/log,nohostname; # access_log syslog:server=unix:/dev/log,severity=info,nohostname combined; server { listen 80; # For SSL-everywhere: # server_name domain.example.org # return 301 https://domain.example.org$request_uri; location / { proxy_pass http://localhost:7080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 300s; } } server { listen 443 ssl http2; # Use the same SSL certificate as Apache. ssl_certificate /etc/apache2/ssl/server.crt; ssl_certificate_key /etc/apache2/ssl/server.key; # ----------------------------------------------------------------- # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # generate with openssl dhparam -out dhparams.pem 2048 ssl_dhparam /etc/apache2/ssl/dhparam.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Intermediate ciphers config / updated 2018-07-11 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; # ----------------------------------------------------------------- location / { proxy_pass https://localhost:7443; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 300s; } location /osrf-websocket-translator { # websocketd may be run with or without SSL. When used with # NGINX, the assumption is it runs w/o SSL. Change to taste. proxy_pass http://localhost:7682; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Needed for websockets proxying. proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Disconnect the client if it takes this long to connect to # websocketd. proxy_connect_timeout 1m; # websocketd connections persist indefinitely. Leverage # nginx timeouts to disconnect idle clients. Change # to taste. proxy_send_timeout 3m; proxy_read_timeout 3m; } }