diff --git a/controllers/nginx/pkg/cmd/controller/metrics.go b/controllers/nginx/pkg/cmd/controller/metrics.go index c2b91d191..1496cecb2 100644 --- a/controllers/nginx/pkg/cmd/controller/metrics.go +++ b/controllers/nginx/pkg/cmd/controller/metrics.go @@ -28,45 +28,6 @@ import ( "strings" ) -type exeMatcher struct { - name string - args []string -} - -func (em exeMatcher) MatchAndName(nacl common.NameAndCmdline) (bool, string) { - if len(nacl.Cmdline) == 0 { - return false, "" - } - cmd := filepath.Base(nacl.Cmdline[0]) - return em.name == cmd, "" -} - -func (n *NGINXController) setupMonitor(args []string, vtsCollector *bool) { - - // TODO fix true - pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, vtsCollector) - if err != nil { - glog.Warningf("unexpected error registering nginx collector: %v", err) - } - n.namedProcessCollector = pc - - err = prometheus.Register(pc) - if err != nil { - glog.Warningf("unexpected error registering nginx collector: %v", err) - } - -} - -func (n *NGINXController) reloadMonitor(enableVts *bool) { - - if enableVts == nil { - falseVar := false - n.namedProcessCollector.vtsCollector = &falseVar - return - } - falseVar := true - n.namedProcessCollector.vtsCollector = &falseVar -} var ( // descriptions borrow from https://github.com/vozlt/nginx-module-vts 
@@ -228,6 +189,40 @@ var ( nil, nil) ) +type exeMatcher struct { + name string + args []string +} + +func (em exeMatcher) MatchAndName(nacl common.NameAndCmdline) (bool, string) { + if len(nacl.Cmdline) == 0 { + return false, "" + } + cmd := filepath.Base(nacl.Cmdline[0]) + return em.name == cmd, "" +} + +func (n *NGINXController) setupMonitor(args[] string, vtsCollector *bool) { + // TODO fix true + pc, err := newProcessCollector(true, exeMatcher{"nginx", args}, vtsCollector) + + if err != nil { + glog.Warningf("unexpected error registering nginx collector: %v", err) + } + + err = prometheus.Register(pc) + + if err != nil { + if err, ok := err.(prometheus.AlreadyRegisteredError); ok { + glog.Warningf("unexpected error registering nginx collector: %v", err) + }else{ + glog.Warningf("unexpected error registering nginx collector: %v", err) + } + } + +} + + type ( scrapeRequest struct { results chan<- prometheus.Metric @@ -252,13 +247,13 @@ func newProcessCollector( // return nil, err //} p := &namedProcessCollector{ - scrapeChan: make(chan scrapeRequest), - Grouper: proc.NewGrouper(children, n), + scrapeChan: make(chan scrapeRequest), + Grouper: proc.NewGrouper(children, n), //fs: fs, vtsCollector: vtsCollector, } - //_, err = p.Update(p.fs.AllProcs()) + //p.Update(p.fs.AllProcs()) //if err != nil { // return nil, err //} @@ -280,6 +275,7 @@ func (p *namedProcessCollector) Describe(ch chan<- *prometheus.Desc) { ch <- startTimeDesc if *p.vtsCollector { + glog.Info("registering vts describe") ch <- vtsBytesDesc ch <- vtsCacheDesc @@ -287,7 +283,6 @@ func (p *namedProcessCollector) Describe(ch chan<- *prometheus.Desc) { ch <- readBytesDesc ch <- vtsRequestDesc ch <- vtsResponseDesc - ch <- writeBytesDesc ch <- vtsUpstreamBackupDesc ch <- vtsUpstreamBytesDesc ch <- vtsUpstreamDownDesc 
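Review bot: The relocated setupMonitor no longer assigns `n.namedProcessCollector = pc`, which the removed version did, so the controller's reference to the collector is dropped, and `pc` is passed to prometheus.Register even when newProcessCollector returned an error. Returning after the first warning and restoring the assignment covers both: `if err != nil { glog.Warningf("unexpected error registering nginx collector: %v", err); return }` followed by `n.namedProcessCollector = pc`. The `prometheus.AlreadyRegisteredError` branch logs exactly the same message as the generic branch, so the type assertion currently changes nothing; if re-registration on reload is expected, the typed error's `ExistingCollector` field is the collector to keep, and `err, ok :=` should not shadow the outer `err`. `args[] string` is not gofmt output.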
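Review bot: Removing `ch <- writeBytesDesc` from the vts-only branch of Describe leaves its sibling `ch <- readBytesDesc` in that same branch (the context line between the cache and request descriptors), so the two process I/O descriptors are now advertised inconsistently; this applies to hunk @@ -287 as well as this one. Both appear to be process metrics rather than vts metrics, so `readBytesDesc` presumably belongs with the unconditional descriptors above the `if *p.vtsCollector` check, or out of Describe while scrapeProcs is disabled. The new `glog.Info("registering vts describe")` runs on every Describe call; if it is a debugging aid, `glog.V(2).Info("registering vts describe")` keeps it out of the default log.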
@@ -313,15 +308,13 @@ func (p *namedProcessCollector) Collect(ch chan<- prometheus.Metric) { func (p *namedProcessCollector) start() { - //glog.Warningf("OOO %v", p.configmap.Data) for req := range p.scrapeChan { ch := req.results p.scrapeNginxStatus(ch) + p.scrapeProcs(ch) + p.scrapeVts(ch) - if *p.vtsCollector { - p.scrapeVts(ch) - } req.done <- struct{}{} } @@ -334,7 +327,6 @@ func (p *namedProcessCollector) scrapeNginxStatus(ch chan<- prometheus.Metric) { return } - p.scrapeProcs(ch) ch <- prometheus.MustNewConstMetric(activeDesc, prometheus.GaugeValue, float64(s.Active)) @@ -355,6 +347,11 @@ func (p *namedProcessCollector) scrapeNginxStatus(ch chan<- prometheus.Metric) { func (p *namedProcessCollector) scrapeVts(ch chan<- prometheus.Metric) { + if ! *p.vtsCollector { + glog.Warningf("vts metrics not enabled") + return + } + glog.Info("starting scrap on vts") nginxMetrics, err := getNginxVtsMetrics() if err != nil { glog.Warningf("unexpected error obtaining nginx status info: %v", err) 
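Review bot: The new guard `if ! *p.vtsCollector` in scrapeVts dereferences the pointer without a nil check, and since start() now calls scrapeVts on every scrape and the deleted reloadMonitor treated a nil pointer as a legitimate input, a nil `vtsCollector` would panic the scrape goroutine; `if p.vtsCollector == nil || !*p.vtsCollector {` covers both cases (gofmt also drops the space after `!`). The accompanying `glog.Warningf("vts metrics not enabled")` then fires on every Prometheus scrape when vts is simply switched off, which is an expected state rather than a warning condition; `glog.V(2).Info` or a single message at setup time is more appropriate. The same applies to `glog.Info("starting scrap on vts")` (typo: scrape) on the enabled path.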
@@ -434,34 +431,35 @@ func (p *namedProcessCollector) scrapeVts(ch chan<- prometheus.Metric) { } + } func (p *namedProcessCollector) scrapeProcs(ch chan<- prometheus.Metric) { - _, err := p.Update(p.fs.AllProcs()) - if err != nil { - glog.Warningf("unexpected error obtaining nginx process info: %v", err) - return - } - - for gname, gcounts := range p.Groups() { - glog.Infof("%v", gname) - glog.Infof("%v", gcounts) - ch <- prometheus.MustNewConstMetric(numprocsDesc, - prometheus.GaugeValue, float64(gcounts.Procs)) - ch <- prometheus.MustNewConstMetric(memResidentbytesDesc, - prometheus.GaugeValue, float64(gcounts.Memresident)) - ch <- prometheus.MustNewConstMetric(memVirtualbytesDesc, - prometheus.GaugeValue, float64(gcounts.Memvirtual)) - ch <- prometheus.MustNewConstMetric(startTimeDesc, - prometheus.GaugeValue, float64(gcounts.OldestStartTime.Unix())) - ch <- prometheus.MustNewConstMetric(cpuSecsDesc, - prometheus.CounterValue, gcounts.Cpu) - ch <- prometheus.MustNewConstMetric(readBytesDesc, - prometheus.CounterValue, float64(gcounts.ReadBytes)) - ch <- prometheus.MustNewConstMetric(writeBytesDesc, - prometheus.CounterValue, float64(gcounts.WriteBytes)) - } + //_, err := p.Update(p.fs.AllProcs()) + //if err != nil { + // glog.Warningf("unexpected error obtaining nginx process info: %v", err) + // return + //} + // + //for gname, gcounts := range p.Groups() { + // glog.Infof("%v", gname) + // glog.Infof("%v", gcounts) + // ch <- prometheus.MustNewConstMetric(numprocsDesc, + // prometheus.GaugeValue, float64(gcounts.Procs)) + // ch <- prometheus.MustNewConstMetric(memResidentbytesDesc, + // prometheus.GaugeValue, float64(gcounts.Memresident)) + // ch <- prometheus.MustNewConstMetric(memVirtualbytesDesc, + // prometheus.GaugeValue, float64(gcounts.Memvirtual)) + // ch <- prometheus.MustNewConstMetric(startTimeDesc, + // prometheus.GaugeValue, float64(gcounts.OldestStartTime.Unix())) + // ch <- prometheus.MustNewConstMetric(cpuSecsDesc, + // prometheus.CounterValue, 
gcounts.Cpu) + // ch <- prometheus.MustNewConstMetric(readBytesDesc, + // prometheus.CounterValue, float64(gcounts.ReadBytes)) + // ch <- prometheus.MustNewConstMetric(writeBytesDesc, + // prometheus.CounterValue, float64(gcounts.WriteBytes)) + //} } func reflectMetrics(value interface{}, desc *prometheus.Desc, ch chan<- prometheus.Metric, labels ...string) { @@ -478,4 +476,3 @@ func reflectMetrics(value interface{}, desc *prometheus.Desc, ch chan<- promethe } } - diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go index 8262a5873..4a1deed02 100644 --- a/controllers/nginx/pkg/template/template.go +++ b/controllers/nginx/pkg/template/template.go @@ -213,11 +213,8 @@ func buildLocation(input interface{}) string { func buildAuthLocation(input interface{}) string { location, ok := input.(*ingress.Location) - if !ok { - return "" - } - if location.ExternalAuth.URL == "" { + if !ok || location.ExternalAuth.URL == "" { return "" } diff --git a/controllers/nginx/rootfs/etc/nginx/nginx.conf b/controllers/nginx/rootfs/etc/nginx/nginx.conf index 4f90fb49c..0fd3b7fc8 100644 --- a/controllers/nginx/rootfs/etc/nginx/nginx.conf +++ b/controllers/nginx/rootfs/etc/nginx/nginx.conf @@ -11,8 +11,8 @@ events { } http { - real_ip_header X-Forwarded-For; - set_real_ip_from 0.0.0.0/0; + set_real_ip_from 10.50.0.0/16; + real_ip_header proxy_protocol; real_ip_recursive on; @@ -20,6 +20,9 @@ http { geoip_city /etc/nginx/GeoLiteCity.dat; geoip_proxy_recursive on; + # + #vhost_traffic_status_zone shared:vhost_traffic_status:10m; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::*; # # lua section to return proper error codes when custom pages are used 
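Review bot: scrapeProcs is reduced to a commented-out body, yet start() in hunk @@ -313 still calls it on every scrape and Describe still advertises numprocsDesc, memResidentbytesDesc, memVirtualbytesDesc, startTimeDesc, cpuSecsDesc, readBytesDesc and writeBytesDesc, so those series silently disappear while remaining described. If process collection is intentionally parked, a one-line comment stating why and what unblocks it, such as `// TODO: process metrics disabled until the proc filesystem handle is wired up; keep Describe in sync`, is more useful than the dead block, and the call in start() can go until then. The `ch` parameter is now unused.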
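Review bot: This file is the rendered output of the controller's template for one specific cluster — hard-coded pod IPs in the upstreams, tenant hostnames, per-location client allow-lists and certificate paths with PEM digests — committed under rootfs/etc/nginx/, so it is worth confirming that it is meant to be tracked rather than a runtime artifact that leaked into the commit; the same applies to every later nginx.conf hunk. Within this hunk, replacing `set_real_ip_from 0.0.0.0/0` with `10.50.0.0/16` and switching `real_ip_header` to `proxy_protocol` is a sound change, since trusting X-Forwarded-For from any source lets a client choose its own logged and access-controlled address. `real_ip_recursive on` only has an effect with a header that carries an address chain, so it is now inert and could carry a comment saying so.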
@@ -58,13 +61,9 @@ http { server_tokens on; - log_format upstreaminfo '$remote_addr - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status'; - map $request_uri $loggable { default 1; } - - access_log /var/log/nginx/access.log upstreaminfo if=$loggable; error_log /var/log/nginx/error.log notice; resolver 10.52.0.10 valid=30s; 
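Review bot: Dropping `log_format upstreaminfo` together with `access_log /var/log/nginx/access.log upstreaminfo if=$loggable;` removes the per-request access log, including the `$proxy_upstream_name`, `$upstream_addr` and `$upstream_status` fields, which is the main audit trail for the allow-listed locations added later in this diff; with no `access_log` directive left at the http level nginx falls back to its compiled-in default (`logs/access.log combined` relative to the prefix). If the intent is to silence logging, `access_log off;` states that explicitly; if not, the directive should stay. The `map $request_uri $loggable` block that remains is now unreferenced.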
@@ -129,10 +128,143 @@ http { # In case of errors try the next upstream server before returning an error proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; + upstream gitlab-deploys-80 { + least_conn; + server 10.51.72.11:3000 max_fails=0 fail_timeout=0; + server 10.51.77.20:3000 max_fails=0 fail_timeout=0; + } + upstream gitlab-gitlab-80 { + least_conn; + server 10.51.56.14:80 max_fails=0 fail_timeout=0; + } upstream kube-system-kube-lego-nginx-8080 { least_conn; server 10.51.42.2:8080 max_fails=0 fail_timeout=0; } + upstream logging-kibana-80 { + least_conn; + server 10.51.72.8:5601 max_fails=0 fail_timeout=0; + } + upstream monitoring-alertmanager-9093 { + least_conn; + server 10.51.22.4:9093 max_fails=0 fail_timeout=0; + server 10.51.36.5:9093 max_fails=0 fail_timeout=0; + server 10.51.56.4:9093 max_fails=0 fail_timeout=0; + } + upstream monitoring-grafana-3000 { + least_conn; + server 10.51.99.11:3000 max_fails=0 fail_timeout=0; + } + upstream monitoring-prometheus-k8s-9090 { + least_conn; + server 10.51.56.3:9090 max_fails=0 fail_timeout=0; + } + upstream prd-babel-80 { + least_conn; + server 10.51.42.13:3000 max_fails=0 fail_timeout=0; + server 10.51.77.19:3000 max_fails=0 fail_timeout=0; + } + upstream prd-mockphone-80 { + least_conn; + server 10.51.22.7:3000 max_fails=0 fail_timeout=0; + server 10.51.42.12:3000 max_fails=0 fail_timeout=0; + } + upstream sentry-sentry-80 { + least_conn; + server 10.51.77.4:9000 max_fails=0 fail_timeout=0; + } + upstream staging-auditlogs-80 { + least_conn; + server 10.51.72.14:20081 max_fails=0 fail_timeout=0; + } + upstream staging-authbox-80 { + least_conn; + server 10.51.42.18:3000 max_fails=0 fail_timeout=0; + server 10.51.72.17:3000 max_fails=0 fail_timeout=0; + } + upstream staging-authorizationmanager-80 { + least_conn; + server 10.51.72.6:3000 max_fails=0 fail_timeout=0; + server 10.51.77.17:3000 max_fails=0 fail_timeout=0; + } + upstream staging-backoffice-80 { + least_conn; + server 
10.51.46.9:3000 max_fails=0 fail_timeout=0; + server 10.51.99.14:3000 max_fails=0 fail_timeout=0; + } + upstream staging-companymanager-80 { + least_conn; + server 10.51.36.8:3000 max_fails=0 fail_timeout=0; + server 10.51.46.7:3000 max_fails=0 fail_timeout=0; + } + upstream staging-default-http-backend-80 { + least_conn; + server 10.51.72.12:8080 max_fails=0 fail_timeout=0; + server 10.51.77.6:8080 max_fails=0 fail_timeout=0; + } + upstream staging-eid-80 { + least_conn; + server 10.51.104.9:3000 max_fails=0 fail_timeout=0; + server 10.51.72.15:3000 max_fails=0 fail_timeout=0; + } + upstream staging-esign2-80 { + least_conn; + server 10.51.42.17:3000 max_fails=0 fail_timeout=0; + } + upstream staging-evidencemanager-80 { + least_conn; + server 10.51.22.5:3000 max_fails=0 fail_timeout=0; + server 10.51.36.6:3000 max_fails=0 fail_timeout=0; + } + upstream staging-gateway-80 { + least_conn; + server 10.51.104.11:3000 max_fails=0 fail_timeout=0; + server 10.51.72.5:3000 max_fails=0 fail_timeout=0; + } + upstream staging-idin-80 { + least_conn; + server 10.51.46.3:3000 max_fails=0 fail_timeout=0; + server 10.51.99.12:3000 max_fails=0 fail_timeout=0; + } + upstream staging-invoicemanager-80 { + least_conn; + server 10.51.22.3:3000 max_fails=0 fail_timeout=0; + server 10.51.46.12:3000 max_fails=0 fail_timeout=0; + } + upstream staging-mockphone-80 { + least_conn; + server 10.51.72.13:3000 max_fails=0 fail_timeout=0; + server 10.51.77.22:3000 max_fails=0 fail_timeout=0; + } + upstream staging-mydigidentity-80 { + least_conn; + server 10.51.36.10:3000 max_fails=0 fail_timeout=0; + server 10.51.99.4:3000 max_fails=0 fail_timeout=0; + } + upstream staging-profilemanager-80 { + least_conn; + server 10.51.104.8:3000 max_fails=0 fail_timeout=0; + server 10.51.46.10:3000 max_fails=0 fail_timeout=0; + } + upstream staging-selfserviceportal-80 { + least_conn; + server 10.51.72.3:3000 max_fails=0 fail_timeout=0; + server 10.51.77.3:3000 max_fails=0 fail_timeout=0; + } + upstream 
staging-serviceprovider-80 { + least_conn; + server 10.51.104.3:3000 max_fails=0 fail_timeout=0; + server 10.51.72.16:3000 max_fails=0 fail_timeout=0; + } + upstream staging-smartcardmanager-80 { + least_conn; + server 10.51.72.14:20080 max_fails=0 fail_timeout=0; + } + upstream staging-sppp-80 { + least_conn; + server 10.51.42.11:3000 max_fails=0 fail_timeout=0; + server 10.51.46.6:3000 max_fails=0 fail_timeout=0; + } upstream upstream-default-backend { least_conn; server 10.51.104.5:8080 max_fails=0 fail_timeout=0; @@ -142,14 +274,14 @@ http { } server { server_name _; - listen [::]:8080 ipv6only=off default_server reuseport backlog=511; - listen [::]:4430 ipv6only=off default_server reuseport backlog=511 ssl ; #http2; + listen [::]:8080 proxy_protocol ipv6only=off default_server reuseport backlog=511; + listen [::]:4430 proxy_protocol ipv6only=off default_server reuseport backlog=511 ssl ; #http2; # PEM sha: b23676658d28c219471e2200501312d7d188404c ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; - # + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location / { set $proxy_upstream_name "upstream-default-backend"; @@ -180,9 +312,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
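Review bot: `proxy_send_timeout 600s` and `proxy_read_timeout 600s` in this location block (and the identical change repeated in every later location hunk of this file) let a single slow or stalled backend or client hold a worker connection for ten minutes, which widens exposure to connection exhaustion against the ingress. If one upstream needs long-lived requests, scoping the longer value to that server or location keeps the previous 60s elsewhere. Since this file appears to be rendered from the template, the controller's configuration rather than this file is presumably where the value should change.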
@@ -213,9 +345,14 @@ http { server { server_name alertmanager.dta.ddy.systems; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: e7872a3b955e82f9fc2f865792bc6fdd025333ed + ssl_certificate /ingress-controller/ssl/monitoring-alertmanager.dta.ddy.systems.pem; + ssl_certificate_key /ingress-controller/ssl/monitoring-alertmanager.dta.ddy.systems.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -246,9 +383,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -259,9 +396,13 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "monitoring-alertmanager-9093"; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -287,9 +428,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
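Review bot: The server block gains `listen [::]:4430 proxy_protocol ssl` and, in hunk @@ -259, the redirect `if ($pass_access_scheme = http) { return 301 https://$host$request_uri; }`, while the HSTS line `#more_set_headers "Strict-Transport-Security: ..."` is emitted commented out, so browsers keep making a first plaintext request on every visit. If the `more_set_headers` module is unavailable in this image, the core directive `add_header Strict-Transport-Security "max-age=15724800; includeSubDomains" always;` gives the same result; if HSTS is deliberately off, a comment saying so would save the next reader the question. The same pattern appears in every later server block of this file.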
@@ -297,16 +438,91 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://monitoring-alertmanager-9093; + } + + } + + server { + server_name asentry.ddy.systems; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: b23676658d28c219471e2200501312d7d188404c + ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; + ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; + + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + + location / { + set $proxy_upstream_name "sentry-sentry-80"; + + allow 10.50.0.0/16; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 83.85.75.129/32; + allow 83.86.66.59/32; + allow 84.104.29.40/32; + allow 90.145.204.66/32; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + 
proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://sentry-sentry-80; } } server { server_name audit-logs.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -337,9 +553,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -350,9 +566,25 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-auditlogs-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -378,9 +610,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
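Review bot: The `allow`/`deny all` list in the asentry.ddy.systems location is evaluated against `$remote_addr`, which on these `proxy_protocol` listeners is taken from the PROXY header whenever the connection arrives from `set_real_ip_from 10.50.0.0/16`, so anything in that range that can reach port 8080 or 4430 directly can present an arbitrary client address and pass the list; the per-location allow-lists added in the later hunks rely on the same trust. The first entry `allow 10.50.0.0/16` additionally admits the whole trusted-proxy range itself, which the other locations do not do, so it is worth confirming that is intended for this service. Restricting the listener to the load balancer at the network layer is the usual complement to `real_ip_header proxy_protocol`.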
@@ -388,17 +620,134 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-auditlogs-80; } } server { server_name auth.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 92115ea63b369c26de6da3154618a1c042a294d8 + ssl_certificate /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-auth.digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + 
proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; 
@@ -428,9 +777,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -441,9 +790,28 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-authbox-80"; + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -469,9 +837,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -479,16 +847,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-authbox-80; } } server { server_name backoffice.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -519,9 +892,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -532,9 +905,25 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-backoffice-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -560,9 +949,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -570,17 +959,307 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-backoffice-80; } } server { server_name be.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /profiles { + set $proxy_upstream_name "staging-profilemanager-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + 
proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-profilemanager-80; + } + location /invoices { + set $proxy_upstream_name "staging-invoicemanager-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-invoicemanager-80; + } + location /evidences { + set $proxy_upstream_name "staging-evidencemanager-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 
90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-evidencemanager-80; + } + location /companies { + set $proxy_upstream_name "staging-companymanager-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-companymanager-80; + } + location /authorizations { + set $proxy_upstream_name "staging-authorizationmanager-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + 
proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authorizationmanager-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -610,9 +1289,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -651,9 +1330,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -668,9 +1347,9 @@ http { server { server_name cauth.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; - # + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -701,9 +1380,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -742,9 +1421,316 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name cauth2.digidentity-staging.eu; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: b23676658d28c219471e2200501312d7d188404c + ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem; + ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem; + + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size 
"4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location / { + set $proxy_upstream_name "staging-authbox-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authbox-80; + } + + } + + server { + server_name cdn.auth.digidentity-staging.eu; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: d377fdb3299b80661314481c6e49342fa8e9288b + ssl_certificate /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-cdn.auth.digidentity-staging.eu.pem; + + #more_set_headers "Strict-Transport-Security: max-age=15724800; 
includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + + location /assets { + set $proxy_upstream_name "staging-authbox-80"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-authbox-80; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 
600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://upstream-default-backend; + } + + } + + server { + server_name cdn.my.digidentity-staging.eu; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: e1c751d9b7a289c0e54c4b534aaae54406f0bc66 + ssl_certificate /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-cdn.my.digidentity-staging.eu.pem; + + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + + location /assets { + set $proxy_upstream_name "staging-mydigidentity-80"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-mydigidentity-80; + } + location / { + set $proxy_upstream_name "upstream-default-backend"; + + port_in_redirect off; + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the 
extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -759,9 +1745,14 @@ http { server { server_name dash.ddy.systems; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 13353f306e25526e1eaa8d0b85473d211c4264dd + ssl_certificate /ingress-controller/ssl/gitlab-dash.ddy.systems.pem; + ssl_certificate_key /ingress-controller/ssl/gitlab-dash.ddy.systems.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -792,9 +1783,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
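Review bot: The new side of this hunk (`@@ -742,9 +1421,316 @@`, and likewise the hunks that follow it through the end of the file) is a snapshot of controller-generated nginx output for one specific environment — live `server_name` hosts, per-location `allow` lists of individual public client addresses, and certificate paths annotated with PEM hashes — rather than a template or a test fixture, and that operational detail should not be checked in; if a fixture is needed, reduce it to a single anonymized server block and let a test generate the rest, otherwise drop the file from the commit. The enclosing `http {` block and the server block start outside the hunk. Separately, the `allow`/`deny` lists are now evaluated behind `listen [::]:8080 proxy_protocol`, so they only restrict what they appear to when the address used for the check is taken from a PROXY-protocol header sent by a trusted load balancer; the `set_real_ip_from`/`real_ip_header` directives that establish that trust are not in this hunk, so this is inferred, and a comment such as `# allow-list relies on real_ip from proxy_protocol; trust only the load balancer's source range` would make the dependency explicit. Note also that every server that now terminates TLS keeps HSTS commented out (`#more_set_headers "Strict-Transport-Security: ..."`), which matters if this file is meant to document a hardened baseline.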
@@ -805,9 +1796,19 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "gitlab-deploys-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 83.85.75.129/32; + allow 94.208.108.253/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -833,9 +1834,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -843,16 +1844,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://gitlab-deploys-80; } } server { server_name eid.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: a342af52002527fa15e351d8dae40e1cf79318a3 + ssl_certificate /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-eid.digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -883,9 +1889,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -896,9 +1902,28 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-eid-80"; + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -924,9 +1949,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -934,16 +1959,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-eid-80; } } server { server_name esign2.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 0701c2076c52e17e64b7b8928f22483d04e7b937 + ssl_certificate /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-esign2-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; 
@@ -974,9 +2004,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -987,9 +2017,20 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-esign2-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -1015,9 +2056,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1025,17 +2066,134 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-esign2-80; } } server { server_name gate.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 381a5918528e4b3a4660755ef9ad39f655ec0dea + ssl_certificate /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-gate.digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 
600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -1065,9 +2223,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1078,9 +2236,28 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-gateway-80"; + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -1106,9 +2283,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1116,17 +2293,134 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-gateway-80; } } server { server_name gateway.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: faac8a7a8c2a62b8d8e098d00132e4e58611f46f + ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + 
proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; 
@@ -1156,9 +2450,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1197,9 +2491,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1214,9 +2508,14 @@ http { server { server_name gitlab.dmtw.nl; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: cb796ae5a3ada39619752170afc88da389c7fe4a + ssl_certificate /ingress-controller/ssl/gitlab-gitlab.dmtw.nl.pem; + ssl_certificate_key /ingress-controller/ssl/gitlab-gitlab.dmtw.nl.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -1247,9 +2546,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1260,11 +2559,23 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "gitlab-gitlab-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 83.84.117.190/32; + allow 83.85.75.129/32; + allow 83.86.66.59/32; + allow 94.208.108.253/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } - client_max_body_size "1m"; + client_max_body_size "100m"; proxy_set_header Host $host; @@ -1288,9 +2599,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1298,16 +2609,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://gitlab-gitlab-80; } } server { server_name grafana.dta.ddy.systems; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 59324865d0393cf34e51510acd2e65087d871053 + ssl_certificate /ingress-controller/ssl/monitoring-grafana.dta.ddy.systems.pem; + ssl_certificate_key /ingress-controller/ssl/monitoring-grafana.dta.ddy.systems.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -1338,9 +2654,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1351,9 +2667,13 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "monitoring-grafana-3000"; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -1379,9 +2699,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1389,17 +2709,134 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://monitoring-grafana-3000; } } server { server_name idin.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: faac8a7a8c2a62b8d8e098d00132e4e58611f46f + ssl_certificate /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-eherkenning-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; 
+ proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; 
@@ -1429,9 +2866,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1442,9 +2879,28 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-idin-80"; + allow 213.125.23.194/32; + allow 34.195.0.0/16; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -1470,9 +2926,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1480,16 +2936,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-idin-80; } } server { server_name kibana.dta.ddy.systems; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 08de7f1098864931d5a0b59f027f3fae5686dc0f + ssl_certificate /ingress-controller/ssl/logging-kibana.dta.ddy.systems.pem; + ssl_certificate_key /ingress-controller/ssl/logging-kibana.dta.ddy.systems.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -1520,9 +2981,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1533,9 +2994,15 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "logging-kibana-80"; + allow 10.50.0.0/16; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -1561,9 +3028,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1571,17 +3038,136 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://logging-kibana-80; } } server { server_name mock.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /serviceprovider { + set $proxy_upstream_name "staging-serviceprovider-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 
600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-serviceprovider-80; + } + location /phone { + set $proxy_upstream_name "staging-mockphone-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-mockphone-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; 
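Review bot: The `/serviceprovider` and `/phone` locations on mock.digidentity-staging.eu carry identical eleven-entry allow lists that are a subset of the list used for staging-idin-80 earlier in the diff, which suggests the source ranges are maintained per Ingress annotation and have already started to drift; a single shared range definition (or at least a comment naming which annotation is the source of truth) would keep the lists from diverging further. Separately, this host serves `/ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem`, the same PEM sha as the smartcards host, so please confirm that certificate's SANs cover `mock.digidentity-staging.eu`; if not, the forced https redirect added in both locations sends every visitor into a name-mismatch warning. The server block continues past this hunk.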
@@ -1611,9 +3197,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1652,9 +3238,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -1669,10 +3255,127 @@ http { server { server_name my.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 8750503f72e9e522ea87d0d7bfb39c12832abe40 + ssl_certificate /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-my.digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /health-check { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + 
proxy_pass http://staging-default-http-backend-80; + } + location /checks { + set $proxy_upstream_name "staging-default-http-backend-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 82.169.78.168/32; + allow 83.85.75.129/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + allow 95.211.121.65/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-default-http-backend-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -1702,9 +3405,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
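Review bot: Both new locations `/health-check` and `/checks` on my.digidentity-staging.eu are proxied to `staging-default-http-backend-80`, which by its name is the controller's catch-all backend rather than the portal application, yet each is wrapped in a ten-entry allow list and a forced https redirect. If those paths are meant to be answered by the portal, the upstream looks wrong; if they are meant for an external monitor, that monitor's source address must be in the list or it will be denied. A comment on each location stating who is expected to call it would settle which of these is intended. The server block continues past this hunk.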
@@ -1715,9 +3418,28 @@ http {
 proxy_pass http://kube-system-kube-lego-nginx-8080;
 }
 location / {
- set $proxy_upstream_name "upstream-default-backend";
+ set $proxy_upstream_name "staging-mydigidentity-80";
+ allow 213.125.23.194/32;
+ allow 34.195.0.0/16;
+ allow 52.18.61.164/32;
+ allow 52.212.176.193/32;
+ allow 62.45.127.65/32;
+ allow 77.250.52.167/32;
+ allow 82.161.109.153/32;
+ allow 82.169.78.168/32;
+ allow 83.85.75.129/32;
+ allow 83.86.83.47/32;
+ allow 84.104.29.40/32;
+ allow 90.145.204.64/26;
+ allow 94.208.108.253/32;
+ allow 95.211.121.65/32;
+ deny all;
 port_in_redirect off;
+ # enforce ssl on server side
+ if ($pass_access_scheme = http) {
+ return 301 https://$host$request_uri;
+ }
 client_max_body_size "1m";
@@ -1743,9 +3465,9 @@ http {
 # Custom headers
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
+ proxy_connect_timeout 16s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
 proxy_redirect off;
 proxy_buffering off;
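Review bot: The `if ($pass_access_scheme = http) { return 301 ... }` placed under the allow list runs in nginx's rewrite phase, while `allow`/`deny` are evaluated later in the access phase, so a client outside the list that arrives on plain HTTP receives the 301 to https and only the follow-up HTTPS request is refused. That discloses nothing, but it means port 8080 never answers 403 for this location, which will mislead anyone testing the whitelist over HTTP. This list also repeats `allow 34.195.0.0/16;`, a 65k-address range that undercuts the per-host entries around it, as noted on the staging-idin-80 hunk.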
@@ -1753,17 +3475,120 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-mydigidentity-80; } } server { server_name prd.dmtw.nl; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 7134d20604308601dab72387837394ce69c6e788 + ssl_certificate /ingress-controller/ssl/prd-prd.dmtw.nl.pem; + ssl_certificate_key /ingress-controller/ssl/prd-prd.dmtw.nl.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /mock_phone { + set $proxy_upstream_name "prd-mockphone-80"; + + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 95.238.110.237/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://prd-mockphone-80; + } + location /babel { + set $proxy_upstream_name "prd-babel-80"; + + allow 
213.125.23.194/32; + allow 52.18.61.164/32; + allow 95.238.110.237/32; + deny all; + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://prd-babel-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -1793,9 +3618,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -1834,9 +3659,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
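Review bot: On the production host prd.dmtw.nl the HSTS header remains disabled (`#more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";`) even though both new locations now 301 plain HTTP to https, so a returning visitor's first request is still interceptable before the redirect; if the headers-more module is not compiled in, the stock `add_header Strict-Transport-Security "max-age=15724800; includeSubDomains" always;` in the 4430 server does the same job, and since this file looks controller-generated the switch is presumably the controller's HSTS setting rather than this file. Separately, a `prd-mockphone-80` upstream exposed under `/mock_phone` on a production hostname, even to three allow-listed addresses, deserves a comment on whether a mock is meant to stay reachable in prod. The server block continues past this hunk.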
@@ -1851,9 +3676,14 @@ http {
 server {
 server_name prometheus.dta.ddy.systems;
- listen [::]:8080;
+ listen [::]:8080 proxy_protocol;
+ listen [::]:4430 proxy_protocol ssl ; #http2;
+ # PEM sha: 6b2f2a7135b51b6b79f6634cbf65b22a64693dee
+ ssl_certificate /ingress-controller/ssl/monitoring-prometheus.dta.ddy.systems.pem;
+ ssl_certificate_key /ingress-controller/ssl/monitoring-prometheus.dta.ddy.systems.pem;
- #
+ #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";
+ #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;
 location /.well-known/acme-challenge {
 set $proxy_upstream_name "kube-system-kube-lego-nginx-8080";
@@ -1884,9 +3714,9 @@ http {
 # Custom headers
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
+ proxy_connect_timeout 16s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
 proxy_redirect off;
 proxy_buffering off;
@@ -1897,9 +3727,13 @@ http {
 proxy_pass http://kube-system-kube-lego-nginx-8080;
 }
 location / {
- set $proxy_upstream_name "upstream-default-backend";
+ set $proxy_upstream_name "monitoring-prometheus-k8s-9090";
 port_in_redirect off;
+ # enforce ssl on server side
+ if ($pass_access_scheme = http) {
+ return 301 https://$host$request_uri;
+ }
 client_max_body_size "1m";
@@ -1925,9 +3759,9 @@ http {
 # Custom headers
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
+ proxy_connect_timeout 16s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
 proxy_redirect off;
 proxy_buffering off;
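Review bot: The new `location /` for monitoring-prometheus-k8s-9090 has no `allow`/`deny` block, unlike the kibana server earlier in this diff which gets `allow 10.50.0.0/16; deny all;`, so the Prometheus UI and query API are reachable from any address that can reach this ingress, and the https redirect makes that look deliberate. Prometheus carries no authentication of its own, and its API exposes every scraped metric and target, including cluster internals. Unless something not visible here authenticates in front of it, add the same restriction, `allow 10.50.0.0/16;` and `deny all;` ahead of `port_in_redirect off;`, or route it through an authenticating proxy.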
@@ -1935,16 +3769,21 @@ http {
 proxy_buffers 4 "4k";
 proxy_http_version 1.1;
- proxy_pass http://upstream-default-backend;
+ proxy_pass http://monitoring-prometheus-k8s-9090;
 }
 }
 server {
 server_name selfserviceportal.digidentity-staging.eu;
- listen [::]:8080;
+ listen [::]:8080 proxy_protocol;
+ listen [::]:4430 proxy_protocol ssl ; #http2;
+ # PEM sha: b23676658d28c219471e2200501312d7d188404c
+ ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem;
+ ssl_certificate_key /ingress-controller/ssl/system-snake-oil-certificate.pem;
- #
+ #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload";
+ #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;
 location /.well-known/acme-challenge {
 set $proxy_upstream_name "kube-system-kube-lego-nginx-8080";
@@ -1975,9 +3814,9 @@ http {
 # Custom headers
- proxy_connect_timeout 5s;
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
+ proxy_connect_timeout 16s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
 proxy_redirect off;
 proxy_buffering off;
@@ -1988,9 +3827,25 @@ http {
 proxy_pass http://kube-system-kube-lego-nginx-8080;
 }
 location / {
- set $proxy_upstream_name "upstream-default-backend";
+ set $proxy_upstream_name "staging-selfserviceportal-80";
+ allow 213.125.23.194/32;
+ allow 52.18.61.164/32;
+ allow 52.212.176.193/32;
+ allow 62.45.127.65/32;
+ allow 77.250.52.167/32;
+ allow 82.161.109.153/32;
+ allow 83.85.75.129/32;
+ allow 83.86.83.47/32;
+ allow 84.104.29.40/32;
+ allow 90.145.204.64/26;
+ allow 94.208.108.253/32;
+ deny all;
 port_in_redirect off;
+ # enforce ssl on server side
+ if ($pass_access_scheme = http) {
+ return 301 https://$host$request_uri;
+ }
 client_max_body_size "1m";
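Review bot: `ssl_certificate /ingress-controller/ssl/system-snake-oil-certificate.pem;` means the 4430 listener for selfserviceportal.digidentity-staging.eu serves the controller's self-signed fallback rather than a certificate issued for that name; presumably the Ingress has no tls secret, or the secret's certificate did not match, and the generated `# PEM sha` line differs from every other host here. Combined with the `return 301 https://$host$request_uri;` added in this server's `location /` further down the line, every HTTP visitor is pushed onto an untrusted certificate and taught to click through warnings. Either attach the proper TLS secret to that Ingress or hold off the forced redirect until one exists.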
@@ -2016,9 +3871,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2026,16 +3881,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-selfserviceportal-80; } } server { server_name serviceprovider.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429 + ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem; + ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -2066,9 +3926,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2079,9 +3939,19 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-serviceprovider-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 77.250.52.167/32; + allow 83.85.75.129/32; + allow 84.104.29.40/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; 
@@ -2107,9 +3977,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2117,16 +3987,21 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-serviceprovider-80; } } server { server_name smartcards.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 0db8324e9ca712109f6dc21f8566b10c566adbca + ssl_certificate /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-intern-digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -2157,9 +4032,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -2170,9 +4045,25 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-smartcardmanager-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 52.212.176.193/32; + allow 62.45.127.65/32; + allow 77.250.52.167/32; + allow 82.161.109.153/32; + allow 83.85.75.129/32; + allow 83.86.83.47/32; + allow 84.104.29.40/32; + allow 90.145.204.64/26; + allow 94.208.108.253/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; @@ -2198,9 +4089,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; 
@@ -2208,17 +4099,67 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-smartcardmanager-80; } } server { server_name sns.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 7f4e396f628630573c27cb3883f0b2428a210378 + ssl_certificate /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem; + ssl_certificate_key /ingress-controller/ssl/staging-sns.digidentity-staging.eu.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; + location /invoices/api/v1/email_notifications { + set $proxy_upstream_name "staging-invoicemanager-80"; + + port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + + client_max_body_size "1m"; + + proxy_set_header Host $host; + + # Pass the extracted client certificate to the backend + + # Pass Real IP + proxy_set_header X-Real-IP $remote_addr; + + # Allow websocket connections + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $pass_port; + proxy_set_header X-Forwarded-Proto $pass_access_scheme; + + # mitigate HTTPoxy Vulnerability + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ + proxy_set_header Proxy ""; + + # Custom headers + + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + + proxy_redirect off; + proxy_buffering off; + proxy_buffer_size "4k"; + proxy_buffers 4 "4k"; + + proxy_http_version 1.1; + proxy_pass http://staging-invoicemanager-80; + } location /.well-known/acme-challenge { set $proxy_upstream_name 
"kube-system-kube-lego-nginx-8080"; @@ -2248,9 +4189,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2289,9 +4230,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2306,9 +4247,14 @@ http { server { server_name sppp.digidentity-staging.eu; - listen [::]:8080; + listen [::]:8080 proxy_protocol; + listen [::]:4430 proxy_protocol ssl ; #http2; + # PEM sha: 47958609f9487195f6f78abdb1133492dd2e4429 + ssl_certificate /ingress-controller/ssl/staging-serviceprovider-https.pem; + ssl_certificate_key /ingress-controller/ssl/staging-serviceprovider-https.pem; - # + #more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains; preload"; + #vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name; location /.well-known/acme-challenge { set $proxy_upstream_name "kube-system-kube-lego-nginx-8080"; @@ -2339,9 +4285,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2352,9 +4298,19 @@ http { proxy_pass http://kube-system-kube-lego-nginx-8080; } location / { - set $proxy_upstream_name "upstream-default-backend"; + set $proxy_upstream_name "staging-sppp-80"; + allow 213.125.23.194/32; + allow 52.18.61.164/32; + allow 77.250.52.167/32; + allow 83.85.75.129/32; + allow 84.104.29.40/32; + deny all; port_in_redirect off; + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } client_max_body_size "1m"; 
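Review bot: `location /invoices/api/v1/email_notifications` on sns.digidentity-staging.eu is the only staging application location in this diff without an `allow`/`deny` block, so staging-invoicemanager-80 accepts that path from any address. If this is a callback endpoint for an external notification service, as the hostname suggests, the opening is deliberate, but then the backend must authenticate the caller itself, for instance by verifying the provider's message signature, since this ingress performs no check; a comment on the location naming the expected caller and how it is verified would make the omission look intended rather than forgotten. If the caller publishes its source ranges, listing them here is a cheap extra layer. The location begins in the previous physical line of the hunk.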
@@ -2380,9 +4336,9 @@ http { # Custom headers - proxy_connect_timeout 5s; - proxy_send_timeout 60s; - proxy_read_timeout 60s; + proxy_connect_timeout 16s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; proxy_redirect off; proxy_buffering off; @@ -2390,7 +4346,7 @@ http { proxy_buffers 4 "4k"; proxy_http_version 1.1; - proxy_pass http://upstream-default-backend; + proxy_pass http://staging-sppp-80; } }