Skip to content

Instantly share code, notes, and snippets.

@lazd
Created October 12, 2023 15:55
Show Gist options
  • Save lazd/b7fa1ac0a4f274a77f451c77514f94c0 to your computer and use it in GitHub Desktop.
Save lazd/b7fa1ac0a4f274a77f451c77514f94c0 to your computer and use it in GitHub Desktop.
nginx.conf for reverse proxy
#user nobody;
worker_processes 1;
# error_log /usr/local/var/log/nginx/error.log;
# error_log /usr/local/var/log/nginx/error.log notice;
error_log /usr/local/var/log/nginx/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
map $upstream_http_location $m_replaceHTTPS {
"" "";
"~^https://(.*)$" "http://$1";
"~.*" "";
}
map $upstream_http_set_cookie $m_replaceCookie {
"" "";
"~secure;?$" "";
"~.*" "";
}
server {
listen 8080 default_server;
location / {
resolver 8.8.8.8;
proxy_pass https://$host;
# Ensure all content goes to http
sub_filter_once off;
sub_filter_types application/xhtml+xml application/xml text/xml application/rss+xml application/atom+xml text/plain text/javascript text/css application/json;
sub_filter 'https://' 'http://';
# Ensure redirects go to http
proxy_hide_header location;
add_header location $m_replaceHTTPS always;
# Make the first cookie insecure
proxy_hide_header set-cookie;
add_header set-cookie $m_replaceCookie always;
# don't allow gzip so sub_filter works
proxy_set_header Accept-Encoding "";
# spoof UA
proxy_set_header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A";
# run down redirects to avoid confusing the browser
proxy_intercept_errors on;
error_page 301 302 307 = @handle_redirect;
}
location @handle_redirect {
resolver 8.8.8.8;
set $saved_redirect_location '$upstream_http_location';
proxy_pass $saved_redirect_location;
sub_filter_once off;
sub_filter_types application/xhtml+xml application/xml text/xml text/plain text/javascript text/css application/json;
sub_filter 'https://' 'http://';
# don't allow gzip so sub_filter works
proxy_set_header Accept-Encoding "";
proxy_hide_header location;
add_header location $m_replaceHTTPS always;
}
}
server {
listen 4343 ssl;
ssl_certificate nginx-selfsigned.crt;
ssl_certificate_key nginx-selfsigned.key;
ssl_dhparam dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
# server {
# listen 4343 ssl;
#
# ssl_certificate nginx-selfsigned.crt;
# ssl_certificate_key nginx-selfsigned.key;
# ssl_dhparam dhparam.pem;
#
# ssl_session_timeout 1d;
# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# ssl_session_tickets off;
#
# ssl_verify_client off;
# proxy_ssl_session_reuse off;
# old configuration
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
# ssl_prefer_server_ciphers off;
#
# add_header Strict-Transport-Security "max-age=63072000" always;
# ssl_prefer_server_ciphers off;
# ssl_protocols SSLv3 TLSv1;
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ssl_ecdh_curve secp384r1;
# ssl_session_cache shared:SSL:10m;
# ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
# location / {
# resolver 8.8.8.8;
# proxy_pass https://$host;
# }
# }
include servers/*;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment