205 lines
7.9 KiB
Handlebars
205 lines
7.9 KiB
Handlebars
user nginx;
|
|
error_log /var/log/nginx/error.log debug;
|
|
pid /var/run/nginx.pid;
|
|
worker_processes auto;
|
|
worker_rlimit_nofile 33282;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
# rate limiting
|
|
limit_req_status 429;
|
|
limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=${PROXY_RATE_LIMIT_API_PER_SECOND}r/s;
|
|
limit_req_zone $binary_remote_addr zone=webhooks:10m rate=${PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND}r/s;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
proxy_set_header Host $host;
|
|
charset utf-8;
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
server_tokens off;
|
|
types_hash_max_size 2048;
|
|
resolver {{ resolver }} valid=10s ipv6=off;
|
|
|
|
# buffering
|
|
client_header_buffer_size 1k;
|
|
client_max_body_size 20M;
|
|
ignore_invalid_headers off;
|
|
proxy_buffering off;
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for" '
|
|
'response_time=$upstream_response_time proxy_host=$proxy_host upstream_addr=$upstream_addr';
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
map $http_upgrade $connection_upgrade {
|
|
default "upgrade";
|
|
}
|
|
|
|
server {
|
|
listen 10000 default_server;
|
|
listen [::]:10000 default_server;
|
|
server_name _;
|
|
client_max_body_size 1000m;
|
|
ignore_invalid_headers off;
|
|
proxy_buffering off;
|
|
|
|
set $csp_default "default-src 'self'";
|
|
set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io";
|
|
set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
|
|
set $csp_object "object-src 'none'";
|
|
set $csp_base_uri "base-uri 'self'";
|
|
set $csp_connect "connect-src 'self' https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com";
|
|
set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com https://js.intercomcdn.com https://fonts.intercomcdn.com";
|
|
set $csp_frame "frame-src 'self' https:";
|
|
set $csp_img "img-src http: https: data: blob:";
|
|
set $csp_manifest "manifest-src 'self'";
|
|
set $csp_media "media-src 'self' https://js.intercomcdn.com";
|
|
set $csp_worker "worker-src 'none'";
|
|
|
|
error_page 502 503 504 /error.html;
|
|
location = /error.html {
|
|
root /usr/share/nginx/html;
|
|
internal;
|
|
}
|
|
|
|
# Security Headers
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Content-Security-Policy "${csp_default}; ${csp_script}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always;
|
|
|
|
# upstreams
|
|
set $apps {{ apps }};
|
|
set $worker {{ worker }};
|
|
set $minio {{ minio }};
|
|
set $couchdb {{ couchdb }};
|
|
{{#if watchtower}}
|
|
set $watchtower {{ watchtower }};
|
|
{{/if}}
|
|
|
|
location /app {
|
|
proxy_pass http://$apps:4002;
|
|
}
|
|
|
|
location = / {
|
|
proxy_pass http://$apps:4002;
|
|
}
|
|
|
|
{{#if watchtower}}
|
|
location = /v1/update {
|
|
proxy_pass http://$watchtower:8080;
|
|
}
|
|
{{/if}}
|
|
|
|
location ~ ^/(builder|app_) {
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_pass http://$apps:4002;
|
|
}
|
|
|
|
location ~ ^/api/(system|admin|global)/ {
|
|
proxy_pass http://$worker:4003;
|
|
}
|
|
|
|
location /worker/ {
|
|
proxy_pass http://$worker:4003;
|
|
rewrite ^/worker/(.*)$ /$1 break;
|
|
}
|
|
|
|
location /api/backups/ {
|
|
proxy_read_timeout 1800s;
|
|
proxy_connect_timeout 1800s;
|
|
proxy_send_timeout 1800s;
|
|
proxy_pass http://app-service;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
}
|
|
|
|
location /api/ {
|
|
# calls to the API are rate limited with bursting
|
|
limit_req zone=ratelimit burst=20 nodelay;
|
|
|
|
# 120s timeout on API requests
|
|
proxy_read_timeout 120s;
|
|
proxy_connect_timeout 120s;
|
|
proxy_send_timeout 120s;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_pass http://$apps:4002;
|
|
}
|
|
|
|
location /api/webhooks/ {
|
|
# calls to webhooks are rate limited
|
|
limit_req zone=webhooks nodelay;
|
|
|
|
# Rest of configuration copied from /api/ location above
|
|
# 120s timeout on API requests
|
|
proxy_read_timeout 120s;
|
|
proxy_connect_timeout 120s;
|
|
proxy_send_timeout 120s;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_pass http://$apps:4002;
|
|
}
|
|
|
|
location /db/ {
|
|
proxy_pass http://$couchdb:5984;
|
|
rewrite ^/db/(.*)$ /$1 break;
|
|
}
|
|
|
|
location /socket/ {
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_cache_bypass $http_upgrade;
|
|
proxy_pass http://$apps:4002;
|
|
}
|
|
|
|
location / {
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $http_host;
|
|
|
|
proxy_connect_timeout 300;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
chunked_transfer_encoding off;
|
|
|
|
proxy_pass http://$minio:9000;
|
|
}
|
|
|
|
client_header_timeout 60;
|
|
client_body_timeout 60;
|
|
keepalive_timeout 60;
|
|
|
|
# gzip
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
|
|
}
|
|
}
|