github.com/solo-io/cue@v0.4.7/doc/tutorial/kubernetes/original/services/proxy/nginx/configmap.yaml

github.com/solo-io/cue@v0.4.7/doc/tutorial/kubernetes/original/services/proxy/nginx/configmap.yaml (about)

     1  apiVersion: v1
     2  kind: ConfigMap
     3  metadata:
     4    name: nginx
     5  data:
     6    nginx.conf: |-
     7      events {
     8          worker_connections 768;
     9      }
    10      http {
    11          sendfile on;
    12          tcp_nopush on;
    13          tcp_nodelay on;
    14          # needs to be high for some download jobs.
    15          keepalive_timeout 400;
    16          # proxy_connect_timeout  300;
    17          proxy_send_timeout       300;
    18          proxy_read_timeout       300;
    19          send_timeout             300;
    20  
    21          types_hash_max_size 2048;
    22  
    23          include /etc/nginx/mime.types;
    24          default_type application/octet-stream;
    25  
    26          access_log /dev/stdout;
    27          error_log  /dev/stdout;
    28  
    29          # Disable POST body size constraints. We often deal with large
    30          # files. Especially docker containers may be large.
    31          client_max_body_size 0;
    32  
    33          upstream goget {
    34              server localhost:7070;
    35          }
    36  
    37          # Redirect incoming Google Cloud Storage notifications:
    38         server {
    39              listen 443 ssl;
    40              server_name notify.example.com notify2.example.com;
    41  
    42              ssl_certificate /etc/ssl/server.crt;
    43              ssl_certificate_key /etc/ssl/server.key;
    44  
    45              # Security enhancements to deal with poodles and the like.
    46              # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    47              # ssl_ciphers 'AES256+EECDH:AES256+EDH';
    48              ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    49  
    50              # We don't like poodles.
    51              ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    52              ssl_session_cache shared:SSL:10m;
    53  
    54              # Enable Forward secrecy.
    55              ssl_dhparam /etc/ssl/dhparam.pem;
    56              ssl_prefer_server_ciphers on;
    57  
    58              # Enable HTST.
    59              add_header Strict-Transport-Security max-age=1209600;
    60  
    61              # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    62              chunked_transfer_encoding on;
    63  
    64              location / {
    65                  proxy_pass http://tasks:7080;
    66                  proxy_connect_timeout 1;
    67              }
    68          }
    69  
    70          server {
    71              listen 80;
    72              listen 443 ssl;
    73              server_name x.example.com example.io;
    74  
    75              location ~ "(/[^/]+)(/.*)?" {
    76                  set $myhost $host;
    77                  if ($arg_go-get = "1") {
    78                      set $myhost "goget";
    79                  }
    80                  proxy_pass http://$myhost$1;
    81                  proxy_set_header Host $host;
    82                  proxy_set_header X-Real-IP $remote_addr;
    83                  proxy_set_header X-Scheme $scheme;
    84                  proxy_connect_timeout 1;
    85              }
    86  
    87              location / {
    88                  set $myhost $host;
    89                  if ($arg_go-get = "1") {
    90                      set $myhost "goget";
    91                  }
    92                  proxy_pass http://$myhost;
    93                  proxy_set_header Host $host;
    94                  proxy_set_header X-Real-IP $remote_addr;
    95                  proxy_set_header X-Scheme $scheme;
    96                  proxy_connect_timeout 1;
    97              }
    98          }
    99  
   100          server {
   101              listen 80;
   102              server_name www.example.com w.example.com;
   103  
   104              resolver 8.8.8.8;
   105  
   106              location / {
   107                  proxy_set_header X-Forwarded-Host $host;
   108                  proxy_set_header X-Forwarded-Server $host;
   109                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   110                  proxy_set_header X-Real-IP $remote_addr;
   111  
   112                  proxy_pass http://$host.default.example.appspot.com/$request_uri;
   113                  proxy_redirect http://$host.default.example.appspot.com/ /;
   114              }
   115          }
   116  
   117          server {
   118              # We could add the following line and the connection would still be SSL,
   119              # but it doesn't appear to be necessary. Seems saver this way.
   120              listen 80;
   121              listen 443 default ssl;
   122              server_name ~^(?<sub>.*)\.example\.com$;
   123  
   124              ssl_certificate /etc/ssl/server.crt;
   125              ssl_certificate_key /etc/ssl/server.key;
   126  
   127              # Security enhancements to deal with poodles and the like.
   128              # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
   129              # ssl_ciphers 'AES256+EECDH:AES256+EDH';
   130              ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   131  
   132              # We don't like poodles.
   133              ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   134              ssl_session_cache shared:SSL:10m;
   135  
   136              # Enable Forward secrecy.
   137              ssl_dhparam /etc/ssl/dhparam.pem;
   138              ssl_prefer_server_ciphers on;
   139  
   140              # Enable HTST.
   141              add_header Strict-Transport-Security max-age=1209600;
   142  
   143              if ($ssl_protocol = "") {
   144                  rewrite ^   https://$host$request_uri? permanent;
   145              }
   146  
   147              # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
   148              chunked_transfer_encoding on;
   149  
   150              location / {
   151                  proxy_pass http://authproxy:4180;
   152                  proxy_set_header Host $host;
   153                  proxy_set_header X-Real-IP $remote_addr;
   154                  proxy_set_header X-Scheme $scheme;
   155                  proxy_connect_timeout 1;
   156              }
   157          }
   158      }