-
-
Notifications
You must be signed in to change notification settings - Fork 746
/
st2.conf
168 lines (136 loc) · 5.65 KB
/
st2.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#
# nginx configuration to expose st2 webui, redirect HTTP->HTTPS,
# provide SSL termination, and reverse-proxy st2api and st2auth API endpoint.
# To enable:
# cp ${LOCATION}/st2.conf /etc/nginx/sites-available
# ln -l /etc/nginx/sites-available/st2.conf /etc/nginx/sites-enabled/st2.conf
# see https://docs.stackstorm.com/install.html for details
server {
listen *:80 default_server;
add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
if ($ssl_protocol = "") {
return 308 https://$host$request_uri;
}
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
return 405;
}
index index.html;
access_log /var/log/nginx/st2webui.access.log combined;
error_log /var/log/nginx/st2webui.error.log;
}
server {
listen *:443 ssl;
server_tokens off;
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
return 405;
}
ssl_certificate /etc/ssl/st2/st2.crt;
ssl_certificate_key /etc/ssl/st2/st2.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
index index.html;
access_log /var/log/nginx/ssl-st2webui.access.log combined;
error_log /var/log/nginx/ssl-st2webui.error.log;
add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY always;
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
add_header X-XSS-Protection "0";
location @apiError {
add_header Content-Type application/json always;
return 503 '{ "faultstring": "Nginx is unable to reach st2api. Make sure service is running." }';
}
location /api/ {
error_page 502 = @apiError;
rewrite ^/api/(.*) /$1 break;
proxy_pass http://127.0.0.1:9101/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
proxy_set_header Host $host;
max_ranges 0;
# In a lot of scenarios, it may be beneficial to enable response compression (especially when
# working with large executions and StackStorm instance is accessed over public internet).
# To enable it, uncomment the lines below and adjust according to your needs.
# gzip on;
# gzip_min_length 1024;
# gzip_types text/plain application/json text/event-stream;
}
location @streamError {
add_header Content-Type text/event-stream;
return 200 "retry: 1000\n\n";
}
# For backward compatibility reasons, rewrite requests from "/api/stream"
# to "/stream/v1/stream" and "/api/v1/stream" to "/stream/v1/stream"
rewrite ^/api/stream/?$ /stream/v1/stream break;
rewrite ^/api/(v\d)/stream/?$ /stream/$1/stream break;
location /stream/ {
error_page 502 = @streamError;
rewrite ^/stream/(.*) /$1 break;
proxy_pass http://127.0.0.1:9102/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 200;
proxy_connect_timeout 200;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Disable buffering and chunked encoding.
# In the stream case we want to receive the whole payload at once, we don't
# want multiple chunks.
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
max_ranges 0;
# In a lot of scenarios, it may be beneficial to enable response compression (especially when
# working with large executions and StackStorm instance is accessed over public internet).
# To enable it, uncomment the lines below and adjust according to your needs.
# gzip on;
# gzip_min_length 1024;
# gzip_types text/plain application/json text/event-stream;
# gzip_proxied no-cache no-store private expired auth;
}
location @authError {
add_header Content-Type application/json always;
return 503 '{ "faultstring": "Nginx is unable to reach st2auth. Make sure service is running." }';
}
location /auth/ {
error_page 502 = @authError;
rewrite ^/auth/(.*) /$1 break;
proxy_pass http://127.0.0.1:9100/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-User $remote_user;
proxy_pass_header Authorization;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
max_ranges 0;
}
location / {
max_ranges 0;
root /opt/stackstorm/static/webui/;
index index.html;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
}
}