276 lines
10 KiB
Plaintext
276 lines
10 KiB
Plaintext
user nginx;
|
|
error_log /var/log/nginx/error.log debug;
|
|
pid /var/run/nginx.pid;
|
|
worker_processes auto;
|
|
worker_rlimit_nofile 33282;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
# rate limiting
|
|
limit_req_status 429;
|
|
limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=${PROXY_RATE_LIMIT_API_PER_SECOND}r/s;
|
|
limit_req_zone $binary_remote_addr zone=webhooks:10m rate=${PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND}r/s;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
proxy_set_header Host $host;
|
|
charset utf-8;
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
server_tokens off;
|
|
types_hash_max_size 2048;
|
|
resolver ${RESOLVER} valid=10s ipv6=off;
|
|
|
|
# buffering
|
|
client_header_buffer_size 1k;
|
|
client_max_body_size 20M;
|
|
ignore_invalid_headers off;
|
|
proxy_buffering off;
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for" '
|
|
'response_time=$upstream_response_time proxy_host=$proxy_host upstream_addr=$upstream_addr';
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
map $http_upgrade $connection_upgrade {
|
|
default "upgrade";
|
|
}
|
|
|
|
server {
|
|
listen 10000 default_server;
|
|
listen [::]:10000 default_server;
|
|
server_name _;
|
|
client_max_body_size 1000m;
|
|
ignore_invalid_headers off;
|
|
proxy_buffering off;
|
|
|
|
set $csp_default "default-src 'self'";
|
|
set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com";
|
|
set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
|
|
set $csp_object "object-src 'none'";
|
|
set $csp_base_uri "base-uri 'self'";
|
|
set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com";
|
|
set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com https://js.intercomcdn.com https://fonts.intercomcdn.com";
|
|
set $csp_frame "frame-src 'self' https:";
|
|
set $csp_img "img-src http: https: data: blob:";
|
|
set $csp_manifest "manifest-src 'self'";
|
|
set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live";
|
|
set $csp_worker "worker-src blob:";
|
|
|
|
error_page 502 503 504 /error.html;
|
|
location = /error.html {
|
|
root /usr/share/nginx/html;
|
|
internal;
|
|
}
|
|
|
|
# Security Headers
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Content-Security-Policy "${csp_default}; ${csp_script}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
|
|
# upstreams
|
|
set $apps ${APPS_UPSTREAM_URL};
|
|
set $worker ${WORKER_UPSTREAM_URL};
|
|
set $minio ${MINIO_UPSTREAM_URL};
|
|
set $couchdb ${COUCHDB_UPSTREAM_URL};
|
|
|
|
location /health {
|
|
access_log off;
|
|
add_header 'Content-Type' 'application/json';
|
|
return 200 '{ "status": "OK" }';
|
|
}
|
|
|
|
location /app {
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location /embed {
|
|
rewrite /embed/(.*) /app/$1 break;
|
|
proxy_pass $apps;
|
|
proxy_redirect off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header x-budibase-embed "true";
|
|
add_header x-budibase-embed "true";
|
|
add_header Content-Security-Policy "frame-ancestors *";
|
|
}
|
|
|
|
location = / {
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location ~ ^/(builder|app_) {
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location ~ ^/api/(system|admin|global)/ {
|
|
proxy_set_header Host $host;
|
|
proxy_pass $worker;
|
|
}
|
|
|
|
location /worker/ {
|
|
proxy_set_header Host $host;
|
|
proxy_pass $worker;
|
|
rewrite ^/worker/(.*)$ /$1 break;
|
|
}
|
|
|
|
location /api/backups/ {
|
|
# calls to export apps are limited
|
|
limit_req zone=ratelimit burst=20 nodelay;
|
|
|
|
# 1800s timeout for app export requests
|
|
proxy_read_timeout 1800s;
|
|
proxy_connect_timeout 1800s;
|
|
proxy_send_timeout 1800s;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location /api/ {
|
|
# calls to the API are rate limited with bursting
|
|
limit_req zone=ratelimit burst=20 nodelay;
|
|
|
|
# 120s timeout on API requests
|
|
proxy_read_timeout 120s;
|
|
proxy_connect_timeout 120s;
|
|
proxy_send_timeout 120s;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location /api/webhooks/ {
|
|
# calls to webhooks are rate limited
|
|
limit_req zone=webhooks nodelay;
|
|
|
|
# Rest of configuration copied from /api/ location above
|
|
# 120s timeout on API requests
|
|
proxy_read_timeout 120s;
|
|
proxy_connect_timeout 120s;
|
|
proxy_send_timeout 120s;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location /db/ {
|
|
proxy_pass $couchdb;
|
|
rewrite ^/db/(.*)$ /$1 break;
|
|
}
|
|
|
|
location /socket/ {
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_cache_bypass $http_upgrade;
|
|
proxy_pass $apps;
|
|
}
|
|
|
|
location / {
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $http_host;
|
|
|
|
proxy_connect_timeout 300;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
chunked_transfer_encoding off;
|
|
|
|
proxy_pass $minio;
|
|
}
|
|
|
|
location /files/signed/ {
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# IMPORTANT: Signed urls will inspect the host header of the request.
|
|
# Normally a signed url will need to be generated with a specified client host in mind.
|
|
# To support dynamic hosts, e.g. some unknown self-hosted installation url,
|
|
# use a predefined host header. The host 'minio-service' is also used at the time of url signing.
|
|
proxy_set_header Host minio-service;
|
|
|
|
proxy_connect_timeout 300;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
chunked_transfer_encoding off;
|
|
|
|
proxy_pass $minio;
|
|
rewrite ^/files/signed/(.*)$ /$1 break;
|
|
}
|
|
|
|
client_header_timeout 120;
|
|
client_body_timeout 120;
|
|
keepalive_timeout 120;
|
|
|
|
# gzip
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
|
|
}
|
|
|
|
# From https://docs.datadoghq.com/integrations/nginx/?tab=kubernetes
|
|
server {
|
|
listen 81;
|
|
server_name localhost;
|
|
|
|
access_log off;
|
|
allow 127.0.0.1;
|
|
allow 10.0.0.0/8;
|
|
deny all;
|
|
|
|
location /nginx_status {
|
|
# Choose your status module
|
|
|
|
# freely available with open source NGINX
|
|
stub_status;
|
|
|
|
# for open source NGINX < version 1.7.5
|
|
# stub_status on;
|
|
|
|
# available only with NGINX Plus
|
|
# status;
|
|
|
|
# ensures the version information can be retrieved
|
|
server_tokens on;
|
|
}
|
|
}
|
|
}
|