Mainflux.mainflux/docker/nginx.conf

###
# Mainflux NGINX Conf
#
# Taken for /etc/nginx/nginx.conf on Debian machine
# and https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/nginx.conf
###

##
# User:
# - 'www-data' on Debian
# - 'nginx' on Alpine
##
#user www-data;
user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

###
# HTTP
###
http {

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Virtual Host Configs
    ##

    # HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # SSL configuration
        #
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        # Certificates
        ssl_certificate /etc/ssl/certs/mainflux-server.crt;
        ssl_certificate_key /etc/ssl/private/mainflux-server.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;


        # from https://cipherli.st/
        # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        ssl_stapling off;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        # Disable preloading HSTS for now.  You can use the commented out header line that includes
        # the "preload" directive if you understand the implications.
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Access-Control-Allow-Origin '*';
        add_header Access-Control-Allow-Methods '*';
        add_header Access-Control-Allow-Headers "*";

        server_name localhost;

        # Proxy pass to users service
        location ~ ^/(users|tokens) {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://users:8180;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }

        # Proxy pass to things service
        location ~ ^/(things|channels) {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Access-Control-Expose-Headers Location;
            proxy_pass https://things:8182;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }

        location /version {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://things:8182;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }

        # Proxy pass to mainflux-http-adapter
        location /http/ {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://http-adapter:8185/;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }

        # Proxy pass to mainflux-ws-adapter
        location /ws/ {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_connect_timeout 7d;
            proxy_send_timeout 7d;
            proxy_read_timeout 7d;
            proxy_pass http://ws-adapter:8186/;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }

        # Proxy pass to mainflux-mqtt-adapter
        location /mqtt {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_connect_timeout 7d;
            proxy_send_timeout 7d;
            proxy_read_timeout 7d;
            proxy_pass http://mqtt-adapter:8880/;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }

        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://dashflux:3000/;

            # Allow OPTIONS method CORS
            if ($request_method = OPTIONS ) {
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                return 200;
            }
        }
    }
}

# MQTT
stream {
    # MQTT
    server {
        listen 8883 ssl;
        listen [::]:8883 ssl;

        # Certificates
        ssl_certificate /etc/ssl/certs/mainflux-server.crt;
        ssl_certificate_key /etc/ssl/private/mainflux-server.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;


        # from https://cipherli.st/
        # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_tickets off;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        proxy_pass mqtt-adapter:1883;
    }
}