NetIQ Identity Manager Applications behind HTTP proxy
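# Shared on-disk cache used by the proxy_cache directives in the server blocks below.
# max_size bounds disk usage so a flood of distinct cacheable URLs cannot fill /tmp, and
# inactive evicts entries nobody has asked for in that time (1g / 60m are constructed
# defaults -- tune them to the host).
proxy_cache_path /tmp/NGINX_cache/ keys_zone=backcache:10m max_size=1g inactive=60m;
## # WebSocket configuration
## # (disabled; the server blocks below keep "proxy_set_header Connection $connection_upgrade"
## # commented out because this map is not active -- enable both together or neither)
## map $http_upgrade $connection_upgrade {
## default upgrade;
## '' close;
## }
##
## # Extract the data after the final period (.) in the
## # JSESSIONID cookie and store it in the $route_cookie variable.
## # (the original text had "w+" without the backslash, which matches a literal run of
## # the letter w; corrected to \w+ here)
## map $cookie_jsessionid $route_cookie {
## ~.+\.(?P<route>\w+)$ $route;
## }
##
## # Search the URL for a trailing jsessionid parameter, extract the
## # data after the final period (.), and store it in
## # the $route_uri variable.
## # (a map pattern is only a regex when it starts with "~"; the original line lacked it
## # and would have been compared as a literal string)
## map $request_uri $route_uri {
## ~jsessionid=.+\.(?P<route>\w+)$ $route;
## }
##
##
## upstream tomcat {
## zone tomcat 64k;
## server idm.acme.com:8543 fail_timeout=0;
## }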
# Plain-HTTP listener: every request is answered with a permanent redirect to HTTPS.
# NOTE(review): the redirect target is built from $host, i.e. the client-supplied Host
# header. If this is the first or only server on port 80 it also receives requests whose
# Host does not match server_name and would redirect them to that foreign host; a separate
# catch-all default_server on :80 returning 444 (or redirecting to a fixed hostname) closes
# that -- confirm no other conf.d file already declares a default_server first.
server {
listen 80; #default_server;
listen [::]:80; #default_server;
server_name idm.acme.com sspr.acme.com idmdash.acme.com imanager.acme.com iman.acme.com;
location / { return 301 https://$host$request_uri; }
}
#--------------------------------------------------------------------------------------
#--- idm.acme.com ---------------------------------------------------------------
#--------------------------------------------------------------------------------------
# HTTPS front end for the IDM web applications. URIs matching the idmdash/sspr/IDMProv/
# idmadmin/osp pattern go to Tomcat on idm.acme.com:8543, /nps/ goes to idm1.acme.com:8443,
# /idmdash/commons/ is served from disk, and anything else is redirected under /idmdash.
server { # SSL
server_name idm.acme.com;
include conf.d/includes/ssl_security_options.conf; # protocols, ciphers, response headers
listen [::]:443 ssl http2; #default_server;
listen 443 ssl http2; #default_server;
ssl_certificate /etc/nginx/ssl/wildcard.acme.com-2018.crt;
ssl_certificate_key /etc/nginx/ssl/wildcard.acme.com.key;
# Only consulted for OCSP stapling or client-certificate verification; neither is enabled
# in the include as shown on this page, so this line currently has no effect.
ssl_trusted_certificate /etc/nginx/ssl/Trustico-TrustProvider-IntermediateCA.crt;
access_log /var/log/nginx/idm.acme.com_access.log;
error_log /var/log/nginx/idm.acme.com_error.log;
location = /favicon.ico { try_files $uri =404; log_not_found off; }
# Outer location: holds the proxy_* settings that the nested locations below inherit, and
# redirects every request that none of them matches.
location / {
# NOTE(review): these are authenticated applications. nginx skips caching of responses
# that carry Set-Cookie or Cache-Control private/no-store, so sharing one cache across
# users is only safe while the apps keep sending those headers on per-user content --
# confirm that before relying on it.
proxy_cache backcache;
proxy_http_version 1.1;
#proxy_set_header Host $proxy_host;
proxy_set_header Host $host;
# Forwarding Upgrade alone does not enable WebSockets: the matching Connection header
# (commented out below) and the $connection_upgrade map at the top of the file are both
# disabled, so this header is currently just passed through.
proxy_set_header Upgrade $http_upgrade;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
#proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_ssl_session_reuse off;
# The trusted-CA file is ignored while proxy_ssl_verify is off: the upstream certificate
# is not checked at all, so a host that can get between this proxy and port 8543 could
# impersonate Tomcat. Turning verification on needs TRUSTED_CA.crt to hold the CA that
# issued the upstream certificate and a proxy_ssl_name matching its subject.
proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
proxy_ssl_verify off; #FIXME
#proxy_pass https://idm.acme.com:8543/idmdash/;
# Only requests handled by this outer location get the redirect; a request that lands in
# one of the nested locations is not affected by it (as I read nginx's rewrite-module
# inheritance -- confirm), which is what lets the proxy_pass blocks below work. The two
# proxy_* directives after the return do nothing for redirected requests but are still
# inherited by the nested locations.
return 301 https://$host/idmdash$request_uri; # rather redirect instead of proxy_pass, so i would not end up with https://idm.acme.com/#/dashboard, but preferably https://idm.acme.com/idmdash/#/dashboard
proxy_read_timeout 90;
proxy_redirect https://idm.acme.com:8543 https://idm.acme.com;
# NOTE: the pattern is not anchored, so any URI containing e.g. "/osp" anywhere in it
# matches (case-insensitively); "^/(idmdash|sspr|IDMProv|idmadmin|osp)(/|$)" would be tighter.
location ~* /(idmdash|sspr|IDMProv|idmadmin|osp) {
proxy_pass https://idm.acme.com:8543; # no slash will append whole location
}
location /nps/ {
proxy_pass https://idm1.acme.com:8443; # no slash will append whole location
}
# Files under the Tomcat webapp directory are served by nginx itself here, so Tomcat's own
# access rules for them do not apply; nginx normalises ".." so the tree cannot be escaped,
# but check that nothing under commons/ is meant to stay private.
location ^~ /idmdash/commons/ {
# serve some static stuff directly
# add nginx user to novlua group, or set proper ACLs ;)
root /opt/netiq/idm/apps/tomcat/webapps;
try_files $uri $uri/ =404;
}
}
# Earlier, disabled version of the two proxied locations, kept for reference.
## location ~* /(idmdash|sspr|IDMProv|idmadmin) {
## #rewrite ^ /index.php$uri;
## #try_files $uri $uri/ =404;
## proxy_cache backcache;
##
## proxy_http_version 1.1;
## proxy_set_header Host $proxy_host;
## proxy_set_header Upgrade $http_upgrade;
## #proxy_set_header Connection $connection_upgrade;
## proxy_set_header X-Real-IP $remote_addr;
## proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## proxy_set_header X-Forwarded-Proto $scheme;
##
## proxy_buffer_size 128k;
## proxy_buffers 4 256k;
## proxy_busy_buffers_size 256k;
##
## proxy_ssl_session_reuse off;
## proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
## proxy_ssl_verify off; #FIXME
##
## proxy_pass https://idm.acme.com:8543; # no slash will append location
## proxy_read_timeout 90;
##
## proxy_redirect https://idm.acme.com:8543 https://idm.acme.com;
## }
## location /nps/ {
## #rewrite ^ /index.php$uri;
## #try_files $uri $uri/ =404;
## proxy_cache backcache;
##
## proxy_http_version 1.1;
## #proxy_set_header Host $proxy_host;
## proxy_set_header Upgrade $http_upgrade;
## #proxy_set_header Connection $connection_upgrade;
## proxy_set_header X-Real-IP $remote_addr;
## proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## proxy_set_header X-Forwarded-Proto $scheme;
##
## proxy_buffer_size 128k;
## proxy_buffers 4 256k;
## proxy_busy_buffers_size 256k;
##
## proxy_ssl_session_reuse off;
## proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
## proxy_ssl_verify off; #FIXME
##
## #rewrite ^ /nps$1;
## #rewrite ^ /$1 last;
## #rewrite ^/imanager(.*)$ $1;
## proxy_pass https://idm1.acme.com:8443;
## proxy_read_timeout 90;
##
## proxy_redirect https://idm1.acme.com:8443 https://idm.acme.com;
## }
} # server idm.acme.com
#--------------------------------------------------------------------------------------
#--- imanager.acme.com ---------------------------------------------------------------
#--------------------------------------------------------------------------------------
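server { # SSL
    # iManager front end: the whole application is proxied from idm1.acme.com:8443.
    server_name imanager.acme.com iman.acme.com;
    include conf.d/includes/ssl_security_options.conf; # protocols, ciphers, response headers
    listen [::]:443 ssl http2; #default_server;
    listen 443 ssl http2; #default_server;
    # Log names follow the <server_name>_access.log pattern used by the idm.acme.com server;
    # the previous "iamanager" spelling was a typo (update logrotate if it referenced it).
    access_log /var/log/nginx/imanager.acme.com_access.log;
    error_log /var/log/nginx/imanager.acme.com_error.log;
    ssl_certificate /etc/nginx/ssl/wildcard.acme.com-2018.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.acme.com.key;
    # Only used for OCSP stapling / client-certificate checks, neither of which is enabled
    # in the include as shown on this page.
    ssl_trusted_certificate /etc/nginx/ssl/Trustico-TrustProvider-IntermediateCA.crt;
    location = /favicon.ico { try_files $uri =404; log_not_found off; }
    # Bare host goes straight to the application. $host is the client-supplied Host header;
    # that is acceptable while server_name pins this server to known names, but use a fixed
    # hostname instead if this block is ever made default_server.
    location / { return 301 https://$host/nps; }
    # Prefix without a trailing slash, so /npsfoo would match too; harmless as long as the
    # upstream only answers under /nps.
    location /nps {
        #rewrite ^ /index.php$uri;
        #try_files $uri $uri/ =404;
        # NOTE(review): authenticated application behind a shared cache; nginx does not cache
        # responses carrying Set-Cookie or Cache-Control private/no-store, so this is only
        # safe while the upstream keeps sending those on per-user content.
        proxy_cache backcache;
        proxy_http_version 1.1;
        # The upstream sees its own name (idm1.acme.com:8443), which is why the redirects it
        # issues have to be rewritten with proxy_redirect at the bottom of this block.
        proxy_set_header Host $proxy_host;
        # Upgrade is forwarded without a Connection header (line below is commented out and
        # the $connection_upgrade map is disabled), so this does not enable WebSockets.
        proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_ssl_session_reuse off;
        # The trusted-CA file is ignored while verification is off: the upstream certificate
        # is not checked, so a host between this proxy and port 8443 could impersonate it.
        proxy_ssl_trusted_certificate /etc/nginx/ssl/TRUSTED_CA.crt;
        proxy_ssl_verify off; #FIXME
        #rewrite ^$ /nps/$1;
        #rewrite ^ /nps$1;
        #rewrite ^/imanager(.*)$ $1;
        proxy_pass https://idm1.acme.com:8443;
        proxy_read_timeout 90;
        # Rewrites upstream Location headers to the public name. Clients that arrived via the
        # iman.acme.com alias are moved to imanager.acme.com by this; "https://$host" as the
        # replacement would keep the alias if that matters.
        proxy_redirect https://idm1.acme.com:8443 https://imanager.acme.com;
    }
} # server imanager.acme.com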
# nginx.conf -- main configuration. This and the section after the http block look like
# separate files of the same gist that the page concatenated; the include at the end of
# the http block is what pulls in the server blocks above.
user nginx;
worker_processes auto; # one worker per available CPU core
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    # epoll is the event method to use on Linux; multi_accept lets a worker take every
    # pending connection off the accept queue per wake-up instead of one at a time.
    use epoll;
    multi_accept on;
    worker_connections 1024; # per worker process
}
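http {
    include /etc/nginx/mime.types;
    #default_type application/octet-stream;
    default_type text/plain; # unknown extensions are served as text rather than as downloads
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    aio on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 35s;
    types_hash_max_size 2048;
    server_tokens off; # no nginx version in the Server header or error pages
    etag on;
    # NOTE: ssl_security_options.conf raises this to 512M inside every HTTPS server that
    # includes it, so this value only applies to servers that do not.
    client_max_body_size 65m;
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;
    charset utf-8;
    ## Compression.
    # NOTE(review): gzip also compresses the dynamic HTML the proxied apps return over TLS.
    # Compressing pages that echo request data next to a per-session secret is what the
    # BREACH side channel relies on -- worth confirming the apps do not do that, or leaving
    # their text/html uncompressed.
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 2;
    #gzip_http_version 1.1;
    gzip_min_length 256;
    # PNG/GIF/JPEG are already compressed, so gzipping them burns CPU for no gain and they
    # were dropped from this list; text/html is always compressed and need not be listed.
    gzip_types text/plain text/css image/svg+xml application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
    gzip_vary on;
    gzip_proxied any; # Compression for all requests.
    gzip_disable "msie6";
    ## Serve already compressed files directly, bypassing on-the-fly compression.
    gzip_static on;
    index index.html index.php;
    include /etc/nginx/conf.d/*.conf; # the server blocks live here
}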
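# conf.d/includes/ssl_security_options.conf -- TLS settings and response headers shared by
# the HTTPS server blocks, each of which pulls this file in with "include".
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem;
# Server-side session cache instead of tickets (nginx does not rotate ticket keys on its
# own, so disabling them keeps resumption tied to the cache lifetime below).
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_ecdh_curve secp384r1; # single curve; the X25519 list further down needs newer OpenSSL
# NOTE(review): the next two directives are not TLS settings, and 512M overrides the 65m
# client_max_body_size set at http level for every server that includes this file.
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521; # Needs new OpenSSL!
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 1.1.1.1 8.8.4.4 valid=300s;
# resolver_timeout 3s;
# ssl_trusted_certificate /etc/nginx/ssl/
# add_header Strict-Transport-Security "max-age=15768000;"; # not yet
# Response headers. "always" makes nginx emit them on 4xx/5xx responses too; it was
# already set on nosniff and is now set on the CSP as well so the two behave the same.
# NOTE: add_header is inherited by a location only if that location sets no add_header of
# its own -- a single location-level add_header silently drops all of these.
add_header Content-Security-Policy "upgrade-insecure-requests" always;
#add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# Clickjacking: neither frame-ancestors in the CSP nor X-Frame-Options is active, so the
# applications can be framed from any origin; re-enable the line below unless framing is needed.
#add_header X-Frame-Options "SAMEORIGIN";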