ansible-openappsec/roles/openappsec/files/nginx/conf.d/subdomain.example.com.conf

upstream application01 {
  server 10.0.0.10:443;
}

server {
  listen 80 proxy_protocol;
  server_name subdomain.example.com;

  # proxy protocol settings
  set_real_ip_from  10.0.0.1/32;
  real_ip_header    proxy_protocol;
  real_ip_recursive on;

  # logging
  access_log  syslog:server=log.example.local vhost;
  error_log   syslog:server=log.example.local;

  location ^~ /.well-known/acme-challenge {
    alias /mnt/certs/challenge;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 proxy_protocol ssl http2;
  server_name subdomain.example.com;

  # proxy protocol settings
  set_real_ip_from  10.0.0.1/32;
  real_ip_header    proxy_protocol;
  real_ip_recursive on;

  # logging
  access_log  syslog:server=log.example.local vhost;
  error_log   syslog:server=log.example.local;

  # certificates
  ssl_certificate     /mnt/certs/certs/subdomain.example.com/fullchain.pem;
  ssl_certificate_key /mnt/certs/certs/subdomain.example.com/privkey.pem;

  # tls settings
  ssl_dhparam /etc/nginx/dhparam.pem;
  ssl_session_timeout 4h;
  ssl_session_tickets off;
  ssl_session_cache shared:SSL:20m;
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers off;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_stapling on;
  ssl_stapling_verify on;

  location / {

    # set headers
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $proxy_protocol_addr;
    proxy_set_header X-Forwarded-For   $proxy_protocol_addr;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # pass upstream
    proxy_pass https://application01;
  }
}
Initial Commit 2024-02-06 07:49:42 +01:00			`upstream application01 {`
			`server 10.0.0.10:443;`
			`}`

			`server {`
			`listen 80 proxy_protocol;`
			`server_name subdomain.example.com;`

			`# proxy protocol settings`
			`set_real_ip_from 10.0.0.1/32;`
			`real_ip_header proxy_protocol;`
			`real_ip_recursive on;`

			`# logging`
			`access_log syslog:server=log.example.local vhost;`
			`error_log syslog:server=log.example.local;`

			`location ^~ /.well-known/acme-challenge {`
			`alias /mnt/certs/challenge;`
			`}`

			`location / {`
			`return 301 https://$host$request_uri;`
			`}`
			`}`

			`server {`
			`listen 443 proxy_protocol ssl http2;`
			`server_name subdomain.example.com;`

			`# proxy protocol settings`
			`set_real_ip_from 10.0.0.1/32;`
			`real_ip_header proxy_protocol;`
			`real_ip_recursive on;`

			`# logging`
			`access_log syslog:server=log.example.local vhost;`
			`error_log syslog:server=log.example.local;`

			`# certificates`
			`ssl_certificate /mnt/certs/certs/subdomain.example.com/fullchain.pem;`
			`ssl_certificate_key /mnt/certs/certs/subdomain.example.com/privkey.pem;`

			`# tls settings`
			`ssl_dhparam /etc/nginx/dhparam.pem;`
			`ssl_session_timeout 4h;`
			`ssl_session_tickets off;`
			`ssl_session_cache shared:SSL:20m;`
			`ssl_ecdh_curve secp384r1;`
			`ssl_prefer_server_ciphers off;`
			`ssl_protocols TLSv1.3 TLSv1.2;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`location / {`

			`# set headers`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $proxy_protocol_addr;`
			`proxy_set_header X-Forwarded-For $proxy_protocol_addr;`
			`proxy_set_header X-Forwarded-Host $host;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# pass upstream`
			`proxy_pass https://application01;`
			`}`
			`}`