2017-08-29 23:14:28 +03:00
#user awx;
2017-06-30 22:25:10 +03:00
worker_processes 1;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
2019-08-20 21:33:02 +03:00
server_tokens off;
2017-06-30 22:25:10 +03:00
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
2018-06-28 14:09:13 +03:00
access_log /dev/stdout main;
2017-06-30 22:25:10 +03:00
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
sendfile on;
#tcp_nopush on;
#gzip on;
upstream uwsgi {
2018-03-15 19:41:40 +03:00
server 127.0.0.1:8050;
2017-06-30 22:25:10 +03:00
}
upstream daphne {
2018-03-15 19:41:40 +03:00
server 127.0.0.1:8051;
2017-06-30 22:25:10 +03:00
}
2019-04-03 18:50:10 +03:00
{% if ssl_certificate is defined %}
server {
listen 8052 default_server;
server_name _;
# Redirect all HTTP links to the matching HTTPS page
return 301 https://$host$request_uri;
}
{%endif %}
2017-06-30 22:25:10 +03:00
server {
2019-02-28 16:06:59 +03:00
{% if ssl_certificate is defined %}
2019-04-03 18:50:10 +03:00
listen 8053 ssl;
2018-08-04 11:50:16 +03:00
ssl_certificate /etc/nginx/awxweb.pem;
ssl_certificate_key /etc/nginx/awxweb.pem;
2019-02-28 16:06:59 +03:00
{% else %}
listen 8052 default_server;
{% endif %}
2017-06-30 22:25:10 +03:00
# If you have a domain name, this is where to add it
server_name _;
keepalive_timeout 65;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
2019-09-26 20:12:54 +03:00
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
2019-01-21 14:32:41 +03:00
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
2019-04-03 18:50:10 +03:00
2018-04-03 20:24:30 +03:00
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
2019-04-03 18:50:10 +03:00
2017-06-30 22:25:10 +03:00
location /static/ {
alias /var/lib/awx/public/static/;
}
location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
2018-08-02 18:24:51 +03:00
location /websocket {
2017-06-30 22:25:10 +03:00
# Pass request to the upstream alias
proxy_pass http://daphne;
# Require http version 1.1 to allow for upgrade requests
proxy_http_version 1.1;
# We want proxy_buffering off for proxying to websockets.
proxy_buffering off;
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if you use HTTPS:
proxy_set_header X-Forwarded-Proto https;
# pass the Host: header from the client for the sake of redirects
proxy_set_header Host $http_host;
# We've set the Host header, so we don't need Nginx to muddle
# about with redirects
proxy_redirect off;
# Depending on the request value, set the Upgrade and
# connection headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location / {
# Add trailing / if missing
2017-10-13 00:30:57 +03:00
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
2017-06-30 22:25:10 +03:00
uwsgi_read_timeout 120s;
uwsgi_pass uwsgi;
include /etc/nginx/uwsgi_params;
2018-06-05 18:16:08 +03:00
{%- if extra_nginx_include is defined %}
include {{ extra_nginx_include }};
{%- endif %}
2018-08-07 17:07:06 +03:00
proxy_set_header X-Forwarded-Port 443;
2017-06-30 22:25:10 +03:00
}
}
}