custom-nginx-reverse-proxy.conf
# Start one worker process per available CPU core.
worker_processes auto;

events {
    # Upper bound on simultaneous connections per worker. The count covers
    # connections to the proxied upstreams as well as connections from clients.
    worker_connections 512;

    # Workers take turns accepting new connections instead of all waking at once.
    accept_mutex on;

    # A worker that gets its turn accepts every pending connection, not just one.
    multi_accept on;
}
http {
# File-extension to Content-Type mapping used for responses nginx generates itself.
include mime.types;

# Bigger hash buckets so that long server names fit.
server_names_hash_bucket_size 128;

# Kernel-assisted file transmission and socket tuning.
sendfile on;
tcp_nopush on;
tcp_nodelay on;

# Asynchronous file I/O; files of 4 MiB and larger bypass the page cache.
aio on;
directio 4m;

# Response buffering for proxied requests: one 1 MiB buffer for the first part
# of the upstream response plus eight 1 MiB buffers for the rest.
# NOTE(review): these are allocated per proxied request, so a busy worker can
# hold several MiB per connection. Size container memory limits accordingly.
proxy_buffer_size 1024k;
proxy_buffers 8 1024k;
# Backend pools. Every pool points at 10.200.10.1 and differs only by port.

# Hub application (target of the catch-all location).
upstream platform {
    server 10.200.10.1:3333;
}

# Network explorer front end.
upstream network_explorer {
    server 10.200.10.1:3334;
}

# Broker websocket listeners; two servers, balanced with nginx's default method.
upstream brokers_ws {
    server 10.200.10.1:8690;
    server 10.200.10.1:8790;

    # Keep up to 20 idle connections per worker. Each one is recycled after
    # 50 requests or 60 s of idleness.
    keepalive 20;
    keepalive_requests 50;
    keepalive_timeout 60s;
}

# Broker HTTP listeners; same layout and keepalive policy as brokers_ws.
upstream brokers_http {
    server 10.200.10.1:8691;
    server 10.200.10.1:8791;

    keepalive 20;
    keepalive_requests 50;
    keepalive_timeout 60s;
}

# Storage node HTTP API.
upstream storage_http {
    server 10.200.10.1:8891;
}

# Ethereum node RPC ports: one HTTP and one websocket pool per chain.
upstream mainchain_rpc_http {
    server 10.200.10.1:8545;
}

upstream mainchain_rpc_ws {
    server 10.200.10.1:8450;
}

upstream sidechain_rpc_http {
    server 10.200.10.1:8546;
}

upstream sidechain_rpc_ws {
    server 10.200.10.1:8451;
}
server {
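# Fail a request if the upstream does not accept the connection within 10 s.
proxy_connect_timeout 10s;

# Plain HTTP listener. Until the SSL section below is enabled, every proxied
# path (API, websockets, node RPC) is served in cleartext.
listen 80;

# UNCOMMENT FOR SSL
# -----------------
# listen 443 ssl;
# ssl_certificate /etc/nginx/mounted-certs/bundle.crt;
# ssl_certificate_key /etc/nginx/mounted-certs/secret.key;
# if ($scheme = http) {
# return 301 https://$host$request_uri;
# }

# TLS 1.2 and 1.3 only. SSLv2/SSLv3 are broken, and TLS 1.0/1.1 are formally
# deprecated (RFC 8996), so none of them are offered.
ssl_protocols TLSv1.2 TLSv1.3;

# Cipher list for TLS 1.2: forward-secret key exchange (ECDHE/DHE) with AEAD
# encryption only. The previous list also allowed 3DES (DES-CBC3-SHA), CBC/SHA-1
# suites and static-RSA key exchange, none of which should be negotiated.
# TLS 1.3 suites are not controlled by this directive.
# nginx offers the DHE suites only when ssl_dhparam is configured.
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";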
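# Liveness probe answered by nginx itself; no upstream is contacted.
location /health_check {
    # Keep probe traffic out of the access log and close the connection
    # after each probe.
    access_log off;
    keepalive_timeout 0;

    # Declare the body type with default_type. Using add_header for Content-Type
    # appends a second Content-Type header next to the one nginx generates.
    default_type text/plain;
    add_header Cache-Control no-cache;

    return 200;
}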
# Websocket endpoint, served by the broker websocket pool.
location /api/v2/ws {
    proxy_pass http://brokers_ws;

    # HTTP/1.1 plus the Upgrade/Connection pair is what lets the websocket
    # handshake pass through the proxy.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    # Appends the peer address to whatever X-Forwarded-For the client sent.
    # Only the last entry is set by this proxy; earlier entries are
    # client-controlled and must not be trusted by the backend.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # The connection is closed if the upstream sends nothing for 240 s.
    proxy_read_timeout 240s;

    # Response header naming the matched route. It is visible to every client,
    # so consider dropping it outside development.
    add_header X-debug "/api/v2/ws";
}
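# Data REST endpoints: stream data, metadata and storage partition paths go to
# the storage node.
# The pattern is anchored with ^. A regex location outranks the plain prefix
# locations in this server, so an unanchored pattern would also capture URIs
# that merely contain "/api/v2/streams/.../data" under another prefix (for
# example below /network-explorer/ or the RPC paths) and send them to storage.
location ~ ^/api/v2/streams/(.*)/(data|metadata/partitions/.*|storage/partitions/.*|data/partitions/.*)$ {
    proxy_pass http://storage_http;

    # HTTP/1.1 with an empty Connection header, as upstream keepalive requires.
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Allow up to 240 s between reads from the upstream before giving up.
    proxy_read_timeout 240s;

    # Response header naming the matched route. It is visible to every client,
    # so consider dropping it outside development.
    add_header X-debug "/api/v2/streams";
}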
# Data Volume endpoint, served by the broker HTTP pool.
location /api/v2/volume {
    proxy_pass http://brokers_http;

    # HTTP/1.1 with an empty Connection header so the keepalive connections
    # configured on brokers_http can be reused.
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Allow up to 240 s between reads from the upstream before giving up.
    proxy_read_timeout 240s;

    # Response header naming the matched route. It is visible to every client,
    # so consider dropping it outside development.
    add_header X-debug "/api/v2/volume";
}
# Network explorer
location /network-explorer/ {
    # $request_uri forwards the original URI unchanged, including the
    # /network-explorer/ prefix and the query string.
    proxy_pass http://network_explorer$request_uri;

    proxy_http_version 1.1;
    proxy_set_header Connection "";
}
### Utility paths proxied to the Ethereum nodes in the docker stack. Useful if SSL is terminated at nginx ###
# NOTE(review): nothing in these locations authenticates the caller or limits
# the source address, so anyone who can reach this listener can call the node
# RPC through it. If the proxy is reachable beyond a development network,
# restrict these paths (allow/deny, auth) or remove them.

# Mainchain JSON-RPC over HTTP. The trailing slash on proxy_pass strips the
# /mainchain-rpc/http/ prefix before the request is forwarded.
location /mainchain-rpc/http/ {
    proxy_pass http://mainchain_rpc_http/;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}

# Mainchain RPC over websocket; the location prefix is stripped the same way.
location /mainchain-rpc/ws/ {
    proxy_pass http://mainchain_rpc_ws/;

    # Websocket handshake pass-through.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    # Appends the peer address; earlier entries come from the client.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Sidechain JSON-RPC over HTTP. The trailing slash on proxy_pass strips the
# /sidechain-rpc/http/ prefix before the request is forwarded.
# NOTE(review): no authentication or source restriction is applied here, so
# anyone who can reach this listener can call the node RPC. Restrict or remove
# these paths if the proxy is reachable beyond a development network.
location /sidechain-rpc/http/ {
    proxy_pass http://sidechain_rpc_http/;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}

# Sidechain RPC over websocket; the location prefix is stripped the same way.
location /sidechain-rpc/ws/ {
    proxy_pass http://sidechain_rpc_ws/;

    # Websocket handshake pass-through.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    # Appends the peer address; earlier entries come from the client.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Proxy everything else to the Hub app
location / {
    proxy_pass http://platform;
    # Location/Refresh headers from the app are passed back unmodified.
    proxy_redirect off;

    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Tell the app which host was requested and who the client is.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the peer address to any client-supplied X-Forwarded-For; only the
    # last entry is set by this proxy. X-Real-IP above is set by this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): this server block sets no server_name, so $server_name is
    # empty and nginx omits headers with empty values. $host may have been
    # intended. Confirm what the Hub app expects before changing it.
    proxy_set_header X-Forwarded-Host $server_name;

    # Response header naming the matched route. It is visible to every client,
    # so consider dropping it outside development.
    add_header X-debug "/";
}
}
}