NetIQ Identity Manager Applications behind HTTP proxy
# Site configuration for the NetIQ IDM application front end: nginx terminates
# TLS for idm/sspr/idmdash/imanager hostnames and proxies to Tomcat on
# idm.acme.com:8543 (idmdash, sspr, IDMProv, idmadmin, osp) and to iManager on
# idm1.acme.com:8443 (/nps).
#
# Cache zone referenced by the proxy_cache directives below. It lives under
# /tmp, so it is lost on tmp cleanup or reboot.
# NOTE(review): every proxied location in this file serves an authenticated
# application; confirm the backends mark per-user responses non-cacheable
# (Cache-Control / Set-Cookie) or drop proxy_cache for those locations.
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m;

## # WebSocket configuration (disabled; the matching
## # "proxy_set_header Connection $connection_upgrade" lines are commented out
## # too, so the Upgrade header alone does not give a working WebSocket path)
## map $http_upgrade $connection_upgrade {
##     default upgrade;
##     ''      close;
## }
##
## # Extract the data after the final period (.) in the
## # JSESSIONID cookie and store it in the $route_cookie variable.
## # NOTE(review): "w+" in the two patterns below looks like a lost backslash
## # (\w+) - verify before enabling these maps.
## map $cookie_jsessionid $route_cookie {
##     ~.+\.(?P<route>w+)$ $route;
## }
##
## # Search the URL for a trailing jsessionid parameter, extract the
## # data after the final period (.), and store it in
## # the $route_uri variable.
## map $request_uri $route_uri {
##     jsessionid=.+\.(?P<route>w+)$ $route;
## }
##
##
## upstream tomcat {
##     zone tomcat 64k;
##     server idm.acme.com:8543 fail_timeout=0;
## }

# Plain-HTTP listener: everything is redirected to HTTPS on the same host.
server {
    listen 80; #default_server;
    listen [::]:80; #default_server;
    server_name idm.acme.com sspr.acme.com idmdash.acme.com imanager.acme.com iman.acme.com;
    location / { return 301 https://$host$request_uri; }
}

#--------------------------------------------------------------------------------------
#--- idm.acme.com ---------------------------------------------------------------
#--------------------------------------------------------------------------------------
server { # SSL
    server_name idm.acme.com;
    # Shared TLS hardening and security headers (ssl_protocols, ciphers, add_header ...).
    include conf.d/includes/ssl_security_options.conf;
    listen [::]:443 ssl http2; #default_server;
    listen 443 ssl http2; #default_server;
    ssl_certificate /etc/nginx/ssl/wildcard.acme.com-2018.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.acme.com.key;
    # Only used for OCSP stapling / chain checks; stapling itself is still
    # commented out in ssl_security_options.conf.
    ssl_trusted_certificate /etc/nginx/ssl/Trustico-TrustProvider-IntermediateCA.crt;
    access_log /var/log/nginx/idm.acme.com_access.log;
    error_log /var/log/nginx/idm.acme.com_error.log;

    location = /favicon.ico { try_files $uri =404; log_not_found off; }

    # Parent location: holds the shared proxy settings that the nested
    # locations below inherit, and redirects bare "/" requests to the dashboard.
    location / {
        proxy_cache backcache;
        proxy_http_version 1.1;
        #proxy_set_header Host $proxy_host;
        # Upstream sees the client-facing hostname (idm.acme.com), unlike the
        # imanager server below which passes $proxy_host.
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        #proxy_set_header Connection $connection_upgrade;
        # Client identity for the backend; X-Forwarded-Proto lets Tomcat build
        # https:// URLs even though the upstream hop is on its own port.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Large buffers: the IDM apps emit big headers/cookies.
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_ssl_session_reuse off;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
        # NOTE(review): with verification off the upstream certificate is never
        # validated and the trusted CA file above is not consulted, so the
        # nginx -> Tomcat / iManager hop is open to impersonation on the
        # internal network. Switch to "on" once TRUSTED_CA.crt holds the
        # issuing chain of both backends (same FIXME recurs below and in the
        # imanager server).
        proxy_ssl_verify off; #FIXME
        #proxy_pass https://idm.acme.com:8543/idmdash/;
        # Redirect rather than proxy_pass, so the browser ends up at
        # https://idm.acme.com/idmdash/#/dashboard instead of
        # https://idm.acme.com/#/dashboard. The return applies only to requests
        # that resolve to this location itself; the nested locations below still
        # proxy, and the proxy_* settings after this line serve as their
        # inherited defaults.
        return 301 https://$host/idmdash$request_uri;
        proxy_read_timeout 90;
        proxy_redirect https://idm.acme.com:8543 https://idm.acme.com;

        # Case-insensitive, unanchored regex: it matches these path segments
        # anywhere in the URI, not only as the first segment.
        location ~* /(idmdash|sspr|IDMProv|idmadmin|osp) {
            proxy_pass https://idm.acme.com:8543; # no slash will append whole location
        }
        location /nps/ {
            proxy_pass https://idm1.acme.com:8443; # no slash will append whole location
        }
        location ^~ /idmdash/commons/ {
            # serve some static stuff directly
            # add nginx user to novlua group, or set proper ACLs ;)
            # Files under this directory are served by nginx without going
            # through Tomcat, i.e. without the application's authentication;
            # keep only genuinely public assets there.
            root /opt/netiq/idm/apps/tomcat/webapps;
            try_files $uri $uri/ =404;
        }
    }

## # Earlier per-location variant, superseded by the nested locations above.
## location ~* /(idmdash|sspr|IDMProv|idmadmin) {
##     #rewrite ^ /index.php$uri;
##     #try_files $uri $uri/ =404;
##     proxy_cache backcache;
##
##     proxy_http_version 1.1;
##     proxy_set_header Host $proxy_host;
##     proxy_set_header Upgrade $http_upgrade;
##     #proxy_set_header Connection $connection_upgrade;
##     proxy_set_header X-Real-IP $remote_addr;
##     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
##     proxy_set_header X-Forwarded-Proto $scheme;
##
##     proxy_buffer_size 128k;
##     proxy_buffers 4 256k;
##     proxy_busy_buffers_size 256k;
##
##     proxy_ssl_session_reuse off;
##     proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
##     proxy_ssl_verify off; #FIXME
##
##     proxy_pass https://idm.acme.com:8543; # no slash will append location
##     proxy_read_timeout 90;
##
##     proxy_redirect https://idm.acme.com:8543 https://idm.acme.com;
## }
## location /nps/ {
##     #rewrite ^ /index.php$uri;
##     #try_files $uri $uri/ =404;
##     proxy_cache backcache;
##
##     proxy_http_version 1.1;
##     #proxy_set_header Host $proxy_host;
##     proxy_set_header Upgrade $http_upgrade;
##     #proxy_set_header Connection $connection_upgrade;
##     proxy_set_header X-Real-IP $remote_addr;
##     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
##     proxy_set_header X-Forwarded-Proto $scheme;
##
##     proxy_buffer_size 128k;
##     proxy_buffers 4 256k;
##     proxy_busy_buffers_size 256k;
##
##     proxy_ssl_session_reuse off;
##     proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
##     proxy_ssl_verify off; #FIXME
##
##     #rewrite ^ /nps$1;
##     #rewrite ^ /$1 last;
##     #rewrite ^/imanager(.*)$ $1;
##     proxy_pass https://idm1.acme.com:8443;
##     proxy_read_timeout 90;
##
##     proxy_redirect https://idm1.acme.com:8443 https://idm.acme.com;
## }
} # server idm.acme.com

#--------------------------------------------------------------------------------------
#--- imanager.acme.com ---------------------------------------------------------------
#--------------------------------------------------------------------------------------
server { # SSL
    server_name imanager.acme.com iman.acme.com;
    include conf.d/includes/ssl_security_options.conf;
    listen [::]:443 ssl http2; #default_server;
    listen 443 ssl http2; #default_server;
    # Log file names read "iamanager" - looks like a typo for imanager; harmless
    # but worth aligning with the idm server's naming.
    access_log /var/log/nginx/iamanager.acme.com_access.log;
    error_log /var/log/nginx/iamanager.acme.com_error.log;
    ssl_certificate /etc/nginx/ssl/wildcard.acme.com-2018.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.acme.com.key;
    ssl_trusted_certificate /etc/nginx/ssl/Trustico-TrustProvider-IntermediateCA.crt;

    location = /favicon.ico { try_files $uri =404; log_not_found off; }
    # Bare "/" goes straight to the iManager entry point.
    location / { return 301 https://$host/nps; }

    # iManager on idm1.acme.com:8443; the path is passed through unchanged.
    location /nps {
        #rewrite ^ /index.php$uri;
        #try_files $uri $uri/ =404;
        proxy_cache backcache;
        proxy_http_version 1.1;
        # Upstream sees idm1.acme.com:8443 as Host here (contrast: $host in the
        # idm server); the proxy_redirect at the end maps Location headers back.
        proxy_set_header Host $proxy_host;
        proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_ssl_session_reuse off;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
        # NOTE(review): upstream certificate not validated while this is off;
        # see the same FIXME in the idm server.
        proxy_ssl_verify off; #FIXME
        #rewrite ^$ /nps/$1;
        #rewrite ^ /nps$1;
        #rewrite ^/imanager(.*)$ $1;
        proxy_pass https://idm1.acme.com:8443;
        proxy_read_timeout 90;
        proxy_redirect https://idm1.acme.com:8443 https://imanager.acme.com;
    }
} # server imanager.acme.com
# Main nginx configuration. Site definitions (including the IDM proxy config)
# are pulled in through the conf.d include at the end of the http block.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}

http {
    include /etc/nginx/mime.types;
    # Unmapped extensions are served as text/plain instead of octet-stream.
    # Fine for a pure proxy; for a static root (the /idmdash/commons/ location
    # in the site config) it means unknown files are rendered inline as text.
    #default_type application/octet-stream;
    default_type text/plain;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    aio on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 35s;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header / error pages.
    server_tokens off;
    etag on;
    # Global upload limit. The ssl_security_options include raises this to 512M
    # at server level, so the SSL servers do not use this value.
    client_max_body_size 65m;
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;
    charset utf-8;

    ## Compression.
    # NOTE(review): gzip of dynamic responses over TLS is the precondition for
    # BREACH-style attacks; the proxied apps return session-bound HTML, so
    # decide deliberately whether to keep compression on for them.
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 2;
    #gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css image/svg+xml application/javascript image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
    gzip_vary on;
    gzip_proxied any; # Compression for all requests.
    gzip_disable "msie6";
    ## Serve already compressed files directly, bypassing on-the-fly compression.
    gzip_static on;

    index index.html index.php;
    include /etc/nginx/conf.d/*.conf;
}
# Shared TLS hardening and security-header snippet, included at server level by
# the SSL server blocks (include conf.d/includes/ssl_security_options.conf).
ssl_protocols TLSv1.2 TLSv1.3;
# ECDHE/DHE with AES-GCM first. The AES256+EECDH / AES256+EDH groups also admit
# CBC suites; tighten if a GCM-only policy is wanted.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# Tickets off: resumption only via the server-side cache above, so there is no
# long-lived ticket key whose compromise would expose past sessions.
ssl_session_tickets off;
ssl_ecdh_curve secp384r1;
# Overrides the 65m client_max_body_size from nginx.conf for every server that
# includes this file.
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
# NOTE(review): see the BREACH caveat in nginx.conf - this re-enables gzip with
# a different type list and a stricter gzip_proxied policy for the SSL servers.
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521; # Needs new OpenSSL!
# OCSP stapling is still disabled; the server blocks already set
# ssl_trusted_certificate, so enabling the four lines below is mostly a matter
# of providing the resolver.
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 1.1.1.1 8.8.4.4 valid=300s;
# resolver_timeout 3s;
# ssl_trusted_certificate /etc/nginx/ssl/
# HSTS not yet enabled: the port-80 server redirects to HTTPS, but browsers
# still make that first plaintext request.
# add_header Strict-Transport-Security "max-age=15768000;"; # not yet
# NOTE(review): add_header lines are replaced wholesale by any add_header in a
# more specific location, so the headers below vanish in such locations. This
# CSP only upgrades insecure subresource requests; it restricts no sources, and
# without "always" it is omitted from error responses. No X-Frame-Options /
# frame-ancestors is set, so the proxied apps can be framed.
add_header Content-Security-Policy "upgrade-insecure-requests";
#add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN";