user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 10240;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
#include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$server_name--$request_id"'
'"$upstream_addr" "$upstream_response_time" "$request_time" "$http_x_custom_header"';
access_log /var/log/nginx/access.log main;
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
modsecurity_transaction_id "$server_name--$request_id";
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
client_max_body_size 100m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
server_names_hash_bucket_size 128;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
server {
listen 80;
listen [::]:80;
server_name _;
return 444;
}
upstream portal_server{
server 10.1.0.131:80;
server 10.1.0.132:80;
}
server {
listen 80;
server_name node1.xx.com node2.xx.com;
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
listen 443 ssl;
server_name node1.xx.com node2.xx.com;
ssl_certificate cert/4390688__node.com.pem;
ssl_certificate_key cert/4390688__node.com.key;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
access_log /var/log/nginx/workstation_access.log;
error_log /var/log/nginx/workstation_error.log;
location /{
if ($request_method = OPTIONS) {
set $all_hear "Content-Type,Accept,User-Agent,X-Requested-With,Cache-Control,Authorization,Host,Pragma,Access-Control-Request-Method,companycode,merchantcode,Origin,Sec-Fetch-Mode,Referer,Accept-Language,Access-Control-Allow-Origin,Access-Control-Request-Headers,${http_access_control_request_headers}";
add_header 'Access-Control-Allow-Origin' $http_origin;
add_header Access-Control-Allow-Credentials true;
add_header 'Access-Control-Allow-Methods' '*';
add_header 'Access-Control-Allow-Headers' $all_hear;
add_header 'Access-Control-Max-Age' 3600;
return 204;
}
proxy_pass http://portal_server/;
proxy_http_version 1.1;
}
error_page 403 444 /40x.html;
location = /40x.html {
add_header Content-Type 'text/html; charset=utf-8';
# 'return' command will intercept the modsec_audit record that triggers the rule 'H', which can only be viewed in the error log, if you do not
# want to be intercepted, you can use 'echo' command instead with -add-module=echo-nginx-module
# Or don't use 'return' to return the response body
return 200 "<!DOCTYPE html><html><head><meta charset=utf-8><body><p><b>Your access was blocked because the URL accessed may pose a security threat to the site.</b><br>status: $status<br>remote_addr: $remote_addr<br>server_name: $server_name<br>date: $time_local<br>tracking ID: $request_id</p>";
}
}
cat /etc/logrotate.d/modsec
/var/log/modsec_audit.log
{
rotate 31
daily
missingok
compress
delaycompress
notifempty
}