added reverse proxy example config

- signed-off-by: trimstray <[email protected]>

Author: trimstray

lib/nginx/dhparam_4096-with-ds.pem

@@ -0,0 +1,15 @@
+geo $globals_external_geo_acl {
+
+  # Status code:
+  #  - 0 = false
+  #  - 1 = true
+  default 0;
+
+  ### EXTERNAL ###
+  216.129.67.216/32 1;
+
+  ### GUEST IP ###
+  65.64.29.68/32 1;
+  88.151.87.220/32 1;
+
+}

lib/nginx/dhparam_4096.pem

@@ -0,0 +1,15 @@
+map $remote_addr $globals_external_map_acl {
+
+  # Status code:
+  #  - 0 = false
+  #  - 1 = true
+  default 0;
+
+  ### EXTERNAL ###
+  216.129.67.216/32 1;
+
+  ### GUEST IP ###
+  65.64.29.68/32 1;
+  88.151.87.220/32 1;
+
+}

lib/nginx/master/_acls/external.geo.acl

@@ -0,0 +1,15 @@
+geo $globals_internal_geo_acl {
+
+  # Status code:
+  #  - 0 = false
+  #  - 1 = true
+  default 0;
+
+  ### INTERNAL ###
+  10.255.10.0/24 1;
+  10.255.20.0/24 1;
+  10.255.30.0/24 1;
+  172.31.254.0/24 1;
+  192.168.0.0/16 1;
+
+}

lib/nginx/master/_acls/external.map.acl

@@ -0,0 +1,15 @@
+map $remote_addr $globals_internal_map_acl {
+
+  # Status code:
+  #  - 0 = false
+  #  - 1 = true
+  default 0;
+
+  ### INTERNAL ###
+  10.255.10.0/24 1;
+  10.255.20.0/24 1;
+  10.255.30.0/24 1;
+  172.31.254.0/24 1;
+  192.168.0.0/16 1;
+
+}

lib/nginx/master/_acls/internal.geo.acl

@@ -0,0 +1,36 @@
+default_type                  application/octet-stream;
+
+log_format main               '$remote_addr - $remote_user [$time_local] '
+                              '"$request_method $scheme://$host$request_uri '
+                              '$server_protocol" $status $body_bytes_sent '
+                              '"$http_referer" "$http_user_agent" '
+                              '$request_time';
+
+server_tokens                 off;
+
+ignore_invalid_headers        on;
+
+if_modified_since             before;
+server_names_hash_max_size    1024;
+
+tcp_nodelay                   off;
+tcp_nopush                    on;
+
+sendfile                      on;
+
+client_body_buffer_size       64k;
+client_header_buffer_size     1k;
+client_max_body_size          64k;
+large_client_header_buffers   2 1k;
+
+# Enabling in the case of problems with large traffic.
+# client_body_timeout         5s;
+# client_header_timeout       5s
+client_body_timeout           10s;
+client_header_timeout         10s;
+
+keepalive_requests            100;
+keepalive_timeout             5s 5s;
+send_timeout                  20s;
+
+gzip                          off;

lib/nginx/master/_acls/internal.map.acl

@@ -0,0 +1,22 @@
+proxy_set_header              Host $host;
+
+proxy_set_header              X-Real-IP $remote_addr;
+
+# alternative:                X-Forwarded-Proto $scheme;
+proxy_set_header              X-Forwarded-Proto "https";
+
+proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
+
+proxy_hide_header             X-Powered-By;
+proxy_hide_header							X-AspNetMvc-Version;
+proxy_hide_header							X-AspNet-Version;
+proxy_hide_header							X-Drupal-Cache;
+
+more_set_headers              "Server: phaing7K";
+
+# proxy_buffering             off;
+proxy_buffers                 4 256k;
+proxy_buffer_size             128k;
+proxy_busy_buffers_size       256k;
+
+proxy_intercept_errors        on;

lib/nginx/master/_basic/main.conf

@@ -0,0 +1,23 @@
+# requests limiting
+limit_req_zone                $binary_remote_addr zone=per_ip_10r_s:20m rate=10r/s;
+limit_req_zone                $binary_remote_addr zone=per_ip_60r_s:200m rate=60r/s;
+limit_req_zone                $binary_remote_addr zone=per_ip_600r_s:200m rate=600r/s;
+limit_req_zone                $binary_remote_addr zone=per_ip_3000r_m:200m rate=3000r/m;
+
+# connections limititng
+limit_conn_zone               $binary_remote_addr zone=per_ip_connections:200m;
+
+# ratelimiting POST method
+map $request_method $limit_post_map {
+  default                     "";
+  POST                        $binary_remote_addr;
+}
+
+map $request_method $limit_post_per_vhost_map {
+  default                     "";
+  POST                        $server_name;
+}
+
+limit_req_zone                $limit_post_map zone=per_ip_post_limit_50r_s:20m rate=50r/s;
+limit_req_zone                $limit_post_per_vhost_map zone=per_server_post_limit_30r_s:20m rate=30r/s;
+limit_req_status              420;

lib/nginx/master/_basic/proxy-params.conf

@@ -0,0 +1,13 @@
+add_header                    Allow "GET, POST, HEAD" always;
+
+if ($request_method !~ ^(GET|POST|HEAD)$) {
+
+  return 405;
+
+}
+
+if ($request_uri ~ "/\.") {
+
+  return 403;
+
+}

lib/nginx/master/_basic/rate-limiting.conf

@@ -0,0 +1 @@
+listen                        192.168.250.2:80;

lib/nginx/master/_helpers/limits.conf

@@ -0,0 +1,15 @@
+listen                        192.168.250.2:443 ssl http2;
+
+ssl_session_cache             shared:SSL:10m;
+ssl_session_timeout           24h;
+ssl_session_tickets           off;
+ssl_buffer_size               1400;
+
+ssl_protocols                 TLSv1.2;
+ssl_ciphers                   "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
+
+ssl_prefer_server_ciphers     on;
+
+ssl_ecdh_curve                secp521r1:secp384r1;
+
+# ssl_dhparam                 /etc/nginx/dhparam_4096-with-ds.pem;

lib/nginx/master/_helpers/static.conf

@@ -0,0 +1 @@
+listen                        127.0.0.1:80;

lib/nginx/master/_listen/192.168.250.2/http.conf

@@ -0,0 +1,15 @@
+listen                        127.0.0.1:443 ssl http2;
+
+ssl_session_cache             shared:SSL:10m;
+ssl_session_timeout           24h;
+ssl_session_tickets           off;
+ssl_buffer_size               1400;
+
+ssl_protocols                 TLSv1.2;
+ssl_ciphers                   "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
+
+ssl_prefer_server_ciphers     on;
+
+ssl_ecdh_curve                secp521r1:secp384r1;
+
+# ssl_dhparam                 /etc/nginx/dhparam_4096-with-ds.pem;

lib/nginx/master/_listen/192.168.250.2/https.conf

@@ -0,0 +1 @@
+allow 195.156.18.216;

lib/nginx/master/_listen/localhost/http.conf

@@ -0,0 +1,8 @@
+upstream blkcipher_info_prod_backend {
+  server 10.217.10.10:4000    max_fails=3     fail_timeout=15s;
+  server 10.217.10.11:4000    max_fails=3     fail_timeout=15s;
+}
+
+upstream blkcipher_info_test_backend {
+  server 10.217.11.20:4000    max_fails=3     fail_timeout=30s;
+}

lib/nginx/master/_listen/localhost/https.conf

@@ -0,0 +1,2 @@
+ssl_certificate               /etc/nginx/master/_server/blkcipher.info/certs/nginx_blkcipher.info_bundle.crt;
+ssl_certificate_key           /etc/nginx/master/_server/blkcipher.info/certs/blkcipher.info.key;

lib/nginx/master/_server/blkcipher.info/acls/demo.conf

@@ -0,0 +1 @@
+user:$apr1$WWUPPs0j$MajkasP5Wqp23.3EsBaRl/

lib/nginx/master/_server/blkcipher.info/backends.conf

@@ -0,0 +1,79 @@
+# server {
+#
+#   include                   /etc/nginx/master/_listen/192.168.250.2/http.conf;
+#
+#   include                   /etc/nginx/master/_static/errors.conf;
+#
+#   root                      /usr/share/www/http-error-pages/sites/other;
+#
+#   server_name               blkcipher.info www.blkcipher.info;
+#
+#   location / {
+#
+#     return                  301 https://$host$request_uri;
+#
+#   }
+#
+#   location ~ /\.well-known/acme-challenge {
+#
+#     root                    /var/www;
+#
+#   }
+#
+#   access_log                /var/log/nginx/domains/blkcipher.info/blkcipher.info-access.log main;
+#   error_log                 /var/log/nginx/domains/blkcipher.info/blkcipher.info-error.log crit;
+#
+# }
+
+server {
+
+  include                     /etc/nginx/master/_listen/192.168.250.2/https.conf;
+
+  include                     /etc/nginx/master/_server/blkcipher.info/certs/blkcipher.info.conf;
+
+  include                     /etc/nginx/master/_static/errors.conf;
+
+  include                     /etc/nginx/master/_helpers/limits.conf;
+
+  add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
+  add_header                  X-XSS-Protection "1; mode=block" always;
+  add_header                  X-Frame-Options "SAMEORIGIN" always;
+  add_header                  Referrer-Policy "no-referrer";
+  add_header                  X-Content-Type-Options "nosniff" always;
+  add_header                  Content-Security-Policy "default-src 'none'; script-src 'none'; img-src 'self'; style-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com; font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';";
+  add_header                  Feature-Policy "geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen self; payment none; usb none;";
+
+  root                        /usr/share/www/http-error-pages/sites/other;
+
+  server_name                 blkcipher.info www.blkcipher.info;
+
+  if ($host = www.blkcipher.info) {
+
+    return                    301 https://blkcipher.info$request_uri;
+
+  }
+
+  location / {
+
+    # proxy_pass              http://blkcipher_info_prod_backend;
+    proxy_pass                http://localhost:80;
+    client_max_body_size      2m;
+
+  }
+
+  location ~ ^/(blog) {
+
+    return                    301 https://blkcipher.info;
+
+  }
+
+  location ~ /\.well-known/acme-challenge {
+
+    root                      /var/www;
+
+  }
+
+  access_log                  /var/log/nginx/domains/blkcipher.info/blkcipher.info-access.log main;
+  error_log                   /var/log/nginx/domains/blkcipher.info/blkcipher.info-error.log crit;
+
+}

lib/nginx/master/_server/blkcipher.info/certs/blkcipher.info.conf

@@ -0,0 +1,2 @@
+ssl_certificate               /etc/nginx/master/_server/defaults/certs/nginx_defaults_bundle.crt;
+ssl_certificate_key           /etc/nginx/master/_server/defaults/certs/defaults.key;

lib/nginx/master/_server/blkcipher.info/certs/blkcipher.info.key

@@ -0,0 +1,54 @@
+# server {
+#
+#   include                   /etc/nginx/master/_listen/192.168.250.2/http.conf;
+#
+#   include                   /etc/nginx/master/_static/errors.conf;
+#
+#   root                      /usr/share/www/http-error-pages/sites/other;
+#
+#   server_name               default_server;
+#
+#   location / {
+#
+#     root                    /etc/nginx/master/_static/error-pages/sites/other;
+#
+#   }
+#
+#   access_log                /var/log/nginx/defaults/defaults-access.log main;
+#   error_log                 /var/log/nginx/defaults/defaults-error.log crit;
+#
+# }
+
+server {
+
+  include                     /etc/nginx/master/_listen/192.168.250.2/https.conf;
+
+  include                     /etc/nginx/master/_server/defaults/certs/defaults.conf;
+
+  include                     /etc/nginx/master/_static/errors.conf;
+
+  include                     /etc/nginx/master/_helpers/limits.conf;
+
+  add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
+  add_header                  X-XSS-Protection "1; mode=block" always;
+  add_header                  X-Frame-Options "SAMEORIGIN" always;
+  add_header                  Referrer-Policy "no-referrer";
+  add_header                  X-Content-Type-Options "nosniff" always;
+  add_header                  Content-Security-Policy "default-src 'none'; script-src 'none'; img-src 'self'; style-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com; font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';";
+  add_header                  Feature-Policy "geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen self; payment none; usb none;";
+
+  root                        /usr/share/www/http-error-pages/sites/other;
+
+  server_name                 default_server;
+
+  location / {
+
+      # root                  /usr/share/www/http-error-pages/sites/other;
+      return                  301 https://badssl.com;
+
+  }
+
+  access_log                  /var/log/nginx/defaults/defaults-access.log main;
+  error_log                   /var/log/nginx/defaults/defaults-error.log crit;
+
+}

lib/nginx/master/_server/blkcipher.info/certs/nginx_blkcipher.info_bundle.crt

@@ -0,0 +1,7 @@
+upstream localhost_backend {
+  server 127.0.0.1:80         max_fails=3     fail_timeout=30s;
+}
+
+upstream static_localhost_backend {
+  server 127.0.0.1:8000       max_fails=3     fail_timeout=30s;
+}

lib/nginx/master/_server/blkcipher.info/credentials/demo.txt

@@ -0,0 +1,2 @@
+ssl_certificate               /etc/nginx/master/_server/localhost/certs/nginx_localhost_bundle.crt;
+ssl_certificate_key           /etc/nginx/master/_server/localhost/certs/localhost.key;