File: //opt/bitninja-waf/etc/nginx.conf
# v2
# ssl on
#
# BitNinja WAF front-end nginx configuration: terminates client requests,
# runs ModSecurity, and reverse-proxies to the protected backend using the
# $backend_* variables defined in the maps below and in the included
# default/*_map.conf files.
worker_processes auto;
# Worker user is not set here; it comes from the included file below.
#user bitninja-waf bitninja-waf;
include default/waf-user.conf;
events {
worker_connections 1024;
use epoll;
}
http {
# Do not reveal the nginx version in Server headers / error pages.
server_tokens off;
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# HTTP/1.1 to the backend is required for the Upgrade/Connection
# (WebSocket) pass-through configured above.
proxy_http_version 1.1;
# X-Forwarded-Ssl value derived from the scheme the client used with us.
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Wrap the local server address in brackets when it looks like an IPv6
# literal (hex digits, colons, brackets only) so it can be used in a URL.
map $server_addr $bind_ip {
default $server_addr;
"~^[a-fA-F0-9:\[\]]+$" [$server_addr];
}
# Backend port selection by the port the client connected to.
# Note that both the explicit 60300 entry and the default resolve to 80.
map $server_port $backend_port {
default 80;
60300 80;
}
# No default entry: for any port other than 60301 this variable is empty.
map $server_port $backend_port_ssl {
60301 443;
}
# The hop to the backend is always plain http here, regardless of the
# client's scheme; proxy_ssl_* settings below only take effect if an
# included map overrides this.
map $scheme $backend_proto {
default "http";
}
# Transparent-proxy mode flag, 0 (off) for every host in this file.
# NOTE(review): where $transparent is set to 1 is not visible here —
# presumably one of the included default/*_map.conf files; confirm.
map $host $transparent {
default 0;
}
# In transparent mode (1) the client-identifying values are taken from the
# BN-* headers supplied by the upstream BitNinja component rather than
# derived from this connection; those BN-* headers are stripped before the
# request reaches the backend (see proxy_set_header BN-* "" below).
map $transparent $tproxy_x_real_ip {
default $remote_addr;
1 "";
}
map $transparent $tproxy_add_x_forwarded_for {
default $proxy_add_x_forwarded_for;
1 $http_bn_x_forwarded_for;
}
map $transparent $tproxy_x_forwarded_proto {
default $proxy_x_forwarded_proto;
1 $http_bn_x_forwarded_proto;
}
# NOTE(review): unlike the sibling maps this reads the plain
# X-Forwarded-Ssl request header, not a BN-X-Forwarded-Ssl one, and
# X-Forwarded-Ssl is not cleared below — confirm this is intended.
map $transparent $tproxy_x_forwarded_ssl {
default $proxy_x_forwarded_ssl;
1 $http_x_forwarded_ssl;
}
map $transparent $tproxy_x_forwarded_port {
default $proxy_x_forwarded_port;
1 $http_bn_x_forwarded_port;
}
proxy_read_timeout 300;
# Send SNI matching the requested host when the backend hop uses TLS
# (only relevant if $backend_proto is overridden to https).
proxy_ssl_server_name on;
proxy_ssl_name $host;
# Site-specific maps (e.g. backend destination); loaded after the
# defaults above.
include default/*_map.conf;
proxy_buffering off;
# Headers forwarded to the backend; the X-Forwarded-* values come from the
# $tproxy_* maps so they are consistent in both normal and transparent mode.
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $tproxy_x_real_ip;
proxy_set_header X-Forwarded-For $tproxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $tproxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $tproxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $tproxy_x_forwarded_port;
# Internal BN-* headers are consumed by the maps above and must not leak to
# the backend; an empty value makes nginx drop the header.
proxy_set_header BN-X-Forwarded-For "";
proxy_set_header BN-X-Forwarded-Proto "";
proxy_set_header BN-X-Forwarded-Port "";
proxy_set_header BN-Trusted-Proxy "";
proxy_set_header BN-Frontend "";
proxy_set_header BN-TP-Clientip "";
proxy_set_header BN-TP-Dstip "";
proxy_set_header BN-TP-Proto "";
proxy_set_header BN-TP-Dstport "";
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
# Custom log format added to show requested domains in the logs
# ($remote_addr here is the client address after real_ip rewriting below).
log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "client-port [$http_bn_client_port]"';
access_log /var/log/bitninja-waf/access.log combined_host;
# Set trusted proxy ips. We trust local proxies (bitninja-ssl-termination and other loadbalancers).
# X-Forwarded-For is only honoured for connections arriving from the
# addresses listed here; with real_ip_recursive the chain is walked from
# the right, skipping trusted addresses, so a client cannot pick its own
# logged IP by sending X-Forwarded-For directly.
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Connections over UNIX sockets are treated as trusted.
set_real_ip_from unix:;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 127.0.0.0/8;
# NOTE(review): the next line is duplicated; harmless, but one copy could go.
set_real_ip_from 5.9.111.147;
set_real_ip_from 5.9.111.147;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
include /opt/bitninja-waf/etc/BitNinjaProxy/*.conf;
include /opt/bitninja-waf/etc/mime.types;
# The @errorz named location is not defined in this file — presumably it
# comes from default/default-locations.conf included in the server below.
error_page 500 502 503 504 @errorz;
# Default ModSecurity configuration (http-level rule set; enabled per
# location with "modsecurity On" below)
modsecurity_rules_file /opt/bitninja-waf/etc/default/modsec.conf;
# Applying local changes
include /opt/bitninja-waf/etc/local_configs/global_*.conf;
# IP based proxy settings
server {
include default/default-locations.conf;
location / {
# Applying location based local changes
# (the hash-like directory/prefix below looks like a per-site id — confirm)
include /opt/bitninja-waf/etc/local_configs/6666cd76f9695646_*.conf;
modsecurity On;
modsecurity_rules_file /opt/bitninja-waf/etc/6666cd76f9695646/modsec.conf;
# $backend_dest is not defined in this file; presumably set by one of the
# included default/*_map.conf files.
proxy_pass $backend_proto://$backend_dest:$backend_port;
}
}
# Domain base proxy settings
# (no domain-based server blocks are present in this file; this marker is
# presumably where generated per-domain servers are appended — confirm)
}