-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathproxy_config.jinja
157 lines (111 loc) · 4.97 KB
/
proxy_config.jinja
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
limit_req_zone $bin_slash24_limit zone=req_zone_pure_main_1:10m rate=100r/m;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream upstream_pure_main {
server {{ upstream_address }} max_fails=0;
server {{ upstream_address }} max_fails=0;
server {{ upstream_address }} max_fails=0;
# We recommend setting the parameter to twice the number of servers listed in the upstream{} block.
# https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives
keepalive 6;
}
upstream upstream_pure_main2 {
server {{ upstream_address }} max_fails=0;
server {{ upstream_address }} max_fails=0;
server {{ upstream_address }} max_fails=0;
# We recommend setting the parameter to twice the number of servers listed in the upstream{} block.
# https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives
keepalive 6;
}
server {
listen 80 ;
listen [::]:80 ;
# We don't use http2 here due to n0tes service. In the other situation you may want to add "http2" option.
listen 443 ssl ;
listen [::]:443 ssl ;
server_name pure.*;
access_log /var/log/nginx/pure_main_access.log;
error_log /var/log/nginx/pure_main_error.log warn;
ssl_certificate /etc/ssl/wildcard.ctf.hitb.org/fullchain.pem;
ssl_certificate_key /etc/ssl/wildcard.ctf.hitb.org/privkey.pem;
# Enable server-side protection against BEAST attacks
# See https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf for inspiration
ssl_session_cache shared:SSL_pure_main:50m;
# See https://trac.nginx.org/nginx/ticket/621 also
ssl_session_timeout 30m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp521r1:secp384r1;
### Aditional Security Headers
### ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
### ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# add_header X-Frame-Options DENY always;
### ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# add_header X-Content-Type-Options nosniff always;
### Enable OCSP stapling
### ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
ssl_client_certificate /etc/ssl/pure_ca/fullchain.pem;
ssl_verify_client optional_no_ca;
client_max_body_size 100M;
error_page 503 =429 /---ctf-proxy-too-many-requests---.html;
error_page 429 /---ctf-proxy-too-many-requests---.html;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header User-Agent CTF;
proxy_set_header Host $host;
proxy_set_header Accept "*/*";
proxy_set_header Accept-Language "";
proxy_set_header Accept-Encoding "gzip, deflate, br";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_connect_timeout 5;
proxy_send_timeout 10;
proxy_read_timeout 60;
proxy_next_upstream error timeout;
# https://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_ignore_headers
proxy_ignore_headers X-Accel-Expires X-Accel-Redirect X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset Vary Cache-Control Expires;
proxy_pass_header Date;
proxy_pass_header Server;
location / {
limit_req zone=req_zone_pure_main_1 burst=50 nodelay;
limit_req_status 429;
proxy_pass https://upstream_pure_main;
}
location /private/ {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_ssl_certificate /etc/ssl/pure_client/fullchain.pem;
proxy_ssl_certificate_key /etc/ssl/pure_client/privkey.pem;
proxy_ssl_server_name on;
proxy_ssl_name pure.*;
proxy_pass https://upstream_pure_main2/;
proxy_redirect / /private/;
}
location = /---ctf-proxy-too-many-requests---.html {
root /var/www/html;
try_files /too_many_requests.html =404;
internal;
}
location /---nginx-status--- {
stub_status;
access_log off;
allow {{ proxy_host }};
deny all;
}
# Redirect non-https traffic to https
if ($scheme != "https") {
return 307 https://$host$request_uri;
}
}