nginx.conf.template
# Main (process-level) settings.
# https://nginx.org/en/docs/ngx_core_module.html#daemon
# Default is on
# Setting here because this is generally passed as a command-line argument; "off" keeps nginx in the foreground
daemon off;
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
# Default value, setting explicitly
worker_processes 1;
# https://nginx.org/en/docs/ngx_core_module.html#pcre_jit
# Default is off
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L23
pcre_jit on;
# Connection-processing settings.
events {
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
# Default is 512
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L35
# TODO: This is set to 128 in Analytical Platform (https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L16) - does it need to be?
# The limit is per worker and counts upstream connections as well as client connections.
# With "worker_processes 1" this is the ceiling for the whole proxy, and the 20d proxy_read_timeout
# used in the server blocks lets idle connections hold slots for a long time.
worker_connections 1024;
}
http {
# HTTP-level settings taken from the OpenResty default configuration.
# https://nginx.org/en/docs/ngx_core_module.html#include
# No default value
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L40
# TODO: Commenting out as it cannot be found when testing config
# include mime.types;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
# Default is text/plain
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L41
default_type application/octet-stream;
# The *_temp_path directories below hold request bodies and upstream responses that nginx spills to disk.
# NOTE(review): /var/run/openresty should be writable only by the user nginx runs as - confirm in the image build.
# https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
# Default is client_body_temp (relative to the nginx prefix)
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L72
client_body_temp_path /var/run/openresty/nginx-client-body;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_temp_path
# Default is proxy_temp (relative to the nginx prefix)
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L73
proxy_temp_path /var/run/openresty/nginx-proxy;
# https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_temp_path
# Default is fastcgi_temp (relative to the nginx prefix)
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L74
fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
# https://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#uwsgi_temp_path
# Default is uwsgi_temp (relative to the nginx prefix)
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L75
uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
# https://nginx.org/en/docs/http/ngx_http_scgi_module.html#scgi_temp_path
# Default is scgi_temp (relative to the nginx prefix)
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L76
scgi_temp_path /var/run/openresty/nginx-scgi;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
# Default is off
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L78
sendfile on;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
# Default is 75s
# Setting as per OpenResty: https://github.com/openresty/docker-openresty/blob/master/nginx.conf#L82
keepalive_timeout 65;
#################################################
# Analytical Platform NGINX Proxy Configuration #
#################################################
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
# Default is on
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L42
# "off" stops nginx from putting its version in error pages and the Server response header.
server_tokens off;
# https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_package_path
# Default is content of LUA_PATH environment variable (https://github.com/openresty/docker-openresty/blob/master/alpine/Dockerfile.fat#L62)
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L21
# TODO: Check if this is required
# lua_package_path '~/lua/?.lua;;';
# https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
# No default value
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L23
# TODO: is this necessary?
# NOTE(review): Lua cosockets resolve hostnames through this directive rather than /etc/resolv.conf, so it is
# presumably needed if auth0-login.lua contacts the Auth0 tenant by name - confirm before removing.
# NOTE(review): 8.8.8.8 is a public resolver: lookups leave the platform in clear text and cluster-internal
# names will not resolve. Consider pointing this at the platform's own resolver.
resolver 8.8.8.8 ipv6=off;
# https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_ssl_trusted_certificate
# No default value
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L25
# TODO: Check if this is required
# This is the CA bundle used to verify the server certificate in cosocket TLS handshakes.
# NOTE(review): verification itself is requested by the Lua code, which is not shown here - confirm that
# auth0-login.lua enables it before treating this directive as optional.
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_ssl_verify_depth
# Default is 1
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L26
# TODO: Check if this is required
lua_ssl_verify_depth 5;
# https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict
# No default value
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L29C3-L35
lua_shared_dict activity 256k; # cache for activity data for pod idler
lua_shared_dict discovery 1m; # cache for discovery metadata documents
lua_shared_dict jwks 1m; # cache for JWKs
# https://nginx.org/en/docs/http/ngx_http_map_module.html
# No default value
# https://nginx.org/en/docs/http/websocket.html
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L37-L39
# $connection_upgrade is "close" when the client sent no Upgrade header and "upgrade" otherwise.
# The server blocks forward it upstream as the Connection header.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering
# Default is on
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L46
proxy_buffering on;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
# Default is 4k|8k (depending on platform)
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L47
proxy_buffer_size 32k;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers
# Default is 8 4k|8k (depending on platform)
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L48
proxy_buffers 4 32k;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
# Default is 8k|16k (depending on platform)
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L49
client_body_buffer_size 32k;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
# Default is 1k
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L50
client_header_buffer_size 8k;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers
# Default is 4 8k
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L51
# NOTE(review): this permits up to 8 x 64k of request headers per connection, and headers are read before
# the login check runs. It is presumably sized for large session cookies - confirm the size is still needed.
large_client_header_buffers 8 64k;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# Default is 1m
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L54
client_max_body_size 50M;
# The server configuration for /userinfo has been omitted as it is only referenced by the now-retired Analytical Platform Apps service
# https://user-guidance.analytical-platform.service.justice.gov.uk/apps/rshiny-app.html#finding-current-users-39-user-profiles
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L56-L69
# IDE
# Default server for the IDE: a health endpoint, a last-seen endpoint, and an authenticated reverse proxy
# to the upstream tool. Upper-case tokens (PROXY_LISTEN_ADDRESS, AUTH0_CLIENT_SECRET, ...) are template
# placeholders; the substitution step is not part of this file.
server {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# Default is *:80
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L72
# default_server means requests with any Host header are handled by this block.
listen PROXY_LISTEN_ADDRESS:PROXY_LISTEN_PORT default_server;
# https://nginx.org/en/docs/ngx_core_module.html#error_log
# Default is logs/error.log error;
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L74
# TODO: surely this should be set to error? also it should stream to stdout
# error_log /var/log/nginx/error.log ERROR_LOG_LEVEL;
# EXPERIMENTAL: https://nginx.org/en/docs/http/ngx_http_core_module.html#access_log
# NOTE(review): the "combined" format logs the full request line, query string included. If the login flow
# returns to this proxy with parameters such as an authorisation code in the URL, they will be written to
# stdout - confirm against auth0-login.lua and the log pipeline.
access_log /dev/stdout combined;
# NOTE(review): verbose levels (info/debug) may cause the Lua auth code to log token or session details.
# Keep ERROR_LOG_LEVEL at warn or error outside troubleshooting - confirm what the scripts log.
error_log /dev/stdout ERROR_LOG_LEVEL;
# NGINX health check
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L77
# No access_by_lua_file here, so this location is served without the login check.
# It is a prefix match: every URI beginning with /nginx-health is handled by the script.
# NOTE(review): consider "location = /nginx-health" if only the exact path is probed.
location /nginx-health {
content_by_lua_file /opt/lua-scripts/nginx-health.lua;
}
# Custom 404 page
# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
# No default value
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L95
# TODO: is this necessary?
error_page 404 /404.html;
location = /404.html {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#root
# Default is html
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L97
root /srv/www;
# https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
# No default value
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L98
# "internal" makes the page reachable only through error_page, not by direct client request.
internal;
}
# Last seen
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L102
# Like the health check, this is an unauthenticated prefix location.
# NOTE(review): confirm that what last-seen.lua returns is acceptable to expose to any client that can
# reach this port.
location /last-seen {
content_by_lua_file /opt/lua-scripts/last-seen.lua;
}
# Root
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L112
# Everything else passes through auth0-login.lua in the access phase before being proxied upstream.
location / {
# Each placeholder is pasted into a Lua string literal inside an nginx single-quoted string.
# NOTE(review): the rendered config therefore contains AUTH0_CLIENT_SECRET in clear text, and a value
# containing a quote or backslash would change how the line is parsed. Restrict read access to the
# rendered file; reading the secret from the environment (nginx "env" directive plus os.getenv in Lua)
# would keep it out of the file.
set_by_lua $analytical_platform_tool 'return "ANALYTICAL_PLATFORM_TOOL"';
set_by_lua $auth0_client_id 'return "AUTH0_CLIENT_ID"';
set_by_lua $auth0_client_secret 'return "AUTH0_CLIENT_SECRET"';
set_by_lua $auth0_tenant_domain 'return "AUTH0_TENANT_DOMAIN"';
set_by_lua $logout_url 'return "LOGOUT_URL"';
set_by_lua $redirect_domain 'return "REDIRECT_DOMAIN"';
set_by_lua $username 'return "USERNAME"';
# Runs in the access phase, before the request is proxied; presumably enforces the Auth0 login (script not shown).
access_by_lua_file /opt/lua-scripts/auth0-login.lua;
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L124-L130
# TODO: maybe move individual tool configurations to snippets and use https://nginx.org/en/docs/ngx_core_module.html#include directive
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
# No default value
# Traffic to the upstream is plain HTTP.
proxy_pass http://UPSTREAM_HOST:UPSTREAM_PORT;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
# Default is default
# NOTE(review): $http_host is the Host header exactly as the client sent it, so rewritten Location headers
# echo a client-chosen host. A fixed value such as REDIRECT_DOMAIN would avoid that - confirm the intent.
proxy_redirect http://UPSTREAM_HOST:UPSTREAM_PORT/ $scheme://$http_host/;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
# Default is 1.0
# 1.1 is required for WebSocket upgrades.
proxy_http_version 1.1;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
# Default is "Host $proxy_host" and "Connection close"
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent, so the
# upstream should trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
# Default is 60s
# A connection may stay open for up to 20 days without upstream data, presumably for long-lived WebSocket
# sessions. Each one holds a worker connection for that time.
proxy_read_timeout 20d;
}
}
# Tunnel
# Second listener that proxies to UPSTREAM_TUNNEL_PORT behind the same auth0-login.lua access handler.
# Upper-case tokens are template placeholders; the substitution step is not part of this file.
server {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
# Default is *:80
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L72
listen PROXY_TUNNEL_LISTEN_ADDRESS:PROXY_TUNNEL_LISTEN_PORT;
# https://nginx.org/en/docs/ngx_core_module.html#error_log
# Default is logs/error.log error;
# Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L74
# TODO: surely this should be set to error? also it should stream to stdout
# error_log /var/log/nginx/error.log ERROR_LOG_LEVEL;
# EXPERIMENTAL: https://nginx.org/en/docs/http/ngx_http_core_module.html#access_log
# NOTE(review): the "combined" format logs the full request line including the query string, so any login
# parameters carried in the URL end up on stdout - confirm against auth0-login.lua and the log pipeline.
access_log /dev/stdout combined;
# NOTE(review): keep ERROR_LOG_LEVEL at warn or error outside troubleshooting. Verbose levels may make the
# Lua auth code log token or session details - confirm what the scripts log.
error_log /dev/stdout ERROR_LOG_LEVEL;
# Root
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L112
# This is the only location in this server, so every request passes through auth0-login.lua first.
location / {
# The tool name carries a "-tunnel" suffix here; the remaining values are plain placeholders.
# NOTE(review): each placeholder is pasted into a Lua string literal, so the rendered config holds
# AUTH0_CLIENT_SECRET in clear text and a value containing a quote or backslash would change parsing.
# Restrict read access to the rendered file, or read the secret from the environment (nginx "env"
# directive plus os.getenv in Lua).
set_by_lua $analytical_platform_tool 'return "ANALYTICAL_PLATFORM_TOOL-tunnel"';
set_by_lua $auth0_client_id 'return "AUTH0_CLIENT_ID"';
set_by_lua $auth0_client_secret 'return "AUTH0_CLIENT_SECRET"';
set_by_lua $auth0_tenant_domain 'return "AUTH0_TENANT_DOMAIN"';
set_by_lua $logout_url 'return "LOGOUT_URL"';
set_by_lua $redirect_domain 'return "REDIRECT_DOMAIN"';
set_by_lua $username 'return "USERNAME"';
# Runs in the access phase, before the request is proxied; presumably enforces the Auth0 login (script not shown).
access_by_lua_file /opt/lua-scripts/auth0-login.lua;
# https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L124-L130
# TODO: maybe move individual tool configurations to snippets and use https://nginx.org/en/docs/ngx_core_module.html#include directive
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
# No default value
# Traffic to the upstream is plain HTTP.
proxy_pass http://UPSTREAM_HOST:UPSTREAM_TUNNEL_PORT;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
# Default is default
# NOTE(review): $http_host is the Host header exactly as the client sent it, so rewritten Location headers
# echo a client-chosen host. A fixed value such as REDIRECT_DOMAIN would avoid that - confirm the intent.
proxy_redirect http://UPSTREAM_HOST:UPSTREAM_TUNNEL_PORT/ $scheme://$http_host/;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
# Default is 1.0
# 1.1 is required for WebSocket upgrades.
proxy_http_version 1.1;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
# Default is "Host $proxy_host" and "Connection close"
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent, so the
# upstream should trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
# Default is 60s
# A connection may stay open for up to 20 days without upstream data; each one holds a worker connection
# for that time.
proxy_read_timeout 20d;
}
}
}