package kube

// Edge proxy nginx.conf, shipped to the nginx pod as a ConfigMap.
//
// NOTE(review): the multiline string below is the mounted nginx.conf
// verbatim, so the observations here are kept outside it rather than
// edited into the tutorial's data. Points worth raising against the
// visible config, all grounded in the directives as written:
//  - `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` (both TLS servers) still
//    enables TLS 1.0/1.1, and the `ssl_ciphers` list admits 3DES suites
//    (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA) plus non-forward-secret AES*-SHA
//    suites behind the ECDHE/DHE ones; restricting to TLSv1.2 and the
//    GCM/ECDHE entries would keep the "no poodles" intent current.
//  - the "x.example.com example.io" server is the first block to
//    `listen 80`; absent a default_server directive nginx routes requests
//    with an unmatched Host to the first server on a port (hedge:
//    confirm no other server is marked default for 80). Both of its
//    locations do `set $myhost $host` and `proxy_pass http://$myhost...`,
//    so the upstream is taken from the client-supplied Host unless
//    `$arg_go-get` is "1". Validating `$host` against the intended names
//    (or a fixed upstream) bounds where the proxy will connect.
//  - `Strict-Transport-Security max-age=1209600` is 14 days with no
//    includeSubDomains; the second and third servers `listen 80` without
//    the `$ssl_protocol = ""` rewrite that the last server uses.
//  - `resolver 8.8.8.8` sends upstream name lookups for that server to a
//    public resolver over plain DNS; an in-cluster resolver keeps them
//    internal.
//  - the `# Enable HTST.` comments in the data are a typo for HSTS; left
//    untouched because the string is tutorial data.
configMap: nginx: {
	apiVersion: "v1"
	kind:       "ConfigMap"
	// nginx.conf as mounted into the proxy container (content unchanged).
	data: "nginx.conf": """
		events {
		    worker_connections 768;
		}
		http {
		    sendfile on;
		    tcp_nopush on;
		    tcp_nodelay on;
		    # needs to be high for some download jobs.
		    keepalive_timeout 400;
		    # proxy_connect_timeout 300;
		    proxy_send_timeout 300;
		    proxy_read_timeout 300;
		    send_timeout 300;

		    types_hash_max_size 2048;

		    include /etc/nginx/mime.types;
		    default_type application/octet-stream;

		    access_log /dev/stdout;
		    error_log /dev/stdout;

		    # Disable POST body size constraints. We often deal with large
		    # files. Especially docker containers may be large.
		    client_max_body_size 0;

		    upstream goget {
		        server localhost:7070;
		    }

		    # Redirect incoming Google Cloud Storage notifications:
		    server {
		        listen 443 ssl;
		        server_name notify.example.com notify2.example.com;

		        ssl_certificate /etc/ssl/server.crt;
		        ssl_certificate_key /etc/ssl/server.key;

		        # Security enhancements to deal with poodles and the like.
		        # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
		        # ssl_ciphers 'AES256+EECDH:AES256+EDH';
		        ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";

		        # We don't like poodles.
		        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		        ssl_session_cache shared:SSL:10m;

		        # Enable Forward secrecy.
		        ssl_dhparam /etc/ssl/dhparam.pem;
		        ssl_prefer_server_ciphers on;

		        # Enable HTST.
		        add_header Strict-Transport-Security max-age=1209600;

		        # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
		        chunked_transfer_encoding on;

		        location / {
		            proxy_pass http://tasks:7080;
		            proxy_connect_timeout 1;
		        }
		    }

		    server {
		        listen 80;
		        listen 443 ssl;
		        server_name x.example.com example.io;

		        location ~ \"(/[^/]+)(/.*)?\" {
		            set $myhost $host;
		            if ($arg_go-get = \"1\") {
		                set $myhost \"goget\";
		            }
		            proxy_pass http://$myhost$1;
		            proxy_set_header Host $host;
		            proxy_set_header X-Real-IP $remote_addr;
		            proxy_set_header X-Scheme $scheme;
		            proxy_connect_timeout 1;
		        }

		        location / {
		            set $myhost $host;
		            if ($arg_go-get = \"1\") {
		                set $myhost \"goget\";
		            }
		            proxy_pass http://$myhost;
		            proxy_set_header Host $host;
		            proxy_set_header X-Real-IP $remote_addr;
		            proxy_set_header X-Scheme $scheme;
		            proxy_connect_timeout 1;
		        }
		    }

		    server {
		        listen 80;
		        server_name www.example.com w.example.com;

		        resolver 8.8.8.8;

		        location / {
		            proxy_set_header X-Forwarded-Host $host;
		            proxy_set_header X-Forwarded-Server $host;
		            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		            proxy_set_header X-Real-IP $remote_addr;

		            proxy_pass http://$host.default.example.appspot.com/$request_uri;
		            proxy_redirect http://$host.default.example.appspot.com/ /;
		        }
		    }

		    server {
		        # We could add the following line and the connection would still be SSL,
		        # but it doesn't appear to be necessary. Seems saver this way.
		        listen 80;
		        listen 443 default ssl;
		        server_name ~^(?<sub>.*)\\.example\\.com$;

		        ssl_certificate /etc/ssl/server.crt;
		        ssl_certificate_key /etc/ssl/server.key;

		        # Security enhancements to deal with poodles and the like.
		        # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
		        # ssl_ciphers 'AES256+EECDH:AES256+EDH';
		        ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";

		        # We don't like poodles.
		        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		        ssl_session_cache shared:SSL:10m;

		        # Enable Forward secrecy.
		        ssl_dhparam /etc/ssl/dhparam.pem;
		        ssl_prefer_server_ciphers on;

		        # Enable HTST.
		        add_header Strict-Transport-Security max-age=1209600;

		        if ($ssl_protocol = \"\") {
		            rewrite ^ https://$host$request_uri? permanent;
		        }

		        # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
		        chunked_transfer_encoding on;

		        location / {
		            proxy_pass http://authproxy:4180;
		            proxy_set_header Host $host;
		            proxy_set_header X-Real-IP $remote_addr;
		            proxy_set_header X-Scheme $scheme;
		            proxy_connect_timeout 1;
		        }
		    }
		}
		"""
}