
Text file src/cuelang.org/go/doc/tutorial/kubernetes/original/services/proxy/nginx/configmap.yaml


     1apiVersion: v1
     2kind: ConfigMap
     3metadata:
     4  name: nginx
     5data:
     6  nginx.conf: |-
     7    events {
     8        worker_connections 768;
     9    }
    10    http {
    11        sendfile on;
    12        tcp_nopush on;
    13        tcp_nodelay on;
    14        # needs to be high for some download jobs.
    15        keepalive_timeout 400;
    16        # proxy_connect_timeout  300;
    17        proxy_send_timeout       300;
    18        proxy_read_timeout       300;
    19        send_timeout             300;
    20
    21        types_hash_max_size 2048;
    22
    23        include /etc/nginx/mime.types;
    24        default_type application/octet-stream;
    25
    26        access_log /dev/stdout;
    27        error_log  /dev/stdout;
    28
    29        # Disable POST body size constraints. We often deal with large
    30        # files. Especially docker containers may be large.
    31        client_max_body_size 0;
    32
    33        upstream goget {
    34            server localhost:7070;
    35        }
    36
    37        # Redirect incoming Google Cloud Storage notifications:
    38       server {
    39            listen 443 ssl;
    40            server_name notify.example.com notify2.example.com;
    41
    42            ssl_certificate /etc/ssl/server.crt;
    43            ssl_certificate_key /etc/ssl/server.key;
    44
    45            # Security enhancements to deal with poodles and the like.
    46            # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    47            # ssl_ciphers 'AES256+EECDH:AES256+EDH';
    48            ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    49
    50            # We don't like poodles.
    51            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    52            ssl_session_cache shared:SSL:10m;
    53
    54            # Enable Forward secrecy.
    55            ssl_dhparam /etc/ssl/dhparam.pem;
    56            ssl_prefer_server_ciphers on;
    57
    58            # Enable HTST.
    59            add_header Strict-Transport-Security max-age=1209600;
    60
    61            # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    62            chunked_transfer_encoding on;
    63
    64            location / {
    65                proxy_pass http://tasks:7080;
    66                proxy_connect_timeout 1;
    67            }
    68        }
    69
    70        server {
    71            listen 80;
    72            listen 443 ssl;
    73            server_name x.example.com example.io;
    74
    75            location ~ "(/[^/]+)(/.*)?" {
    76                set $myhost $host;
    77                if ($arg_go-get = "1") {
    78                    set $myhost "goget";
    79                }
    80                proxy_pass http://$myhost$1;
    81                proxy_set_header Host $host;
    82                proxy_set_header X-Real-IP $remote_addr;
    83                proxy_set_header X-Scheme $scheme;
    84                proxy_connect_timeout 1;
    85            }
    86
    87            location / {
    88                set $myhost $host;
    89                if ($arg_go-get = "1") {
    90                    set $myhost "goget";
    91                }
    92                proxy_pass http://$myhost;
    93                proxy_set_header Host $host;
    94                proxy_set_header X-Real-IP $remote_addr;
    95                proxy_set_header X-Scheme $scheme;
    96                proxy_connect_timeout 1;
    97            }
    98        }
    99
   100        server {
   101            listen 80;
   102            server_name www.example.com w.example.com;
   103
   104            resolver 8.8.8.8;
   105
   106            location / {
   107                proxy_set_header X-Forwarded-Host $host;
   108                proxy_set_header X-Forwarded-Server $host;
   109                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   110                proxy_set_header X-Real-IP $remote_addr;
   111
   112                proxy_pass http://$host.default.example.appspot.com/$request_uri;
   113                proxy_redirect http://$host.default.example.appspot.com/ /;
   114            }
   115        }
   116
   117        server {
   118            # We could add the following line and the connection would still be SSL,
   119            # but it doesn't appear to be necessary. Seems saver this way.
   120            listen 80;
   121            listen 443 default ssl;
   122            server_name ~^(?<sub>.*)\.example\.com$;
   123
   124            ssl_certificate /etc/ssl/server.crt;
   125            ssl_certificate_key /etc/ssl/server.key;
   126
   127            # Security enhancements to deal with poodles and the like.
   128            # See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
   129            # ssl_ciphers 'AES256+EECDH:AES256+EDH';
   130            ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   131
   132            # We don't like poodles.
   133            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   134            ssl_session_cache shared:SSL:10m;
   135
   136            # Enable Forward secrecy.
   137            ssl_dhparam /etc/ssl/dhparam.pem;
   138            ssl_prefer_server_ciphers on;
   139
   140            # Enable HTST.
   141            add_header Strict-Transport-Security max-age=1209600;
   142
   143            if ($ssl_protocol = "") {
   144                rewrite ^   https://$host$request_uri? permanent;
   145            }
   146
   147            # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
   148            chunked_transfer_encoding on;
   149
   150            location / {
   151                proxy_pass http://authproxy:4180;
   152                proxy_set_header Host $host;
   153                proxy_set_header X-Real-IP $remote_addr;
   154                proxy_set_header X-Scheme $scheme;
   155                proxy_connect_timeout 1;
   156            }
   157        }
   158    }
