...
1package kube
2
// nginx.conf shipped to the cluster as a ConfigMap entry (key "nginx.conf").
// The value below is a single CUE multi-line string; nginx parses its content
// verbatim, so everything inside it is nginx configuration, not CUE.
//
// Review notes on the embedded nginx config (the config itself is untouched here):
//
//  - TLS versions: the three TLS-terminating server blocks set
//    `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`. The "We don't like poodles" comment
//    only justifies dropping SSLv3; TLS 1.0 and 1.1 are deprecated as well
//    (RFC 8996). Narrow to `ssl_protocols TLSv1.2;` (plus TLSv1.3 where the nginx
//    build supports it) once the download-job clients are confirmed compatible.
//
//  - Cipher list: the long ssl_ciphers string still admits the 3DES suites
//    (ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA); the trailing
//    "!DES" does not exclude them. Append "!3DES" or drop those names unless a
//    known legacy client depends on them. The identical list and the identical
//    cert/key/dhparam/session-cache lines are repeated in three server blocks;
//    hoisting them to the http block keeps the blocks from drifting apart.
//
//  - HSTS: "Enable HTST." is a typo for HSTS. max-age=1209600 is 14 days, and
//    add_header without the `always` parameter is not emitted on error
//    responses; consider `add_header Strict-Transport-Security "max-age=..." always;`.
//
//  - Host-driven upstreams: the x.example.com / example.io block builds the
//    upstream from the client-supplied Host header (`set $myhost $host;` then
//    `proxy_pass http://$myhost...`), and the www block proxies to
//    `$host.default.example.appspot.com` via `resolver 8.8.8.8`. The upstream is
//    therefore selected by the request. That block is also the first `listen 80`
//    server in the file, so unless a `default_server` for port 80 is declared
//    elsewhere it receives every plain-HTTP request whose Host matches no other
//    server_name (hedged: nginx picks the first matching listen as default).
//    Prefer an explicit `map $host $myhost { ... }` allow-list (or a `default_server`
//    on the authproxy catch-all block) so unmatched hosts cannot steer proxy_pass.
//    Note also that a variable proxy_pass to a name that is not an `upstream` needs
//    a `resolver` in that block; the x.example.com block has none, which presumably
//    fails such requests at runtime — verify against nginx logs.
//
//  - `proxy_pass http://$host.default.example.appspot.com/$request_uri;` joins
//    "/" with $request_uri, which already begins with "/", producing "//...";
//    confirm the upstream tolerates that or drop the literal slash.
//
//  - Comment wording in the catch-all block: "Seems saver this way" → "safer";
//    the preceding sentence refers to a line that is no longer present.
//
//  - Session resumption: ssl_session_cache is shared across workers while
//    ssl_session_tickets is left at its default; if forward secrecy is the goal
//    (see the dhparam comment), ticket-key rotation or `ssl_session_tickets off;`
//    is worth deciding explicitly.
3configMap: nginx: "nginx.conf": """
4 events {
5 worker_connections 768;
6 }
7 http {
8 sendfile on;
9 tcp_nopush on;
10 tcp_nodelay on;
11 # needs to be high for some download jobs.
12 keepalive_timeout 400;
13 # proxy_connect_timeout 300;
14 proxy_send_timeout 300;
15 proxy_read_timeout 300;
16 send_timeout 300;
17
18 types_hash_max_size 2048;
19
20 include /etc/nginx/mime.types;
21 default_type application/octet-stream;
22
23 access_log /dev/stdout;
24 error_log /dev/stdout;
25
26 # Disable POST body size constraints. We often deal with large
27 # files. Especially docker containers may be large.
28 client_max_body_size 0;
29
30 upstream goget {
31 server localhost:7070;
32 }
33
34 # Redirect incoming Google Cloud Storage notifications:
35 server {
36 listen 443 ssl;
37 server_name notify.example.com notify2.example.com;
38
39 ssl_certificate /etc/ssl/server.crt;
40 ssl_certificate_key /etc/ssl/server.key;
41
42 # Security enhancements to deal with poodles and the like.
43 # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
44 # ssl_ciphers 'AES256+EECDH:AES256+EDH';
45 ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
46
47 # We don't like poodles.
48 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
49 ssl_session_cache shared:SSL:10m;
50
51 # Enable Forward secrecy.
52 ssl_dhparam /etc/ssl/dhparam.pem;
53 ssl_prefer_server_ciphers on;
54
55 # Enable HTST.
56 add_header Strict-Transport-Security max-age=1209600;
57
58 # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
59 chunked_transfer_encoding on;
60
61 location / {
62 proxy_pass http://tasks:7080;
63 proxy_connect_timeout 1;
64 }
65 }
66
67 server {
68 listen 80;
69 listen 443 ssl;
70 server_name x.example.com example.io;
71
72 location ~ \"(/[^/]+)(/.*)?\" {
73 set $myhost $host;
74 if ($arg_go-get = \"1\") {
75 set $myhost \"goget\";
76 }
77 proxy_pass http://$myhost$1;
78 proxy_set_header Host $host;
79 proxy_set_header X-Real-IP $remote_addr;
80 proxy_set_header X-Scheme $scheme;
81 proxy_connect_timeout 1;
82 }
83
84 location / {
85 set $myhost $host;
86 if ($arg_go-get = \"1\") {
87 set $myhost \"goget\";
88 }
89 proxy_pass http://$myhost;
90 proxy_set_header Host $host;
91 proxy_set_header X-Real-IP $remote_addr;
92 proxy_set_header X-Scheme $scheme;
93 proxy_connect_timeout 1;
94 }
95 }
96
97 server {
98 listen 80;
99 server_name www.example.com w.example.com;
100
101 resolver 8.8.8.8;
102
103 location / {
104 proxy_set_header X-Forwarded-Host $host;
105 proxy_set_header X-Forwarded-Server $host;
106 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
107 proxy_set_header X-Real-IP $remote_addr;
108
109 proxy_pass http://$host.default.example.appspot.com/$request_uri;
110 proxy_redirect http://$host.default.example.appspot.com/ /;
111 }
112 }
113
114 # Kubernetes URI space. Maps URIs paths to specific servers using the
115 # proxy.
116 server {
117 listen 80;
118 listen 443 ssl;
119 server_name proxy.example.com;
120
121 ssl_certificate /etc/ssl/server.crt;
122 ssl_certificate_key /etc/ssl/server.key;
123
124 # Security enhancements to deal with poodles and the like.
125 # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
126 # ssl_ciphers 'AES256+EECDH:AES256+EDH';
127 ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
128
129 # We don't like poodles.
130 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
131 ssl_session_cache shared:SSL:10m;
132
133 # Enable Forward secrecy.
134 ssl_dhparam /etc/ssl/dhparam.pem;
135 ssl_prefer_server_ciphers on;
136
137 # Enable HTST.
138 add_header Strict-Transport-Security max-age=1209600;
139
140 if ($ssl_protocol = \"\") {
141 rewrite ^ https://$host$request_uri? permanent;
142 }
143
144 # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
145 chunked_transfer_encoding on;
146
147 location / {
148 proxy_pass http://kubeproxy:4180;
149 proxy_set_header Host $host;
150 proxy_set_header X-Real-IP $remote_addr;
151 proxy_set_header X-Scheme $scheme;
152 proxy_connect_timeout 1;
153 }
154 }
155
156 server {
157 # We could add the following line and the connection would still be SSL,
158 # but it doesn't appear to be necessary. Seems saver this way.
159 listen 80;
160 listen 443 default ssl;
161 server_name ~^(?<sub>.*)\\.example\\.com$;
162
163 ssl_certificate /etc/ssl/server.crt;
164 ssl_certificate_key /etc/ssl/server.key;
165
166 # Security enhancements to deal with poodles and the like.
167 # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
168 # ssl_ciphers 'AES256+EECDH:AES256+EDH';
169 ssl_ciphers \"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\";
170
171 # We don't like poodles.
172 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
173 ssl_session_cache shared:SSL:10m;
174
175 # Enable Forward secrecy.
176 ssl_dhparam /etc/ssl/dhparam.pem;
177 ssl_prefer_server_ciphers on;
178
179 # Enable HTST.
180 add_header Strict-Transport-Security max-age=1209600;
181
182 if ($ssl_protocol = \"\") {
183 rewrite ^ https://$host$request_uri? permanent;
184 }
185
186 # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
187 chunked_transfer_encoding on;
188
189 location / {
190 proxy_pass http://authproxy:4180;
191 proxy_set_header Host $host;
192 proxy_set_header X-Real-IP $remote_addr;
193 proxy_set_header X-Scheme $scheme;
194 proxy_connect_timeout 1;
195 }
196 }
197 }
198 """