The nginx configuration file is located in
/etc/nginx/sites-available/default
# The upstreams are needed because the actual dashboard & api webservers
# might not be running on the same system. They could run on another computer or
# in a virtual machine with another IP address.
#
# Backend for the dashboard web application; the "location /" block of the
# HTTPS server forwards to it via "proxy_pass http://dashboard".
# Traffic to this address is plain HTTP. If the backend runs on another host,
# that hop is unencrypted and should stay on a trusted network segment.
upstream dashboard {
    server 10.1.1.1:5000;
}
# Backend for the API web server; the "location ^~ /api/" block of the HTTPS
# server forwards to it via "proxy_pass http://api".
# As with the dashboard upstream, this hop is plain HTTP.
upstream api {
    server 10.1.1.1:5001;
}
# Default server configuration
#
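server {
    listen 443 ssl;
    server_name 10.1.1.1;

    ### SSL configuration ###
    # HSTS tells browsers to reach this host over HTTPS only for max-age
    # seconds, which limits SSL-stripping on later visits.
    # nginx inherits add_header from this level only into blocks that define
    # no add_header of their own. The three proxy locations below each set
    # their own headers, so they send their 30-day "includeSubdomains" policy
    # instead of this one-year policy.
    # NOTE(review): the two HSTS policies differ - confirm which one is intended.
    add_header Strict-Transport-Security "max-age=31536000";
    #include snippets/snakeoil.conf; # Self signed certs generated by the ssl-cert package
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    # The private key should be readable by root only.
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2;
    # RC4 has been removed from the cipher list: RFC 7465 prohibits it in TLS,
    # and listing it first together with ssl_prefer_server_ciphers made it the
    # preferred suite wherever the TLS library still offers it.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;
    # Session cache shared between worker processes, 10 MB, entries kept 10 minutes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Location of the nginx error log
    error_log /usr/local/share/nginx/routing.log;

    # Set start locations
    index index.html index.htm;

    # Redirect www to non-www
    if ($host = 'www.10.1.1.1' ) {
        rewrite ^/(.*)$ https://10.1.1.1/$1 permanent;
    }

    # Dashboard
    location / {
        add_header Front-End-Https on;
        # NOTE(review): "public" lets shared caches store these responses;
        # confirm that nothing user-specific is served from here.
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        proxy_pass http://dashboard;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        # $proxy_add_x_forwarded_for appends the client address to whatever
        # X-Forwarded-For value the client sent, so the backend should trust
        # only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # API
    location ^~ /api/ {
        add_header Front-End-Https on;
        # NOTE(review): "public" on API responses allows intermediary caches
        # to store them; confirm that authenticated data is never returned
        # with this header.
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        # Strip the /api prefix before the request is passed to the backend.
        rewrite ^/api(/.*)$ $1 break;
        proxy_pass http://api;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Remote Access
    location /remoteaccess/ {
        add_header Front-End-Https on;
        # NOTE(review): same concern as above - "public" caching on a
        # remote-access gateway should be confirmed.
        add_header Cache-Control "public, must-revalidate";
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        proxy_buffering off;
        # Forwarded over plain HTTP to the guacamole web application on port 8080.
        proxy_pass http://10.1.1.1:8080/guacamole/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Deny access to .htaccess files, if Apache's document root concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }
}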
# Redirect everything from port 80 to 443 (HTTP -> HTTPS)
# Plain-HTTP listener whose only job is to send clients to the HTTPS site.
server {
    server_name 10.1.1.1;
    listen 80;

    # The redirect target is built from the configured $server_name rather
    # than from the client-supplied Host header.
    return 301 https://$server_name$request_uri;
}