This repository has been archived by the owner on Nov 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
120 lines (91 loc) · 4.14 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
# this is required to proxy Grafana Live WebSocket connections.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
# this sets the maximum size information to be unlimited; it might
# be better to set this to apply only to authenticated endpoints
# (once people are authenticated I think we can allow them to send
# things of unlimited size).
client_max_body_size 0;
# Main server configuration. See below for redirects.
server {
listen ${HTTPS_PORT} ssl;
server_name localhost ${HTTP_HOST};
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# https://scotthelme.co.uk/content-security-policy-an-introduction/
# https://content-security-policy.com/examples/nginx/
# add_header Content-Security-Policy "default-src 'self';" always;
# However, this one does work:
add_header Content-Security-Policy "frame-ancestors 'self' *.imperial.ac.uk *.ic.ac.uk" always;
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# https://geekflare.com/add-x-frame-options-nginx/
add_header X-Frame-Options "SAMEORIGIN";
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
add_header X-Content-Type-Options "nosniff" always;
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
add_header Referrer-Policy 'origin' always;
# https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
# Actual values adopted from securityheaders.com :)
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" always;
# Certificate
ssl_certificate /run/proxy/certificate.pem;
ssl_certificate_key /run/proxy/key.pem;
# SSL settings as recommended by this generator
# https://ssl-config.mozilla.org/
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /run/proxy/dhparam.pem;
root /usr/share/nginx/html;
location / {
return 301 /prometheus/;
}
location /prometheus/ {
proxy_pass http://${PROMETHEUS_SERVICE};
}
location /alertmanager/ {
proxy_pass http://${ALERTMANAGER_SERVICE};
}
location /grafana/ {
proxy_set_header Host $http_host;
proxy_pass http://${GRAFANA_SERVICE};
}
# Proxy Grafana Live WebSocket connections
location /grafana/api/live/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_pass http://${GRAFANA_SERVICE};
}
}
# Redirect all http requests to the SSL endpoint and the correct domain name
server {
listen ${HTTP_PORT} default_server;
listen [::]:${HTTP_PORT} default_server;
server_name _;
location / {
return 301 https://${HTTP_HOST}:${HTTPS_PORT}$request_uri;
}
}
}