Instantly share code, notes, and snippets.

Embed
What would you like to do?
this is a reverse-proxy connector that connects nginx to Railo. the files in this example assume that they are located in the same folder as the nginx executable file (i.e. nginx.exe on Windows).the main conf file is nginx-railo.conf which should be passed to nginx as the config file, e.g. nginx -c nginx-railo.confit includes other config files …
#### this is the main config file for nginx, to specify it from the command line, use the -c switch, e.g
#### nginx.exe -c nginx-railo.conf
##** if connecting to Tomcat, use Tomcat's RemoteIpValve to resolve CGI.REMOTE_ADDR, CGI.SERVER_NAME, and CGI.SERVER_PORT_SECURE
##** <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
#user nobody;
#pid logs/nginx.pid;
error_log logs/error.log;
worker_processes 1; ## set to number of CPU cores
events { worker_connections 1024; }
http {
include conf/mime.types;
default_type application/octet-stream;
sendfile on;
gzip on;
gzip_types application/javascript text/css; ## gzip js, css (html is enabled by default)
#tcp_nopush on;
keepalive_timeout 65;
index index.htm index.cfm index.html; ## default welcome documents
error_page 404 /404.cfm?uri=$request_uri; ## direct errors to Railo and pass original uri
error_page 403 /404.cfm?uri=$request_uri; ## show forbidden as innocent 404
error_page 500 /500.cfm?uri=$request_uri;
error_page 503 /503.cfm?uri=$request_uri;
server_names_hash_bucket_size 64; ## allow more than a couple of server names, with long names
server_tokens off; ## do not send nginx version
add_header X-Frame-Options SAMEORIGIN; ## security headers, see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
upstream railo_servers {
ip_hash; ## http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ip_hash
server 127.0.0.1:8080;
#server 127.0.0.1:8081; ## add more application servers below for load balancing
keepalive 32; ## number of upstream connections to keep alive
}
proxy_connect_timeout 30; ## connection timeout for proxy servers in seconds - max 75
## add website-specific configurations below
include nginx-site-site1.conf;
#include nginx-site-site2.conf; ## add more sites as needed
## default http server to handle request to unmapped hosts
server {
listen 80;
}
## log settings
log_format standard_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
log_format upstream_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$upstream_addr $upstream_status $upstream_response_time"';
access_log logs/$host-access.log standard_log_format; ## use upstream_log_format when clustering to see which application server the request was routed to
}
#### this file should be included in the server section of each site that should proxy to Railo #####
### Security begin
location ~ /META-INF/ { return 404; }
location ~ /WEB-INF/ { return 404; }
location ~ \.config$ { return 404; }
location ~ /\. { return 404; } ## e.g. .htaccess, .gitignore etc.
location ~ ~$ { return 404; }
location ~ \.aspx?$ { return 404; } ## most likely hackers testing the site
location ~ \.php$ { return 404; }
## Railo admin
location ~* /railo-context/(admin|doc)/ {
## IP security - add allow entries as needed
#allow 123.123.123.123; ## set your ip here and remove comment mark
#deny 192.168.0.1; ## deny gateway
#allow 192.168.0.0/24; ## allow local network
allow ::1; ## allow local IPs and deny all others
allow 127.0.0.1;
deny all;
#gzip off;
proxy_pass http://railo_servers;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
expires epoch;
}
### Security end
### Proxy .cfm etc to Railo Servers
location ~ \.(cfm|cfc|cfs|jsp|htm)$ {
#gzip off;
proxy_pass http://railo_servers;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## CGI.REMOTE_ADDR
proxy_set_header X-Forwarded-Proto $scheme; ## CGI.SERVER_PORT_SECURE
proxy_set_header X-Real-IP $remote_addr;
expires epoch;
}
#### create a file like this one for each website and include it in nginx-railo.conf
server {
include nginx-railo-proxy.conf; ## include the proxy config file
root C:/inetpub/wwwroot/site1;
listen 80;
#listen 127.0.0.1:80; ## use this instead if you want to listen on specific ip
#server_name localhost.site1 www.site1.com; ## enable to serve only specific hosts
location / {
try_files $uri $uri/ @rewrite-rules;
}
location @rewrite-rules {
## add rewrite rules as needed
#rewrite ^/index/(.*)/(.*)/? /index.cfm?p1=$1&p2=$2 last;
}
### add expires headers for static files
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 30d;
access_log off;
}
## to restrict access to a specific directory use the example below
#location ~* /restricted-access/ {
#
#allow 123.123.123.123; ## set your ip here and remove comment mark
#
#deny 192.168.0.1; ## deny gateway
#allow 192.168.0.0/24; ## allow local network
#
#allow ::1; ## allow local IPs and deny all others
#allow 127.0.0.1;
#
#deny all;
#}
## to define a virtual folder use the example below
#location ~ ^/shared/(.*)$ {
#
# alias C:/inetpub/wwwroot/shared/;
#}
### ssl settings begin -- enable for sites that should use ssl
#listen 443 ssl;
#ssl_certificate sslcert.pem; ## this must point to a valid .crt or .pem file
#ssl_certificate_key sslcert.pem; ## the key may be stored in the .pem file
## ssl_session_cache shared:SSL:1m; ## The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions.
#ssl_session_timeout 5m;
#ssl_prefer_server_ciphers on;
### ssl settings end
}
## redirect non-www to www
#server {
# listen site1.com:80;
# server_name site1.com;
# return 301 $scheme://www.site1.com$request_uri;
#}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment