-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
227 lines (181 loc) · 8.34 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
user www-data;
worker_processes 4;
#worker_cpu_affinity 0001 0010 0100 1000;
worker_rlimit_nofile 100000;
#daemon off;
pcre_jit on;
#thread_pool default threads=32 max_queue=65536;
pid /home/www-data/nginx_root/logs/nginx.pid;
events {
worker_connections 25000;
accept_mutex on;
multi_accept on;
use epoll;
}
http {
include /home/www-data/nginx_root/conf/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request"' '$status $body_bytes_sent "$http_referer"' '"$http_user_agent" "$http_x_forwarded_for" "$request_body"' ;
access_log /home/www-data/nginx_root/logs/access.log main;
#access_log off;
error_log /home/www-data/nginx_root/logs/error.log;
#aio threads=default;
#aio threads;
tcp_nopush on;
tcp_nodelay on;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_comp_level 9;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
brotli on;
brotli_static on;
brotli_types *;
brotli_comp_level 11;
brotli_min_length 256;
server_names_hash_bucket_size 2048;
client_max_body_size 1G;
server_tokens off;
more_clear_headers 'Server';
more_set_headers 'Server: Reverse Proxy Server';
#=======================================PHP-FPM-Backends============================================
upstream php-fpm {
#server unix:/tmp/php-cgi.socket;
server 127.0.0.1:9123;
}
#===================================================================================================
#======================================Include SSO Server==========================================
include /home/www-data/nginx_root/conf/sso-server.conf;
#==================================================================================================
#=====================================GoAccess Server CDN Config=====================================
server {
listen 0.0.0.0:80;
server_name goaccess.hackerflare.com;
return 301 https://$server_name$request_uri;
}
server {
listen 0.0.0.0:443 ssl http2 spdy;
server_name goaccess.hackerflare.com;
add_header Origin "$scheme://$server_name";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "sameorigin";
add_header X-Powered-By "Reverse Proxy Server";
add_header X-Xss-Protection "1; mode=block";
ssl_certificate /home/acme/cert_root/hackerflare.com/RSA/server.crt;
ssl_certificate_key /home/acme/cert_root/hackerflare.com/RSA/server.key;
ssl_certificate /home/acme/cert_root/hackerflare.com/ECDSA/server.crt;
ssl_certificate_key /home/acme/cert_root/hackerflare.com/ECDSA/server.key;
ssl_dhparam /home/acme/cert_root/dhparam4096.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_early_data off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:P-256:P-384:P-521;
location / {
auth_request /auth_endpoint;
error_page 401 = @error401;
root /home/www-data/nginx_root/websites/goaccess.hackerflare.com;
index index.html;
if ($http_host != $server_name) {
return 404;
}
#subs_filter_types text/html;
subs_filter '{"url": "localhost/ws","port": 7890}' '{"url": "$server_name/ws","port": 443}';
}
location /ws {
auth_request /auth_endpoint;
error_page 401 = @error401;
proxy_set_header upgrade $http_upgrade;
proxy_set_header connection "upgrade";
proxy_connect_timeout 7d;
proxy_send_timeout 7d;
proxy_read_timeout 7d;
proxy_pass http://127.0.0.1:7890/;
}
include /home/www-data/nginx_root/conf/auth-request.conf;
include /home/www-data/nginx_root/conf/dynamic_error.conf;
error_page 400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 421 429 494 495 496 497 500 501 502 503 504 505 507 /error.html;
include /home/www-data/nginx_root/conf/dynamic_error_test.conf;
}
#====================================================================================================
#=====================================Kibana Dashboard Config=======================================
server {
listen 0.0.0.0:80;
server_name kibana.hackerflare.com;
return 301 https://$server_name$request_uri;
}
server {
listen 0.0.0.0:443 ssl http2 spdy;
server_name kibana.hackerflare.com;
add_header Origin "$scheme://$server_name";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "sameorigin";
add_header X-Powered-By "Reverse Proxy Server";
add_header X-Xss-Protection "1; mode=block";
ssl_certificate /home/acme/cert_root/hackerflare.com/RSA/server.crt;
ssl_certificate_key /home/acme/cert_root/hackerflare.com/RSA/server.key;
ssl_certificate /home/acme/cert_root/hackerflare.com/ECDSA/server.crt;
ssl_certificate_key /home/acme/cert_root/hackerflare.com/ECDSA/server.key;
ssl_dhparam /home/acme/cert_root/dhparam4096.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_early_data off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "[TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:P-256:P-384:P-521;
location / {
auth_request /auth_endpoint;
error_page 401 = @error401;
proxy_set_header x-real-IP $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header x-forwarded-proto $scheme;
proxy_set_header host $http_host;
proxy_set_header upgrade $http_upgrade;
proxy_set_header connection "upgrade";
proxy_hide_header x-powered-by;
proxy_pass http://127.0.0.1:5601;
if ($http_host != $server_name) {
return 404;
}
}
include /home/www-data/nginx_root/conf/auth-request.conf;
include /home/www-data/nginx_root/conf/dynamic_error.conf;
error_page 400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 421 429 494 495 496 497 500 501 502 503 504 505 507 /error.html;
include /home/www-data/nginx_root/conf/dynamic_error_test.conf;
}
#===================================================================================================
}