181 lines
5.0 KiB
Plaintext
181 lines
5.0 KiB
Plaintext
##
|
|
# Basic Settings
|
|
##
|
|
#tcp_nopush on;
|
|
#tcp_nodelay on;
|
|
#keepalive_timeout 65;
|
|
#types_hash_max_size 2048;
|
|
# server_tokens off;
|
|
|
|
# server_names_hash_bucket_size 64;
|
|
# server_name_in_redirect off;
|
|
|
|
#include /etc/nginx/mime.types;
|
|
#default_type application/octet-stream;
|
|
|
|
##
|
|
# SSL Settings
|
|
##
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
##
|
|
# Logging Settings
|
|
##
|
|
# access_log /var/log/nginx/access.log;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
upstream k8s-users {
|
|
server users:8180;
|
|
}
|
|
|
|
upstream k8s-clients {
|
|
server clients:8182;
|
|
}
|
|
|
|
upstream k8s-http {
|
|
server http-adapter:8185;
|
|
}
|
|
|
|
##
|
|
# Virtual Host Configs
|
|
##
|
|
|
|
# HTTP
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
server_name mainflux-iot.ha.rs;
|
|
access_log off;
|
|
error_log off;
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
|
|
# HTTPS
|
|
server {
|
|
# SSL configuration
|
|
listen 443 ssl http2 default_server;
|
|
listen [::]:443 ssl http2 default_server;
|
|
|
|
#
|
|
# Note: You should disable gzip for SSL traffic.
|
|
# See: https://bugs.debian.org/773332
|
|
#
|
|
# Read up on ssl_ciphers to ensure a secure configuration.
|
|
# See: https://bugs.debian.org/765782
|
|
#
|
|
# Self signed certs generated by the ssl-cert package
|
|
# Don't use them in a production server!
|
|
|
|
# Certificates
|
|
ssl_certificate /etc/nginx/ssl/tls.crt;
|
|
ssl_certificate_key /etc/nginx/ssl/tls.key;
|
|
|
|
# from https://cipherli.st/
|
|
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
ssl_ecdh_curve secp384r1;
|
|
ssl_session_tickets off;
|
|
ssl_stapling off;
|
|
ssl_stapling_verify on;
|
|
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
|
resolver_timeout 5s;
|
|
|
|
# Disable preloading HSTS for now. You can use the commented out header line that includes
|
|
# the "preload" directive if you understand the implications.
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header Access-Control-Allow-Origin '*';
|
|
add_header Access-Control-Allow-Methods '*';
|
|
add_header Access-Control-Allow-Headers "*";
|
|
|
|
server_name mainflux-iot.ha.rs;
|
|
|
|
# Proxy pass to users service
|
|
location ~ ^/api/(users|tokens)/(.*)$ {
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_pass http://users:8180/$1/$2;
|
|
|
|
# Allow OPTIONS method CORS
|
|
if ($request_method = OPTIONS ) {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type text/plain;
|
|
return 200;
|
|
}
|
|
}
|
|
|
|
# Proxy pass to clients service
|
|
location ~ ^/api/(clients|channels)/(.*)$ {
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_pass http://clients:8182/$1/$2;
|
|
|
|
# Allow OPTIONS method CORS
|
|
if ($request_method = OPTIONS ) {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type text/plain;
|
|
return 200;
|
|
}
|
|
}
|
|
|
|
# Proxy pass to api endpoint in users service
|
|
location /api/ {
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_pass http://users:8180/;
|
|
|
|
# Allow OPTIONS method CORS
|
|
if ($request_method = OPTIONS ) {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type text/plain;
|
|
return 200;
|
|
}
|
|
}
|
|
|
|
# Proxy pass to mainflux-http-adapter
|
|
location /http/ {
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_pass http://http-adapter:8185/;
|
|
|
|
# Allow OPTIONS method CORS
|
|
if ($request_method = OPTIONS ) {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type text/plain;
|
|
return 200;
|
|
}
|
|
}
|
|
|
|
location / {
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_pass http://dashflux/;
|
|
|
|
# Allow OPTIONS method CORS
|
|
if ($request_method = OPTIONS ) {
|
|
add_header Content-Length 0;
|
|
add_header Content-Type text/plain;
|
|
return 200;
|
|
}
|
|
}
|
|
} |