Merge pull request #1762 from bigchaindb/nginx-update-config

Update nginx config for well being
2024-10-13 13:34:05 +00:00 · 2017-09-27 14:13:22 +02:00 · 2017-09-27 14:13:22 +02:00 · 2e6be2a3b8
commit 2e6be2a3b8
parent 86ddbc2750 9ab6785920
6 changed files with 37 additions and 15 deletions
--- a/k8s/nginx-http/container/Dockerfile
+++ b/k8s/nginx-http/container/Dockerfile
@ -1,4 +1,4 @@
-FROM nginx:1.13.1
+FROM nginx:stable
 LABEL maintainer "dev@bigchaindb.com"
 WORKDIR /
 RUN apt-get update \
--- a/k8s/nginx-http/container/docker_build_and_push.bash
+++ b/k8s/nginx-http/container/docker_build_and_push.bash
@ -1,5 +1,5 @@
 #!/bin/bash

-docker build -t bigchaindb/nginx_http:1.0 .
+docker build -t bigchaindb/nginx_http:1.1 .

-docker push bigchaindb/nginx_http:1.0
+docker push bigchaindb/nginx_http:1.1
--- a/k8s/nginx-http/container/nginx.conf.template
+++ b/k8s/nginx-http/container/nginx.conf.template
@ -45,6 +45,12 @@ http {

  keepalive_timeout 60s;

+  # Do not expose nginx data/version number in error response and header
+  server_tokens off;
+
+  # To prevent cross-site scripting
+  add_header X-XSS-Protection "1; mode=block";
+
  # The following map blocks enable lazy-binding to the backend at runtime,
  # rather than binding as soon as NGINX starts.
  map $remote_addr $bdb_backend {
@ -54,7 +60,6 @@ http {
  # Frontend server for the external clients
  server {
    listen CLUSTER_FRONTEND_PORT;
-
    underscores_in_headers on;

    # Forward websockets to backend BDB at 9985.
@ -100,6 +105,11 @@ http {
        add_header 'Content-Length' 0;
        return 204;
      }
+
+      # Only return this reponse if request_method is neither POST|GET|OPTIONS
+      if ($request_method !~ ^(GET|OPTIONS|POST)$) {
+        return 444;
+      }
    }
  }

--- a/k8s/nginx-https/container/Dockerfile
+++ b/k8s/nginx-https/container/Dockerfile
@ -1,4 +1,4 @@
-FROM nginx:1.13.1
+FROM nginx:stable
 LABEL maintainer "dev@bigchaindb.com"
 WORKDIR /
 RUN apt-get update \
--- a/k8s/nginx-https/container/docker_build_and_push.bash
+++ b/k8s/nginx-https/container/docker_build_and_push.bash
@ -1,5 +1,5 @@
 #!/bin/bash

-docker build -t bigchaindb/nginx_https:1.0 .
+docker build -t bigchaindb/nginx_https:1.1 .

-docker push bigchaindb/nginx_https:1.0
+docker push bigchaindb/nginx_https:1.1
--- a/k8s/nginx-https/container/nginx.conf.template
+++ b/k8s/nginx-https/container/nginx.conf.template
@ -42,6 +42,12 @@ http {
  client_body_timeout 10s;
  client_header_timeout 10s;

+  # Do not expose nginx data/version number in error response and header
+  server_tokens off;
+
+  # To prevent cross-site scripting
+  add_header X-XSS-Protection "1; mode=block";
+
  # DNS resolver to use for all the backend names specified in this configuration.
  resolver DNS_SERVER valid=30s ipv6=off;

@ -60,10 +66,11 @@ http {
  server {
    listen CLUSTER_FRONTEND_PORT ssl;
    server_name "CLUSTER_FQDN";
-    ssl_certificate        /etc/nginx/ssl/cert.pem;
-    ssl_certificate_key    /etc/nginx/ssl/cert.key;
-    ssl_protocols          TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers            HIGH:!aNULL:!MD5;
+
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/cert.key;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!MD5;

    underscores_in_headers on;

@ -114,6 +121,11 @@ http {
        add_header 'Content-Length' 0;
        return 204;
      }
+
+      # Only return this reponse if request_method is neither POST|GET|OPTIONS
+      if ($request_method !~ ^(GET|OPTIONS|POST)$) {
+        return 444;
+      }
    }
  }