proxy.nginx
# Access logs are not needed on NAIS because the platform already provides them.
access_log off;
error_log /dev/stdout info;
charset utf-8;
# The default is set very low, which causes problems with some document queries.
# NOTE(review): a request body may be buffered in memory up to this size per
# request; check it against client_max_body_size, which is not set in the part
# of the file shown here.
client_body_buffer_size 20M;
# Expiry policy for static content, selected by the Content-Type of the
# outgoing response. The result is consumed by `expires $expires;`.
map $sent_http_content_type $expires {
    default                 off;    # `expires` leaves the caching headers alone
    text/html               epoch;  # HTML is always re-fetched
    text/css                max;
    application/javascript  max;
    ~image/                 max;    # regex: any type containing "image/"
}
# Fallback Cache-Control. When the upstream response has no Cache-Control
# header, a no-cache policy is produced. Any other upstream value maps to the
# empty string (map's implicit default), and add_header does not emit empty
# values, so an upstream-supplied Cache-Control reaches the client unchanged.
map $upstream_http_cache_control $custom_cache_control {
    ''  'no-cache, must-revalidate, proxy-revalidate, max-age=0';
}
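# Front-end server: serves the static web app and proxies /k9/* API prefixes
# to their backends.
# The "${APP_*}" / "${..._URL}" placeholders are presumably substituted from
# the environment before nginx loads this file — confirm against the image's
# start-up script.
server {
    listen "${APP_PORT}";
    server_name "${APP_HOSTNAME}";

    # Default proxy settings.
    # NOTE(review): proxy_set_header is inherited from this level only by
    # locations that declare NO proxy_set_header of their own. Every location
    # below that sets `Host` therefore does not receive the Referer,
    # X-Forwarded-For and X-Real-IP lines from here; whatever the client sent
    # in those headers is forwarded as-is. If the backends use them for
    # logging or access decisions, repeat the three lines in each location.
    proxy_buffers 16 32k;
    proxy_buffer_size 32k;
    proxy_pass_header Nav-Callid;
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;

    # Response headers: debug information, security headers and the fallback
    # cache policy.
    # add_header follows the same inheritance rule as proxy_set_header: a
    # location with its own add_header gets none of these. Without `always`
    # they are also only added to 2xx/3xx responses, not to error responses.
    add_header X-Cache-Status $upstream_cache_status;
    add_header X-Application-Id "${APP_NAME}:${APP_VERSION}, pod=${APP_HOSTNAME}";
    # NOTE(review): 'unsafe-inline' in script-src allows inline scripts, which
    # removes most of the protection CSP gives against injected markup.
    # Dropping it would require nonces or hashes in the application.
    add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; font-src 'self' https://cdn.nav.no data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://sentry.gc.nav.no";
    add_header X-Content-Type-Options "nosniff";
    # Legacy header; current browsers have removed the XSS auditor it controls.
    add_header X-XSS-Protection "1;mode=block";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header Cache-Control $custom_cache_control;

    # Feature toggles, served as a static file from /tmp/k9/feature-toggle/.
    # default_type is used instead of `add_header Content-Type`: add_header
    # appends a second Content-Type header next to the one nginx generates,
    # and it would also switch off inheritance of the server-level headers.
    # NOTE(review): /tmp is normally writable by every process in the
    # container; anything able to write there controls the toggles served.
    location = /k9/feature-toggle/toggles.json {
        default_type application/json;
        root /tmp/;
    }

    # Liveness check for NAIS
    location = /isAlive {
        default_type text/plain;
        return 200 "Application:UP";
    }

    # Readiness check for NAIS
    location = /isReady {
        default_type text/plain;
        return 200 "Application:READY";
    }

    # API proxies. Upstream 401/403/404/504 responses are intercepted and
    # replaced with the fixed JSON bodies defined in the @..._json locations.
    # NOTE(review): $http_host is the Host header exactly as the client sent
    # it; confirm the backends do not trust it for building links or for
    # tenant/routing decisions.
    location "/k9/sak/" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    location "/k9/formidling/" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL_K9FORMIDLING}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    # Prefix match without a trailing slash: any path that merely starts with
    # this string is routed here as well.
    location "/k9/formidling/dokumentdata" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL_K9FORMIDLING_DD}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    location "/k9/oppdrag/" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL_K9OPPDRAG}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    location "/k9/klage/" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL_KLAGE}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    location "/k9/tilbake/" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL_K9TILBAKE}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    location "/k9/fordel/" {
        proxy_set_header Host $http_host;
        proxy_pass "${APP_URL_K9FORDEL}";
        proxy_intercept_errors on;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    # No proxy_set_header here, so this is the one proxy location that does
    # inherit the server-level Referer / X-Forwarded-For / X-Real-IP lines.
    # proxy_ssl_server_name sends SNI to the upstream; it does not by itself
    # verify the upstream certificate.
    location "/k9/endringslogg/" {
        proxy_ssl_server_name on;
        proxy_pass "${ENDRINGSLOGG_URL}";
        proxy_intercept_errors on;
        proxy_http_version 1.1;
        error_page 401 = @401_json;
        error_page 403 = @403_json;
        error_page 404 = @404_json;
        error_page 504 = @504_json;
    }

    # If no asset matches, send it to your javascript app. Hopefully it's a route in the app!
    location @rewrites {
        rewrite ^(.+)$ "/k9/web/index.html" last;
    }

    # Fixed JSON error bodies for intercepted upstream errors.
    # NOTE(review): $request_uri is placed in the Location query string as
    # received. The login endpoint should accept `original` only as a
    # same-site path before redirecting to it — confirm in the backend.
    location @401_json {
        default_type application/json;
        add_header Location /k9/sak/resource/login?original=$request_uri always;
        return 401 '{"feilmelding":"Bruker ikke innlogget","type":"MANGLER_TILGANG_FEIL"}';
    }

    location @403_json {
        default_type application/json;
        return 403 '{"feilmelding":"Innlogget bruker har ikke tilgang til ressursen","type":"MANGLER_TILGANG_FEIL"}';
    }

    location @404_json {
        default_type application/json;
        return 404 '{"feilmelding":"Kunne ikke finne ressursen, beklager.","type":"IKKE_FUNNET_FEIL"}';
    }

    location @504_json {
        default_type application/json;
        return 504 '{"feilmelding":"Timet ut","type":"GENERELL_FEIL"}';
    }

    # Static web app.
    location / {
        expires $expires;
        etag on;
        if_modified_since off;
        sendfile on;

        # Declaring add_header here stops inheritance of the server-level set,
        # so the security headers are repeated. Cache-Control and
        # X-Cache-Status are not repeated — presumably so that `expires`
        # alone decides caching for static files; confirm.
        add_header X-Application-Id "${APP_NAME}:${APP_VERSION}, pod=${APP_HOSTNAME}";
        add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; font-src 'self' https://cdn.nav.no data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://sentry.gc.nav.no";
        add_header X-Content-Type-Options "nosniff";
        add_header X-XSS-Protection "1;mode=block";
        add_header Strict-Transport-Security "max-age=31536000";

        # Keep the default root so the image can be swapped for stock nginx.
        root /usr/share/nginx/html;
        index index.html index.htm;
        try_files $uri @rewrites;
    }
}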