# nginx.conf -- docker-openresty
#
# This file is installed to:
# `/usr/local/openresty/nginx/conf/nginx.conf`
# and is the file loaded by nginx at startup,
# unless the user specifies otherwise.
#
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
# section and adds this directive:
# `include /etc/nginx/conf.d/*.conf;`
#
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
# `/etc/nginx/conf.d/default.conf`. It contains the `server` section
# of the upstream `nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
# Main (process-level) context: identity of the worker processes, the
# environment they keep, and where errors and the pid file are written.
# Worker processes run as the unprivileged `nginx` user.
user nginx;
# A single worker process handles all connections.
worker_processes 1;
#user nobody;
#worker_processes 1;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Used by lua below.
# nginx drops inherited environment variables unless they are listed with
# `env`; each name here is read with os.getenv() in the Lua blocks of the
# `server` section.
# NOTE(review): every value except CANARY_RELEASE is sent verbatim to clients,
# either in the Content-Security-Policy header, in the badge redirects, or in
# /assets/supplementary_config.js, so none of these variables may hold a
# secret. CANARY_RELEASE only selects the value of the use_canary cookie.
env ECOSYSTEM_API;
env ECOSYSTEM_STORE;
env AVATAR_HOSTNAME;
env SDDOC_URL;
env SLACK_URL;
env ROOT_URL;
env CANARY_RELEASE;
env RELEASE_VERSION;
env SHOW_AVATAR;
env FEEDBACK_HOSTNAME;
env FEEDBACK_SCRIPT;
env FEEDBACK_CONFIG;
env FEEDBACK_SCRIPT_CSP_POLICY;
env DOWNLOAD_ARTIFACT_DIR;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
# Only messages of severity `warn` and above are written to the error log.
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
# Upper bound on simultaneous connections per worker process.
worker_connections 1024;
}
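# HTTP context: serves the static single-page app from one `server`, attaches
# the security headers, sets the short-lived `use_canary` cookie, and exposes
# deployment settings to the browser through a generated JavaScript file.
http {
    include mime.types;
    default_type application/octet-stream;

    # Enables or disables the use of underscores in client request header fields.
    # When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the ignore_invalid_headers directive.
    # underscores_in_headers off;

    # NOTE(review): "$http_x_forwarded_for" is copied from the request and is
    # client-controlled unless a trusted proxy in front overwrites it; treat
    # $remote_addr as the authoritative peer address when reading these logs.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    # Log in JSON Format
    # log_format nginxlog_json escape=json '{ "timestamp": "$time_iso8601", '
    # '"remote_addr": "$remote_addr", '
    # '"body_bytes_sent": $body_bytes_sent, '
    # '"request_time": $request_time, '
    # '"response_status": $status, '
    # '"request": "$request", '
    # '"request_method": "$request_method", '
    # '"host": "$host",'
    # '"upstream_addr": "$upstream_addr",'
    # '"http_x_forwarded_for": "$http_x_forwarded_for",'
    # '"http_referrer": "$http_referer", '
    # '"http_user_agent": "$http_user_agent", '
    # '"http_version": "$server_protocol", '
    # '"nginx_access": true }';
    # access_log /dev/stdout nginxlog_json;

    # See Move default writable paths to a dedicated directory (#119)
    # https://github.com/openresty/docker-openresty/issues/119
    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path /var/run/openresty/nginx-proxy;
    fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
    scgi_temp_path /var/run/openresty/nginx-scgi;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    server {
        # NOTE(review): plain-HTTP listener. The use_canary cookie below is
        # marked secure, which presumes TLS is terminated in front of this
        # container -- confirm for the deployment.
        listen 80;
        server_name localhost;
        root /usr/local/openresty/nginx/html;

        # Generated by running `ember csp-headers --environment production`
        #
        # The policy is assembled per request from fixed directives plus host
        # names taken from the environment. The environment values are
        # concatenated as-is: a value containing ';' would add or alter
        # directives, so they must come from trusted deployment config only.
        # NOTE(review): base-uri and form-action do not fall back to
        # default-src and are left unrestricted; framing is covered by
        # x-frame-options below. style-src allows 'unsafe-inline' and img-src
        # allows any https: origin.
        set_by_lua_block $csp_header {
            local defaultSrc = "default-src 'none'"
            local styleSrc = "style-src 'self' 'unsafe-inline'"
            local connectSrc = "connect-src 'self' " .. (os.getenv("ECOSYSTEM_API") or "") .. " " .. (os.getenv("ECOSYSTEM_STORE") or "");
            local frameSrc = "frame-src 'self' " .. (os.getenv("ECOSYSTEM_API") or "").. " " .. (os.getenv("ECOSYSTEM_STORE") or "") .. " " .. (os.getenv("FEEDBACK_HOSTNAME") or "")
            local fontSrc = "font-src 'self'"
            local imgSrc = "img-src 'self' https: data: " .. (os.getenv("AVATAR_HOSTNAME") or "")
            local mediaSrc = "media-src 'self'"
            local manifestSrc = "manifest-src 'self'"
            local workerSrc = "worker-src blob:"
            local scriptSrc = "script-src 'self' " .. (os.getenv("FEEDBACK_SCRIPT_CSP_POLICY") or "")
            -- trailing CSP semi-colon is appended here
            return defaultSrc .. "; " ..
                styleSrc .. "; " ..
                connectSrc .. "; " ..
                frameSrc .. "; " ..
                fontSrc .. "; " ..
                imgSrc .. "; " ..
                mediaSrc .. "; " ..
                manifestSrc .. "; " ..
                workerSrc .. "; " ..
                scriptSrc .. "; "
        }

        # `always` makes nginx attach these headers to error responses as
        # well; without it they are added only to a fixed set of 2xx/3xx
        # status codes, leaving 4xx/5xx pages without the policy.
        # These server-level add_header lines are inherited by the locations
        # below only while those locations declare no add_header of their own.
        add_header x-content-type-options 'nosniff' always;
        add_header x-frame-options 'SAMEORIGIN' always;
        # NOTE(review): x-xss-protection is a legacy header that current
        # browsers no longer act on; the Content-Security-Policy is the
        # effective control.
        add_header x-xss-protection '1; mode=block' always;
        add_header Content-Security-Policy $csp_header always;

        # Prefix used by sub_filter below to rewrite asset URLs.
        set_by_lua_block $rootURL {
            return os.getenv("ROOT_URL") or "";
        }

        location / {
            # Sets a 60-second `use_canary` cookie ("always" when
            # CANARY_RELEASE is "true", otherwise "never") on any response
            # whose request did not already carry one.
            header_filter_by_lua_block {
                local pattern = "use_canary="
                local header = "never"
                local canary_release = (os.getenv("CANARY_RELEASE") or "")
                if canary_release == "true" then
                    header = "always"
                end
                -- $http_cookie is a single string (or nil) even when the
                -- client repeats the Cookie header; ngx.req.get_headers()
                -- returns a table in that case, which string.find rejects
                -- with a runtime error.
                local data = ngx.var.http_cookie
                -- Plain-text search (4th argument): the needle is a literal,
                -- not a Lua pattern.
                if data == nil or string.find(data, pattern, 1, true) == nil then
                    local expires_time = ngx.cookie_time(ngx.time()+60)
                    -- NOTE(review): `secure=true` / `httponly=true` are not
                    -- the canonical flag spelling (`Secure; HttpOnly`).
                    -- RFC 6265 parsers ignore the value and still apply the
                    -- flags, but header scanners may not recognise this form.
                    local cookieStr = "use_canary=".. header .. ";Path=/;secure=true;httponly=true;samesite=Strict;Max-Age=60;expires=" .. expires_time
                    -- Assignment replaces any Set-Cookie already on the response.
                    ngx.header["Set-Cookie"] = cookieStr
                end
            }
            sub_filter_types text/html text/css;
            sub_filter "/assets" "$rootURL/assets";
            sub_filter_once off;
            index index.html;
            # Unknown paths fall back to index.html so the client-side router
            # can handle them.
            try_files $uri $uri/ /index.html?/$request_uri;
        }

        # Dynamic configuration for the ember app
        #
        # Everything printed here is readable by any client, so none of these
        # variables may carry a secret.
        # NOTE(review): values are placed inside single-quoted JavaScript
        # string literals without escaping. A value containing a single
        # quote, backslash or newline breaks the script or changes its
        # meaning; keep these variables under trusted deployment control.
        location /assets/supplementary_config.js {
            content_by_lua_block {
                -- ngx.say prints a nil argument as the text "nil", so every
                -- lookup falls back to "" to keep unset variables empty.
                ngx.say(
                    "window.SUPPLEMENTARY_CONFIG = { ROOT_URL: '", os.getenv("ROOT_URL") or "",
                    "', SDAPI_HOSTNAME: '", os.getenv("ECOSYSTEM_API") or "",
                    "', SDSTORE_HOSTNAME: '", os.getenv("ECOSYSTEM_STORE") or "",
                    "', SDDOC_URL: '", (os.getenv("SDDOC_URL") or ""),
                    "', SLACK_URL: '", (os.getenv("SLACK_URL") or ""),
                    "', RELEASE_VERSION: '", os.getenv("RELEASE_VERSION") or "",
                    "', SHOW_AVATAR: '", os.getenv("SHOW_AVATAR") or "",
                    "', FEEDBACK_HOSTNAME: '", (os.getenv("FEEDBACK_HOSTNAME") or ""),
                    "', FEEDBACK_SCRIPT: '", (os.getenv("FEEDBACK_SCRIPT") or ""),
                    "', FEEDBACK_CONFIG: '", (os.getenv("FEEDBACK_CONFIG") or ""),
                    "', DOWNLOAD_ARTIFACT_DIR: '", (os.getenv("DOWNLOAD_ARTIFACT_DIR") or ""),
                    "' };"
                )
            }
        }

        # Badge URLs are redirected to the API. The redirect host comes from
        # the environment, not from the request, and each capture is limited
        # to a single path segment.
        set_by_lua $ecosystem_api 'return os.getenv("ECOSYSTEM_API")';
        rewrite ^/pipelines/([^/]*)/badge$ $ecosystem_api/v4/pipelines/$1/badge redirect;
        rewrite ^/pipelines/([^/]*)/([^/]*)/badge$ $ecosystem_api/v4/pipelines/$1/$2/badge redirect;
    }

    #include /etc/nginx/conf.d/*.conf;

    # Don't reveal OpenResty version to clients.
    # NOTE(review): the directive is left commented out, so the version is
    # still sent in the Server header and on error pages; uncomment to hide it.
    # server_tokens off;
}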