-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.montagu.conf
158 lines (127 loc) · 5.63 KB
/
nginx.montagu.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# Main server configuration. See below for redirects.
server {
listen _PORT_ ssl;
server_name localhost montagu.vaccineimpact.org;
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# https://scotthelme.co.uk/content-security-policy-an-introduction/
# https://content-security-policy.com/examples/nginx/
# add_header Content-Security-Policy "default-src 'self';" always;
# However, this one does work:
add_header Content-Security-Policy "frame-ancestors 'self' *.vaccineimpact.org" always;
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# https://geekflare.com/add-x-frame-options-nginx/
add_header X-Frame-Options "SAMEORIGIN";
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
add_header X-Content-Type-Options "nosniff" always;
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
add_header Referrer-Policy 'origin' always;
# https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
# Actual values adopted from securityheaders.com :)
add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" always;
ssl_certificate /etc/montagu/proxy/certificate.pem;
ssl_certificate_key /etc/montagu/proxy/ssl_key.pem;
# SSL settings as recommended by https://ssl-config.mozilla.org
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/dhparam.pem;
root /usr/share/nginx/html;
error_page 404 /404.html;
# Serve up a static page for confirming the server is running
location = / {
try_files /index.html =404;
expires -1;
}
location /new-password {
try_files /resources/new-password.html =404;
expires -1;
}
location /reset-password {
try_files /resources/reset-password.html =404;
expires -1;
}
# Resources for static page
location /resources/ {
}
# Private data visualisation app - authenticated with Montagu via OrderlyWeb, redirects to the report on OW
rewrite ^/2020/(visualization|datavis)-partners/?$ /2020/visualisation-partners last;
location /2020/visualisation-partners {
return 301 /reports/report/internal-2018-interactive-plotting/version/20200727-142228-bf75fe24/artefacts/index.html?inline=true;
}
# Public (paper 1) data visualisation app, not authenticated - report data will be copied to this location
rewrite ^/2020/(visualization|datavis|dataviz)/?$ /2020/visualisation last;
rewrite ^/2020-(datavis|dataviz)/?$ /2020/visualisation last;
location /2020/visualisation/ {
}
# Paper 2 data visualisation app, not authenticated - report data will be copied to this location
rewrite ^/2021/(visualization|datavis|dataviz)/?$ /2021/visualisation last;
rewrite ^/2021-(datavis|dataviz)/?$ /2021/visualisation last;
location /2021/visualisation/ {
}
# Pass through to different containers based on url prefix.
location /api/ {
proxy_pass http://api:8080/;
proxy_redirect default;
# proxy_buffering is off, otherwise nginx downloads
# the full request before passing it on: This is bad for large files.
proxy_buffering off;
proxy_request_buffering off;
proxy_send_timeout 200s;
proxy_read_timeout 200s;
}
location /admin/ {
proxy_pass http://admin/;
}
location /contribution/ {
proxy_pass http://contrib/;
}
# resolving /reports/ dynamically because the orderly web container may not be up when the proxy starts
# for an explanation of this config see: https://tenzer.dk/nginx-with-dynamic-upstreams/
set $orderly_web http://orderly-web-web:8888;
location /reports/ {
resolver 127.0.0.11 valid=30s;
rewrite ^/reports/(.*) /$1 break;
proxy_pass $orderly_web;
proxy_redirect http://orderly-web-web:8888/ /reports/;
location "~/reports/(?<name>[^/]+)/(?<version>\d{8}-\d{6}-[0-9a-f]{8})" {
return 301 /reports/report/$name/$version;
}
}
# Ideally these github bots would be on a separate proxy server
# see https://mrc-ide.myjetbrains.com/youtrack/issue/mrc-1280
# Resolving dynamically for the same reason as above
location /pull-request/ {
resolver 127.0.0.11 valid=30s;
set $webhook http://wpia-bots.dide.ic.ac.uk:4567/pull-request/;
proxy_pass $webhook;
}
# Resolving dynamically for the same reason as above
location /naomi-bot/ {
resolver 127.0.0.11 valid=30s;
set $webhook http://wpia-bots.dide.ic.ac.uk:4568/naomi-bot/;
proxy_pass $webhook;
}
}
# Redirect all http requests to the SSL endpoint and the correct domain name
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location /basic_status {
stub_status;
allow 129.31.26.30/32;
allow 129.31.24.0/23;
allow 192.168.0.0/16;
allow 172.16.0.0/12;
deny all;
}
location /.well-known/acme-challenge/ {
root /var/www;
autoindex off;
}
location / {
return 301 https://_HOST_$request_uri;
}
}