user nginx; error_log /var/log/nginx/error.log debug; pid /var/run/nginx.pid; worker_processes auto; worker_rlimit_nofile 33282; events { worker_connections 1024; } http { # rate limiting limit_req_status 429; limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=${PROXY_RATE_LIMIT_API_PER_SECOND}r/s; limit_req_zone $binary_remote_addr zone=webhooks:10m rate=${PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND}r/s; include /etc/nginx/mime.types; default_type application/octet-stream; proxy_set_header Host $host; charset utf-8; sendfile on; tcp_nopush on; tcp_nodelay on; server_tokens off; types_hash_max_size 2048; resolver ${RESOLVER} valid=10s ipv6=off; # buffering client_header_buffer_size 1k; client_max_body_size 20M; ignore_invalid_headers off; proxy_buffering off; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'response_time=$upstream_response_time proxy_host=$proxy_host upstream_addr=$upstream_addr'; access_log /var/log/nginx/access.log main; map $http_upgrade $connection_upgrade { default "upgrade"; } server { listen 10000 default_server; listen [::]:10000 default_server; server_name _; client_max_body_size 1000m; ignore_invalid_headers off; proxy_buffering off; error_page 502 503 504 /error.html; location = /error.html { root /usr/share/nginx/html; internal; } # Security Headers add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # upstreams set $apps ${APPS_UPSTREAM_URL}; set $worker ${WORKER_UPSTREAM_URL}; set $minio ${MINIO_UPSTREAM_URL}; set $couchdb ${COUCHDB_UPSTREAM_URL}; location /health { access_log off; add_header 'Content-Type' 'application/json'; return 200 '{ "status": "OK" }'; } location /app { proxy_pass $apps; } location /embed { rewrite /embed/(.*) /app/$1 break; proxy_pass $apps; proxy_redirect off; proxy_set_header Host $host; proxy_set_header x-budibase-embed "true"; add_header x-budibase-embed "true"; add_header Content-Security-Policy "frame-ancestors *"; } location = / { proxy_pass $apps; } location ~ ^/(builder|app_) { proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_pass $apps; } location ~ ^/api/(system|admin|global)/ { proxy_set_header Host $host; # Enable buffering for potentially large OIDC configs proxy_buffering on; proxy_buffer_size 16k; proxy_buffers 4 32k; proxy_pass $worker; } location /worker/ { proxy_set_header Host $host; proxy_pass $worker; rewrite ^/worker/(.*)$ /$1 break; } location /api/backups/ { # calls to export apps are limited limit_req zone=ratelimit burst=20 nodelay; # 1800s timeout for app export requests proxy_read_timeout 1800s; proxy_connect_timeout 1800s; proxy_send_timeout 1800s; proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass $apps; } location /api/ { # calls to the API are rate limited with bursting limit_req zone=ratelimit burst=20 nodelay; # 120s timeout on API requests proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_pass $apps; } location /api/webhooks/ { # calls to webhooks are rate limited limit_req zone=webhooks nodelay; # Rest of configuration copied from /api/ location above # 120s timeout on API requests proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_pass $apps; } location /db/ { proxy_pass $couchdb; rewrite ^/db/(.*)$ /$1 break; } location /socket/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; proxy_pass $apps; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass $minio; } location /files/signed/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # IMPORTANT: Signed urls will inspect the host header of the request. # Normally a signed url will need to be generated with a specified client host in mind. # To support dynamic hosts, e.g. some unknown self-hosted installation url, # use a predefined host header. The host 'minio-service' is also used at the time of url signing. proxy_set_header Host minio-service; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass $minio; rewrite ^/files/signed/(.*)$ /$1 break; } client_header_timeout 120; client_body_timeout 120; keepalive_timeout 120; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; } # From https://docs.datadoghq.com/integrations/nginx/?tab=kubernetes server { listen 81; server_name localhost; access_log off; allow 127.0.0.1; allow 10.0.0.0/8; deny all; location /nginx_status { # Choose your status module # freely available with open source NGINX stub_status; # for open source NGINX < version 1.7.5 # stub_status on; # available only with NGINX Plus # status; # ensures the version information can be retrieved server_tokens on; } } }