Update nginx config and docs with user recs (#481)
* Update nginx config and docs with user recs * Fix typo
@@ -64,8 +64,8 @@ Shown below is a complete listing of the configuration options available in
|
||||
| `default['firezone']['nginx']['worker_processes']` | Number of nginx worker processes. | `node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1` |
|
||||
| `default['firezone']['nginx']['worker_connections']` | Max number of simultaneous connections that can be opened by a worker process. | `1024` |
|
||||
| `default['firezone']['nginx']['worker_rlimit_nofile']` | Changes the limit on the maximum number of open files for worker processes. Uses nginx default if nil. | `nil` |
|
||||
| `default['firezone']['nginx']['multi_accept']` | Whether workers should accept one connection at a time or multiple. | `false` |
|
||||
| `default['firezone']['nginx']['event']` | Specifies the connection processing method to use inside nginx events context. | `nil` |
|
||||
| `default['firezone']['nginx']['multi_accept']` | Whether workers should accept one connection at a time or multiple. | `true` |
|
||||
| `default['firezone']['nginx']['event']` | Specifies the connection processing method to use inside nginx events context. | `'epoll'` |
|
||||
| `default['firezone']['nginx']['server_tokens']` | Enables or disables emitting nginx version on error pages and in the “Server” response header field. | `nil` |
|
||||
| `default['firezone']['nginx']['server_names_hash_bucket_size']` | Sets the bucket size for the server names hash tables. | `64` |
|
||||
| `default['firezone']['nginx']['sendfile']` | Enables or disables the use of nginx's `sendfile()`. | `'on'` |
|
||||
@@ -78,6 +78,10 @@ Shown below is a complete listing of the configuration options available in
|
||||
| `default['firezone']['nginx']['client_body_buffer_size']` | nginx client body buffer size. Set to `nil` to use nginx default. | `nil` |
|
||||
| `default['firezone']['nginx']['client_max_body_size']` | nginx client max body size. | `'250m'` |
|
||||
| `default['firezone']['nginx']['default']['modules']` | Specify additional nginx modules. | `[]` |
|
||||
| `default['firezone']['nginx']['enable_rate_limiting']` | Enable or disable nginx rate limiting. | `true` |
|
||||
| `default['firezone']['nginx']['rate_limiting_zone_name']` | Nginx rate limiting zone name. | `'firezone'` |
|
||||
| `default['firezone']['nginx']['rate_limiting_backoff']` | Nginx rate limiting backoff. | `'10m'` |
|
||||
| `default['firezone']['nginx']['rate_limit']` | Nginx rate limit. | `'10r/s'` |
|
||||
| `default['firezone']['postgresql']['enabled']` | Enable or disable bundled Postgresql. Set to `false` and fill in the `database` options below to use your own Postgresql instance. | `true` |
|
||||
| `default['firezone']['postgresql']['username']` | Username for Postgresql. | `node['firezone']['user']` |
|
||||
| `default['firezone']['postgresql']['data_directory']` | Postgresql data directory. | `"#{node['firezone']['var_directory']}/postgresql/13.3/data"` |
|
||||
|
||||
@@ -128,8 +128,8 @@ default['firezone']['nginx']['keepalive_timeout'] = 65
|
||||
default['firezone']['nginx']['worker_processes'] = node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1
|
||||
default['firezone']['nginx']['worker_connections'] = 1024
|
||||
default['firezone']['nginx']['worker_rlimit_nofile'] = nil
|
||||
default['firezone']['nginx']['multi_accept'] = false
|
||||
default['firezone']['nginx']['event'] = nil
|
||||
default['firezone']['nginx']['multi_accept'] = true
|
||||
default['firezone']['nginx']['event'] = 'epoll'
|
||||
default['firezone']['nginx']['server_tokens'] = nil
|
||||
default['firezone']['nginx']['server_names_hash_bucket_size'] = 64
|
||||
default['firezone']['nginx']['sendfile'] = 'on'
|
||||
@@ -143,6 +143,14 @@ default['firezone']['nginx']['client_body_buffer_size'] = nil
|
||||
default['firezone']['nginx']['client_max_body_size'] = '250m'
|
||||
default['firezone']['nginx']['default']['modules'] = []
|
||||
|
||||
# Nginx rate limiting configuration.
|
||||
# Note that requests are also rate limited by the upstream Phoenix application.
|
||||
default['firezone']['nginx']['enable_rate_limiting'] = true
|
||||
default['firezone']['nginx']['rate_limiting_zone_name'] = 'firezone'
|
||||
default['firezone']['nginx']['rate_limiting_backoff'] = '10m'
|
||||
default['firezone']['nginx']['rate_limit'] = '10r/s'
|
||||
|
||||
|
||||
# ## Postgres
|
||||
|
||||
# ### Use the bundled Postgres instance (default, recommended):
|
||||
|
||||
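Review bot: `default['firezone']['nginx']['rate_limiting_backoff'] = '10m'` is not a backoff: the nginx.conf.erb hunk passes it as the size part of `limit_req_zone ... zone=<name>:<size>`, i.e. the shared-memory zone that holds per-client state, so an operator reading "backoff" as a time window will set a value nginx rejects or a zone far too small. The attribute name is public, but the comment block above the rate-limiting defaults should say what the value is, e.g. `# rate_limiting_backoff is the limit_req_zone shared-memory size (zone=<name>:<size>), not a time window.`; the docs row in the first hunk carries the same misleading description. Separately, `default['firezone']['nginx']['event'] = 'epoll'` hard-codes a Linux-only connection-processing method; presumably the cookbook only targets Linux, but if other platforms are supported nginx will refuse the `use` directive there, so a one-line comment stating the Linux assumption would help.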
@@ -84,6 +84,15 @@ http {
|
||||
limit_req_zone $binary_remote_addr zone=<%= @nginx['rate_limiting_zone_name'] %>:<%= @nginx['rate_limiting_backoff'] %> rate=<%= @nginx['rate_limit'] %>;
|
||||
|
||||
<% end -%>
|
||||
|
||||
# Security headers
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
|
||||
add_header Permissions-Policy "interest-cohort=()" always;
|
||||
add_header Cache-Control "public, max-age=2700";
|
||||
|
||||
include <%= @nginx['dir'] %>/conf.d/*.conf;
|
||||
include <%= @nginx['dir'] %>/sites-enabled/*;
|
||||
}
|
||||
|
||||
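Review bot: `add_header Cache-Control "public, max-age=2700";` sits at `http` scope, so it is attached to every response served from this config, including whatever the included `sites-enabled` servers proxy from the application; a dynamic or authenticated page marked `public` may be stored by an intermediary cache, and unlike the other headers it also lacks `always`, so it is applied on 2xx/3xx responses only. It would be safer to scope this header to static-asset locations or use `private`, and to add a comment on the line explaining why a blanket public max-age is intended if it is. Note also that nginx inherits `add_header` from an enclosing level only when the current level declares none, so any `add_header` inside the `conf.d`/`sites-enabled` includes two lines below silently drops this whole security-header set for that block; a comment such as `# add_header is not merged: any add_header in an included server/location replaces this entire list` would save the next maintainer from that surprise. The CSP here allows `http: https: 'unsafe-inline'`, so in practice only `frame-ancestors 'self'` restricts anything; presumably that is a deliberate accommodation for the app and worth a comment.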
@@ -18,6 +18,10 @@ server {
|
||||
server_name <%= @fqdn %>;
|
||||
<% if @nginx['force_ssl'] -%>
|
||||
location / {
|
||||
<% if @nginx['enable_rate_limiting'] -%>
|
||||
limit_req zone=<%= @nginx['rate_limiting_zone_name'] %>;
|
||||
|
||||
<% end -%>
|
||||
if ($http_x_forwarded_proto != 'https') {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
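Review bot: The `limit_req zone=<%= @nginx['rate_limiting_zone_name'] %>;` added here draws on a zone keyed by `$binary_remote_addr` (defined in nginx.conf.erb), yet the very next lines consult `$http_x_forwarded_proto`, which only makes sense behind a TLS-terminating proxy; in that deployment every client arrives from the proxy's address, shares one bucket, and the 10r/s default throttles the whole site instead of individual clients. If that deployment is supported, the real-IP module needs to be configured from the trusted proxy address (`set_real_ip_from`/`real_ip_header X-Forwarded-For`) so the zone key reflects the client, and the limitation should be stated in a comment next to this directive. The directive also carries no `burst`, so any request above the configured rate is rejected outright; whether that is acceptable for a page that loads several assets at once depends on the upstream's own limiting, which the attributes file says exists, so a constructed `limit_req zone=<zone> burst=20 nodelay;` is only an example to consider. The enclosing `location /` and `server` blocks continue outside this hunk.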