default.conf
#user nobody;
#worker_processes 1;
#error_log /var/log/nginx/error.log warn;
#pid /var/run/nginx.pid;
#events {
# worker_connections 1024;
#}
#http {
# redirect all http traffic to https
server {
    # Plain-HTTP listener: serves no content, only sends a permanent redirect
    # to the HTTPS URL for the same host and request URI.
    server_name webportal.com www.webportal.com;
    listen 80;
    client_max_body_size 100m;

    # $host is derived from the request, so the redirect target follows
    # whatever name the client asked for.
    # NOTE(review): if this block also ends up as the default server for
    # port 80, a request with an arbitrary Host header is redirected to that
    # host; confirm whether a separate catch-all server should reject those.
    return 301 https://$host$request_uri;
}
upstream odoo8 {
    # Backend reached by "location /" and "location /web/static/" through
    # proxy_pass http://odoo8 (plain HTTP; TLS ends at nginx).
    server odoo:8069;
}
upstream odoo8-im {
    # Backend reached by "location /longpolling" through
    # proxy_pass http://odoo8-im (plain HTTP; TLS ends at nginx).
    server odoo:8072;
}
# Response headers set at the enclosing (http) level.
#
# Inheritance caveat: nginx passes add_header directives from this level only
# into blocks that declare no add_header of their own. A server or location
# block that sets any header (for example Strict-Transport-Security) must
# repeat the headers below, otherwise its responses carry none of them.
# Without the "always" parameter, add_header is also skipped on most error
# responses.

# Do not send the nginx version number in error pages and the Server header.
server_tokens off;
# Only allow pages to be framed by the same origin, to limit clickjacking:
# http://en.wikipedia.org/wiki/Clickjacking
# SAMEORIGIN still permits same-site [i]frames; DENY forbids framing entirely.
# ALLOW-FROM uri is obsolete in current browsers; the CSP frame-ancestors
# directive is the supported way to allow specific origins.
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# When serving user-supplied content, send X-Content-Type-Options: nosniff
# together with the Content-Type header so browsers do not guess a different
# content type from the body.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;
# Asks browsers that still ship a built-in reflected-XSS filter to enable it in
# blocking mode. Current browsers have removed this filter or never had one, so
# treat this header as legacy and rely on the Content-Security-Policy below.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# Content Security Policy (CSP): in a browser that supports it
# (http://caniuse.com/#feat=contentsecuritypolicy) content may only be loaded
# from the origins listed explicitly here.
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# script-src still carries 'unsafe-inline' and 'unsafe-eval' (and style-src
# 'unsafe-inline'), which leaves injected inline script executable; the
# application code has to stop using inline css/js before they can be removed.
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
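server {
    # HTTPS listener: terminates TLS and reverse-proxies to the odoo8 and
    # odoo8-im upstreams over plain HTTP.
    # NOTE(review): the hop to the backends is unencrypted; confirm it stays
    # on a private network.
    listen 443 ssl;
    server_name webportal.com www.webportal.com;
    client_max_body_size 100m;

    # The private key must be readable only by the account that starts nginx.
    ssl_certificate /etc/nginx/conf.d/ssl/crt.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/key.key;

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits.
    # While this stays commented out, the DHE-RSA-* suites below either use
    # built-in parameters or are not offered at all, depending on the nginx
    # version.
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # The server's cipher order wins over the client's.
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # SSLv3, TLS 1.0 and TLS 1.1 are all disabled: TLS 1.0/1.1 are formally
    # deprecated (RFC 8996). Add TLSv1.3 here once the installed nginx/OpenSSL
    # build accepts it.
    ssl_protocols TLSv1.2;

    # ciphers chosen for forward secrecy and compatibility
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    # The 3DES suites were dropped and !3DES added so the HIGH catch-all cannot
    # bring them back: 64-bit block ciphers are exposed to birthday-bound
    # (SWEET32) attacks on long-lived connections.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    # The resolver is used to look up the OCSP responder; a public resolver
    # means those lookups leave the network unauthenticated.
    # NOTE(review): OCSP responses are stapled without verification while
    # ssl_trusted_certificate stays commented out and ssl_stapling_verify is
    # not set; confirm whether that is intended.
    resolver 8.8.8.8;
    ssl_stapling on;
    #ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

    # Response headers for this server. Because this block declares its own
    # add_header (HSTS), nginx does not inherit the add_header directives set
    # at the enclosing level, so the hardening headers are repeated here to
    # make sure HTTPS responses actually carry them. Keep the values in sync
    # with the enclosing level, and do not add add_header inside a location
    # below without repeating the full set there as well.
    # Without the "always" parameter these headers are skipped on most error
    # responses.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # includeSubdomains applies the policy to every subdomain of the site for
    # a year; all of them must serve valid HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # ... the rest of your configuration
    #access_log /var/log/nginx/odoo.access.log;
    #error_log /var/log/nginx/odoo.error.log;

    location / {
        # A bare number is in seconds, so this is roughly 3.5 days.
        # NOTE(review): confirm that such a long read timeout is intended;
        # it lets a stalled backend hold connections open for that long.
        proxy_read_timeout 300000;
        proxy_pass http://odoo8;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        # set headers
        # X-Real-IP is the address nginx saw. X-Forwarded-For is the
        # client-supplied value with that address appended, so the backend
        # should trust only the last entry.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /longpolling {
        # Same forwarding rules as "location /", sent to the odoo8-im upstream.
        proxy_read_timeout 300000;
        proxy_pass http://odoo8-im;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Static assets: "expires" tells browsers to cache them for 864000 seconds
    # (10 days), which relieves the OpenERP web interface under heavy load.
    # NOTE(review): proxy_cache_valid only takes effect when a proxy_cache zone
    # is enabled, and none is visible in this file, so nginx itself is
    # presumably not caching these responses; confirm.
    location /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo8;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}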
#}