
     1  package kube
     2  
        // nginx.conf for the tutorial's proxy deployment, embedded as a CUE multi-line
        // string. Everything between the triple quotes is ConfigMap data: the "#" lines
        // are nginx comments that ship with the config, and the \" and \\ sequences are
        // CUE escapes that are resolved when this file is evaluated.
        //
        // NOTE(review): points to look at before reusing this config outside the tutorial:
        //  - ssl_protocols enables TLSv1 and TLSv1.1 in all three TLS servers; both are
        //    deprecated (RFC 8996). The explicit ssl_ciphers list also admits 3DES
        //    (…-DES-CBC3-SHA) and non-forward-secret AES-SHA suites, and HIGH widens it
        //    further. TLSv1.2-only with ECDHE/AEAD suites is the usual modern baseline;
        //    confirm the client population first.
        //  - The three TLS blocks (ssl_certificate … add_header) are copied verbatim. At
        //    the CUE level they could be one shared string interpolated into each server,
        //    so a protocol or cipher change only has to be made once.
        //  - "# Enable HTST." is a typo for HSTS. max-age=1209600 is 14 days, and
        //    add_header without "always" presumably applies only to success/redirect
        //    responses — verify against the nginx version in use.
        //  - In the x.example.com server the upstream for proxy_pass is $myhost, i.e. the
        //    client-supplied Host header unless ?go-get=1 selects the "goget" upstream.
        //    Which host names reach that server depends on server_name matching and on
        //    which server is the default for each port (only the last server declares
        //    "default", and only on 443) — TODO confirm this is the intended exposure.
        //  - resolver 8.8.8.8 sends upstream name lookups to a public resolver outside the
        //    cluster; an in-cluster resolver may be preferable.
        //  - client_max_body_size 0 removes the request-body limit, as the inline comment
        //    says. "Seems saver" in the last server is a typo for "safer".
     3  configMap: nginx: "nginx.conf": """
     4  		events {
     5  		    worker_connections 768;
     6  		}
     7  		http {
     8  		    sendfile on;
     9  		    tcp_nopush on;
    10  		    tcp_nodelay on;
    11  		    # needs to be high for some download jobs.
    12  		    keepalive_timeout 400;
    13  		    # proxy_connect_timeout  300;
    14  		    proxy_send_timeout       300;
    15  		    proxy_read_timeout       300;
    16  		    send_timeout             300;
    17  
    18  		    types_hash_max_size 2048;
    19  
    20  		    include /etc/nginx/mime.types;
    21  		    default_type application/octet-stream;
    22  
    23  		    access_log /dev/stdout;
    24  		    error_log  /dev/stdout;
    25  
    26  		    # Disable POST body size constraints. We often deal with large
    27  		    # files. Especially docker containers may be large.
    28  		    client_max_body_size 0;
    29  
    30  		    upstream goget {
    31  		        server localhost:7070;
    32  		    }
    33  
    34  		    # Redirect incoming Google Cloud Storage notifications:
    35  		   server {
    36  		        listen 443 ssl;
    37  		        server_name notify.example.com notify2.example.com;
    38  
    39  		        ssl_certificate /etc/ssl/server.crt;
    40  		        ssl_certificate_key /etc/ssl/server.key;
    41  
    42  		        # Security enhancements to deal with poodles and the like.
    43  		        # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    44  		        # ssl_ciphers 'AES256+EECDH:AES256+EDH';
    45  		        ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
    46  
    47  		        # We don't like poodles.
    48  		        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    49  		        ssl_session_cache shared:SSL:10m;
    50  
    51  		        # Enable Forward secrecy.
    52  		        ssl_dhparam /etc/ssl/dhparam.pem;
    53  		        ssl_prefer_server_ciphers on;
    54  
    55  		        # Enable HTST.
    56  		        add_header Strict-Transport-Security max-age=1209600;
    57  
    58  		        # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    59  		        chunked_transfer_encoding on;
    60  
    61  		        location / {
    62  		            proxy_pass http://tasks:7080;
    63  		            proxy_connect_timeout 1;
    64  		        }
    65  		    }
    66  
    67  		    server {
    68  		        listen 80;
    69  		        listen 443 ssl;
    70  		        server_name x.example.com example.io;
    71  
    72  		        location ~ \"(/[^/]+)(/.*)?\" {
    73  		            set $myhost $host;
    74  		            if ($arg_go-get = \"1\") {
    75  		                set $myhost \"goget\";
    76  		            }
    77  		            proxy_pass http://$myhost$1;
    78  		            proxy_set_header Host $host;
    79  		            proxy_set_header X-Real-IP $remote_addr;
    80  		            proxy_set_header X-Scheme $scheme;
    81  		            proxy_connect_timeout 1;
    82  		        }
    83  
    84  		        location / {
    85  		            set $myhost $host;
    86  		            if ($arg_go-get = \"1\") {
    87  		                set $myhost \"goget\";
    88  		            }
    89  		            proxy_pass http://$myhost;
    90  		            proxy_set_header Host $host;
    91  		            proxy_set_header X-Real-IP $remote_addr;
    92  		            proxy_set_header X-Scheme $scheme;
    93  		            proxy_connect_timeout 1;
    94  		        }
    95  		    }
    96  
    97  		    server {
    98  		        listen 80;
    99  		        server_name www.example.com w.example.com;
   100  
   101  		        resolver 8.8.8.8;
   102  
   103  		        location / {
   104  		            proxy_set_header X-Forwarded-Host $host;
   105  		            proxy_set_header X-Forwarded-Server $host;
   106  		            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   107  		            proxy_set_header X-Real-IP $remote_addr;
   108  
   109  		            proxy_pass http://$host.default.example.appspot.com/$request_uri;
   110  		            proxy_redirect http://$host.default.example.appspot.com/ /;
   111  		        }
   112  		    }
   113  
   114  		    # Kubernetes URI space. Maps URIs paths to specific servers using the
   115  		    # proxy.
   116  		    server {
   117  		        listen 80;
   118  		        listen 443 ssl;
   119  		        server_name proxy.example.com;
   120  
   121  		        ssl_certificate /etc/ssl/server.crt;
   122  		        ssl_certificate_key /etc/ssl/server.key;
   123  
   124  		        # Security enhancements to deal with poodles and the like.
   125  		        # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
   126  		        # ssl_ciphers 'AES256+EECDH:AES256+EDH';
   127  		        ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
   128  
   129  		        # We don't like poodles.
   130  		        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   131  		        ssl_session_cache shared:SSL:10m;
   132  
   133  		        # Enable Forward secrecy.
   134  		        ssl_dhparam /etc/ssl/dhparam.pem;
   135  		        ssl_prefer_server_ciphers on;
   136  
   137  		        # Enable HTST.
   138  		        add_header Strict-Transport-Security max-age=1209600;
   139  
   140  		        if ($ssl_protocol = \"\") {
   141  		            rewrite ^   https://$host$request_uri? permanent;
   142  		        }
   143  
   144  		        # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
   145  		        chunked_transfer_encoding on;
   146  
   147  		        location / {
   148  		            proxy_pass http://kubeproxy:4180;
   149  		            proxy_set_header Host $host;
   150  		            proxy_set_header X-Real-IP $remote_addr;
   151  		            proxy_set_header X-Scheme $scheme;
   152  		            proxy_connect_timeout 1;
   153  		        }
   154  		    }
   155  
   156  		    server {
   157  		        # We could add the following line and the connection would still be SSL,
   158  		        # but it doesn't appear to be necessary. Seems saver this way.
   159  		        listen 80;
   160  		        listen 443 default ssl;
   161  		        server_name ~^(?<sub>.*)\\.example\\.com$;
   162  
   163  		        ssl_certificate /etc/ssl/server.crt;
   164  		        ssl_certificate_key /etc/ssl/server.key;
   165  
   166  		        # Security enhancements to deal with poodles and the like.
   167  		        # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
   168  		        # ssl_ciphers 'AES256+EECDH:AES256+EDH';
   169  		        ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
   170  
   171  		        # We don't like poodles.
   172  		        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   173  		        ssl_session_cache shared:SSL:10m;
   174  
   175  		        # Enable Forward secrecy.
   176  		        ssl_dhparam /etc/ssl/dhparam.pem;
   177  		        ssl_prefer_server_ciphers on;
   178  
   179  		        # Enable HTST.
   180  		        add_header Strict-Transport-Security max-age=1209600;
   181  
   182  		        if ($ssl_protocol = \"\") {
   183  		            rewrite ^   https://$host$request_uri? permanent;
   184  		        }
   185  
   186  		        # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
   187  		        chunked_transfer_encoding on;
   188  
   189  		        location / {
   190  		            proxy_pass http://authproxy:4180;
   191  		            proxy_set_header Host $host;
   192  		            proxy_set_header X-Real-IP $remote_addr;
   193  		            proxy_set_header X-Scheme $scheme;
   194  		            proxy_connect_timeout 1;
   195  		        }
   196  		    }
   197  		}
   198  		"""