# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
# Worker processes run as the unprivileged "nginx" account.
user nginx;
# One worker per available CPU core.
worker_processes auto;
# Global error log; the server blocks below set their own error_log at "info" level.
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
# Every *.conf in this directory is read at startup, so anything able to write
# there decides which modules nginx loads — keep the directory root-owned.
include /usr/share/nginx/modules/*.conf;
events {
# Upper bound on simultaneous connections per worker process; this counts
# connections to the proxied backends as well as client connections.
worker_connections 4096;
}
http {
# Access-log layout shared by every server block in this file.
# $remote_addr is the TCP peer nginx accepted the connection from.
# $http_x_forwarded_for is copied from the request header and is client-controlled:
# useful as a hint during investigation, not as an authenticated source address.
# $host and $upstream_addr record which virtual host was requested and which
# backend served it, so a log line can be tied to a specific backend.
log_format main '[$time_local] $remote_addr - $remote_user "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
' from $host to $upstream_addr';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Default client keep-alive; both application server blocks override it with 10.
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
# Responses with no matching MIME type are sent as a generic binary download.
default_type application/octet-stream;
##### This is the default Server
#####--------------------------------------------------------------------------------
server {
# Catch-all for ports 443 and 8443: requests whose name matches no other
# server block end up here. Port 8080 has no catch-all in this file.
listen 443 ssl default_server;
listen 8443 ssl default_server;
# The TLS handshake completes before "return 444" runs, so this certificate
# (and the names in it) is still presented to clients asking for unknown hosts.
# NOTE(review): nginx 1.19.4+ has "ssl_reject_handshake on;" to refuse the
# handshake instead — confirm the installed version before using it.
ssl_certificate /etc/nginx/ssl/hk-server.cer;
ssl_certificate_key /etc/nginx/ssl/hk-server.key;
# CA list for client-certificate verification. ssl_verify_client is not set in
# this block (default: off), so this line currently has no effect.
ssl_client_certificate /etc/nginx/ssl/mydomain-hk.cer;
server_name _;
# 444 is nginx-specific: close the connection without sending any response.
return 444;
}
##### This is the APP1 configuration
#####--------------------------------------------------------------------------------
# Directive to define the group of servers
# - Placed inside the http context {}
# - Servers in the group are configured using the server directive
#-----------------------------------------------------------------------------------
upstream backend-server {
# Server group named backend-server, used by the APP1 proxy_pass directives.
# Consistent hashing on the client address: a given $remote_addr keeps mapping
# to the same backend, which gives session stickiness without cookies.
# Clients that share one address (NAT, forward proxy) all land on the same backend.
hash $remote_addr consistent;
# Weights 5 and 6 bias the distribution slightly toward .19; the split is not exactly even.
server 192.168.10.18:443 weight=5;
server 192.168.10.19:443 weight=6;
}
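server {
    # APP1 virtual host: terminates TLS on 443 and proxies to the backend-server group.
    listen 443 ssl http2;
    server_name app1.mydomain.hk;
    # Fixed: this line had no terminating ';', so nginx read the following
    # "server_name 192.168.10.44" as further names of this directive and
    # registered the literal host name "server_name" for this block.
    server_name ~^app1.*\.mydomain\.hk$;
    server_name 192.168.10.44;

    # Send SNI to the backend. The name sent defaults to the proxy_pass host
    # ("backend-server" here) unless proxy_ssl_name is set.
    proxy_ssl_server_name on;

    ssl_certificate /etc/nginx/ssl/hk-server.cer;
    ssl_certificate_key /etc/nginx/ssl/hk-server.key;
    # CA list for client-certificate verification; unused while ssl_verify_client is off (below).
    ssl_client_certificate /etc/nginx/ssl/mydomain-hk.cer;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to whatever X-Forwarded-For the client sent; only the
    # last entry is written by this proxy, earlier entries are client-supplied.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Forwards the client's own X-Forwarded-Proto header (empty when absent).
    # NOTE(review): if nginx is the first hop, $scheme reports the protocol actually
    # used and cannot be set by the client — confirm whether a trusted proxy sits in front.
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    # Never spill proxied responses to temporary files on disk.
    proxy_max_temp_file_size 0;

    # Client certificate presented to the backend: the same key pair that
    # identifies this server to browsers.
    # NOTE(review): proxy_ssl_verify is not set (default: off), so the backend's
    # certificate is not checked; enabling it needs proxy_ssl_trusted_certificate
    # and a matching proxy_ssl_name.
    proxy_ssl_certificate /etc/nginx/ssl/hk-server.cer;
    proxy_ssl_certificate_key /etc/nginx/ssl/hk-server.key;

    # Client certificates are not requested; ssl_verify_depth only matters once
    # verification is switched on.
    ssl_verify_client off;
    ssl_verify_depth 2;

    error_log /var/log/nginx/error.log info;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Applies to TLS 1.2. The EDH (DHE) suites are only offered when ssl_dhparam
    # is configured (nginx 1.11.0+); none is set in this file.
    ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
    keepalive_timeout 10;
    ssl_session_timeout 5m;

    location /APP1/VAADIN/themes/APP1_theme/images/watermark/ {
        # Mark watermark images as already expired so they are never served from cache.
        expires epoch;
        proxy_pass https://backend-server;
        # NOTE(review): the deny rules in "location /" are not inherited by this
        # location, so the blacklisted range can still fetch these images. Move the
        # deny lines to server level if the block is meant to cover the whole site.
    }

    location / {
        # pass requests to a server group named as backend-server
        # -------------------------------------------------------
        proxy_pass https://backend-server;
        # blacklist 192.168.8.90 - 192.168.8.99
        # (.90-.91, .92-.95, .96-.99); matched against $remote_addr, the direct TCP peer.
        deny 192.168.8.90/31;
        deny 192.168.8.92/30;
        deny 192.168.8.96/30;
    }
}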
##### This is the APP2 configuration
#####--------------------------------------------------------------------------------
# Directive to define the group of servers
# - only one server has been assigned to this group
# - Servers in the group are configured using the server directive
#-----------------------------------------------------------------------------------
upstream app2.mydomain.hk {
# Send each request to the entry with the fewest active connections.
least_conn;
# -----------------------------------------------------------------------------
# only one server at this moment
# -----------------------------------------------------------------------------
# Both entries are the same host (192.168.11.99) on two ports, and least_conn
# treats them as two independent backends.
# NOTE(review): the APP2 proxy_pass uses https://, so nginx opens TLS to both
# ports. If 8080 is a plain-HTTP listener on the backend, requests routed there
# fail the handshake and show up as upstream errors — confirm, then drop the
# entry or split it into a separate http upstream.
server 192.168.11.99:8443;
server 192.168.11.99:8080;
}
server {
# APP2 virtual host: proxies to the app2.mydomain.hk upstream group.
# Port 8080 is plain HTTP. No other server block in this file listens on 8080,
# so this block is the implicit default there and requests with any Host header
# arriving on 8080 are proxied to APP2.
listen 8080;
listen 8443 ssl http2;
listen 443 ssl http2;
server_name app2.mydomain.hk;
# Send SNI to the backend; the name defaults to the proxy_pass host.
proxy_ssl_server_name on;
ssl_certificate /etc/nginx/ssl/hk-server.cer;
ssl_certificate_key /etc/nginx/ssl/hk-server.key;
# CA list for client-certificate verification; unused while ssl_verify_client is off (below).
ssl_client_certificate /etc/nginx/ssl/mydomain-hk.cer;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to whatever X-Forwarded-For the client sent; only the
# last entry is written by this proxy, earlier entries are client-supplied.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Forwards the client's own X-Forwarded-Proto header (empty when absent). With the
# plain-HTTP listener on 8080, a client can claim "https" and the backend sees it.
# NOTE(review): $scheme reports the protocol actually used on this hop — confirm
# whether a trusted proxy in front is expected to set this header.
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
# Never spill proxied responses to temporary files on disk.
proxy_max_temp_file_size 0;
# Client certificate presented to the backend: the same key pair that identifies
# this server to browsers.
# NOTE(review): proxy_ssl_verify is not set (default: off), so the backend's
# certificate is not checked.
proxy_ssl_certificate /etc/nginx/ssl/hk-server.cer;
proxy_ssl_certificate_key /etc/nginx/ssl/hk-server.key;
# Client certificates are not requested; ssl_verify_depth only matters once
# verification is switched on.
ssl_verify_client off;
ssl_verify_depth 2;
error_log /var/log/nginx/error.log info;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
# Applies to TLS 1.2. The EDH (DHE) suites are only offered when ssl_dhparam is
# configured (nginx 1.11.0+); none is set in this file.
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
keepalive_timeout 10;
ssl_session_timeout 5m;
location / {
# Always https to the upstream group, including for requests that arrived on plain 8080.
proxy_pass https://app2.mydomain.hk;
}
}
} # End of the http