flashcatcloud/n9e-helm
1
0
Fork 0
mirror of https://github.com/flashcatcloud/n9e-helm.git synced 2026-03-02 22:29:00 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
master
n9e-helm/templates/nginx/configmap-https.yaml
kongfei a797cb3e68 nwebapi->n9e
2023-03-28 17:26:33 +08:00

118 lines
3.8 KiB
YAML
Raw Permalink Blame History

{{/*
# Copyright 2022 flashcat.cloud | 快猫星云
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
*/}}
{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
{{- $scheme := (include "nightingale.component.scheme" .) -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "nightingale.nginx" . }}
labels:
{{ include "nightingale.labels" . | indent 4 }}
data:
nginx.conf: |+
worker_processes auto;
pid /tmp/nginx.pid;
events {
worker_connections 3096;
use epoll;
multi_accept on;
}
http {
client_body_temp_path /tmp/client_body_temp;
proxy_temp_path /tmp/proxy_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
tcp_nodelay on;
# this is necessary for us to be able to disable request buffering in all cases
proxy_http_version 1.1;
upstream n9e {
server "{{ template "nightingale.n9e" . }}:{{ template "nightingale.n9e.servicePort" . }}";
}
log_format timed_combined '[$time_local]:$remote_addr - '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
access_log /dev/stdout timed_combined;
map $http_x_forwarded_proto $x_forwarded_proto {
default $http_x_forwarded_proto;
"" $scheme;
}
server {
{{- if .Values.ipFamily.ipv4.enabled }}
listen 8443 ssl;
{{- end}}
{{- if .Values.ipFamily.ipv6.enabled }}
listen [::]:8443 ssl;
{{- end }}
# server_name nightingaledomain.com;
server_tokens off;
# SSL
ssl_certificate /etc/nginx/cert/tls.crt;
ssl_certificate_key /etc/nginx/cert/tls.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
# Add extra headers
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'none'";
location / {
proxy_pass {{ $scheme }}://n9e/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
proxy_cookie_path / "/; HttpOnly; Secure";
proxy_buffering off;
proxy_request_buffering off;
}
}
server {
{{- if .Values.ipFamily.ipv4.enabled }}
listen 8080;
{{- end}}
{{- if .Values.ipFamily.ipv6.enabled }}
listen [::]:8080;
{{- end}}
#server_name nightingaledomain.com;
return 301 https://$host$request_uri;
}
}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink