  • nginx.conf 5.18 KiB
    # This file is written by salt. Don't even think about it.
    # Backend pool for this PostgREST instance. Both server blocks below proxy to it;
    # 'keepalive' caches idle upstream connections per worker so they can be reused.
    upstream postgrest_{{ instance_name }} {
        server    localhost:{{ postgrest_port }};
        keepalive 64;
    }
    
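    {% if nginx_conf.http or nginx_conf.redirect_to_https %}
    # Plain-HTTP listener. With redirect_to_https set it only answers with a 301 to the
    # TLS listener; otherwise it proxies to PostgREST directly (only for private networks).
    server {
        listen                      {{ nginx_conf.get('http_port', '80') }};
        server_name                 {{ nginx_conf.fqdn }};
        # don't send the nginx version number in error pages and Server header
        # (mirrors the HTTPS server block; server_tokens is a plain directive and inherits normally)
        server_tokens               off;
        {% if nginx_conf.redirect_to_https %}
        return                      301 https://$server_name$request_uri;
        {% elif nginx_conf.http %}
        location / {
            default_type            application/json;
            # PostgREST answers with a relative Content-Location; re-emit it anchored at '/'
            proxy_hide_header       Content-Location;
            add_header              Content-Location /$upstream_http_content_location;
            proxy_pass              http://postgrest_{{ instance_name }};
            proxy_set_header        X-Real-IP $remote_addr;
            # HTTP/1.1 is required for the upstream keepalive pool to be used
            proxy_http_version      1.1;
            proxy_set_header        Upgrade $http_upgrade;
            proxy_set_header        Connection "upgrade";
            proxy_set_header        Host $host;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
        }
        {% endif %}
    }
    {% endif %}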
    
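    {% if nginx_conf.https %}
    # TLS listener in front of PostgREST. Certificate material is expected under /etc/hsh-certs,
    # named after ssl_cert_name (defaulting to the instance name).
    server {
        server_name                 {{ nginx_conf.fqdn }};
        # 'ssl' on the listen directive replaces the deprecated 'ssl on;'
        listen                      {{ nginx_conf.get('https_port', '443') }} ssl;

        ssl_session_cache           shared:SSL:50m;
        ssl_session_timeout         5m;

        ssl_certificate             /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.pem;
        ssl_certificate_key         /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.key;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam                 /etc/hsh-certs/{{ nginx_conf.get('ssl_cert_name', instance_name) }}.dhparam.pem;
        {% if nginx_conf.client_ca is defined %}
        # Mutual TLS: every client must present a certificate chaining to this CA.
        # NOTE(review): assumes nginx_conf.client_ca is a file name (with extension) under
        # /etc/hsh-certs — confirm against the pillar. The previous expression rendered a
        # Python tuple and lacked the terminating ';', so nginx could not load this file.
        ssl_verify_client           on;
        ssl_client_certificate      /etc/hsh-certs/{{ nginx_conf.client_ca }};
        {% endif %}

        # TLS 1.0/1.1 are deprecated (RFC 8996) and are no longer offered; add TLSv1.3 here once
        # the installed nginx/OpenSSL accept it (older nginx rejects the token as invalid).
        ssl_protocols               TLSv1.2;
        ssl_prefer_server_ciphers   on;
        # Forward-secret AEAD suites first. 3DES suites were removed and are excluded explicitly
        # because '!DES' only covers single DES (and 'HIGH' may otherwise re-add them).
        ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

        # don't send the nginx version number in error pages and Server header
        server_tokens               off;

        location / {
            default_type            application/json;
            # PostgREST answers with a relative Content-Location; re-emit it anchored at '/'
            proxy_hide_header       Content-Location;
            add_header              Content-Location /$upstream_http_content_location;

            # The security headers are set HERE rather than at server level on purpose:
            # nginx inherits add_header from the enclosing level only when the current level
            # has no add_header of its own, so the Content-Location header above would
            # otherwise silently drop every server-level header for proxied responses.

            # config to don't allow the browser to render the page inside an frame or iframe
            # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
            # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
            # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
            add_header              X-Frame-Options SAMEORIGIN;

            # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
            # to disable content-type sniffing on some browsers.
            # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
            add_header              X-Content-Type-Options nosniff;

            # Legacy browser XSS filter; harmless for a JSON API and kept for older clients.
            # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
            add_header              X-XSS-Protection "1; mode=block";

            # be as restrictive as possible. The header name must be hyphenated:
            # the previous 'Content_Security_Policy' spelling was ignored by every browser.
            add_header              Content-Security-Policy "default-src 'none'";

            # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
            # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
            add_header              Strict-Transport-Security "max-age=31536000; includeSubDomains";

            proxy_pass              http://postgrest_{{ instance_name }};
            proxy_set_header        X-Real-IP $remote_addr;
            # HTTP/1.1 is required for the upstream keepalive pool to be used
            proxy_http_version      1.1;
            proxy_set_header        Upgrade $http_upgrade;
            proxy_set_header        Connection "upgrade";
            proxy_set_header        Host $host;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
        }
    }
    {% endif %}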