openafc_final/dispatcher/nginx.conf.template

#
# Copyright (C) 2022 Broadcom. All rights reserved. The term "Broadcom"
# refers solely to the Broadcom Inc. corporate affiliate that owns
# the software below. This work is licensed under the OpenAFC Project License,
# a copy of which is included with this software program
#

http {
    log_format short_fmt '[$time_local] $request_time $upstream_response_time';
    log_format error_fmt '[$time_local] $remote_addr - $ssl_client_s_dn - $remote_user - $request_uri - $uri';
    access_log  /dev/stdout  error_fmt;
    error_log  /dev/stdout debug;


    upstream msghnd {
        # use hash algo to capture complete client address
        hash $binary_remote_addr consistent;
        server ${AFC_MSGHND_NAME}:${AFC_MSGHND_PORT};
        # idle connections preserved in the cache of each worker
        keepalive  32;
    }

    upstream webui {
        # use hash algo to capture complete client address
        hash $binary_remote_addr consistent;
        server ${AFC_WEBUI_NAME}:${AFC_WEBUI_PORT};
        # idle connections preserved in the cache of each worker
        keepalive  32;
    }

    map $scheme:$afc_https_enforce $should_redirect {
        http:TRUE 1;
        default 0;
    }

    server {
        listen 80;
        listen [::]:80 ipv6only=on;
        listen 443 ssl;
        listen [::]:443 ipv6only=on ssl;

        server_name ${AFC_SERVER_NAME};
        
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_certificate /certificates/servers/server.cert.pem;
        ssl_certificate_key /certificates/servers/server.key.pem;

        ssl_client_certificate /etc/nginx/certs/client.bundle.pem;
        ssl_verify_client optional;
        ssl_verify_depth 10;

        #ssl_stapling on;
        #ssl_stapling_verify on;

        # ignoring attempts to establish a session with a client that requests a wrong host name
        set $reject_request 0;
        set $afc_server_name ${AFC_SERVER_NAME};

        if ($host != $server_name) {
            set $reject_request 1;
        }
        # ... but not in case of a wildcard
        if ($afc_server_name = "_") {
            set $reject_request 0;
        }
        # we won't return any response to the client in case of rejection, just close the connection
        if ($reject_request) {
            return 444;
        }
        
        # To enforce check HTTPS set AFC_ENFORCE_HTTPS to the value "true"
        set $afc_https_enforce ${AFC_ENFORCE_HTTPS};
        # To enforce check mTLS set AFC_ENFORCE_MTLS to the value "true"
        # otherwise it is optional
        set $afc_mtls_status ${AFC_ENFORCE_MTLS};

        if ($should_redirect = 1) {
            return 301 https://$host$request_uri;
        }

        set $afc_mtls_enforce ${AFC_ENFORCE_MTLS};

        location /fbrat/ap-afc/availableSpectrumInquirySec {
           #if ($ssl_client_verify != SUCCESS) {
           #    return 403;
           #}
            # disable buffering for latency
            proxy_buffering off;
            # response to a request
            proxy_read_timeout ${AFC_PROXY_CONN_TOUT};
            # establish a connection with a proxied server
            proxy_connect_timeout 720;
            # transmit a request to a proxied server
            proxy_send_timeout 720;
            sendfile on;
            proxy_bind $server_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://webui;
            proxy_redirect http:// $scheme://;
            # keep connections open by changing it's header
            proxy_http_version 1.1;
            proxy_set_header   "Connection" "";
        }

        location /fbrat/ap-afc/availableSpectrumInquiry {
            if ($ssl_client_verify != SUCCESS) {
                set $afc_mtls_status "${afc_mtls_status}_false";
            }
            # check if mtls is enforced and ssl_client_verify is not success
            if ($afc_mtls_status = true_false) {
                return 403;
            }
            # disable buffering for latency
            proxy_buffering off;
            # response to a request
            proxy_read_timeout ${AFC_PROXY_CONN_TOUT};
            # establish a connection with a proxied server
            proxy_connect_timeout 720;
            # transmit a request to a proxied server
            proxy_send_timeout 720;
            proxy_pass http://msghnd$uri$is_args$args;
            # keep connections open by changing it's header
            proxy_http_version 1.1;
            proxy_set_header   "Connection" "";
            access_log off;
            log_not_found off;
        }

        # forbid internal tests
        location /fbrat/ap-afc/availableSpectrumInquiryInternal {
            return 403;
        }

        # forbid webdav methods other than GET
        location /fbrat/ratapi/v1/files {
            limit_except GET { deny  all; }
            sendfile on;
            proxy_bind $server_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://webui;
            proxy_redirect http:// $scheme://;
        }

        # forbid internal request
        location /fbrat/ratapi/v1/GetAfcConfigByRulesetID {
            return 403;
        }

        # forbid internal request
        location /fbrat/ratapi/v1/GetRulesetIDs {
            return 403;
        }

        location / {
            if ($request_uri = "/") {
                return 301 $scheme://$http_host/fbrat;
            }
            sendfile on;
            proxy_bind $server_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://webui;
            proxy_redirect http:// $scheme://;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504;
        #error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
        #    root   /usr/share/nginx/html;
        #}

        error_page 403 /403.html;
        location /403.html {
            access_log /dev/stdout error_fmt;
        }
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Content-Security-Policy  "script-src 'self' 'unsafe-eval' https://maps.googleapis.com https://code.jquery.com https://netdna.bootstrapcdn.com/bootstrap https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self' https://fonts.googleapis.com https://netdna.bootstrapcdn.com https://www.gstatic.com/recaptcha/ 'unsafe-inline'";
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Permissions-Policy "geolocation=(self), microphone=(), camera=(), speaker=(), vibrate=(), payment=(), fullscreen=(self), sync-xhr=(), magnetometer=(), gyroscope=(), accelerometer=(), usb=(), autoplay=(), midi=(), encrypted-media=(), vr=(), xr-spatial-tracking=()";
        add_header Feature-Policy "geolocation 'self'; microphone 'none'; camera 'none'; speaker 'none'; vibrate 'none'; payment 'none'; fullscreen 'self'; sync-xhr 'none'; magnetometer 'none'; gyroscope 'none'; accelerometer 'none'; usb 'none'; autoplay 'none'; midi 'none'; encrypted-media 'self'; vr 'none'; xr-spatial-tracking 'none';";
   }

    # only for healthcheck
    server {
        listen 127.0.0.1:80;

        location /fbrat/ap-afc/healthy {
            return 200 "OK";
        }

    }

    # Source data for NginxExporter (generator of Nginx Prometheus metrics)
    server {
        listen 8080;
        location /stub_status {
            stub_status;
        }
    }

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile       on;
    tcp_nopush     on;

    keepalive_timeout  180;
    server_tokens off;
}