
@djraw
Last active March 4, 2018 19:19
NginX reverse proxy config for local Tomcat serving a BMC ARSystem MidTier
# nginx BMC Remedy Mid Tier server configuration
server {
    # Plain-HTTP listener: serves no content, every request is answered with a
    # permanent redirect to the /arsys context on HTTPS.
    # NOTE(review): $host is derived from the request (request line / Host header),
    # so the redirect target follows whatever host name the client sent. Set the
    # real host name in server_name and in the redirect if that matters for this
    # deployment.
    server_name _;
    listen 80;
    access_log off;    # the redirects are not logged

    return 301 https://$host/arsys;
}
# Backend pool "tomcat": the local Tomcat instance that hosts the Mid Tier webapp.
# The hop from nginx to Tomcat is plain HTTP over loopback, so Tomcat sees every
# proxied request as originating from 127.0.0.1 rather than from the real client.
upstream tomcat {
    server 127.0.0.1:8080;
}
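server {
    # HTTPS front end for the BMC Remedy Mid Tier running in the local Tomcat
    # (upstream "tomcat"). Terminates TLS, sets response security headers, serves
    # a few static resource directories directly and proxies everything else.

    ### SSL listener config - start ###
    listen 443 ssl http2;
    server_name _;
    error_log /var/log/nginx/midtier-proxy.error.log warn;
    access_log /var/log/nginx/midtier-proxy_pass.access.log;
    #access_log off;
    server_tokens off;    # do not advertise the nginx version

    # Cert needs to bundle server and CA certs, check with 'sudo nano' and add any LF if needed
    # Use command: cat <server>.crt <CA>.crt >> <server>-bundle.crt or similar for pem if needed
    ssl_certificate /etc/nginx/certs/ca-chain.pem;
    # Private key: keep this file readable by root / the nginx master process only.
    ssl_certificate_key /etc/nginx/certs/star-itconcepts-net.pem;
    #ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_protocols TLSv1.2;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # NOTE(review): OCSP stapling verification needs the issuer chain to be known to
    # nginx (from the bundle above or via ssl_trusted_certificate) - confirm that
    # stapled responses are actually being served.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 213.133.100.100 valid=300s;
    resolver_timeout 5s;

    # "always" also attaches the headers to error responses (4xx/5xx); without it
    # nginx only adds them to a fixed set of success and redirect status codes.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always; # disallow search robots
    ### SSL listener config - end ###

    # additional settings for optimizations
    client_max_body_size 2m;
    # NOTE(review): accepting underscores in header names lets a client send e.g.
    # X_Forwarded_For next to X-Forwarded-For; backends that normalise "-" and "_"
    # to the same name may then see client-controlled values. Keep this only if the
    # Mid Tier really needs it.
    underscores_in_headers on;

    ### location blocks ###
    # Redirect root to arsys context
    # ($host follows the host name sent by the client, as in the port-80 redirect.)
    location / {
        return 301 https://$host/arsys;
    }

    # Disallow search engines etc.
    location = /robots.txt {
        # default_type sets the one Content-Type of the generated body. Using
        # add_header for it would emit a second Content-Type header and, because
        # add_header is inherited only by levels that define none of their own,
        # would drop the server-level security headers for this response.
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    ## Proxy ARSystem MidTier
    location /arsys {
        proxy_http_version 1.1;
        # NOTE(review): "Connection: upgrade" is sent to Tomcat on every request, not
        # only on WebSocket handshakes; the usual pattern derives it from
        # $http_upgrade with a map in the http context.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Appends the peer address to any X-Forwarded-For the client supplied, so only
        # the last entry (and X-Real-IP) is asserted by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/arsys;
        proxy_buffering off;
        # NOTE(review): 0 removes the request-body size limit (overriding the 2m set at
        # server level) and the one-hour timeouts below let a slow or idle client hold
        # a connection for a long time; set both as tight as the application allows.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;

        ## location for some static resources - only images, html and swf can be served by nginx
        ## Other images, JS, JSP and most CSS are dynamically used by MidTier depending on version
        # Serving static MidTier resources directly
        # Files under these paths are read from disk by nginx and never reach Tomcat,
        # so no check performed inside the webapp applies to them.
        # The trailing slash on both the location and the alias keeps each match inside
        # its own directory: without it "/arsys/resources/images" is a plain string
        # prefix and would also map sibling names that merely start with "images".
        location /arsys/resources/html/ {
            alias /opt/apache/tomcat/webapps/arsys/resources/standard/html/;
        }
        location /arsys/resources/images/ {
            alias /opt/apache/tomcat/webapps/arsys/resources/standard/images/;
        }
        location /arsys/resources/swf/ {
            alias /opt/apache/tomcat/webapps/arsys/resources/standard/swf/;
        }
        location /arsys/shared/images/ {
            alias /opt/apache/tomcat/webapps/arsys/shared/images/;
        }
    }

    ## Proxy TC manager
    # The Tomcat Manager can deploy and undeploy web applications, so it must not be
    # reachable from arbitrary clients. Tomcat sees every proxied request as coming
    # from 127.0.0.1 (the upstream address), so a source-address restriction inside
    # Tomcat cannot tell remote clients apart; the restriction has to be enforced here.
    location /manager {
        allow 127.0.0.1;
        # allow 192.0.2.0/24;   # constructed example (documentation range): put your admin network here
        deny all;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/manager;
        proxy_buffering off;
        client_max_body_size 0;    # unlimited request body for this admin path
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }

    ## Proxy TC PSI-Probe
    # PSI-Probe is an administration and monitoring console for Tomcat; the same
    # address restriction as for /manager applies.
    location /probe {
        allow 127.0.0.1;
        # allow 192.0.2.0/24;   # constructed example (documentation range): put your admin network here
        deny all;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/probe;
        proxy_buffering off;
        client_max_body_size 0;    # unlimited request body for this admin path
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}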