forked from DefectDojo/django-DefectDojo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx_TLS.conf
138 lines (124 loc) · 5.05 KB
/
nginx_TLS.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/defectdojo/nginx.pid;
events {
worker_connections 32;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
client_max_body_size 800m;
sendfile on;
keepalive_timeout 65;
upstream uwsgi_server {
include /run/defectdojo/uwsgi_server;
}
server {
listen 8080;
location / {
return 301 https://$host$request_uri:8443;
}
}
# Disable metrics auth for localhost (for nginx prometheus exporter)
geo $metrics_auth_bypass {
127.0.0.1/32 "off";
default "Metrics";
}
server {
server_tokens off;
listen 8443 ssl;
server_name your.servername.com;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
# ciphers from https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.4
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers off;
location = /50x.html {
root /usr/share/nginx/html;
}
location /static/ {
alias /usr/share/nginx/html/static/;
}
location /media/ {
add_header Content-Disposition attachment;
alias /usr/share/nginx/html/media/;
}
location / {
include /run/defectdojo/uwsgi_pass;
include /etc/nginx/wsgi_params;
uwsgi_read_timeout 1800;
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps to
# set the proper protocol for doing redirects:
proxy_set_header X-Forwarded-Proto $scheme;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
}
location /django_metrics {
# do no edit the following lines, instead set the environment
# variables METRICS_HTTP_AUTH_USER and METRICS_HTTP_AUTH_PASSWORD
#auth_basic $metrics_auth_bypass;
#auth_basic_user_file /etc/nginx/.htpasswd;
include /run/defectdojo/uwsgi_pass;
include /etc/nginx/wsgi_params;
uwsgi_read_timeout 1800;
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps to
# set the proper protocol for doing redirects:
proxy_set_header X-Forwarded-Proto $scheme;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
}
location /nginx_status {
# do no edit the following lines, instead set the environment
# variables METRICS_HTTP_AUTH_USER and METRICS_HTTP_AUTH_PASSWORD
#auth_basic $metrics_auth_bypass;
#auth_basic_user_file /etc/nginx/.htpasswd;
#stub_status on;
access_log off;
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps to
# set the proper protocol for doing redirects:
proxy_set_header X-Forwarded-Proto $scheme;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
}
# Used by Kubernetes liveness and readiness checks
location = /nginx_health {
return 200 "Born to be alive!\n";
access_log off;
}
location = /uwsgi_health {
limit_except GET { deny all; }
rewrite /.+ /login?force_login_form&next=/ break;
include /run/defectdojo/uwsgi_pass;
include /etc/nginx/wsgi_params;
access_log off;
}
error_page 500 502 503 504 /50x.html;
}
}