
nginx as reverse proxy (example)


nfkstats-vhost.conf:

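server {
        listen 80;
        listen [::]:80;
        server_name stats.needforkill.ru;

        # NOTE: the original listing lacked the ';' after access_log, so nginx
        # refused the whole configuration at load time ("nginx -t" catches it).
        access_log /var/log/nginx/stats.needforkill.ru-access.log;
        error_log /var/log/nginx/stats.needforkill.ru-error.log;

        # Redirect everything else to HTTPS. Redirect to the configured server
        # name rather than $host: $host echoes whatever Host header the client
        # sent, so if this is the default server on :80 a crafted Host header
        # turns the 301 into an open redirect to an attacker-chosen domain.
        location / {
                return 301 https://$server_name$request_uri;
        }

        # Stats upload endpoint used by the game servers over plain HTTP.
        # An exact-match location wins over "location /", so this path is
        # deliberately NOT redirected to HTTPS.
        location = /nfkstats.php {
                # Allow only the IP addresses you expect statistics from.
                # allow/deny match on $remote_addr (the TCP peer). If a load
                # balancer or CDN sits in front of nginx, configure the realip
                # module first; otherwise every request appears to come from
                # the proxy and this list stops doing what you expect.
                # Some examples:
                allow 192.0.2.20;
                allow 198.51.100.194;
                deny all;

                # Max uploaded demo size; larger requests are rejected with 413.
                client_max_body_size 8M;

                include snippets/proxypass.conf;
                proxy_pass http://127.0.0.1:8080;
        }
}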

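server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name stats.needforkill.ru;

        # NOTE: the original listing lacked the ';' after access_log, so nginx
        # refused the whole configuration at load time ("nginx -t" catches it).
        access_log /var/log/nginx/stats.needforkill.ru-access.log;
        error_log /var/log/nginx/stats.needforkill.ru-error.log;

        ssl_certificate /etc/letsencrypt/live/stats.needforkill.ru/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/stats.needforkill.ru/privkey.pem;
        # Chain used to validate the stapled OCSP response (ssl_stapling_verify).
        ssl_trusted_certificate /etc/letsencrypt/live/stats.needforkill.ru/chain.pem;

        # TLS 1.0/1.1 are kept only because the ndm-adapter program needs them
        # on older systems (Windows 7 and earlier). Both are deprecated
        # (RFC 8996); drop them, and add TLSv1.3 if your nginx/OpenSSL build
        # supports it, as soon as those legacy clients are gone.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /etc/nginx/certs/dhparams.pem;
        # Ephemeral ECDH/DH only, AEAD or SHA-2 MACs preferred; anonymous,
        # export, RC4, 3DES, MD5, PSK/SRP and other legacy suites are excluded.
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
        # The client picks from the (already restricted) list above.
        ssl_prefer_server_ciphers off;
        ssl_ecdh_curve secp384r1;
        # Server-side session cache for resumption; tickets are disabled, so
        # resumption state stays in this cache rather than in client tickets.
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:30m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        # Consider enabling HSTS once every browser client is known to reach
        # the site over TLS (the :80 server already redirects them):
        # add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
                include /etc/nginx/snippets/proxypass.conf;
                proxy_pass http://127.0.0.1:8080;
        }

        # NFK servers never send stats over HTTPS, so refuse the upload path
        # here; the IP-allowlisted plain-HTTP endpoint lives in the :80 server.
        location = /nfkstats.php {
                return 403;
        }

        # Protect season creation with basic auth (or, alternatively, an IP
        # allowlist: uncomment allow/deny and remove the auth_basic lines).
        # Basic auth sends the credentials base64-encoded on every request, so
        # it is only acceptable because this location exists solely in the
        # TLS server block.
        location ^~ /do/new_seasonJGA/ {
                #allow 127.0.0.1;
                #deny all;
                auth_basic "Protected area";
                # htpasswd file, path relative to the nginx prefix (e.g. /etc/nginx).
                auth_basic_user_file snippets/nfkstats_auth;

                include /etc/nginx/snippets/proxypass.conf;
                proxy_pass http://127.0.0.1:8080;
        }
}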

snippets/proxypass.conf:

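                # Shared settings for every location that proxies to the
                # backend on 127.0.0.1:8080.
                # Pass the client's Host header through unchanged; the backend
                # must not rely on it for anything security-relevant.
                proxy_set_header Host $http_host;
                # Real client address as seen by nginx (the TCP peer). This
                # overwrites any X-Real-IP header the client itself sent.
                proxy_set_header X-Real-IP $remote_addr;
                # Appends $remote_addr to any X-Forwarded-For already present;
                # the earlier entries are client-supplied and unverified.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                # Clear Connection and speak HTTP/1.1 to the backend (required
                # if an upstream block with keepalive is ever configured).
                proxy_set_header Connection "";
                proxy_http_version 1.1;
                proxy_buffering off;
                # Dropped: "fastcgi_param REMOTE_ADDR $http_x_real_ip;". It had
                # no effect here (fastcgi_param only applies with fastcgi_pass),
                # and it took REMOTE_ADDR from the client-supplied X-Real-IP
                # header, which would let any client spoof its address to the
                # backend if this snippet were reused in a fastcgi location.
                # Use $remote_addr instead if that is ever needed.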