diff --git a/controllers/nginx/pkg/cmd/controller/metrics.go b/controllers/nginx/pkg/cmd/controller/metrics.go index 86fa3ce2e..d4c76fa27 100644 --- a/controllers/nginx/pkg/cmd/controller/metrics.go +++ b/controllers/nginx/pkg/cmd/controller/metrics.go @@ -42,17 +42,23 @@ func (em exeMatcher) MatchAndName(nacl common.NameAndCmdline) (bool, string) { } func (n *NGINXController) setupMonitor(args []string) { - var enableVts = true // TODO fix true - pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, enableVts) + pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, false) if err != nil { - glog.Fatalf("unexpected error registering nginx collector: %v", err) + glog.Warningf("unexpected error registering nginx collector: %v", err) } + n.namedProcessCollector = pc + err = prometheus.Register(pc) if err != nil { glog.Warningf("unexpected error registering nginx collector: %v", err) } + +} + +func (n *NGINXController) reloadMonitor(enableVts *bool) { + n.namedProcessCollector.vtsCollector = enableVts } var ( @@ -225,7 +231,7 @@ type ( scrapeChan chan scrapeRequest *proc.Grouper fs *proc.FS - vtsCollector bool + vtsCollector *bool } ) @@ -234,21 +240,21 @@ func newProcessCollector( n common.MatchNamer, vtsCollector bool) (*namedProcessCollector, error) { - fs, err := proc.NewFS("/proc") - if err != nil { - return nil, err - } + //fs, err := proc.NewFS("/proc") + //if err != nil { + // return nil, err + //} p := &namedProcessCollector{ scrapeChan: make(chan scrapeRequest), Grouper: proc.NewGrouper(children, n), - fs: fs, - vtsCollector: vtsCollector, + //fs: fs, + vtsCollector: &vtsCollector, } - _, err = p.Update(p.fs.AllProcs()) - if err != nil { - return nil, err - } + //_, err = p.Update(p.fs.AllProcs()) + //if err != nil { + // return nil, err + //} go p.start() 
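Review bot: `n.namedProcessCollector = pc` in setupMonitor is assigned even when `newProcessCollector` returned an error, and since the `glog.Fatalf` became a `glog.Warningf` that path no longer exits, so a nil collector can reach the new `reloadMonitor`, whose `n.namedProcessCollector.vtsCollector = enableVts` would then panic on the first reload. Return after the warning, `if err != nil { glog.Warningf(...); return }`, or guard the setter with `if n.namedProcessCollector == nil { return }`. The constructor is also now called with a hard-coded `false` where the old code passed `enableVts`, so VTS metrics stay off until the first `Reload`; a comment such as `// VTS flag is populated from the configmap on reload` would make that intentional rather than accidental. The two error branches log the identical message, which makes it impossible to tell from the log which step failed.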
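Review bot: The `/proc` setup and the initial `p.Update(p.fs.AllProcs())` call in newProcessCollector are commented out with `//` instead of being removed, so the `fs` field of `namedProcessCollector` is now always nil while still declared; any other method that reads `p.fs` (none is visible in this hunk) will dereference nil, and the constructor's `error` result can no longer be non-nil even though callers still check it. Either delete the dead lines (history keeps them) or keep the process scan behind an explicit option rather than leaving commented-out code in the constructor. `vtsCollector: &vtsCollector` stores the address of the constructor's own parameter; that works, but the pointer is replaced wholesale by `reloadMonitor` on the next reload, so the initial value only matters until then. newProcessCollector's signature starts before this hunk.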
@@ -266,7 +272,7 @@ func (p *namedProcessCollector) Describe(ch chan<- *prometheus.Desc) { ch <- memVirtualbytesDesc ch <- startTimeDesc - if p.vtsCollector { + if p.vtsCollector == true { ch <- vtsBytesDesc ch <- vtsCacheDesc @@ -306,7 +312,7 @@ func (p *namedProcessCollector) start() { ch := req.results p.scrapeNginxStatus(ch) - if p.vtsCollector { + if &p.vtsCollector { p.scrapeVts(ch) } diff --git a/controllers/nginx/pkg/cmd/controller/nginx.go b/controllers/nginx/pkg/cmd/controller/nginx.go index 600638c35..61c6a5191 100644 --- a/controllers/nginx/pkg/cmd/controller/nginx.go +++ b/controllers/nginx/pkg/cmd/controller/nginx.go @@ -108,6 +108,8 @@ type NGINXController struct { storeLister ingress.StoreLister binary string + + namedProcessCollector *namedProcessCollector } // Start start a new NGINX master process running in foreground. @@ -168,16 +170,21 @@ func (n *NGINXController) start(cmd *exec.Cmd, done chan error) { // Reload checks if the running configuration file is different // to the specified and reload nginx if required func (n NGINXController) Reload(data []byte) ([]byte, bool, error) { - if !n.isReloadRequired(data) { - return []byte("Reload not required"), false, nil - } + //if !n.isReloadRequired(data) { + // return []byte("Reload not required"), false, nil + //} + + cfg := ngx_template.ReadConfig(n.configmap.Data) err := ioutil.WriteFile(cfgPath, data, 0644) if err != nil { return nil, false, err } + n.reloadMonitor(&cfg.EnableVtsStatus) + o, e := exec.Command(n.binary, "-s", "reload").CombinedOutput() + return o, true, e } diff --git a/controllers/nginx/rootfs/etc/nginx/nginx.conf b/controllers/nginx/rootfs/etc/nginx/nginx.conf index bb36624ce..1b6ed9abe 100644 --- a/controllers/nginx/rootfs/etc/nginx/nginx.conf +++ b/controllers/nginx/rootfs/etc/nginx/nginx.conf 
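Review bot: `if p.vtsCollector == true` in Describe compares a `*bool` with a boolean constant, which is a type mismatch now that the field is a pointer and will not compile; `if &p.vtsCollector {` in the start hunk below has the same problem, using the address of the field as a condition. Both sites need a nil-checked dereference, `if p.vtsCollector != nil && *p.vtsCollector {`. Beyond the compile error, the pointer is swapped by `reloadMonitor` from the reload path while `start` reads it inside its own goroutine (`go p.start()` in the constructor), with no lock or atomic around either access, so the flag needs a mutex or `sync/atomic` rather than a bare pointer replacement. Both Describe and start continue outside their hunks.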
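Review bot: Commenting out the `isReloadRequired` guard in Reload means every call now rewrites `cfgPath` and runs `nginx -s reload` even when the rendered configuration is identical, while still reporting `true` for "reloaded"; if this is temporary debugging it should be restored before merge, otherwise the doc comment above the function ("reload nginx if required") no longer describes what it does. `n.reloadMonitor(&cfg.EnableVtsStatus)` hands the collector a pointer into the local `cfg` built on this call, which the collector goroutine then reads without synchronization; passing the value, `n.reloadMonitor(cfg.EnableVtsStatus)`, into a guarded field avoids both the aliasing and the race. The flag is also flipped before `nginx -s reload` runs and regardless of its outcome, so moving the call after a successful reload keeps the VTS scrape from running against a configuration that does not yet expose the status endpoint. Whether `ngx_template.ReadConfig` tolerates a nil `n.configmap` is not visible here, but `Reload` previously did not touch the configmap at all, so that is a new failure mode on this path.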
@@ -1,6 +1,2726 @@ -# A very simple nginx configuration file that forces nginx to start. + +daemon off; + +worker_processes 4; pid /run/nginx.pid; -events {} -http {} -daemon off; \ No newline at end of file +worker_rlimit_nofile 2305843009213692927; +events { + multi_accept on; + worker_connections 16384; +} + +http { + real_ip_header X-Forwarded-For; + set_real_ip_from 0.0.0.0/0; + + real_ip_recursive on; + + geoip_country /etc/nginx/GeoIP.dat; + geoip_city /etc/nginx/GeoLiteCity.dat; + geoip_proxy_recursive on; + + # + + # lua section to return proper error codes when custom pages are used + #lua_package_path '.?.lua;./etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/lua-resty-http/lib/?.lua;'; + #init_by_lua_block { + # require("error_page") + #} + + sendfile on; + #aio threads; + tcp_nopush on; + tcp_nodelay on; + + log_subrequest on; + + reset_timedout_connection on; + + keepalive_timeout 75s; + + client_header_buffer_size 1k; + large_client_header_buffers 4 8k; + + types_hash_max_size 2048; + server_names_hash_max_size 1024; + server_names_hash_bucket_size 64; + map_hash_bucket_size 64; + + include /etc/nginx/mime.types; + default_type text/html; + gzip on; + gzip_comp_level 5; + gzip_http_version 1.1; + gzip_min_length 256; + gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; + gzip_proxied any; + + server_tokens on; + + log_format upstreaminfo '$remote_addr - ' + '[$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" ' + '$request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status'; + + map $request_uri $loggable { + default 1; + } + + access_log 
/var/log/nginx/access.log upstreaminfo if=$loggable; + error_log /var/log/nginx/error.log debug; + + resolver 10.52.0.10 valid=30s; + + # Retain the default nginx handling of requests without a "Connection" header + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + # trust http_x_forwarded_proto headers correctly indicate ssl offloading + map $http_x_forwarded_proto $pass_access_scheme { + default $http_x_forwarded_proto; + '' $scheme; + } + + map $http_x_forwarded_port $pass_server_port { + default $http_x_forwarded_port; + '' $server_port; + } + + # map port 442 to 443 for header X-Forwarded-Port + map $pass_server_port $pass_port { + 442 443; + default $pass_server_port; + } + + # Map a response error watching the header Content-Type + map $http_accept $httpAccept { + default html; + application/json json; + application/xml xml; + text/plain text; + } + + map $httpAccept $httpReturnType { + default text/html; + json application/json; + xml application/xml; + text text/plain; + } + + server_name_in_redirect off; + port_in_redirect off; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + # turn on session caching to drastically improve performance + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_session_timeout 10m; + + # allow configuring ssl session tickets + ssl_session_tickets on; + + # slightly reduce the time-to-first-byte + ssl_buffer_size 4k; + + # allow configuring custom ssl ciphers + ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + + # In case of errors try the next upstream server before returning an error + proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; + + upstream staging-auditlogs-80 { + least_conn; + server 10.51.77.7:20081 max_fails=0 fail_timeout=0; + } + upstream staging-authbox-80 { + least_conn; + server 10.51.36.10:3000 max_fails=0 fail_timeout=0; + server 10.51.99.4:3000 max_fails=0 fail_timeout=0; + } + upstream staging-authorizationmanager-80 { + least_conn; + server 10.51.72.6:3000 max_fails=0 fail_timeout=0; + server 10.51.77.17:3000 max_fails=0 fail_timeout=0; + } + upstream staging-backoffice-80 { + least_conn; + server 10.51.46.9:3000 max_fails=0 fail_timeout=0; + server 10.51.99.14:3000 max_fails=0 fail_timeout=0; + } + upstream staging-companymanager-80 { + least_conn; + server 10.51.36.8:3000 max_fails=0 fail_timeout=0; + server 10.51.46.7:3000 max_fails=0 fail_timeout=0; + } + upstream staging-default-http-backend-80 { + least_conn; + server 10.51.72.12:8080 max_fails=0 fail_timeout=0; + server 10.51.77.6:8080 max_fails=0 fail_timeout=0; + } + upstream staging-eid-80 { + least_conn; + server 10.51.104.9:3000 max_fails=0 fail_timeout=0; + server 10.51.72.15:3000 max_fails=0 fail_timeout=0; + } + 
upstream staging-esign2-80 { + least_conn; + server 10.51.22.3:3000 max_fails=0 fail_timeout=0; + } + upstream staging-evidencemanager-80 { + least_conn; + server 10.51.22.5:3000 max_fails=0 fail_timeout=0; + server 10.51.36.6:3000 max_fails=0 fail_timeout=0; + } + upstream staging-gateway-80 { + least_conn; + server 10.51.42.9:3000 max_fails=0 fail_timeout=0; + server 10.51.77.21:3000 max_fails=0 fail_timeout=0; + } + upstream staging-idin-80 { + least_conn; + server 10.51.46.3:3000 max_fails=0 fail_timeout=0; + server 10.51.99.12:3000 max_fails=0 fail_timeout=0; + } + upstream staging-idscan-80 { + least_conn; + server 127.0.0.1:8181 max_fails=0 fail_timeout=0; + } + upstream staging-invoicemanager-80 { + least_conn; + server 10.51.36.11:3000 max_fails=0 fail_timeout=0; + server 10.51.99.10:3000 max_fails=0 fail_timeout=0; + } + upstream staging-mockphone-80 { + least_conn; + server 10.51.72.13:3000 max_fails=0 fail_timeout=0; + server 10.51.77.22:3000 max_fails=0 fail_timeout=0; + } + upstream staging-mydigidentity-80 { + least_conn; + server 10.51.56.7:3000 max_fails=0 fail_timeout=0; + server 10.51.99.5:3000 max_fails=0 fail_timeout=0; + } + upstream staging-profilemanager-80 { + least_conn; + server 10.51.104.8:3000 max_fails=0 fail_timeout=0; + server 10.51.46.10:3000 max_fails=0 fail_timeout=0; + } + upstream staging-selfserviceportal-80 { + least_conn; + server 10.51.72.3:3000 max_fails=0 fail_timeout=0; + server 10.51.77.3:3000 max_fails=0 fail_timeout=0; + } + upstream staging-serviceprovider-80 { + least_conn; + server 10.51.104.3:3000 max_fails=0 fail_timeout=0; + server 10.51.72.16:3000 max_fails=0 fail_timeout=0; + } + upstream staging-smartcardmanager-80 { + least_conn; + server 10.51.77.7:20080 max_fails=0 fail_timeout=0; + } + upstream staging-sppp-80 { + least_conn; + server 10.51.42.11:3000 max_fails=0 fail_timeout=0; + server 10.51.46.6:3000 max_fails=0 fail_timeout=0; + } + upstream upstream-default-backend { + least_conn; + server 
127.0.0.1:8181 max_fails=0 fail_timeout=0; + } + server { + server_name _; + listen [::]:8080 ipv6only=off default_server reuseport backlog=511; + listen 8442 default_server reuseport backlog=511 ssl ; + # PEM sha: b23676658d28c219471e2200501312d7d188404c + ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; + ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; + + # + + location / { + set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + # health checks in cloud providers require the use of port 80 + location /healthz { + access_log off; + return 200; + } + + # this is required to avoid error if nginx is being monitored + # with an external software (like sysdig) + location /nginx_status { + allow 127.0.0.1; + allow ::1; + deny all; + + access_log off; + #stub_status on; + } + } + + server { + server_name audit-logs.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key 
/ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + + # + + location / { + set $proxy_upstream_name "staging-auditlogs-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-auditlogs-80; + } + + } + + server { + server_name auth.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 92115ea63b369c26de6da3154618a1c042a294d8 + ssl_certificate /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; + + # + + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 
82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header 
X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "staging-authbox-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authbox-80; + } + + } + + server { + server_name backoffice.digidentity-staging.eu; + listen 
[::]:8080; + listen 8442 ssl ; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + + # + + location / { + set $proxy_upstream_name "staging-backoffice-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-backoffice-80; + } + + } + + server { + server_name be.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: b23676658d28c219471e2200501312d7d188404c + ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; + ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; + + # + + location /profiles { + set $proxy_upstream_name 
"staging-profilemanager-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-profilemanager-80; + } + location /invoices { + set $proxy_upstream_name "staging-invoicemanager-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size 
"1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-invoicemanager-80; + } + location /idscan { + set $proxy_upstream_name "staging-idscan-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + 
proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-idscan-80; + } + location /evidences { + set $proxy_upstream_name "staging-evidencemanager-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-evidencemanager-80; + } + location /companies { + set $proxy_upstream_name "staging-companymanager-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 
82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-companymanager-80; + } + location /authorizations { + set $proxy_upstream_name "staging-authorizationmanager-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 
$connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authorizationmanager-80; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name cauth2.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: b23676658d28c219471e2200501312d7d188404c + ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; + ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; + + # + + location /health-check { + set $proxy_upstream_name 
"staging-default-http-backend-80"; + + #Location denied, reason: an empty string is not a valid secret name + return 503; + } + location / { + set $proxy_upstream_name "staging-authbox-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authbox-80; + } + + } + + server { + server_name cdn.auth.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 68caaa6d34f7d66875adb214e4c4a41ab2163c01 + ssl_certificate /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; + + # + + location / { + set $proxy_upstream_name "staging-authbox-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 
77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authbox-80; + } + + } + + server { + server_name cdn.my.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: ccc3acf6b424b944785e6b685394db7c0409abb3 + ssl_certificate /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; + + # + + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = 
http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + 
proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "staging-mydigidentity-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-mydigidentity-80; + } + + } + + server { + server_name eid.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: a342af52002527fa15e351d8dae40e1cf79318a3 + ssl_certificate /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; + ssl_certificate_key 
/ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; + + # + + location / { + set $proxy_upstream_name "staging-eid-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-eid-80; + } + + } + + server { + server_name esign2.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 0701c2076c52e17e64b7b8928f22483d04e7b937 + ssl_certificate /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; + + # + + location / { + set $proxy_upstream_name "staging-esign2-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 90.145.204.64/26; + 
allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-esign2-80; + } + + } + + server { + server_name gate.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 381a5918528e4b3a4660755ef9ad39f655ec0dea + ssl_certificate /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; + + # + + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + 
+ # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + 
proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "staging-gateway-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-gateway-80; + } + + } + + server { + server_name gateway.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: ac978850271a8aaffd3c27ab39283d7b888f6357 + ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; + + # + + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 
213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 
$connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name idin.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: ac978850271a8aaffd3c27ab39283d7b888f6357 + ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; + + # + + location /health-check { + set 
$proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header 
Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "staging-idin-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + 
proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-idin-80; + } + + } + + server { + server_name mock.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + + # + + location /serviceprovider { + set $proxy_upstream_name "staging-serviceprovider-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-serviceprovider-80; + } + location /phone { + set $proxy_upstream_name "staging-mockphone-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 
62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-mockphone-80; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + 
proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name my.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: 8750503f72e9e522ea87d0d7bfb39c12832abe40 + ssl_certificate /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; + + # + + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 
52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "staging-mydigidentity-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade 
$http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 5s; + proxy_send_timeout 60s; + proxy_read_timeout 60s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-mydigidentity-80; + } + + } + + server { + server_name selfserviceportal.digidentity-staging.eu; + listen [::]:8080; + listen 8442 ssl ; + # PEM sha: b23676658d28c219471e2200501312d7d188404c + ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; + ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; + + # + + location / { + set $proxy_upstream_name "staging-selfserviceportal-80"; + + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + + port_in_redirect off; + # enforce ssl on server side + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + 
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ # mitigate HTTPoxy Vulnerability
+ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ proxy_set_header Proxy "";
+
+ # Custom headers
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_buffer_size "4k";
+
+ proxy_http_version 1.1;
+ proxy_pass http://staging-selfserviceportal-80;
+ }
+
+ }
+
+ server {
+ server_name serviceprovider.digidentity-staging.eu;
+ listen [::]:8080;
+ listen 8442 ssl ;
+ # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429
+ ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem;
+ ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem;
+
+ #
+
+ location / {
+ set $proxy_upstream_name "staging-serviceprovider-80";
+
+ allow 213.125.23.194/32;
+ allow 52.18.61.164/32;
+ allow 77.250.52.167/32;
+ allow 83.85.75.129/32;
+ allow 84.104.29.40/32;
+ deny all;
+
+ port_in_redirect off;
+ # enforce ssl on server side
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+
+ client_max_body_size "1m";
+
+ proxy_set_header Host $host;
+
+ # Pass Real IP
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Allow websocket connections
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $pass_port;
+ proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ # mitigate HTTPoxy Vulnerability
+ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ proxy_set_header Proxy "";
+
+ # Custom headers
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_buffer_size "4k";
+
+ proxy_http_version 1.1;
+ proxy_pass http://staging-serviceprovider-80;
+ }
+
+ }
+
+ server {
+ server_name smartcards.digidentity-staging.eu;
+ listen [::]:8080;
+ listen 8442 ssl ;
+ # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca
+ ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem;
+ ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem;
+
+ #
+
+ location / {
+ set $proxy_upstream_name "staging-smartcardmanager-80";
+
+ allow 213.125.23.194/32;
+ allow 52.18.61.164/32;
+ allow 52.212.176.193/32;
+ allow 62.45.127.65/32;
+ allow 77.250.52.167/32;
+ allow 82.161.109.153/32;
+ allow 83.85.75.129/32;
+ allow 83.86.83.47/32;
+ allow 84.104.29.40/32;
+ allow 90.145.204.64/26;
+ allow 94.208.108.253/32;
+ deny all;
+
+ port_in_redirect off;
+ # enforce ssl on server side
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+
+ client_max_body_size "1m";
+
+ proxy_set_header Host $host;
+
+ # Pass Real IP
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Allow websocket connections
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $pass_port;
+ proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ # mitigate HTTPoxy Vulnerability
+ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ proxy_set_header Proxy "";
+
+ # Custom headers
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_buffer_size "4k";
+
+ proxy_http_version 1.1;
+ proxy_pass http://staging-smartcardmanager-80;
+ }
+
+ }
+
+ server {
+ server_name sns.digidentity-staging.eu;
+ listen [::]:8080;
+ listen 8442 ssl ;
+ # PEM sha: 7f4e396f628630573c27cb3883f0b2428a210378
+ ssl_certificate /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem;
+ ssl_certificate_key /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem;
+
+ #
+
+ location /invoices/api/v1/email_notifications {
+ set $proxy_upstream_name "staging-invoicemanager-80";
+ port_in_redirect off;
+ # enforce ssl on server side
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+
+ client_max_body_size "1m";
+
+ proxy_set_header Host $host;
+
+ # Pass Real IP
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Allow websocket connections
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $pass_port;
+ proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ # mitigate HTTPoxy Vulnerability
+ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ proxy_set_header Proxy "";
+
+ # Custom headers
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_buffer_size "4k";
+
+ proxy_http_version 1.1;
+ proxy_pass http://staging-invoicemanager-80;
+ }
+ location / {
+ set $proxy_upstream_name "upstream-default-backend";
+ port_in_redirect off;
+
+ client_max_body_size "1m";
+
+ proxy_set_header Host $host;
+
+ # Pass Real IP
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Allow websocket connections
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $pass_port;
+ proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ # mitigate HTTPoxy Vulnerability
+ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ proxy_set_header Proxy "";
+
+ # Custom headers
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_buffer_size "4k";
+
+ proxy_http_version 1.1;
+ proxy_pass http://upstream-default-backend;
+ }
+
+ }
+
+ server {
+ server_name sppp.digidentity-staging.eu;
+ listen [::]:8080;
+ listen 8442 ssl ;
+ # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429
+ ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem;
+ ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem;
+
+ #
+
+ location / {
+ set $proxy_upstream_name "staging-sppp-80";
+
+ allow 213.125.23.194/32;
+ allow 52.18.61.164/32;
+ allow 77.250.52.167/32;
+ allow 83.85.75.129/32;
+ allow 84.104.29.40/32;
+ deny all;
+
+ port_in_redirect off;
+ # enforce ssl on server side
+ if ($scheme = http) {
+ return 301 https://$host$request_uri;
+ }
+
+ client_max_body_size "1m";
+
+ proxy_set_header Host $host;
+
+ # Pass Real IP
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Allow websocket connections
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $pass_port;
+ proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+
+ # mitigate HTTPoxy Vulnerability
+ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
+ proxy_set_header Proxy "";
+
+ # Custom headers
+
+ proxy_connect_timeout 5s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_buffer_size "4k";
+
+ proxy_http_version 1.1;
+ proxy_pass http://staging-sppp-80;
+ }
+
+ }
+ # default server, used for NGINX healthcheck and access to nginx stats
+ server {
+ # Use the port 18080 (random value just to avoid known ports) as default port for nginx.
+ # Changing this value requires a change in:
+ # https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/nginx/command.go#L104
+ listen [::]:18080 ipv6only=off default_server reuseport backlog=511;
+
+ location /healthz {
+ access_log off;
+ return 200;
+ }
+
+ location /nginx_status {
+ proxy_pass http://localhost:18089;
+ #vhost_traffic_status_display;
+ #vhost_traffic_status_display_format html;
+ }
+
+ # this location is used to extract nginx metrics
+ # using prometheus.
+ # TODO: enable extraction for vts module.
+ location /internal_nginx_status {
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+
+ access_log off;
+ # stub_status on;
+ }
+
+ location / {
+ set $proxy_upstream_name "upstream-default-backend";
+ proxy_pass http://upstream-default-backend;
+ }
+
+ }
+
+ # default server for services without endpoints
+ server {
+ listen 8181;
+ set $proxy_upstream_name "-";
+
+ location / {
+
+ return 503;
+
+ }
+ }
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 9813bcd24..b9ff267fe 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -60,7 +60,7 @@ http {
 client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }};
 large_client_header_buffers {{ $cfg.LargeClientHeaderBuffers }};
-
+
 http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }};
 http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }};
diff --git a/images/nginx-slim/build.sh b/images/nginx-slim/build.sh
index 2236e1369..5238ccaec 100755
--- a/images/nginx-slim/build.sh
+++ b/images/nginx-slim/build.sh
@@ -19,7 +19,7 @@ set -e
 export NGINX_VERSION=1.11.10
 export NDK_VERSION=0.3.0
-export VTS_VERSION=0.1.11
+export VTS_VERSION=0.1.12
 export SETMISC_VERSION=0.31
 export LUA_VERSION=0.10.7
 export STICKY_SESSIONS_VERSION=08a395c66e42