@lmajano
Forked from igal-getrailo/1 nginx-railo.conf
Last active August 29, 2015 14:14
#### this is the main config file for nginx; to specify it from the command line, use the -c switch, e.g.
#### nginx.exe -c nginx-railo.conf
##** if connecting to Tomcat, use Tomcat's RemoteIpValve to resolve CGI.REMOTE_ADDR, CGI.SERVER_NAME, and CGI.SERVER_PORT_SECURE
##** <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
#user nobody; ## worker account; presumably ignored by the Windows build (nginx.exe) -- confirm before relying on it
#pid logs/nginx.pid;
error_log logs/error.log;
worker_processes 1; ## one worker per CPU core
events {
    worker_connections 1024; ## simultaneous connections each worker may hold
}
http {
    include conf/mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    gzip_types application/javascript text/css; ## js and css; text/html is compressed by default
    ## NOTE(review): compressed dynamic pages served over TLS are exposed to
    ## compression side channels (BREACH) when they echo user input next to
    ## secrets; consider "gzip off" inside such ssl sites.
    index index.htm index.cfm index.html; ## welcome documents, tried in this order
    ## hand error pages to Railo, passing the originally requested uri along
    error_page 404 /404.cfm?uri=$request_uri;
    error_page 403 /404.cfm?uri=$request_uri; ## forbidden is reported as a plain 404
    error_page 500 /500.cfm?uri=$request_uri;
    error_page 503 /503.cfm?uri=$request_uri;
    server_tokens off; ## hide the nginx version in the Server header and on error pages
    server_names_hash_bucket_size 64; ## room for several, possibly long, server names
    ## security headers, see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    ## NOTE: a server or location that declares any add_header of its own
    ## stops inheriting these three; repeat them there when that happens.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ## application servers; ip_hash keeps a client on the same backend
    upstream railo_servers {
        ip_hash; ## http://nginx.org/en/docs/http/ngx_http_upstream_module.html#ip_hash
        server 127.0.0.1:8080;
        #server 127.0.0.1:8081; ## further backends for load balancing
        keepalive 32; ## idle upstream connections kept open by each worker
    }
    proxy_connect_timeout 30; ## seconds to wait for a backend connection (usually cannot exceed 75)
    ## per-site configurations
    include nginx-site-site1.conf;
    #include nginx-site-site2.conf; ## one include per additional site
    ## intended catch-all for hosts that no site claims.
    ## NOTE(review): nginx treats the FIRST server for an address:port as its
    ## default unless one says "listen 80 default_server", and the site
    ## includes above are parsed first, so this block currently receives
    ## nothing. Marking it default_server (and e.g. "return 444;") only makes
    ## sense once every site sets server_name; otherwise the sites would stop
    ## seeing requests for unlisted hosts.
    server {
        listen 80;
    }
    ## log settings
    log_format standard_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    log_format upstream_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$upstream_addr $upstream_status $upstream_response_time"';
    ## one log file per host. NOTE(review): $host falls back to the request's
    ## Host header when no server_name matches, so unknown hosts create new files.
    access_log logs/$host-access.log standard_log_format; ## switch to upstream_log_format when clustering to see which backend served the request
}
#### this file should be included in the server section of each site that should proxy to Railo #####
### Security begin
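## Paths that must never be served from disk. The matches are
## case-insensitive (~*) because this deployment serves from a Windows root
## (C:/inetpub/..., nginx.exe), where the filesystem itself ignores case; a
## case-sensitive "~" blocks /WEB-INF/ but not the same files spelled
## /web-inf/, which try_files would then serve.
location ~* /META-INF/ { return 404; }
location ~* /WEB-INF/ { return 404; }
location ~* \.config$ { return 404; }
location ~ /\. { return 404; } ## dot-files such as .htaccess, .gitignore (also blocks /.well-known/ -- add an exception if ACME challenges are needed)
location ~ ~$ { return 404; } ## editor backup files ending in "~"
location ~* \.aspx?$ { return 404; } ## not served by this stack; usually automated scanners
location ~* \.php$ { return 404; }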
## Railo admin
## Railo administrator and documentation: reachable only from the addresses
## allowed below (rules are evaluated top to bottom, first match wins).
location ~* /railo-context/(admin|doc)/ {
    ## IP security - add allow entries as needed
    #allow 123.123.123.123; ## your own address
    #deny 192.168.0.1; ## gateway
    #allow 192.168.0.0/24; ## local network
    allow 127.0.0.1; ## loopback only; everyone else is denied
    allow ::1;
    deny all;
    ## NOTE(review): allow/deny test the TCP peer address ($remote_addr); if
    ## another proxy sits in front of nginx, every request appears to come from it.
    #gzip off;
    proxy_pass http://railo_servers;
    proxy_http_version 1.1;
    proxy_set_header Connection ""; ## required with HTTP/1.1 for the upstream keepalive pool
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## appends $remote_addr to any incoming X-Forwarded-For
    proxy_set_header X-Forwarded-Proto $scheme;
    expires epoch; ## Expires in the past plus Cache-Control: no-cache
}
### Security end
### Proxy .cfm etc to Railo Servers
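### Proxy dynamic pages (.cfm etc.) to the Railo servers
## Matched case-insensitively (~*): this deployment serves from a Windows root
## (C:/inetpub/...), whose filesystem ignores case, so a case-sensitive match
## would let a request for INDEX.CFM skip the proxy and have try_files hand out
## the template source as a static file. ~* also matches the admin location above.
location ~* \.(cfm|cfc|cfs|jsp|htm)$ {
    #gzip off;
    proxy_pass http://railo_servers;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Connection ""; ## required with HTTP/1.1 for the upstream keepalive pool
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## CGI.REMOTE_ADDR (Tomcat's RemoteIpValve is expected to read this, see nginx-railo.conf)
    proxy_set_header X-Forwarded-Proto $scheme; ## CGI.SERVER_PORT_SECURE
    proxy_set_header X-Real-IP $remote_addr;
    expires epoch; ## Expires in the past plus Cache-Control: no-cache
}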
#### create a file like this one for each website and include it in nginx-railo.conf
server {
    ## shared deny/proxy rules come first: regex locations are tried in file
    ## order, so the included rules (e.g. /\.) win over the static-file
    ## location further down.
    include nginx-railo-proxy.conf;
    listen 80;
    #listen 127.0.0.1:80; ## bind a single address instead of every interface
    #server_name localhost.site1 www.site1.com; ## uncomment to answer only for these hosts
    root C:/inetpub/wwwroot/site1;
    ## requests no regex location claims: the file if it exists, then the
    ## directory (index), otherwise the rewrite map
    location / {
        try_files $uri $uri/ @rewrite-rules;
    }
    location @rewrite-rules {
        ## add rewrite rules as needed
        #rewrite ^/index/(.*)/(.*)/? /index.cfm?p1=$1&p2=$2 last;
    }
    ### long-lived cache headers for static assets; these hits are not logged
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 30d;
        access_log off;
    }
    ## example: restrict a directory to selected addresses (first match wins)
    #location ~* /restricted-access/ {
    #
    #allow 123.123.123.123; ## your own address
    #
    #deny 192.168.0.1; ## gateway
    #allow 192.168.0.0/24; ## local network
    #
    #allow ::1; ## loopback only; everyone else is denied
    #allow 127.0.0.1;
    #
    #deny all;
    #}
    ## example: map a url prefix onto a directory outside the root
    #location ~ ^/shared/(.*)$ {
    #
    # alias C:/inetpub/wwwroot/shared/;
    #}
    ### ssl settings begin -- enable for sites that should use ssl
    #listen 443 ssl;
    #ssl_certificate sslcert.pem; ## certificate (and chain) as a .crt or .pem file
    #ssl_certificate_key sslcert.pem; ## may be the same .pem when it also holds the key; keep that file readable by nginx only
    ## ssl_session_cache shared:SSL:1m; ## The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions.
    #ssl_session_timeout 5m;
    #ssl_prefer_server_ciphers on;
    ## NOTE(review): no ssl_protocols / ssl_ciphers are given, so the build's
    ## defaults apply; pin them explicitly when enabling ssl.
    ### ssl settings end
}
## redirect non-www to www
#server {
# listen site1.com:80;
# server_name site1.com;
# return 301 $scheme://www.site1.com$request_uri;
#}