-
Notifications
You must be signed in to change notification settings - Fork 1
nginx as reverse proxy (example)
pgbv edited this page May 14, 2024
·
2 revisions
nfkstats-vhost.conf:
server {
listen 80;
listen [::]:80;
server_name stats.needforkill.ru;
access_log /var/log/nginx/stats.needforkill.ru-access.log
error_log /var/log/nginx/stats.needforkill.ru-error.log;
location / {
return 301 https://$host$request_uri;
}
location = /nfkstats.php {
# allow only ip addresses you want to get statistics from
# some examples:
allow 192.0.2.20;
allow 198.51.100.194;
deny all;
# max uploaded demo size
client_max_body_size 8M;
# example proxy pass params is included below
include snippets/proxypass.conf;
proxy_pass http://127.0.0.1:8080;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name stats.needforkill.ru;
access_log /var/log/nginx/stats.needforkill.ru-access.log
error_log /var/log/nginx/stats.needforkill.ru-error.log;
ssl_certificate /etc/letsencrypt/live/stats.needforkill.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stats.needforkill.ru/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/stats.needforkill.ru/chain.pem;
# older tls are required for ndm-adapter program to work on older systems (win 7-)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/nginx/certs/dhparams.pem;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:30m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
location / {
include /etc/nginx/snippets/proxypass.conf;
proxy_pass http://127.0.0.1:8080;
}
# nfk servers won't send stats using https anyway, so we can just return 403
location = /nfkstats.php {
return 403;
}
# protec creating a new season either with basic auth or with ip whitelisting
location ^~ /do/new_seasonJGA/ {
#allow 127.0.0.1;
#deny all;
auth_basic "Protected area";
auth_basic_user_file snippets/nfkstats_auth;
include /etc/nginx/snippets/proxypass.conf;
proxy_pass http://127.0.0.1:8080;
}
}
snippets/proxypass.conf:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_http_version 1.1;
proxy_buffering off;
fastcgi_param REMOTE_ADDR $http_x_real_ip;