Added reverse proxy template

Signed-off-by: ojullien <[email protected]>

src/VERSION

@@ -1 +1 @@
-v1.0.0-20210220
+v1.0.0-20210223

src/conf-available/proxy.conf

@@ -0,0 +1,30 @@
+## -----------------------------------------------------
+## NGINX 1.x
+## User proxy default configuration file.
+##
+## @context http
+## @module ngx_http_ssl_module
+## -----------------------------------------------------
+
+# Sets the HTTP protocol version for proxying.
+proxy_http_version 1.1;
+
+# Defines a timeout for establishing a connection with a proxied server.
+proxy_connect_timeout 60s;
+
+# Sets a timeout for transmitting a request to the proxied server.
+proxy_send_timeout 360s;
+
+# Defines a timeout for reading a response from the proxied server.
+proxy_read_timeout 60s;
+
+# By default, nginx does not pass the header fields “Date”, “Server”,
+# “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client.
+proxy_hide_header X-Powered-By;
+#proxy_hide_header Etag;
+
+# Sets the text that should be changed in the “Location” and “Refresh” header fields of a proxied server response.
+proxy_redirect off;
+
+# Defines conditions under which the response will not be taken from a cache.
+#proxy_cache_bypass $http_upgrade;

src/sites-available/reverseproxy.tld/http.conf

@@ -2,55 +2,48 @@
 ## NGINX 1.x
 ## Reverse proxy configuration for a name-based vhost.
 ##
-## @context virtual host
-## @module proxy_module proxy_http_module
-## @author Olivier Jullien <https://github.com/ojullien>
+## RENAME all reverseproxy.tld occurences in files, filenames and
+##        directory names with your domain name.
+##
+## @Context http
+## @module ngx_http_core_module, ngx_http_proxy_module
 ## -----------------------------------------------------
 
-Define USER_DOMAIN_NAME reverseproxy.tld
-Define USER_SITE_DIR ${USER_DOMAIN_NAME}
-
-<VirtualHost *:80>
+server {
 
-    # System environment variables
-    Include sites-available/shared/system-env.conf
+    listen [::]:80;
+    listen 80;
 
     # Log
-    Include sites-available/${USER_SITE_DIR}/include/log.conf
+    include sites-available/reverseproxy.tld/include/log.conf;
 
     # Server name configuration
-    Include sites-available/${USER_SITE_DIR}/include/vhost.conf
+    include sites-available/reverseproxy.tld/include/vhost.conf;
 
     # Forwarding information to backend systems
-    RequestHeader set "X-PROXY-UNIQUE-ID" "%{UNIQUE_ID}e"
-    RequestHeader set "X-PROXY-REMOTE-USER" "%{REMOTE_USER}e"
+    # By default, NGINX redefines two header fields in proxied requests, “Host” and “Connection”,
+    # and eliminates the header fields whose values are empty strings.
+    # “Host” is set to the $proxy_host variable, and “Connection” is set to close.
+    location / {
+        # You must define in this proxy server /etc/hosts file the backend IP address of www.reverseproxy.tld
+        proxy_pass https://www.domain.tld;
+        proxy_set_header X-Proxy-Unique-Id "$request_id";
+        include proxy_params;
+    }
 
     # You may activate some access control
-    #Include sites-available/shared/access_control/directives_for_static_website.conf
+    #include sites-available/snippets/headers/headers_for_static_website.conf;
     # Or
-    #Include sites-available/shared/access_control/directives_for_application.conf
+    #include sites-available/snippets/headers/headers_for_application.conf;
 
     # You may activate more security rules
-    #Include sites-available/shared/security/enhancement.conf
-
-    # you may use proxy_http_module or proxy_http2_module
-    ProxyPass "/" "http://<remote [ip address | domain name]>/" keepalive=On retry=5
-    ProxyPassReverse "/" "http://<remote [ip address | domain name]>/"
-
-</VirtualHost>
+    #include sites-available/snippets/security/access_restriction.conf;
 
-<VirtualHost *:80>
-    ServerName ${USER_DOMAIN_NAME}
-    RedirectPermanent "/" "http://www.${USER_DOMAIN_NAME}/"
-</VirtualHost>
+}
 
-UnDefine USER_SITE_DIR
-UnDefine USER_DOMAIN_NAME
 server {
+    listen [::]:80;
     listen 80;
-    server_name r.nf.id.au;
-    access_log /var/log/nginx/goto.access.log;
-    location / {
-        proxy_pass http://127.0.0.1:9980;
-    }
+    server_name reverseproxy.tld;
+    return 301 $scheme://www.reverseproxy.tld$request_uri;
 }

src/sites-available/reverseproxy.tld/https.conf

@@ -2,84 +2,79 @@
 ## NGINX 1.x
 ## Reverse proxy SSL configuration for a name-based vhost.
 ##
-## @context virtual host
-## @module ssl_module proxy_module proxy_http2_module
-## @author Olivier Jullien <https://github.com/ojullien>
+## @Context http
+## @module ngx_http_core_module, ngx_http_ssl_module
+##         ngx_http_v2_module
 ## -----------------------------------------------------
 
-Define USER_DOMAIN_NAME reverseproxy.tld
-Define USER_SITE_DIR ${USER_DOMAIN_NAME}
+server {
 
-<VirtualHost *:443>
+    listen [::]:443 ssl http2;
+    listen 443 ssl http2;
 
-    # System environment variables
-    Include sites-available/shared/system-env.conf
+    # SSL
+    include sites-available/reverseproxy.tld/include/ssl.conf;
 
     # Log
-    Include sites-available/${USER_SITE_DIR}/include/log.conf
-
-    # SSL
-    Include sites-available/${USER_SITE_DIR}_rp/include/ssl.conf
+    include sites-available/reverseproxy.tld/include/log.conf;
 
     # Server name configuration
-    Include sites-available/${USER_SITE_DIR}/include/vhost.conf
+    include sites-available/reverseproxy.tld/include/vhost.conf;
 
     # Forwarding information to backend systems
-    RequestHeader set "X-PROXY-UNIQUE-ID" "%{UNIQUE_ID}e"
-    RequestHeader set "X-PROXY-REMOTE-USER" "%{REMOTE_USER}e"
-    RequestHeader set "X-PROXY-SSL-PROTOCOL" "%{SSL_PROTOCOL}s"
-    RequestHeader set "X-PROXY-SSL-CIPHER" "%{SSL_CIPHER}s"
-    RequestHeader set "X-Forwarded-Proto" "https"
+    # By default, NGINX redefines two header fields in proxied requests, “Host” and “Connection”,
+    # and eliminates the header fields whose values are empty strings.
+    # “Host” is set to the $proxy_host variable, and “Connection” is set to close.
+    location / {
+        # You must define in this proxy server /etc/hosts file the backend IP address of www.reverseproxy.tld
+        proxy_pass https://www.reverseproxy.tld;
+        proxy_set_header X-Proxy-Unique-Id "$request_id";
+        include proxy_params;
+    }
 
     # You may activate some access control
-    #Include sites-available/shared/access_control/directives_for_static_website.conf
+    #include sites-available/snippets/headers/headers_for_static_website.conf;
     # Or
-    #Include sites-available/shared/access_control/directives_for_application.conf
+    #include sites-available/snippets/headers/headers_for_application.conf;
 
     # You may activate more security rules
-    #Include sites-available/shared/security/enhancement.conf
-
-    # The backend server needs to support HTTP/2 !
-    ProxyPass "/" "h2://<remote [ip address | domain name]>/" keepalive=On retry=5
-    ProxyPassReverse "/" "https://<remote [ip address | domain name]>/"
-
-</VirtualHost>
-
-<VirtualHost *:80>
-    ServerName ${USER_DOMAIN_NAME}
-    ServerAlias www.${USER_DOMAIN_NAME}
-    RedirectPermanent "/" "https://www.${USER_DOMAIN_NAME}/"
-</VirtualHost>
+    #include sites-available/snippets/security/access_restriction.conf;
 
-UnDefine USER_SITE_DIR
-UnDefine USER_DOMAIN_NAME
-
-By default, NGINX redefines two header fields in proxied requests, “Host” and “Connection”, and eliminates the header fields whose values are empty strings. “Host” is set to the $proxy_host variable, and “Connection” is set to close.
+}
 
-But NGINX does not have ProxyPassReverse... The solution is adding a few missing HTTP headers.
-https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
 server {
-    listen myhost:80;
-    server_name  myhost;
-    location / {
-        root /path/to/myapp/public;
-        proxy_set_header X-Forwarded-Host $host:$server_port;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://myapp:8080;
-    }
+    listen [::]:443 ssl http2;
+    listen 443 ssl http2;
+    server_name reverseproxy.tld;
+    include sites-available/reverseproxy.tld/include/ssl.conf;
+    return 301 $scheme://www.reverseproxy.tld$request_uri;
 }
-proxy_set_header Host $http_host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-
-         proxy_http_version 1.1;
 
-          proxy_set_header Host               $host;
-          proxy_set_header X-Real-IP          $remote_addr;
-          proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto  $scheme;
+# If you DO use HSTS:
+# you must redirect http://domain.tld to https://domain.tld first, before adding the www subdomain.
+# https://domain.tld to https://www.domain.tld
+# The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top
+# level domain, not just the subdomain.
+server {
+    listen [::]:80;
+    listen 80;
+    server_name www.reverseproxy.tld;
+    return 301 https://www.reverseproxy.tld$request_uri;
+}
 
+server {
+    listen [::]:80;
+    listen 80;
+    server_name reverseproxy.tld;
+    return 301 https://reverseproxy.tld$request_uri;
+}
 
-          https://doc.dataiku.com/dss/latest/installation/proxies.html
+# If you DO NOT use HSTS:
+# you can immediately redirect http://domain.tld to https://www.domain.tld
+# Comment all lines above and uncomment all lines below.
+#server {
+#    listen [::]:80;
+#    listen 80;
+#    server_name reverseproxy.tld www.reverseproxy.tld
+#    return 301 https://www.reverseproxy.tld$request_uri;
+#}

src/sites-available/reverseproxy.tld/include/log.conf

@@ -1,14 +1,10 @@
 ## -----------------------------------------------------
 ## NGINX 1.x
-## Directives for log configuration.
+## Directives for logging configuration.
 ##
-## @context virtual host
-## @module core, log_config_module
-## @author Olivier Jullien <https://github.com/ojullien>
+## @Context server
+## @Module ngx_http_core_module, ngx_http_log_module
 ## -----------------------------------------------------
 
-# Log
-LogLevel warn
-ErrorLog ${APACHE_LOG_DIR}/${USER_SITE_DIR}/error.log
-CustomLog ${APACHE_LOG_DIR}/${USER_SITE_DIR}/access.log proxy_combined env=!donotlog
-#CustomLog ${APACHE_LOG_DIR}/${USER_SITE_DIR}/deflate.log deflate
+error_log  /var/log/nginx/reverseproxy.tld/error.log warn;
+access_log /var/log/nginx/reverseproxy.tld/access.log proxy_combined if=$loggable;

src/sites-available/reverseproxy.tld/include/ssl.conf

@@ -2,38 +2,19 @@
 ## NGINX 1.x
 ## Directives for SSL configuration.
 ##
-## @Context virtual host
-## @Module ssl_module
-## @author Olivier Jullien <https://github.com/ojullien>
+## @context server
+## @module ngx_http_ssl_module
 ## -----------------------------------------------------
 
-# SSL
-SSLEngine on
-
-# Log
-LogLevel ssl:warn
-
 # Server PEM-encoded X.509 certificate data file: "/path/to/signed_certificate_followed_by_intermediate_certs"
-SSLCertificateFile "/path/to/signed_certificate_followed_by_intermediate_certs.pem"
+ssl_certificate "/path/to/signed_certificate_followed_by_intermediate_certs";
 
 # Server PEM-encoded private key file: "/path/to/private/key"
-SSLCertificateKeyFile "/path/to/private/key.pem"
-
-# Online Certificate Status Protocol (OCSP) Stapling
-SSLUseStapling off
-
-# File of concatenated PEM-encoded CA Certificates for Client Authentication
-# This file is not necessary if the SSLCertificateFile does include intermediate CA certificates in their chain.
-#SSLCACertificateFile "/path/to/StandardSSLCA2.chain.pem"
-
-# Http2
-Protocols h2 http/1.1
+ssl_certificate_key "/path/to/private/key";
 
-# Enable the usage of the SSL/TLS Protocol Engine for proxy.
-SSLProxyEngine On
-SSLProxyVerify none
-SSLProxyCheckPeerExpire On
-SSLProxyVerifyDepth 3
-SSLProxyCheckPeerCN on
-SSLProxyCheckPeerName on
+# If OCSP stapling is enabled
+#ssl_trusted_certificate "/path/to/signed_certificate_followed_by_intermediate_certs"
 
+# HTTP Strict Transport Security
+include sites-available/snippets/security/hsts_without_preload.conf;
+# Use hsts_with_preload.conf when all tests are ok.