Domů Procházet Nápověda
Přihlásit se
tum
/
soc
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Revize 3 Vydání 0 Wiki

Bez popisu

Strom: 9bd700d33c
Větve Značky
soc
/
iris-web
/
docker
/
nginx
/
nginx-newui....

nginx-newui.conf 6.3KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. #  IRIS Source Code
    2. 

  2. #  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
    3. 

  3. #  ir@cyberactionlab.net
    4. 

  4. #
    5. 

  5. #  This program is free software; you can redistribute it and/or
    6. 

  6. #  modify it under the terms of the GNU Lesser General Public
    7. 

  7. #  License as published by the Free Software Foundation; either
    8. 

  8. #  version 3 of the License, or (at your option) any later version.
    9. 

  9. #
    10. 

  10. #  This program is distributed in the hope that it will be useful,
    11. 

  11. #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12. #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    13. 

  13. #  Lesser General Public License for more details.
    14. 

  14. #
    15. 

  15. #  You should have received a copy of the GNU Lesser General Public License
    16. 

  16. #  along with this program; if not, write to the Free Software Foundation,
    17. 

  17. #  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
    18. 

  18. 

  19. 

  20. worker_processes auto;
    21. 

  21. pid /var/run/nginx.pid;
    22. 

  22. 

  23. events {
    24. 

  24.     worker_connections 1024;
    25. 

  25. }
    26. 

  26. 

  27. http {
    28. 

  28.     map $request_uri $csp_header {
    29. 

  29.         default "default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
    30. 

  30.     }
    31. 

  31.     include /etc/nginx/mime.types;
    32. 

  32. 

  33.     default_type application/octet-stream;
    34. 

  34. 

  35.     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    36. 

  36.                       '$status $body_bytes_sent "$http_referer" '
    37. 

  37.                       '"$http_user_agent" "$http_x_forwarded_for"';
    38. 

  38. 

  39.     access_log  /var/log/nginx/access.log main;
    40. 

  40.     error_log   /var/log/nginx/error.log debug;
    41. 

  41. 

  42.     server_tokens off;
    43. 

  43. 

  44.     sendfile    on;
    45. 

  45.     tcp_nopush  on;
    46. 

  46.     tcp_nodelay on;
    47. 

  47. 

  48.     types_hash_max_size             2048;
    49. 

  49.     types_hash_bucket_size          128;
    50. 

  50.     proxy_headers_hash_max_size     2048;
    51. 

  51.     proxy_headers_hash_bucket_size  128;
    52. 

  52.     proxy_buffering                 on;
    53. 

  53.     proxy_buffers                   8 16k;
    54. 

  54.     proxy_buffer_size               4k;
    55. 

  55. 

  56.     client_header_buffer_size   2k;
    57. 

  57.     large_client_header_buffers 8 64k;
    58. 

  58.     client_body_buffer_size     64k;
    59. 

  59.     client_max_body_size        100M;
    60. 

  60. 

  61.     reset_timedout_connection   on;
    62. 

  62.     keepalive_timeout           90s;
    63. 

  63.     client_body_timeout         90s;
    64. 

  64.     send_timeout                90s;
    65. 

  65.     client_header_timeout       90s;
    66. 

  66.     fastcgi_read_timeout        90s;
    67. 

  67.     # WORKING TIMEOUT FOR PROXY CONF
    68. 

  68.     proxy_read_timeout          90s;
    69. 

  69.     uwsgi_read_timeout          90s;
    70. 

  70. 

  71.     gzip off;
    72. 

  72.     gzip_disable "MSIE [1-6]\.";
    73. 

  73. 

  74.     # FORWARD CLIENT IDENTITY TO SERVER
    75. 

  75.     proxy_set_header    HOST                $http_host;
    76. 

  76.     proxy_set_header    X-Forwarded-Proto   $scheme;
    77. 

  77.     proxy_set_header    X-Real-IP           $remote_addr;
    78. 

  78.     proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    79. 

  79. 

  80.     # FULLY DISABLE SERVER CACHE
    81. 

  81.     add_header          Last-Modified $date_gmt;
    82. 

  82.     add_header          'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
    83. 

  83.     if_modified_since   off;
    84. 

  84.     expires             off;
    85. 

  85.     etag                off;
    86. 

  86.     proxy_no_cache      1;
    87. 

  87.     proxy_cache_bypass  1;
    88. 

  88. 

  89.     # SSL CONF, STRONG CIPHERS ONLY
    90. 

  90.     ssl_protocols               TLSv1.2 TLSv1.3;
    91. 

  91. 

  92.     ssl_prefer_server_ciphers   on;
    93. 

  93.     ssl_certificate             /www/certs/${CERT_FILENAME};
    94. 

  94.     ssl_certificate_key         /www/certs/${KEY_FILENAME};
    95. 

  95.     ssl_ecdh_curve              secp521r1:secp384r1:prime256v1;
    96. 

  96.     ssl_buffer_size             4k;
    97. 

  97. 

  98.     # DISABLE SSL SESSION CACHE
    99. 

  99.     ssl_session_tickets         off;
    100. 

  100.     ssl_session_cache           none;
    101. 

  101. 

  102.     access_log /var/log/nginx/audit_platform_access.log main;
    103. 

  103.     error_log  /var/log/nginx/audit_platform_error.log debug;
    104. 

  104. 

  105.     server {
    106. 

  106.         listen          ${INTERFACE_HTTPS_PORT} ssl;
    107. 

  107.         server_name     ${SERVER_NAME};
    108. 

  108.         root            /www/data;
    109. 

  109.         index           index.html;
    110. 

  110.         error_page      500 502 503 504  /50x.html;
    111. 

  111. 

  112.         add_header Content-Security-Policy $csp_header;
    113. 

  113. 

  114.         # SECURITY HEADERS
    115. 

  115.         add_header X-XSS-Protection             "1; mode=block";
    116. 

  116.         add_header X-Frame-Options              DENY;
    117. 

  117.         add_header X-Content-Type-Options       nosniff;
    118. 

  118.         # max-age = 31536000s = 1 year
    119. 

  119.         add_header Strict-Transport-Security    "max-age=31536000: includeSubDomains" always;
    120. 

  120.         add_header Front-End-Https              on;
    121. 

  121. 

  122.         location / {
    123. 

  123.             proxy_pass http://${IRIS_FRONTEND_SERVER}:${IRIS_FRONTEND_PORT};
    124. 

  124.             proxy_http_version 1.1;
    125. 

  125.             proxy_set_header Upgrade $http_upgrade;
    126. 

  126.             proxy_set_header Connection 'upgrade';
    127. 

  127.             proxy_set_header Host $host;
    128. 

  128.             proxy_cache_bypass $http_upgrade;
    129. 

  129.             proxy_set_header X-Forwarded-Proto $scheme;
    130. 

  130.             proxy_set_header X-Forwarded-For $remote_addr;
    131. 

  131.             proxy_set_header Origin $http_origin;
    132. 

  132.         }
    133. 

  133. 

  134.         location /api/v2/ {
    135. 

  135.             proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
    136. 

  136. 

  137.             location ~ ^/(manage/templates/add|manage/cases/upload_files) {
    138. 

  138.                 keepalive_timeout           10m;
    139. 

  139.                 client_body_timeout         10m;
    140. 

  140.                 send_timeout                10m;
    141. 

  141.                 proxy_read_timeout          10m;
    142. 

  142.                 client_max_body_size        0M;
    143. 

  143.                 proxy_request_buffering off;
    144. 

  144.                 proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
    145. 

  145.             }
    146. 

  146. 

  147.             location ~ ^/(datastore/file/add|datastore/file/add-interactive) {
    148. 

  148.                 keepalive_timeout           10m;
    149. 

  149.                 client_body_timeout         10m;
    150. 

  150.                 send_timeout                10m;
    151. 

  151.                 proxy_read_timeout          10m;
    152. 

  152.                 client_max_body_size        0M;
    153. 

  153.                 proxy_request_buffering off;
    154. 

  154.                 proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
    155. 

  155.             }
    156. 

  156.         }
    157. 

  157. 

  158.         location /socket.io {
    159. 

  159.             proxy_set_header Host $http_host;
    160. 

  160.             proxy_set_header X-Real-IP $remote_addr;
    161. 

  161.             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    162. 

  162.             proxy_set_header X-Forwarded-Proto $scheme;
    163. 

  163.             proxy_http_version 1.1;
    164. 

  164.             proxy_buffering off;
    165. 

  165.             proxy_set_header Upgrade $http_upgrade;
    166. 

  166.             proxy_set_header Connection "Upgrade";
    167. 

  167.             proxy_pass http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT}/socket.io;
    168. 

  168.         }
    169. 

  169. 

  170.         location = /50x.html {
    171. 

  171.             root   /usr/share/nginx/html;
    172. 

  172.         }
    173. 

  173.     }
    174. 

  174. }
    175.