-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
74 lines (56 loc) · 3.02 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# /etc/nginx/nginx.conf
# Note that in this project, we're actually only hosting HTTP servers, but this is fine for how we have it set up.
# The thing is, we could have HTTP servers that use SSL/TLS (HTTPS) but it complicates the setup quite a bit.
# This is how the traffic flows to my box and how it's handled:
# Unencrypted Data
# Client | H |
# | [cipher] (Encrypted traffic, TLS) | I |
# Internet | D | "tunnel"
# | [cipher] (TLS encryption maintained) | D |
# Homelab Router | E |
# | [cipher] (TLS encryption continues) | N |
# Edge NGINX (vct-nginx) - HTTPS by default, handles SSL/TLS Unencrypted Data
# | [plain] (Decrypted, plain HTTP traffic)
# LXC Docker Host (vct-hackhouse2024) - traffic routed to containers
# | [plain] (Plain HTTP, no TLS)
# Docker Container (hackhouse2024)
# | [plain] (Plain HTTP, no TLS)
# Hackhouse2024 NGINX
# | [plain]
# |-------> Static resources
# |-------> (proxy) Rogue API
# Basically, an encrypted tunnel of traffic is created between my homelab and the client.
# No MITM can occur because of TLS encryption. The only thing that can be seen is the IP
# address of the server and (possibly) the DNS queries being made (use DoH to prevent this).
# Because I have an edge LXC container 'vct-nginx' which takes all incoming HTTPS traffic,
# handles certificate updates, and then proxies the traffic to the appropriate container.
# Simply deploying the Docker container on your computer and port forwarding it will only
# expose the 'hackhouse2024 NGINX' server to the internet. This will only expose HTTP
# traffic. To keep the project (and server mgmt) simple, this configuration uses HTTP only.
user nginx;
worker_processes auto;
# Speeds up regex matching
pcre_jit on;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
# Logs are disabled for the demonstration because they are not required.
access_log /dev/null;
error_log stderr crit;
default_type application/octet-stream;
### Optimization settings to follow. ###
# Transmits packets more efficiently by combining the header and content into a single packet
tcp_nopush on;
# Sends files without having to go through the usermode crap which saves CPU cycles
sendfile on;
### Typical security settings to follow. ###
# Don't disclose what version of nginx is running. If we're on an old version (for whatever reason) we don't want to
# disclose that, especially if thee are known vulnerabilities for said version.
server_tokens off;
# Limit the size of the client request body to 1MB. This can prevent DoS attacks.
client_max_body_size 1m;
# Inclues whatever servers we have in the http.d directory
include /etc/nginx/http.d/*.conf;
}