nook24/openitcockpit-v4-nginx

## openitcockpit-v4-nginx
# openITCOCKPIT nginx default config for Ubuntu Xenial
# By Daniel Ziegler <daniel.ziegler@it-novum.com>
# Created: 11 Jan. 2017
#
# Changelog
# + Added phpMyAdmin part
# + Added WebSocket Proxy
# - Removed unnecessary config parts
# + Added HTTP to HTTPS redirect
# + Modify for Bionic
# + Add reverse proxy for /query_log
# + Add reverse proxy for /push_notifications
# + Add reverse proxy for Grafana
# + Add add_header X-Frame-Options "SAMEORIGIN";
# - Remove pnp4nagios config
# + Add OITC_DEBUG env
# Enable HTTP2


#redirect from http to https
server {
    listen         80;
    server_tokens off;
    add_header X-Frame-Options "SAMEORIGIN";
    return 301 https://$host$request_uri;
}

server {
    client_max_body_size        16M;
    listen 443 ssl http2;
    server_tokens off;
    ssl_certificate     /etc/ssl/certs/oitc.crt;
    ssl_certificate_key /etc/ssl/private/oitc.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    add_header X-Frame-Options "SAMEORIGIN";

    # root directive should be global
    root   /opt/openitc/frontend/webroot/;
    index  index.php;

    access_log /opt/openitc/logs/nginx/access.log;
    error_log /opt/openitc/logs/nginx/error.log;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

   location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|ttf|woff)$ {
   try_files $uri $uri/ /index.php?$query_string /index.php?$args;
   expires 1m;
   access_log off;
   add_header Cache-Control "public";
 }

 location ~* \.(?:css|js)$ {
   try_files $uri $uri/ /index.php?$query_string /index.php?$args;
   expires 1m;
   access_log off;
   add_header Cache-Control "public";
 }

    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass    unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index   index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param OITC_DEBUG 1;
        fastcgi_read_timeout 300;
    }

    #Proxy for WebSockets over HTTPS (firewalls bypass)
    location /sudo_server {
        proxy_pass http://127.0.0.1:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    #Proxy for WebSockets over HTTPS (firewalls bypass)
    location /chat_server {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    #Proxy for WebSockets over HTTPS (firewalls bypass)
    location /query_log {
        proxy_pass http://127.0.0.1:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    #Proxy for WebSockets over HTTPS (firewalls bypass)
    location /push_notifications {
        proxy_pass http://127.0.0.1:8083;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    #Proxy for Grafana
    location ^~ /grafana/ {
        proxy_pass         http://127.0.0.1:3033/;
        sub_filter 'http://localhost:3033/grafana/' 'https://$host/grafana/';
        sub_filter_once off;
    }

    #phpMyAdmin config
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;

        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
        }

        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }

    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

}
	# openITCOCKPIT nginx default config for Ubuntu Xenial
	# By Daniel Ziegler <daniel.ziegler@it-novum.com>
	# Created: 11 Jan. 2017
	#
	# Changelog
	# + Added phpMyAdmin part
	# + Added WebSocket Proxy
	# - Removed unnecessary config parts
	# + Added HTTP to HTTPS redirect
	# + Modify for Bionic
	# + Add reverse proxy for /query_log
	# + Add reverse proxy for /push_notifications
	# + Add reverse proxy for Grafana
	# + Add add_header X-Frame-Options "SAMEORIGIN";
	# - Remove pnp4nagios config
	# + Add OITC_DEBUG env
	# Enable HTTP2


	#redirect from http to https
	server {
	listen 80;
	server_tokens off;
	add_header X-Frame-Options "SAMEORIGIN";
	return 301 https://$host$request_uri;
	}

	server {
	client_max_body_size 16M;
	listen 443 ssl http2;
	server_tokens off;
	ssl_certificate /etc/ssl/certs/oitc.crt;
	ssl_certificate_key /etc/ssl/private/oitc.key;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

	add_header X-Frame-Options "SAMEORIGIN";

	# root directive should be global
	root /opt/openitc/frontend/webroot/;
	index index.php;

	access_log /opt/openitc/logs/nginx/access.log;
	error_log /opt/openitc/logs/nginx/error.log;

	location / {
	try_files $uri $uri/ /index.php?$args;
	}

	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc\|ttf\|woff)$ {
	try_files $uri $uri/ /index.php?$query_string /index.php?$args;
	expires 1m;
	access_log off;
	add_header Cache-Control "public";
	}

	location ~* \.(?:css\|js)$ {
	try_files $uri $uri/ /index.php?$query_string /index.php?$args;
	expires 1m;
	access_log off;
	add_header Cache-Control "public";
	}

	location ~ \.php$ {
	try_files $uri =404;
	include /etc/nginx/fastcgi_params;
	fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param OITC_DEBUG 1;
	fastcgi_read_timeout 300;
	}

	#Proxy for WebSockets over HTTPS (firewalls bypass)
	location /sudo_server {
	proxy_pass http://127.0.0.1:8081;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}

	#Proxy for WebSockets over HTTPS (firewalls bypass)
	location /chat_server {
	proxy_pass http://127.0.0.1:8080;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}

	#Proxy for WebSockets over HTTPS (firewalls bypass)
	location /query_log {
	proxy_pass http://127.0.0.1:8082;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}

	#Proxy for WebSockets over HTTPS (firewalls bypass)
	location /push_notifications {
	proxy_pass http://127.0.0.1:8083;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	}

	#Proxy for Grafana
	location ^~ /grafana/ {
	proxy_pass http://127.0.0.1:3033/;
	sub_filter 'http://localhost:3033/grafana/' 'https://$host/grafana/';
	sub_filter_once off;
	}

	#phpMyAdmin config
	location /phpmyadmin {
	root /usr/share/;
	index index.php index.html index.htm;

	location ~ ^/phpmyadmin/(.+\.php)$ {
	try_files $uri =404;
	root /usr/share/;
	fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include /etc/nginx/fastcgi_params;
	}

	location ~* ^/phpmyadmin/(.+\.(jpg\|jpeg\|gif\|css\|png\|js\|ico\|html\|xml\|txt))$ {
	root /usr/share/;
	}
	}

	location /phpMyAdmin {
	rewrite ^/* /phpmyadmin last;
	}

	}