Redirect dari server lain
#nano /etc/nginx/conf.d/example.yoniys.com.conf
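# TLS-terminating reverse proxy for example.yoniys.com: accepts HTTPS on 443
# and forwards every request to a single backend over plain HTTP.
server {
    listen 443 ssl;
    server_name example.yoniys.com;

    access_log /var/log/nginx/example.yoniys.com.access.log;
    error_log  /var/log/nginx/example.yoniys.com.error.log;

    # Certificate and private key are kept under the /ssl directory.
    # The key directive must sit on its own line: if it is left behind the
    # trailing comment it is parsed as part of that comment.
    ssl_certificate     /ssl/example.yoniys.com_ecc/example.yoniys.com.cer;
    ssl_certificate_key /ssl/example.yoniys.com_ecc/example.yoniys.com.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are routinely reported in
    # penetration tests, so only TLS 1.2 is offered here. Append TLSv1.3 once
    # the installed nginx/OpenSSL build is confirmed to support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # OCSP stapling.
    # NOTE(review): verification needs the issuer certificate. If the .cer
    # above holds only the leaf, add ssl_trusted_certificate with the CA chain.
    # A resolver directive is also needed to look up the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend must trust only the last entry (the one
        # added by this proxy) when it derives the client address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Has no effect while the upstream below is plain http://. If the
        # upstream is ever switched to https://, turn verification on and set
        # proxy_ssl_trusted_certificate rather than leaving it off.
        proxy_ssl_verify off;

        # Points at the server where the service listens on port 9000.
        # The hop is unencrypted, so keep it on a trusted network segment.
        proxy_pass http://192.168.5.234:9000;
        #proxy_pass xxx;
        proxy_http_version 1.1;
    }
}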
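# Plain-HTTP listener for example.yoniys.com: serves no content and only
# redirects every request to the HTTPS site.
server {
    listen 80;
    server_name example.yoniys.com;

    # Redirect to the fixed canonical name rather than $host. If this block
    # ends up as the default server for port 80, $host would echo whatever
    # Host header the client supplied into the Location header.
    return 301 https://example.yoniys.com$request_uri;
}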
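# Derive the Connection header sent upstream from the client's Upgrade header:
# "Upgrade" when the client asked for a protocol switch (e.g. WebSocket),
# "close" when the Upgrade header is empty.
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

# Kubernetes backends. Fill in the cluster node IPs (usually the master IPs);
# the port is the NodePort configured on the Kubernetes Service.
upstream yoniyscom {
    server 172.16.1.12:31733;
    server 172.16.1.13:31733;
    server 172.16.1.14:31733;
}

# HTTPS front end for yoniys.com and all of its subdomains, proxied to the
# Kubernetes upstream above.
server {
    listen 443 ssl http2;

    # The regex is anchored with "$" so that only hosts ending in .yoniys.com
    # match. Without the anchor a name such as "a.yoniys.com.<other-domain>"
    # would also be accepted by this server block.
    server_name ~^(?<subdomain>.+)\.yoniys\.com$ yoniys.com;

    access_log /var/log/nginx/yoniys.com.access.log;
    error_log  /var/log/nginx/yoniys.com.error.log;

    ssl_certificate     /etc/nginx/ssl/star-yoniys.com/yoniys.com.cert;
    ssl_certificate_key /etc/nginx/ssl/star-yoniys.com/yoniys.com.key;

    # Pentest finding: TLS 1.0 and 1.1 are deprecated (RFC 8996), so only
    # TLS 1.2 is offered. Append TLSv1.3 once the installed nginx/OpenSSL
    # build is confirmed to support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # NOTE(review): with ssl_ciphers commented out, nginx falls back to its
    # built-in default cipher list. Confirm that list satisfies the finding.
    #ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    # Enable OCSP stapling; the chain file lets nginx verify the response.
    # A resolver directive is also needed to look up the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/star-yoniys.com/yoniys.com.chain;

    # Improvement carried over from the NGINX development server.
    # SSL session cache
    ssl_session_cache shared:TLS:2m;
    ssl_buffer_size 4k;

    # HSTS
    # Instructs browsers to enforce secure connections.
    # NOTE(review): left disabled as in the original. Enable it only once
    # every host served under this certificate is reachable over HTTPS.
    #add_header Strict-Transport-Security "max-age=63072000" always;

    # Prevents the webpage from being embedded in frames from other domains.
    #add_header X-Frame-Options SAMEORIGIN;
    # Prevents browsers from interpreting files as a different MIME type than
    # declared by the server.
    #add_header X-Content-Type-Options nosniff;
    # Enables the browser's Cross-Site Scripting (XSS) filter.
    # NOTE(review): current browsers have dropped this filter, so a
    # Content-Security-Policy is the effective control.
    #add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so backends must trust only the last entry (the one
        # added by this proxy) when they derive the client address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Has no effect while the upstream is plain http://. If the upstream
        # is ever switched to https://, turn verification on instead.
        proxy_ssl_verify off;

        # The hop to the cluster nodes is unencrypted, so keep it on a
        # trusted network segment.
        proxy_pass http://yoniyscom;
        proxy_http_version 1.1;
        proxy_request_buffering off;

        # WebSocket / protocol-upgrade pass-through (see the map above).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # This allows the execute shell window to remain open for up to
        # 15 minutes. Without this parameter, the default is 1 minute and
        # the window will close automatically.
        proxy_read_timeout 900s;

        #client_max_body_size 100M;
        #post_max_size 30M;
        #upload_max_filesize 30M;
        #memory_limit 30M;
        #proxy_cache PROXYCACHE;
        #proxy_cache_valid 200 15m;
        #proxy_cache_valid 404 2m;
    }
}

# Plain-HTTP listener for the same names: only redirects to HTTPS.
server {
    listen 80;

    # Anchored with "$" for the same reason as in the HTTPS block. It matters
    # more here because $host is copied into the redirect target below.
    server_name ~^(?<subdomain>.+)\.yoniys\.com$ yoniys.com;

    # Redirects both www and non-www to https.
    # NOTE(review): if this block is the default server for port 80, requests
    # with an unmatched Host still land here and $host echoes that value.
    # A separate catch-all default_server that rejects unknown hosts avoids it.
    return 301 https://$host$request_uri;
}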