Last active
March 4, 2018 19:19
Nginx reverse proxy config for a local Tomcat serving a BMC ARSystem MidTier
# nginx BMC Remedy Mid Tier server configuration
#
# Plain-HTTP listener. Its only job is to send every client to the HTTPS
# listener further down; nothing is served on port 80 itself.
server {
    listen      80;
    server_name _;          # catch-all name: any Host header lands here

    # Nothing worth logging here, the TLS listener records the real requests.
    access_log  off;

    # Permanent redirect into the AR System Mid Tier context over HTTPS.
    # NOTE(review): $host echoes the client-supplied Host header into the
    # Location header. On a single-name deployment, replace it with the
    # site's hostname so a forged Host value cannot steer the redirect.
    return      301 https://$host/arsys;
}
# Upstream of tomcat
# One backend only: the local Tomcat HTTP connector. The hop to it is plain
# HTTP on the loopback interface; TLS is terminated by nginx.
upstream tomcat {
    server 127.0.0.1:8080;
}
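# HTTPS listener: terminates TLS and proxies the AR System Mid Tier (plus the
# Tomcat Manager and PSI-Probe admin apps) to the local "tomcat" upstream.
server {
    ### SSL listener config - start ###
    listen      443 ssl http2;
    server_name _;              # catch-all: any Host header reaches this server

    error_log   /var/log/nginx/midtier-proxy.error.log warn;
    access_log  /var/log/nginx/midtier-proxy_pass.access.log;
    #access_log off;

    # Do not reveal the nginx version in the Server header or on error pages.
    server_tokens off;

    # Cert needs to bundle server and CA certs, check with 'sudo nano' and add any LF if needed
    # Use command: cat <server>.crt <CA>.crt >> <server>-bundle.crt or similar for pem if needed
    ssl_certificate     /etc/nginx/certs/ca-chain.pem;
    ssl_certificate_key /etc/nginx/certs/star-itconcepts-net.pem;

    # TLS 1.2 only; the commented line is the older set that was dropped.
    #ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_protocols TLSv1.2;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    # AEAD (GCM) suites with (EC)DHE key exchange first; AES-128 explicitly excluded.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
    ssl_ecdh_curve secp384r1;
    # Server-side session cache only. Tickets are off, so resumption does not
    # depend on a long-lived static ticket key.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling. The resolver is only needed to look up the OCSP responder
    # named in the certificate (proxy_pass below targets a static upstream).
    # It is a third-party resolver queried over plain DNS; a local resolver
    # would be preferable.
    # NOTE(review): if nginx logs that the stapled response cannot be
    # verified, add ssl_trusted_certificate pointing at the issuing chain.
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver            213.133.100.100 valid=300s;
    resolver_timeout    5s;

    # Security headers. nginx inherits add_header into a location only if that
    # location sets no add_header of its own, so none of the locations below
    # may use add_header without repeating these (the robots.txt location uses
    # default_type for exactly that reason).
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    # NOTE(review): DENY also forbids same-origin framing; if Mid Tier pages
    # frame each other, SAMEORIGIN is the value to use -- verify.
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; # disallow search robots
    ### SSL listener config - end ###

    # additional settings for optimizations
    # Default request body limit; the proxied locations below lift it to 0 (unlimited).
    client_max_body_size 2m;
    # Pass request headers containing underscores through to Tomcat instead of
    # dropping them (the nginx default). Presumably a client or the Mid Tier
    # relies on such a header -- verify, otherwise leave the default.
    underscores_in_headers on;

    ### location blocks ###
    # Redirect root to arsys context
    # NOTE(review): $host is the client-supplied Host header; pin it to the
    # site's hostname where only one name is served.
    location / {
        return 301 https://$host/arsys;
    }

    # Disallow search engines etc.
    # default_type (rather than add_header Content-Type) sets the body type of
    # the literal return: it avoids a second Content-Type header and keeps the
    # server-level security headers inherited in this location.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    ## Proxy ARSystem MidTier
    location /arsys {
        proxy_http_version 1.1;
        # NOTE(review): "Connection: upgrade" is sent on every request, not only
        # on WebSocket upgrades; the usual form derives the Connection value from
        # $http_upgrade with a map block in the http context.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Client-address headers for Tomcat. Tomcat must trust them only when
        # they come from this proxy; that is configured on the Tomcat side, not here.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/arsys;
        proxy_buffering off;
        # Unlimited request body (attachments) and hour-long timeouts for
        # long-running Mid Tier operations.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;

        ## location for some static resources - only images, html and swf can be served by nginx
        ## Other images, JS, JSP and most CSS are dynamically used by MidTier depending on version
        # Serving static MidTier resources directly.
        # Location and alias both end in "/" so the whole prefix is swapped for
        # the directory. Without the slashes a request for ".../htmlfoo" would
        # map to ".../standard/htmlfoo", i.e. any sibling sharing the prefix.
        location /arsys/resources/html/ {
            alias /opt/apache/tomcat/webapps/arsys/resources/standard/html/;
        }
        location /arsys/resources/images/ {
            alias /opt/apache/tomcat/webapps/arsys/resources/standard/images/;
        }
        location /arsys/resources/swf/ {
            alias /opt/apache/tomcat/webapps/arsys/resources/standard/swf/;
        }
        location /arsys/shared/images/ {
            alias /opt/apache/tomcat/webapps/arsys/shared/images/;
        }
    }

    ## Proxy TC manager
    # The Tomcat Manager is reachable on this public catch-all listener and is
    # protected only by Tomcat's own authentication. Restrict it to the admin
    # network here, e.g.
    #   allow <ADMIN_NETWORK_CIDR>;   # placeholder, set to the real range
    #   deny  all;
    # The same applies to /probe below.
    location /manager {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/manager;
        proxy_buffering off;
        # Unlimited body so WAR deployments through the Manager are not cut off.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }

    ## Proxy TC PSI-Probe
    # Admin/diagnostic app; same exposure and the same allow/deny advice as /manager.
    location /probe {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://tomcat/probe;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}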